Hello,
I am trying to figure out why the following rules are not processing as I would expect.
Scenario:
I have a number of security groups of VMs defined in NSX. Of those groups, only one of them is allowed to access external websites (port 80 or 443).
Example:
I have rules defined (and working so far between the application groups) but was concerned about using the blind "any" for a destination in terms of allowing external access for AppGroup1.
Following this post: https://nealdolson.com/2017/01/09/vmware-nsx-distributed-firewall-rules-scoping-and-direction-matter... I created a few IP sets:
IPSet1: 192.168.1.0/24
IPSet2: 10.10.0.0/16
IPSet3: 1.1.1.1-254.254.254
I then created three additional security groups:
In my firewall configuration, I have a section for the rules for AppGroup1 of which has an entry as follows:
Name | RuleID | Source | Destination | Service | Action | Applies To |
---|---|---|---|---|---|---|
AppGroup1_To_ExternalWeb | 1000 | AppGroup1 | SG-External_IPs | TCP 80 TCP 443 | Allow - Out - Log | Distributed Firewall |
Later in the firewall definition, I have my blocking rules defined which include:
Name | RuleID | Source | Destination | Service | Action | Applies To |
---|---|---|---|---|---|---|
AppGroup1_To_Any-BLOCK | 1234 | AppGroup1 | Any | Any | Block - Out - Log | Distributed Firewall |
What I am observing (using Log Insight) is that when I reference the destination SG-External_IPs in my outbound allow rule, the rule is skipped and the traffic is processed by rule 1234 (the blocking rule).
However, when I change the destination to "any" for rule 1000, it begins allowing the proper traffic out.
In my mind, there should be no difference between using the "any" destination and the SG-External_IPs destination as the firewall processes the outbound traffic. In my mind, it would be a more secure method of defining "external" for the firewall rather than using the "any" definition, as "any" could lead to potentially unexpected results as shown in the post referenced above (particularly as time goes by and other hands get into the mix).
Am I off-base with this expectation? Or have I configured something wrong? By nesting the IPSets within security groups, have I somehow masked the intent of "External" to the system?
For the purposes of this question, I have not configured any policies, and am excluding any NSX Controllers or ESGs from the equation and limiting it solely to the DFW portion of NSX.
Any ideas are greatly appreciated.
Thank you
Sorry about this, but I just reviewed each specific group and its membership, and found an earlier test IP Set that I made for external addresses that was inadvertently added to the "Objects to Include" part of the group definition. Now that the offending object has been removed, it is working as expected.
Dumb mistake.
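As an added illustration (not code from the original post or from VMware), the following Python models the two things this thread turns on: DFW rules in a section are evaluated top-down and the first match wins, and a rule whose destination is a security group only matches when the flow's destination IP resolves to a member of that group once nested IP sets, includes and excludes are flattened. The `explain()` audit lists which nested object makes a given address a member, which is the check that would have surfaced the stray test IP set described in the follow-up. All group names, IP ranges (including the "public range" used for IPSet3), the exclusion of internal ranges from the external group, and the sample flows are constructed assumptions for the example.

```python
"""Toy model of NSX-v DFW first-match evaluation over nested security groups.

Added example, not NSX code. Object names, ranges and flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_network

ANY = "any"


def _to_range(spec: str) -> tuple[int, int]:
    """Turn '10.0.0.0/8' or '1.1.1.1-2.2.2.2' into an inclusive integer range."""
    if "-" in spec:
        lo, hi = (int(IPv4Address(p.strip())) for p in spec.split("-", 1))
    else:
        net = ip_network(spec, strict=False)
        lo, hi = int(net[0]), int(net[-1])
    if lo > hi:
        raise ValueError(f"inverted range: {spec}")
    return lo, hi


@dataclass
class IPSet:
    name: str
    members: list[str]          # CIDRs or 'a-b' ranges


@dataclass
class SecurityGroup:
    name: str
    include: list[str] = field(default_factory=list)   # "Objects to Include"
    exclude: list[str] = field(default_factory=list)   # "Objects to Exclude"


@dataclass
class Rule:
    rule_id: int
    name: str
    source: str
    destination: str
    ports: set[int] | str       # set of TCP ports, or ANY
    action: str                 # "allow" or "block"


class Inventory:
    def __init__(self, ipsets: list[IPSet], groups: list[SecurityGroup]):
        self.ipsets = {s.name: s for s in ipsets}
        self.groups = {g.name: g for g in groups}

    def explain(self, obj: str, ip: str) -> list[str]:
        """Chain of objects that makes `ip` a member of `obj`; [] if not a member.

        An address matched by any excluded object is never a member, regardless
        of how many included objects also cover it.
        """
        if obj == ANY:
            return [ANY]
        addr = int(IPv4Address(ip))
        if obj in self.ipsets:
            for spec in self.ipsets[obj].members:
                lo, hi = _to_range(spec)
                if lo <= addr <= hi:
                    return [f"{obj}[{spec}]"]
            return []
        grp = self.groups[obj]          # KeyError for an unknown object name
        if any(self.explain(child, ip) for child in grp.exclude):
            return []
        for child in grp.include:
            chain = self.explain(child, ip)
            if chain:
                return [obj] + chain
        return []


def evaluate(inv: Inventory, rules: list[Rule], src_ip: str, dst_ip: str, port: int) -> Rule | None:
    """Walk the section top-down; the first rule whose source, destination and
    service all match wins. None means no rule in this section matched."""
    for r in rules:
        if not inv.explain(r.source, src_ip):
            continue
        if not inv.explain(r.destination, dst_ip):
            continue
        if r.ports != ANY and port not in r.ports:
            continue
        return r
    return None


# Constructed inventory (assumptions): AppGroup1 VMs live in 192.168.1.0/24,
# IPSet3 stands in for "public unicast", and the external group explicitly
# excludes the internal ranges instead of relying on "any".
INVENTORY = Inventory(
    ipsets=[
        IPSet("IPSet1", ["192.168.1.0/24"]),
        IPSet("IPSet2", ["10.10.0.0/16"]),
        IPSet("IPSet3", ["1.0.0.0-223.255.255.255"]),
    ],
    groups=[
        SecurityGroup("SG-AppGroup1", include=["IPSet1"]),
        SecurityGroup("SG-Internal", include=["IPSet1", "IPSet2"]),
        SecurityGroup("SG-External_IPs", include=["IPSet3"], exclude=["SG-Internal"]),
    ],
)

RULES = [
    Rule(1000, "AppGroup1_To_ExternalWeb", "SG-AppGroup1", "SG-External_IPs", {80, 443}, "allow"),
    Rule(1234, "AppGroup1_To_Any-BLOCK", "SG-AppGroup1", ANY, ANY, "block"),
]

if __name__ == "__main__":
    # Constructed flows: one genuinely external, one internal, one wrong port.
    for src, dst, port in [("192.168.1.10", "93.184.216.34", 443),
                           ("192.168.1.10", "10.10.5.5", 443),
                           ("192.168.1.10", "93.184.216.34", 22)]:
        hit = evaluate(INVENTORY, RULES, src, dst, port)
        print(f"{src} -> {dst}:{port} => rule {hit.rule_id if hit else None} "
              f"({hit.action if hit else 'no match'}); dst membership: "
              f"{INVENTORY.explain('SG-External_IPs', dst) or 'not in SG-External_IPs'}")
```

When a Log Insight entry shows rule 1234 logging a flow you expected rule 1000 to allow, run `explain("SG-External_IPs", <dst IP from the log>)` against your real group definitions: an empty result tells you the destination object, not the rule order, is what failed to match, and a non-empty chain tells you exactly which nested IP set or group is contributing.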