VMware Networking Community
Buckwheattb1
Contributor

NSX Firewall Rule Processing

Hello,

I am trying to figure out why the following rules are not processing as I would expect.

Scenario:

I have a number of security groups of VMs defined in NSX.  Of those groups, only one of them is allowed to access external websites (port 80 or 443).

Example:

  • AppGroup1 -- This can access external websites
  • AppGroup2 -- Cannot access external websites
  • AppGroup3 -- Cannot access external websites

I have rules defined (and working so far between the application groups) but was concerned about using the blind "any" for a destination in terms of allowing external access for AppGroup1. 

Following this post:  https://nealdolson.com/2017/01/09/vmware-nsx-distributed-firewall-rules-scoping-and-direction-matter... I created a few IP sets:

IPSet1:  192.168.1.0/24

IPSet2:  10.10.0.0/16

IPSet3:  1.1.1.1-254.254.254

I then created three additional security groups:

  • SG-Internal_IPs
    • Include--IPSet1
    • Include--IPSet2

  • SG-All_IPs
    • Include--IPSet3

  • SG-External_IPs
    • Include--SG-All_IPs
    • Exclude--SG-Internal_IPs

In my firewall configuration, I have a section for the rules for AppGroup1 which has an entry as follows:

Name                     | Rule ID | Source    | Destination     | Service         | Action            | Applies To
AppGroup1_To_ExternalWeb | 1000    | AppGroup1 | SG-External_IPs | TCP 80, TCP 443 | Allow - Out - Log | Distributed Firewall

Later in the firewall definition, I have my blocking rules defined which include:

Name                   | Rule ID | Source    | Destination | Service | Action            | Applies To
AppGroup1_To_Any-BLOCK | 1234    | AppGroup1 | Any         | Any     | Block - Out - Log | Distributed Firewall

What I am observing (using Log Insight) is that when I reference the destination of SG-External_IPs in my allow rule out, the rule is skipped and processed by rule 1234 (the Blocking rule).

However, when I change the destination to "any" for rule 1000, it begins allowing the proper traffic out.

In my mind, there should be no difference between using the "any" destination and the SG-External_IPs destination as the firewall processes the outbound traffic.  In my mind, it would be a more secure method of defining "external" for the firewall rather than using the "any" definition, as that could lead to potential unexpected results as shown in the post referenced above (particularly as time goes by and other hands get into the mix).

Am I off-base with this expectation?  Or have I configured something wrong?  By nesting the IPSets within security groups, have I somehow masked the intent of "External" to the system?

For the purposes of this question, I have not configured any policies, and am excluding any NSX Controllers or ESGs from the equation, limiting it solely to the DFW portion of NSX.

Any ideas are greatly appreciated.

Thank you

1 Reply
Buckwheattb1
Contributor

Sorry about this...but I just reviewed each specific group and its membership, and found an earlier test IP Set that I made for external addresses that was inadvertently added to the "Objects to Include" part of the rule definition.  Now that the offending group has been removed, it is working as expected.

dumb mistake

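Added example (not from the original thread or from VMware): a small Python model of the objects described above, nested security groups built from IP sets with include/exclude semantics, plus first-match evaluation of the two DFW rules. It also includes the membership audit the poster ended up doing by hand, which lists every IP set that contributes to a given address's membership in SG-External_IPs. Assumptions: exclusions override inclusions (NSX-v security group semantics); AppGroup1 is stood in for by a constructed IP set (the real group is VM-based); the upper bound of IPSet3 is taken as 254.254.254.254 (the post writes 1.1.1.1-254.254.254); the stray set IPSet-OldExternalTest and its placement inside SG-Internal_IPs are hypothetical, used only to show how an inadvertent include makes the allow rule miss and the block rule fire.

```python
"""Toy model of NSX-v DFW object nesting and first-match rule evaluation (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple, Union


def ipset(*specs: str) -> List[ipaddress.IPv4Network]:
    """Build an IP set from CIDRs and 'lo-hi' ranges, the two forms NSX IP sets accept."""
    nets = []
    for spec in specs:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


@dataclass
class SecurityGroup:
    name: str
    include: List[Union[str, "SecurityGroup"]] = field(default_factory=list)  # IP set names or nested groups
    exclude: List[Union[str, "SecurityGroup"]] = field(default_factory=list)


Member = Union[str, SecurityGroup]


def is_member(obj: Member, ip: ipaddress.IPv4Address, ipsets: dict) -> bool:
    """An address is in a group if any include matches and no exclude matches (exclude wins)."""
    if isinstance(obj, str):
        return any(ip in net for net in ipsets[obj])
    included = any(is_member(o, ip, ipsets) for o in obj.include)
    excluded = any(is_member(o, ip, ipsets) for o in obj.exclude)
    return included and not excluded


def explain(obj: Member, ip: ipaddress.IPv4Address, ipsets: dict, path: str = "") -> List[str]:
    """Audit helper: every include/exclude path that leads to an IP set containing ip."""
    if isinstance(obj, str):
        return [path + obj] if any(ip in net for net in ipsets[obj]) else []
    hits: List[str] = []
    for o in obj.include:
        hits += explain(o, ip, ipsets, path + obj.name + "/include/")
    for o in obj.exclude:
        hits += explain(o, ip, ipsets, path + obj.name + "/exclude/")
    return hits


@dataclass
class Rule:
    rule_id: int
    name: str
    source: Member
    destination: Optional[Member]            # None models the "any" destination
    services: Optional[Set[Tuple[str, int]]]  # None models the "any" service
    action: str


def first_match(rules: List[Rule], src, dst, proto: str, port: int, ipsets: dict) -> Optional[Rule]:
    """DFW rules are evaluated top-down; the first rule whose fields all match decides."""
    for r in rules:
        if not is_member(r.source, src, ipsets):
            continue
        if r.destination is not None and not is_member(r.destination, dst, ipsets):
            continue
        if r.services is not None and (proto, port) not in r.services:
            continue
        return r
    return None


def build(stray_in_internal: bool):
    """Recreate the post's objects; optionally add a hypothetical leftover test set to SG-Internal_IPs."""
    ipsets = {
        "IPSet1": ipset("192.168.1.0/24"),
        "IPSet2": ipset("10.10.0.0/16"),
        "IPSet3": ipset("1.1.1.1-254.254.254.254"),   # assumption: full upper bound for the post's range
        "AppGroup1-VMs": ipset("10.10.5.0/24"),       # constructed stand-in for the VM-based group
        "IPSet-OldExternalTest": ipset("0.0.0.0/0"),  # hypothetical stray set covering everything
    }
    internal = SecurityGroup("SG-Internal_IPs", include=["IPSet1", "IPSet2"])
    if stray_in_internal:
        internal.include.append("IPSet-OldExternalTest")
    all_ips = SecurityGroup("SG-All_IPs", include=["IPSet3"])
    external = SecurityGroup("SG-External_IPs", include=[all_ips], exclude=[internal])
    app1 = SecurityGroup("AppGroup1", include=["AppGroup1-VMs"])
    web = {("tcp", 80), ("tcp", 443)}
    rules = [
        Rule(1000, "AppGroup1_To_ExternalWeb", app1, external, web, "Allow"),
        Rule(1234, "AppGroup1_To_Any-BLOCK", app1, None, None, "Block"),
    ]
    return ipsets, external, rules


def decide(stray_in_internal: bool, src: str, dst: str, port: int) -> Tuple[Optional[int], str]:
    """Which rule handles an outbound TCP flow from src to dst:port, and what it does."""
    ipsets, _, rules = build(stray_in_internal)
    r = first_match(rules, ipaddress.ip_address(src), ipaddress.ip_address(dst), "tcp", port, ipsets)
    return (r.rule_id, r.action) if r else (None, "default")


def audit(stray_in_internal: bool, dst: str) -> List[str]:
    """List every IP set that contributes to dst's membership (or exclusion) in SG-External_IPs."""
    ipsets, external, _ = build(stray_in_internal)
    return explain(external, ipaddress.ip_address(dst), ipsets)


if __name__ == "__main__":
    print(decide(False, "10.10.5.10", "93.184.216.34", 443))  # constructed external destination
    print(decide(True, "10.10.5.10", "93.184.216.34", 443))
    for line in audit(True, "93.184.216.34"):
        print(line)
```

With the objects as posted, the external destination matches rule 1000; once a stray all-addresses set sits in an include of SG-Internal_IPs, the exclude removes the destination from SG-External_IPs, rule 1000 no longer matches and rule 1234 logs the block. Running the audit for a known-external address is the quick way to find which include/exclude path is responsible before touching the rules.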