4 Replies Latest reply on Aug 18, 2019 10:00 AM by MRoushdy

    NSX-T native Gateway firewall, not processing further rules

    MRoushdy Enthusiast
    vExpert

      Hello,


      I'm testing NSX-T in my lab, and I faced an obstacle with the Gateway firewall. I have four rules, one for DNS, one for DHCP, one for internet access, and the last one is a catch-all set to deny any other traffic, and I've found that it processes only one rule and skips (or ignores) the rest, so the VM would get an IP from the DHCP server and fail to query DNS. This quote is from a VMW article:


      first rule that matches the packet has its configured action applied, and any processing specified in the rule's configured options is performed and all subsequent rules are ignored (even if a later rule is a better match).

      So, does it mean what I understood, that this firewall is useless? How can I set up a logical north-south firewall then, please?

        • 1. Re: NSX-T native Gateway firewall, not processing further rules
          A13xxx Enthusiast

          I went through this nightmare a few days ago: gateway default deny. I then created a default deny in the application rules of the DFW (since the default seems to be allow!!!) and then used the other sections for infrastructure services. Seems to work, and deny all works.


          I tried to use the GW for NS traffic and the DFW for EW, but that just ended up being a nightmare and a pain to diagnose since we do not have a paid-for subscription to log intel. Now it's deny all in all areas and the DFW does the work.

          • 2. Re: NSX-T native Gateway firewall, not processing further rules
            MRoushdy Enthusiast
            vExpert

            Thanks for responding back. So, what do you want me to do exactly?

            • 3. Re: NSX-T native Gateway firewall, not processing further rules
              bhatg Lurker
              VMware Employees

              It should work, but a few questions to understand more about your setup.

              - Can you share the exact rules you have defined? Static or dynamic groups?

              - Have you root-caused why the DNS query is failing?

                    - Is the DNS server IP outside the T1 GW (over its uplink)?

                    - I presume you have routes available to the DNS server and back.

              • 4. Re: NSX-T native Gateway firewall, not processing further rules
                MRoushdy Enthusiast
                vExpert

                Hi again,


                I'm sorry for my terrible drawing, but simply this is my network. I use only a Tier-0 GW. Everything is reachable as long as I don't use the GW firewall; once I enable the rules, only one of them works, and traffic sticks to it, meaning that no further rules process traffic. I fix this by disabling the "catch all" rule (I created it), but I think traffic goes to the default NSX catch-all rule that is set to "Allow", and I am unable to edit it. Rule logging counts for the rules I set, sometimes, not always; there's something wrong. The rules are here:

                1- "Internet", source: any, destination: 0.0.0.0/0 (there's a static route for it and it works fine if no firewall rule is enabled; I also use BGP, by the way), mode: allow.

                2- "DNS", source: any, destination: DNS_IP, set to allow indeed.

                3- "DHCP", source: any, destination: the cisco router.

                4- "DenyAll", source: any, dest: any, and set to "drop".
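As an added illustration of the first-match semantics quoted in the original post (example code written for this page, not from the thread, VMware, or NSX-T itself): a small Python evaluator that walks the four rules listed above in the order given, reports which rule a sample packet hits, and flags any later rule whose source and destination are fully covered by an earlier one, so it can never be reached. DNS_IP and the router address are constructed placeholders, and "any" is modelled as the prefix 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str     # CIDR prefix, or "any"
    dst: str     # CIDR prefix, or "any"
    action: str  # "allow" or "drop"


def _net(cidr: str) -> ipaddress.IPv4Network:
    # Model "any" as the whole IPv4 space (assumption for this example).
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def first_match(rules, src_ip: str, dst_ip: str):
    """Return the first rule whose src/dst prefixes contain the packet, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in _net(r.src) and d in _net(r.dst):
            return r  # later rules are not consulted, even if they match better
    return None


def shadowed(rules):
    """Names of rules an earlier rule fully covers, i.e. rules that can never fire."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))):
                names.append(later.name)
                break
    return names


# Constructed placeholder addresses standing in for DNS_IP and the Cisco router.
DNS_IP = "10.0.0.53/32"
ROUTER_IP = "10.0.0.1/32"

# The four rules from the last post, in the order they were listed.
RULES = [
    Rule("Internet", "any", "0.0.0.0/0", "allow"),
    Rule("DNS", "any", DNS_IP, "allow"),
    Rule("DHCP", "any", ROUTER_IP, "allow"),
    Rule("DenyAll", "any", "any", "drop"),
]

if __name__ == "__main__":
    hit = first_match(RULES, "10.0.1.20", "10.0.0.53")
    print("DNS packet hits:", hit.name, hit.action)
    print("unreachable rules:", shadowed(RULES))
```

Moving the broad "Internet" rule below the more specific DNS and DHCP rules changes the shadow report accordingly, which is the quickest way to check an ordered rule set before applying it.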