NSX: Steering rules are not generated on Panorama
Created On 03/12/20 18:43 PM - Last Modified 04/04/20 00:52 AM
Symptom
- While trying to generate Steering Rules under Panorama > VMware NSX > Steering Rules > Auto-generate Steering Rules, no rules are populated.
- Set the logging level of the configd process to “debug” by turning on management-server debug with the following CLI command on Panorama:
> debug management-server on debug (configd.log/ms.log)
- Review the configd logs to verify the sequence of events when Auto Generate Steering Rules is triggered.
configd.log
2020-01-31 11:39:17.406 -0800 debug: _pan_cfg_exec_ctxt_init(pan_cfg_engine.c:2246): effective xpath is:/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-Child2']/post-rulebase/security/rules/entry[rule-type='intrazone']
2020-01-31 11:39:17.406 -0800 debug: pan_cfg_dumpresults(pan_cfg_get_handler.c:1965): buffer returned is:
<result total-count="0" count="0"/>
- The log snippet above shows that configd looked up all security rules of type “intrazone” under device group “DG-Child2”, but the returned count is ‘0’, meaning no intrazone security policy was found.
- In a working setup, configd returns a list of intrazone security policies from each device group, as below:
configd.log
2020-01-31 11:43:08.115 -0800 debug: _pan_cfg_exec_ctxt_init(pan_cfg_engine.c:2246): effective xpath is:/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-Child2']/pre-rulebase/security/rules/entry[rule-type='intrazone']
2020-01-31 11:43:08.116 -0800 debug: pan_cfg_dumpresults(pan_cfg_get_handler.c:1965): buffer returned is:
<result total-count="1" count="1">
<entry name="sec-pol-g2-out" loc="DG-Child2">
- Verify that the Security Policy is of type “intrazone”.
- Verify that a Dynamic Address Group is configured on the Security Policy.
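As an added example (not part of this article or of PAN-OS), the script below scans configd.log lines in the format shown above, pairs each intrazone rule lookup with the <result> count that follows it, and reports device groups whose lookups returned zero rules across both pre- and post-rulebase. The embedded log sample is constructed from the article's lines; the second device group “DG-Child1” and its rule name are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the configd.log format shown in the article.
# DG-Child2 returns no intrazone rules; DG-Child1 (assumed name) returns one.
SAMPLE_LOG = """\
2020-01-31 11:39:17.406 -0800 debug: _pan_cfg_exec_ctxt_init(pan_cfg_engine.c:2246): effective xpath is:/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-Child2']/post-rulebase/security/rules/entry[rule-type='intrazone']
2020-01-31 11:39:17.406 -0800 debug: pan_cfg_dumpresults(pan_cfg_get_handler.c:1965): buffer returned is:
<result total-count="0" count="0"/>
2020-01-31 11:43:08.115 -0800 debug: _pan_cfg_exec_ctxt_init(pan_cfg_engine.c:2246): effective xpath is:/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG-Child1']/pre-rulebase/security/rules/entry[rule-type='intrazone']
2020-01-31 11:43:08.116 -0800 debug: pan_cfg_dumpresults(pan_cfg_get_handler.c:1965): buffer returned is:
<result total-count="1" count="1">
<entry name="sec-pol-g1-out" loc="DG-Child1">
"""

# Extract device group, rulebase and rule type from the "effective xpath" line.
XPATH_RE = re.compile(
    r"effective xpath is:.*?/device-group/entry\[@name='(?P<dg>[^']+)'\]"
    r"/(?P<rulebase>pre-rulebase|post-rulebase)/security/rules/entry\[rule-type='(?P<rtype>[^']+)'\]"
)
# The <result> element that follows "buffer returned is:" carries the match count.
RESULT_RE = re.compile(r'<result total-count="(?P<total>\d+)" count="(?P<count>\d+)"')


def parse_rule_lookups(log_text: str) -> List[Dict]:
    """Pair each rule-lookup xpath with the <result> count that follows it."""
    lookups: List[Dict] = []
    pending = None
    for line in log_text.splitlines():
        m = XPATH_RE.search(line)
        if m:
            pending = {"device_group": m["dg"], "rulebase": m["rulebase"], "rule_type": m["rtype"]}
            continue
        r = RESULT_RE.search(line)
        if r and pending is not None:
            pending["count"] = int(r["count"])
            lookups.append(pending)
            pending = None
    return lookups


def device_groups_without_intrazone(log_text: str) -> List[str]:
    """Device groups whose intrazone lookups returned zero rules in every rulebase."""
    totals: Dict[str, int] = {}
    for lk in parse_rule_lookups(log_text):
        if lk["rule_type"] == "intrazone":
            totals[lk["device_group"]] = totals.get(lk["device_group"], 0) + lk["count"]
    return sorted(dg for dg, n in totals.items() if n == 0)


if __name__ == "__main__":
    for dg in device_groups_without_intrazone(SAMPLE_LOG):
        print(f"{dg}: no intrazone security rule found; check that the rule type is 'intrazone'")
```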
Environment
- Platform: Panorama
- Deployment: Security Centric
Cause
- The security policy was configured with rule type “universal”.
- Only “intrazone” security policies are supported with Security Centric deployments.
Resolution
- Changing the rule type from “universal” to “intrazone” resolved the issue.