Software Defined Networking – Curious-Techies

December 29, 2025

Understanding Catch-All Rules in vDefend Firewalls

A Conversation About Different Types of Catch-All Rules While Implementing vDefend Distributed Firewall

CuriousTechie: Hello IT Guy! I’m starting a project to implement micro-segmentation using vDefend Distributed Firewall (DFW) for applications running in my SDDC environment. I’ve read that I need to implement Catch-All rules to analyze traffic. Can you help me understand what these rules actually mean and how they should be built?

ITGuy: Let’s start with the basic. Firewalls are generally implemented using two major approaches:

Allow List – You explicitly create ALLOW rules for known, required (good) traffic.
Block List – You explicitly create DROP rules for known, unwanted (bad) traffic.

When you micro-segment an application, you typically need to build ALLOW rules for all required (known) traffic for the application to function properly. At the end of these ALLOW rules, you usually place a DROP rule to block all unwanted or unknown traffic.

However, In brownfield environments, teams often lack complete visibility into all application dependencies. Enforcing a default DROP rule prematurely, without sufficient traffic analysis, can therefore result in unintended application outages.

To address this challenge, a Catch-All rule is implemented to monitor and log traffic that does not match any existing ALLOW rules, enabling teams to identify missing dependencies before enforcing restrictive security controls.

In simple terms, a Catch-All rule is a temporary monitoring rule placed at the bottom of an application-specific Distributed Firewall policy to observe traffic that is not yet explicitly allowed. This rule is typically configured in ALLOW mode with logging enabled during the discovery phase, prior to enforcing a strict default DROP posture.

CuriousTechie: How does the Catch-All rule help monitor traffic? What tools can be used for this analysis?

ITGuy: When traffic hits the Catch-All rule, it indicates that no explicit ALLOW rule has yet been defined for that specific flow. If that traffic is required for the application, a corresponding ALLOW rule must be created above the Catch-All rule.

At a high level, there are three ways to monitor traffic hitting Catch-All rules:

Use Security Intelligence(Preferred) – Security Intelligence is a feature running on the Security Services Platform (SSP) that provides visibility into traffic flows across the environment and generates data-driven Distributed Firewall rule recommendations, while maintaining centralized policy governance.
Use VCF Operations for Networks (formerly vRNI, also known as AON) – This tool can be used to analyze flows passing through a particular DFW rule ( the Catch-All ). Required rules can then be created manually or using other preferred method.
Use VCF Operations for Logs (formerly vRLI, also known as AOL)– VCF Operations for Logs is best suited for verification and deep-dive troubleshooting rather than initial dependency analysis, as packet-level inspection can be time-intensive and operationally complex.

CuriousTechie: Should I create two Catch-All rules for Ingress and Egress, or use a single rule and just use the Applied To field?

ITGuy: Excellent question! Let’s look at the differences between these two approaches.

Option 1: Use separate rules for ingress and Egress

This approach can be useful when you are manually analyzing flows, as having two separate rules allows you to focus on ingress and egress traffic independently. It can provide some operational convenience.

However, there are a few challenges with this approach:

The Catch-In rule does not capture multicast or broadcast traffic targeting the vNIC, which can result in incomplete visibility during the discovery phase.
When using Security Intelligence, traffic hitting ingress and egress Catch-All rules is classified as Protected, which means it is treated as intentionally permitted and is therefore excluded from recommendation analysis.

Option 2: Use a Single Catch-All Rule

This is the recommended and default approach for modern implementations using Security Intelligence.

This method overcomes the limitations of the previous approach by capturing all traffic hitting the vNIC of virtual machines that are members of the group specified in the Applied To field.

Traffic flowing through a single Catch-All rule is classified as Unprotected, making it eligible for Security Intelligence analysis and rule recommendation generation.

Catch-All rules should be time-bound and periodically reviewed, with the objective of replacing them with explicit ALLOW rules and ultimately enforcing a default DENY posture in alignment with zero-trust principles.

CuriousTechie: This is great information! I’ll plan to use the single Catch-All rule approach.. But I am very curious to understand:

Why is multicast and broadcast traffic not captured by the Catch-In rule in the first scenario?
What exactly do Protected and Unprotected traffic mean in Security Intelligence?

ITGuy: Great questions! Let’s dive into these topics the next time we talk!

September 22, 2024

Unlocking Micro-Segmentation Potential with vDefend Security Intelligence

A discussion on vDefend Security Intelligence, also known as NSX Intelligence, for enhanced visibility within the Software-Defined Datacenter.

CuriousTechie: Hello IT Guy. In our last conversation here, we discussed micro-segmentation. Now, I have a solid understanding of how vDefend DFW can support it. However, I’m managing an existing brownfield environment with hundreds of applications and thousands of virtual machines. What’s the best approach to implement micro-segmentation in such a complex setup?

ITGuy: This is a very common scenario faced by every enterprise when they embark on their journey towards micro-segmentation. To sail through this journey you need two major things to consider as mentioned below.

A methodology
Tools

August 5, 2024

Quick Steps: Viewing DFW Rule Creation/Modification Time – Browser API Calls

A short conversation on how to run API calls on Browser to check the time of DFW rule creation or modification time!

CuriousTechie: Hello IT Guy, I need to check the time of creation and modification of a Distributed Firewall rule. Is there a quick way to check these details in the browser itself.

ITGuy: Yes it is doable but depends on the browser, what browser do you use?

CuriousTechie: Currently I am using Mozilla Firefox for this environment, will it be possible to get this data out of the box without any extension or plugins?

ITGuy: Yes sure, let’s login to your NSX manager UI and will show you how to get this information.

CuriousTechie: Here is my NSX manager Policy UI and I need to find the time of creation/modification details of rule number 2024.

June 26, 2024June 26, 2024

3 Ways to Verify Applied Distributed Firewall Rules on a VNIC

A short conversation on how to check the applied Distributed Firewall Rules on a vnic!!

CuriousTechie: Hello IT Guy, I am working on a project to implement DFW rules in an environment and often need to check exactly what firewall rules are applied on a vnic, is there a way to do that?

ITGuy: Sure ! We can talk about three different ways to do that and we can talk about pro’s and con’s of each.

CuriousTechie: Okay cool!

ITGuy:

From NSX UI
From ESXi Host shell
From ARIA Operations for Networks aka vRNI

April 24, 2024

AVI (NSX-ALB) Quick tip for troubleshooting network connectivity!

A short conversation on how to check and troubleshoot network connectivity from AVI Service Engines.

CuriousTechie: Hello IT Guy, I am new to AVI and sometimes I get stuck in troubleshooting connectivity issues on service engines. Is there a way to check connectivity of the data nics from the service engines?

ITGuy: Sure there is a simple way! You may login to the network namespace of the data nic inside the service engine and check the connectivity.

CuriousTechie: Can you please show me how to do that? Here is my scenario!

I have NSX-T cloud with service engines running, I have created a virtual service but the Virtual Service is DOWN and the Pool is DOWN as well. Also I am not able to reach the SE data nics.

March 10, 2024

NSX API: Quick Troubleshooting Trick

A conversation about using browser Developer tools to validate NSX API’s for quick troubleshooting in some cases.

CuriousTechie: Hello IT Guy, I am planning to upgrade my NSX but I see a problem with the upgrade status in UI and not sure where to start the troubleshoot process.

ITGuy: Okay sure! Let’s take a look at the problem then we can get some clue to move ahead.

CuriousTechie: My upgrade screen is stuck like this.

August 11, 2023August 31, 2023

NAPP – What? Why? How?

CuriousTechie: Hey, IT Guy! I am currently managing a NSX environment but there are plans to use NAPP, ATP and NTA in the environment. I am little confused about all these terminologies and what they do. I also heard that I must know Kubernetes/Containers to deploy NAPP. Can you help me connect the dots around these technologies?

ITGuy: Sure! Let’s tackle NAPP today!

May 12, 2023May 15, 2023