Citation from the vCD 10.6.1 release notes:
Provider administrators can now govern which tenants can use stateful firewall services, with the ability to block the addition of stateful firewall rules on T1, T0, and vApps if the ANS security stack is not entitled. A new configuration option on edge clusters lets providers enable or disable stateful firewall.
This setting is configured per edge cluster. For each edge cluster you can set the gateway firewall behavior for stateful firewall to active or inactive. It can be found in the provider portal -> infrastructure resources -> NSX-T Edge Clusters.
Please note: changing the configuration won’t affect already deployed edge gateways.
Find the policy configuration in the Security section of NSX -> Policy Management -> Gateway Firewall.

The issue I had:
I deployed a new edge gateway and configured the gateway firewall to allow certain traffic. I ran into the problem that, even with everything configured correctly, traffic didn’t flow. After some investigation I found out that the policy created in NSX on the T1 for the firewall rules is configured as stateless. The firewall rules are configured stateful (as expected), but the policy configuration overrules the rule configuration. Once I either created a firewall rule manually allowing the return traffic or changed the policy to stateful, traffic flows worked as expected.
The behavior I discovered:
If you create a new edge gateway with the scope set to ovdc, everything works as expected, including the configuration of the policy for the firewall rules on the T1. If you increase the scope from ovdc to datacenter group, the edge gateway firewall configuration still works as expected. Also, the policy is set to stateful.

If you create a new edge gateway in the scope of the datacenter group, the policy for the firewall rules is created as stateless, which leads to unexpected behavior: even if the firewall rules are stateful, the policy is stateless, which overrules the rule configuration. Allowed traffic works, but return traffic is blocked.

Hint for Troubleshooters:
PLEASE be careful during troubleshooting. NSX tricked me, because if you use the traffic flow analysis from the Plan & Troubleshoot section, it shows that the traffic flow works. This is because the trace does not include return traffic. The result is that the firewall rule implementation is correct, but the traffic does not flow as expected.
Workaround:
There are multiple workarounds:
1. Reconfigure the default rule from drop to allow, which will allow all traffic. Be aware – that is like having no firewall.
2. If you have only firewall rules for incoming traffic, create a temporary rule allowing all outgoing traffic. That should cover the return traffic.
3. Create one return rule for each allow rule. This is the approach with the most effort, but I consider this to be the most secure approach.
If you expect a workaround saying to reconfigure the policy from stateless to stateful, I must inform you that this change is not possible. At least not using the UI. I haven’t tested via the API so far.
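The following is an added example, not part of the original post and not NSX or VCD code: a simplified model of a stateless rule set that shows why the reply is dropped and how workaround 3 derives a return rule for each allow rule. The rule fields, exact-match addressing and the sample addresses and ports are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # hypothetical rule shape, not the NSX object model
    name: str
    src: str              # exact address or "any"
    dst: str
    proto: str
    sport: Optional[int]  # None = any source port
    dport: Optional[int]  # None = any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.proto == pkt.proto
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))

def stateless_allows(rules, pkt: Packet) -> bool:
    """Stateless policy: each packet is judged on its own, default drop."""
    return any(matches(r, pkt) for r in rules)

def return_rule(rule: Rule) -> Rule:
    """Mirror an allow rule: swap the addresses and the port roles."""
    return Rule(rule.name + "-return", rule.dst, rule.src, rule.proto,
                sport=rule.dport, dport=rule.sport)

def reply_to(pkt: Packet) -> Packet:
    return Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

# Constructed sample: one inbound HTTPS rule and one client request.
ALLOW = [Rule("web-in", "any", "192.0.2.20", "tcp", None, 443)]
REQUEST = Packet("203.0.113.10", "192.0.2.20", "tcp", 51514, 443)
WITH_RETURN = ALLOW + [return_rule(r) for r in ALLOW]
# Caveat: the mirrored rule also passes server traffic that answers nothing,
# because a stateless policy cannot tell a reply from a new flow.
UNSOLICITED = Packet("192.0.2.20", "198.51.100.7", "tcp", 443, 40000)

if __name__ == "__main__":
    print("request :", stateless_allows(ALLOW, REQUEST))
    print("reply   :", stateless_allows(ALLOW, reply_to(REQUEST)))
    print("reply with return rules:", stateless_allows(WITH_RETURN, reply_to(REQUEST)))
```
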
A case is already open and engineering is actively working to provide a solution.
Update as of 07th April 2025 - 10.6.1.1 will receive a fix for this issue.
I hope this information saves some troubleshooting time.