
Partial firewall rule is seen on the vNIC with 'Applied To' configuration set to 'Policy's Security Group' (2151210)


Symptoms

With the Applied To configuration set to Policy's Security Groups in NSX for vSphere 6.3.2 or 6.2.8, you see partial firewall rules on the virtual machine's vNIC.

There are two scenarios where partial FW rules are seen on the vNIC:
  1. A virtual machine is removed from a security group and then added back to it.
  2. A large number of virtual machines were created in bulk using automation tools such as vRealize Automation.

Cause

When a VM is added to or removed from a security group (SG), address set changes are pushed down to the host. In this case the same SG is sent down twice: as a set of IP addresses for the source and destination of the firewall rule, and as the list of vNICs the rule is applied to. Normally these arrive as separate messages. When a large number of SGs change at the same time (because of nesting in this case), the updates are aggregated into a single message. Previously the host processed one message at a time; with the new aggregation optimization it picks up multiple messages at once. If the manager or the host is slow, fewer messages are aggregated, so the problem is less likely to occur.

Resolution

To resolve this issue:
  1. Change the Applied To setting to Distributed Firewall.
  2. Navigate to Networking & Security > Installation > Host Preparation.
  3. Select the cluster you want to force sync, then click Actions > Force Sync Services.
  4. Select Firewall from the services to force sync. Click OK.
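Before changing rules by hand, an administrator usually wants to know which rules in the DFW configuration still have Applied To set to a security group rather than Distributed Firewall. The script below is an added example written for this article, not VMware code: it parses a DFW configuration export and lists the affected rules. The XML sample is constructed here, and the element names (section, rule, appliedToList, appliedTo, type, value) are an assumption about the export layout that you should verify against an export from your own NSX Manager.

```python
import xml.etree.ElementTree as ET

# Releases named in this article as exhibiting the partial-rule symptom.
AFFECTED_VERSIONS = {"6.3.2", "6.2.8"}

# Constructed sample of a DFW configuration export (assumed layout, not a
# real export). Rule 1010 is applied to a security group, 1011 to
# DISTRIBUTED_FIREWALL, 1012 to a mix of both, and 1013 has no Applied To
# list at all (which defaults to Distributed Firewall).
SAMPLE_DFW_CONFIG = """<firewallConfiguration>
  <layer3Sections>
    <section id="1001" name="Web tier">
      <rule id="1010" disabled="false">
        <name>web-to-app</name>
        <appliedToList>
          <appliedTo><name>sg-web</name><value>securitygroup-10</value><type>SecurityGroup</type></appliedTo>
        </appliedToList>
      </rule>
      <rule id="1011" disabled="false">
        <name>mgmt-allow</name>
        <appliedToList>
          <appliedTo><name>DISTRIBUTED_FIREWALL</name><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo>
        </appliedToList>
      </rule>
      <rule id="1012" disabled="false">
        <name>app-to-db</name>
        <appliedToList>
          <appliedTo><name>DISTRIBUTED_FIREWALL</name><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo>
          <appliedTo><name>sg-db</name><value>securitygroup-11</value><type>SecurityGroup</type></appliedTo>
        </appliedToList>
      </rule>
      <rule id="1013" disabled="false">
        <name>default-allow</name>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>"""


def is_affected_version(version: str) -> bool:
    """True if the NSX for vSphere release is one the article names as affected."""
    return version.strip() in AFFECTED_VERSIONS


def rules_applied_to_security_groups(xml_text: str) -> list:
    """Return every rule whose Applied To list contains at least one security group.

    Each finding records the section, rule id, rule name and the security group
    object ids, so the operator can review them before switching Applied To to
    Distributed Firewall (step 1 of the resolution).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            sgs = [
                applied.findtext("value")
                for applied in rule.iter("appliedTo")
                if (applied.findtext("type") or "") == "SecurityGroup"
            ]
            if sgs:  # rules without a security group in Applied To are not affected
                findings.append({
                    "section": section.get("name"),
                    "rule_id": rule.get("id"),
                    "rule_name": rule.findtext("name"),
                    "security_groups": sgs,
                })
    return findings


def audit(version: str, xml_text: str) -> dict:
    """Combine the version check with the rule scan into one report."""
    return {
        "version_affected": is_affected_version(version),
        "rules": rules_applied_to_security_groups(xml_text),
    }


if __name__ == "__main__":
    report = audit("6.3.2", SAMPLE_DFW_CONFIG)
    print("version affected:", report["version_affected"])
    for finding in report["rules"]:
        print(f"[{finding['section']}] rule {finding['rule_id']} "
              f"({finding['rule_name']}) applied to {finding['security_groups']}")
```

Run it against the XML you exported from your own manager by replacing SAMPLE_DFW_CONFIG with the file contents; rules that appear in the output are the ones to revisit in step 1, and the force sync in steps 2 to 4 then pushes the corrected rules to the hosts.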
