An edge firewall rule becomes invalid when a grouping object, service, or service group that the rule references is deleted. A firewall table that contains an invalid rule cannot be published until the rule is repaired.

Consider that you have created an edge firewall rule that uses an IP set object in the destination of the rule, as shown in the following figure.


Figure Shows an Edge Firewall Rule That Uses an IP Set Object in the Destination Column of the Rule.

In the following procedure, you force delete the FW-IPSet object on the edge and then return to the firewall table to observe that NSX Edge detects the invalid rule. You then repair the rule, mark it as valid, and republish it.

Procedure

  1. Force delete the IP set object on the edge.
    1. Log in to the vSphere Web Client.
    2. Click Networking & Security > NSX Edges.
    3. Double-click the edge, and navigate to Manage > Grouping Objects.
    4. Click the IP Sets tab, and then select the FW-IPSet object.
    5. Click the Delete icon, and then select the Proceed to force delete check box.
       Force delete removes the object even though a firewall rule still references it; that dangling reference is what makes the rule invalid.
  2. Click the Firewall tab to return to the edge firewall table.
  3. Observe that NSX displays an error message above the firewall table.

    Figure: Error message showing the position of the invalid object in the firewall rule.
    NSX Edge detects that the destination of the firewall rule at position 4 is invalid, and therefore the rule becomes invalid. The empty object in the Destination column of the rule is enclosed in a red box, as shown in the following figure.

    Figure: Empty object in the firewall rule enclosed in a red box.
  4. (Required) Remove the empty object.
    6.4.6 and later: Point to the empty sys-gen-empty-ipset-edge-fw object, click the three-dots icon, and then select Remove.
    6.4.5 and earlier: Point to the empty sys-gen-empty-ipset-edge-fw object and click the Delete icon.
  5. (Optional) Edit the rule destination to make the rule configuration valid.
    6.4.6 and later:
    1. Point to the Destination column of the rule, click the three-dots icon, and then select Edit Rule Destination.
    2. Add objects or IP addresses, as necessary.
    6.4.5 and earlier:
    1. Point to the Destination column of the rule, click the Edit icon.
    2. Add objects or IP addresses, as necessary.
    This step is optional only in the sense that the rule can be published without it. After the empty object is removed, the Destination column of this rule is empty, and an empty column in the edge firewall matches any address. For an Accept rule that was scoped to the deleted IP set, skipping this step publishes an allow-to-anywhere rule, so add the replacement objects before marking the rule as valid.
  6. (6.4.6 and later only) Click the Mark the rule as valid link in the error message.
    NSX Edge displays the following warning message:
    This action will mark rule as valid.
    Please ensure that all elements in the rule are valid objects before performing this action.
    Do you want to continue?
    • To mark the rule as valid, click Yes. The error message is removed.
    • To close the warning and return to the firewall table to verify and edit the rule destination, click No.
    Note: In NSX 6.4.5 and earlier, the error message above the firewall table does not include the Mark the rule as valid link. After you remove the empty object and, optionally, edit the rule destination, NSX Edge removes the error message when it detects that the rule configuration is valid again.
  7. Click Publish Changes for the rule changes to take effect.
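The same check can be run outside the UI before publishing. The following Python script is an added example, not code from this page or from NSX. It works over constructed XML snippets whose shape is modeled on the NSX Data Center for vSphere edge firewall rule and IP set XML (groupingObjectId and ipAddress children under source and destination); the object ids, rule names, and the assumption that FW-IPSet had the id ipset-2 are mine. It finds rules that reference a grouping object that no longer exists and reports the row position the way the UI error message does, and when it mimics the Remove step it warns about any Accept rule that is left with an empty source or destination, which the edge firewall treats as any.

```python
"""Offline pre-publish check for edge firewall rules that reference
grouping objects that no longer exist (added example, not NSX code)."""
import xml.etree.ElementTree as ET

# Columns of a rule that can hold grouping objects or addresses.
COLUMNS = ("source", "destination")
# Child elements that carry an address-like entry in those columns
# (shape assumed from the NSX-v edge firewall rule XML).
ADDRESS_TAGS = ("groupingObjectId", "ipAddress", "vnicGroupId")

# Constructed sample: IP sets that still exist on the edge after the
# FW-IPSet object (assumed here to have had the id ipset-2) was force-deleted.
IPSETS_XML = """<list>
  <ipset><objectId>ipset-1</objectId><name>Web-Servers</name></ipset>
  <ipset><objectId>ipset-3</objectId><name>DB-Servers</name></ipset>
</list>"""

# Constructed sample rule table. Row 4 still references the deleted ipset-2.
RULES_XML = """<firewallRules>
  <firewallRule><id>131073</id><name>Allow-Web</name><action>accept</action>
    <destination><groupingObjectId>ipset-1</groupingObjectId></destination>
  </firewallRule>
  <firewallRule><id>131074</id><name>Allow-DB</name><action>accept</action>
    <source><groupingObjectId>ipset-1</groupingObjectId></source>
    <destination><groupingObjectId>ipset-3</groupingObjectId></destination>
  </firewallRule>
  <firewallRule><id>131075</id><name>Allow-Mgmt</name><action>accept</action>
    <destination><ipAddress>10.0.0.5</ipAddress></destination>
  </firewallRule>
  <firewallRule><id>131076</id><name>Allow-App</name><action>accept</action>
    <destination><groupingObjectId>ipset-2</groupingObjectId></destination>
  </firewallRule>
  <firewallRule><id>131077</id><name>Default-Deny</name><action>deny</action>
  </firewallRule>
</firewallRules>"""


def live_object_ids(ipsets_xml):
    """Return the objectIds of the IP sets that still exist on the edge."""
    root = ET.fromstring(ipsets_xml)
    return {e.text.strip() for e in root.iter("objectId") if e.text}


def find_invalid_rules(rules_xml, ipsets_xml):
    """List (position, rule name, column, missing object id) for every
    reference to a grouping object that no longer resolves. Position is the
    1-based row in the table, which is how the NSX error message names the rule."""
    live = live_object_ids(ipsets_xml)
    findings = []
    rules = ET.fromstring(rules_xml).findall("firewallRule")
    for pos, rule in enumerate(rules, start=1):
        name = rule.findtext("name", default="")
        for col in COLUMNS:
            node = rule.find(col)
            if node is None:
                continue
            for ref in node.findall("groupingObjectId"):
                if ref.text not in live:
                    findings.append((pos, name, col, ref.text))
    return findings


def remove_dangling_refs(rules_xml, ipsets_xml):
    """Mimic the Remove step: drop every groupingObjectId that no longer
    resolves. Returns the cleaned XML and a list of warnings for accept rules
    whose source or destination is left with no entries at all. An empty
    column in the edge firewall matches any address, so such a rule would be
    published as an allow-to-anywhere rule if marked valid as is."""
    live = live_object_ids(ipsets_xml)
    root = ET.fromstring(rules_xml)
    warnings = []
    for pos, rule in enumerate(root.findall("firewallRule"), start=1):
        for col in COLUMNS:
            node = rule.find(col)
            if node is None:
                continue
            dangling = [r for r in node.findall("groupingObjectId")
                        if r.text not in live]
            for r in dangling:
                node.remove(r)
            remaining = sum(1 for c in node if c.tag in ADDRESS_TAGS)
            if dangling and remaining == 0 and rule.findtext("action") == "accept":
                warnings.append(
                    f"rule {pos} ({rule.findtext('name')}): {col} is now empty "
                    f"(any); add objects before marking the rule as valid")
    return ET.tostring(root, encoding="unicode"), warnings


if __name__ == "__main__":
    for pos, name, col, obj in find_invalid_rules(RULES_XML, IPSETS_XML):
        print(f"invalid rule at position {pos} ({name}): {col} references missing {obj}")
    cleaned, warns = remove_dangling_refs(RULES_XML, IPSETS_XML)
    for w in warns:
        print("warning:", w)
```

On the constructed input the script reports row 4 (Allow-App) as referencing the missing ipset-2, and after the simulated Remove it warns that the destination of that Accept rule is now empty; that warning is the condition step 5 above exists to prevent. Against a live edge you would feed it the rule table and IP set list exported from the edge instead of the embedded samples.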