Operational Defect Database
BugZero updated this defect 33 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
VMware | 97757
Duplicate sequence number generated for DFW Policies
Last update date:
4/17/2024
Affected products:
NSX-T
Affected releases:
No affected releases provided.
Fixed releases:
No fixed releases provided.
Description:
Symptoms
Publishing the firewall configuration from a filtered view can lead to duplicate sequence numbers. This issue was identified as a bug in NSX-T version 3.1.3 and has been resolved in version 3.2.4 and subsequent releases.
Cause
In NSX 3.2.4 or earlier versions, if the user attempts to modify rules by searching them from the application's global search instead of utilizing the filtering available within the rules table. Subsequently, if the user tries to add a new Policy or Rule, it may result in generating duplicate sequence numbers. This could potentially distort the policy/rule ordering after publishing. This happens because the UI isn't aware of the complete firewall configuration. It may generate a sequence number close to the filtered rule, which could be non-unique, causing adjacent rules to share the same sequence number.This scenario also occurs from REST APIs, if the user modifies a rule/policy with stale sequence number information for the rule/policy.
Impact / Risks
Rearranging DFW rules via API will not cause any impact. However, customers are advised to rearrange DFW policies during maintenance windows and monitor the sequence to ensure it remains intact. If any policies get shifted out of sequence, they should be manually rearranged according to the required sequence.
Resolution
The problem has been resolved in NSX-T version 3.2.4, where the functionality allowing users to publish DFW policies through filtered views has been disabled and is no longer permitted.From NSX-T 4.1.0 the rule-level operations like Add Rule, Delete Rule, etc. from the filter view have been allowed
Workaround
Workaround for Duplicate Sequence numbers.Step 1: Make sure your current Policy Order is proper before applying the fix/workaround.GET https://<policy_ip>/policy/api/v1/infra/domains/default/security-policies?sort_by=sequence_numberStep 2: Run the following API/Command to regenerate duplicate sequence numbers.POST - https://<NSX-Manager>/policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise&operation=insert_top { }Example:POST - https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/TEST_POLICY?action=revise&operation=insert_top { }Command from the NSX Manager:curl -k -u admin -H "Content-Type: application/json" -X POST 'https://localhost/policy/api/v1/infra/domains/default/security-policies/TEST_POLICY?action=revise&operation=insert_top' -d '{ }'Step 3: After applying the above API/Command, make sure the policy order is in the desired state.Recommendations.===============For UI Users===============Do not use a filtered view to publish firewall configuration from UI. Navigate to a specific policy if you want to add a new/rule. Use the context menu to add a new policy Above/Below to the selected policy.===============For API Users=============== 1. While using API to update any Policy Configuration make sure you get the latest policy configuration before updating it. Refer to the steps mentioned below. Step 1: GET - https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/<Policy_name> Step 2: POST https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/<Policy_name> { // Use payload received in step1 and update only necessary fields. }2. To insert NewPolicy Before certain policy e,g policy-1 use the following API. POST https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/NewPolicy?action=revise&operation=insert_before&anchor_path=/infra/domains/default/security-policies/policy-1 { // Payload }3. To insert NewPolicy after some policy e,g policy-1 use the following API. POST https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/NewPolicy?action=revise&operation=insert_after&anchor_path=/infra/domains/default/security-policies/policy-1 { // Payload }
