This page describes how to troubleshoot common issues that you might encounter when setting up Cloud Next Generation Firewall policies for Virtual Private Cloud (VPC) networks with the remote direct memory access (RDMA) over converged ethernet (RoCE) network profile.
Default policy allows all connections
This issue occurs when you don't associate any firewall policy for a a VPC network with the RoCE network profile.
To resolve this issue, define a firewall policy for your VPC network with the RoCE network profile. If you don't define a policy, all virtual machine (VM) instances in the same VPC network connect to one another by default. For more information, see Create a network with the RDMA network profile.
Implied firewall rule allows ingress traffic
This issue occurs when a RoCE firewall policy attaches to a VPC network by using the RoCE network profile and no other matching rules.
To resolve this issue, understand that the implied firewall rule for a
RoCE network firewall policy is INGRESS ALLOW ALL. This rule
applies if no other rules match.
Cannot enable logging on implied deny rule
This issue occurs when you attempt to enable logging on the implied
DENY rule for a RoCE firewall policy.
To resolve this issue, create a separate DENY rule. Use the
--src-ip-range=0.0.0.0/0 and --enable-logging flags with this rule. You
cannot enable logging directly on the implied rule.
Firewall action logs include the following connection information:
ALLOWlogs are published once, at connection establishment, and provide 2-tuple (source IP address, destination IP address) information.DENYlogs provide 5-tuple information for the denied packet. These logs are repeated as long as traffic attempts continue, with a maximum rate of once every 5 seconds.
For more information about limits, see Per firewall rule.
What's next
- Cloud NGFW for the RoCE network profile
- Create and manage firewall rules for RoCE
- Network profiles overview