15 Replies. Latest reply on Mar 3, 2019 1:25 PM by DaleCoghlan

    If a firewall rule is applied to a security group which is composed of an IP set, this rule will not be implemented.

    ZhouLiu Novice

      I have experienced that when a DFW rule is applied to a security group, it has strange behaviour.

       

      I have a VM, 172.18.132.2. First I build a security group, SG-test, which consists only of 172.18.132.2.

       

      source        destination  service  action  applied to
      172.18.132.2  any          any      allow   SG-test
      172.18.132.2  any          any      reject  dfw

       

      It works fine. The VM can communicate with others.

       

      Then I modify the security group. First I build an IP set, IPSet-test, which is composed only of 172.18.132.2. Then I build a security group, SG-test, which consists only of IPSet-test. The firewall rules are the same. But now the VM cannot communicate with others anymore.

       

      After more investigations I can conclude that a security group which contains an IP set works fine as source and destination, but not as "applied to". Unfortunately it is exactly "applied to" where we have no possibility to choose an IP set.
