Troubleshoot Cloud NGFW policies for RoCE network profiles

This page describes how to troubleshoot common issues that you might encounter when setting up Cloud Next Generation Firewall policies for Virtual Private Cloud (VPC) networks that use the remote direct memory access (RDMA) over Converged Ethernet (RoCE) network profile.

Default policy allows all connections

This issue occurs when you don't associate any firewall policy with a VPC network that uses the RoCE network profile.

To resolve this issue, define a firewall policy for your VPC network with the RoCE network profile. If you don't define a policy, all virtual machine (VM) instances in the same VPC network connect to one another by default. For more information, see Create a network with the RDMA network profile.

Implied firewall rule allows ingress traffic

This issue occurs when a RoCE firewall policy is attached to a VPC network that uses the RoCE network profile and no other rule in the policy matches the traffic.

To resolve this issue, note that the implied firewall rule for a RoCE network firewall policy is INGRESS ALLOW ALL. This rule applies only when no other rule matches.

Cannot enable logging on implied deny rule

This issue occurs when you attempt to enable logging on the implied DENY rule for a RoCE firewall policy.

To resolve this issue, create a separate DENY rule. Use the --src-ip-range=0.0.0.0/0 and --enable-logging flags with this rule. You cannot enable logging directly on the implied rule. Firewall action logs include the following connection information:

  • ALLOW logs are published once, at connection establishment, and provide 2-tuple (source IP address, destination IP address) information.
  • DENY logs provide 5-tuple information for the denied packet. These logs are repeated as long as traffic attempts continue, with a maximum rate of once every 5 seconds.

For more information about limits, see Per firewall rule.
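The two log shapes described above (ALLOW entries logged once with a 2-tuple, DENY entries logged as a 5-tuple and repeated at most once every 5 seconds while attempts continue) affect how you read the logs that the separate DENY rule emits. The following added example, which is not part of the Google Cloud documentation, summarises such entries. It assumes the entry layout used by VPC firewall rules logging (`jsonPayload.disposition` of `ALLOWED` or `DENIED`, `jsonPayload.connection` with `src_ip`, `dest_ip` and, for denies, `src_port`, `dest_port`, `protocol`); the log lines it reads are constructed sample data, and the function names are the example's own.

```python
"""Summarise Cloud NGFW firewall action logs from a RoCE network.

Added example, not from the Google Cloud documentation. Assumes the
VPC-firewall-logging entry shape (jsonPayload.disposition,
jsonPayload.connection.{src_ip,dest_ip,src_port,dest_port,protocol});
all sample lines below are constructed, not captured logs.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample entries: one ALLOWED connection (2-tuple, logged once
# at establishment) and DENIED 5-tuples, one of which repeats every 5 s
# because the peer keeps retrying. Port 4791/UDP is used as a RoCEv2-style
# destination purely as sample data.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2025-01-01T00:00:00Z", "jsonPayload": {
        "disposition": "ALLOWED",
        "connection": {"src_ip": "10.0.0.2", "dest_ip": "10.0.0.3"}}}),
    json.dumps({"timestamp": "2025-01-01T00:00:10Z", "jsonPayload": {
        "disposition": "DENIED",
        "connection": {"src_ip": "10.0.0.9", "src_port": 40000,
                       "dest_ip": "10.0.0.3", "dest_port": 4791, "protocol": 17}}}),
    json.dumps({"timestamp": "2025-01-01T00:00:12Z", "jsonPayload": {
        "disposition": "DENIED",
        "connection": {"src_ip": "10.0.0.9", "src_port": 40001,
                       "dest_ip": "10.0.0.4", "dest_port": 4791, "protocol": 17}}}),
    json.dumps({"timestamp": "2025-01-01T00:00:15Z", "jsonPayload": {
        "disposition": "DENIED",
        "connection": {"src_ip": "10.0.0.9", "src_port": 40000,
                       "dest_ip": "10.0.0.3", "dest_port": 4791, "protocol": 17}}}),
    json.dumps({"timestamp": "2025-01-01T00:00:20Z", "jsonPayload": {
        "disposition": "DENIED",
        "connection": {"src_ip": "10.0.0.9", "src_port": 40000,
                       "dest_ip": "10.0.0.3", "dest_port": 4791, "protocol": 17}}}),
]


def parse_log_line(line):
    """Extract timestamp, disposition and connection fields from one JSON entry."""
    entry = json.loads(line)
    payload = entry["jsonPayload"]
    conn = payload["connection"]
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return {
        "ts": ts,
        "disposition": payload["disposition"],
        "src_ip": conn["src_ip"],
        "dest_ip": conn["dest_ip"],
        # ALLOW entries carry only the 2-tuple, so these may be absent.
        "src_port": conn.get("src_port"),
        "dest_port": conn.get("dest_port"),
        "protocol": conn.get("protocol"),
    }


def summarize(lines):
    """Group ALLOW entries by 2-tuple and DENY entries by 5-tuple.

    For each denied 5-tuple, record how many entries were logged, the first
    and last timestamp, and the smallest gap between consecutive entries
    (never below 5 s if the logging rate cap is in effect).
    """
    allowed = set()
    denied = defaultdict(lambda: {"count": 0, "first": None,
                                  "last": None, "min_interval": None})
    records = sorted((parse_log_line(l) for l in lines), key=lambda r: r["ts"])
    for rec in records:
        if rec["disposition"] == "ALLOWED":
            allowed.add((rec["src_ip"], rec["dest_ip"]))
            continue
        if rec["disposition"] != "DENIED":
            continue
        key = (rec["src_ip"], rec["src_port"],
               rec["dest_ip"], rec["dest_port"], rec["protocol"])
        d = denied[key]
        if d["first"] is None:
            d["first"] = rec["ts"]
        else:
            gap = (rec["ts"] - d["last"]).total_seconds()
            d["min_interval"] = gap if d["min_interval"] is None else min(d["min_interval"], gap)
        d["last"] = rec["ts"]
        d["count"] += 1
    return {"allowed": allowed, "denied": dict(denied)}


def persistent_denies(summary, min_count=3):
    """5-tuples denied at least min_count times: a peer still retrying a
    blocked RoCE connection. Because DENY logging is capped at one entry per
    5 s, the count is a lower bound on the real number of attempts."""
    return sorted((k for k, d in summary["denied"].items()
                   if d["count"] >= min_count), key=str)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG_LINES)
    print("allowed 2-tuples:", s["allowed"])
    for k, d in s["denied"].items():
        print("denied", k, "count", d["count"], "min gap", d["min_interval"])
    print("persistent:", persistent_denies(s))
```

Feed the script real entries exported from Cloud Logging (one JSON object per line) in place of the constructed list; the `min_interval` value lets you confirm that repeated denies for one 5-tuple are being throttled to the documented cadence rather than logged per packet.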

What's next