Hello All,
I have set up a lab of NSX-V to complete pre-defined use cases, successfully completed a couple of PoCs and got stuck in the Micro-segmentation.
Configured a rule with Service Composer above the default rule to allow communication between source and destination with service HTTP, and changed the default rule to block, but still the traffic is not going through the configured rule.
I have checked from the flow monitoring: it is getting blocked by the default rule and not matching the configured rule.
Can anyone help me here?
Regards,
Hardik.
Have you published the changes? I hope the new rule is on top of the default one in the order list.
Please check the VMware Knowledge Base: https://kb.vmware.com/s/article/2149818
Hi Suresh,
Thanks for taking time.
Yes, I have configured the custom rule well above the default rule and also published the changes, but it is matching the default rule.
Regards,
Hardik
Hello Singho,
I have gone through the KB article. Does it mean that we will not be able to control TCS traffic between VMs? If that is the case, Micro-segmentation is not giving the expected outcome.
I would like to know your view on this.
Regards,
Hardik.
Hi,
How have you configured the rule? Are you using objects?
When firewall rules are created using objects, they have to be translated to IP addresses to actually be applied. Here VMTools plays an important part, and if it is not present you might see the behavior you mention. Take a look at this: NSX Distributed Firewall Deep Dive – Route to Cloud
It has lots of good info on how this works.
Please check if you have VMTools in the VMs that you are trying to create a rule for, try to change the rule to use IP addresses instead of objects, and let us know the results.
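An added example, not posted by anyone in this thread, of the VMTools check suggested above done with PowerCLI: it lists the VMs whose Tools are not running or that report no guest IP, which are exactly the VMs an object-based DFW rule cannot be translated for. It assumes an existing PowerCLI session to vCenter and that `$NamePattern` is adjusted to the VMs in the security group.

```powershell
# Added example (not from the thread). Assumes Connect-VIServer <vcenter> was
# already run (placeholder hostname) and that you narrow $NamePattern to the
# VMs that the Service Composer rule is supposed to cover.
$NamePattern = '*'   # assumption: e.g. 'web-*' for the VMs in the security group

$report = Get-VM -Name $NamePattern | ForEach-Object {
    $guest = $_.ExtensionData.Guest
    [PSCustomObject]@{
        VM                 = $_.Name
        PowerState         = $_.PowerState
        # toolsOk / toolsOld / toolsNotInstalled / toolsNotRunning
        ToolsStatus        = $guest.ToolsStatus
        # guestToolsRunning / guestToolsNotRunning
        ToolsRunningStatus = $guest.ToolsRunningStatus
        # IPs the guest reports through Tools; empty when Tools is absent
        GuestIPs           = ($_.Guest.IPAddress -join ', ')
    }
}

# Powered-on VMs without running Tools or without a reported IP: rules built on
# objects have no address to translate for them, so their traffic is evaluated
# only by the default rule.
Write-Host "VMs an object-based rule cannot be translated for:"
$report | Where-Object {
    $_.PowerState -eq 'PoweredOn' -and
    ($_.ToolsRunningStatus -ne 'guestToolsRunning' -or -not $_.GuestIPs)
} | Format-Table -AutoSize

# Full report for comparison with the Tools and IP state of the other VMs
Write-Host "All VMs matching the pattern:"
$report | Sort-Object VM | Format-Table -AutoSize
```

If a VM shows up in the first table, fix Tools on it (or switch the rule to IP addresses as suggested) and re-check the flow monitoring before reading any further into the KB article.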