Consider a scenario where two policy domains exist, each consisting of multiple rules. As an admin you are not always certain of which VMs can end up getting membership of a group because VMs get associated to a group based on dynamic membership criteria, such as OS Name, Computer Name, User, Tagging.

Conflicts arise in the following scenarios:

  • A VM is part of two groups, where each group is protected by a different profile.
  • A partner service VM is associated with more than one service profile.
  • An unexpected rule ran on a guest VM, or when a rule does not run on a VM group.
  • Sequence number is not assigned to policy rules or domains.
Table 1. Resolve policy conflicts
Scenario Expected Endpoint Protection Flow Resolution

When a VM gets membership to multiple groups. And each group is protected by a different type of service profile.

Expected protection was not applied to the VM.

A VM group created with a membership criteria means that VMs are added to the group dynamically. In such a case, the same VM can be part of multiple groups. There is no way to pre-determine which group that VM is going to be part of because the membership criteria dynamically populates VM into the group.

Consider VM 1 is part of Group 1 and Group 2.

  • Rule 1: Group 1 (by OS name) is applied Gold (Service Profile) with Sequence Number 1
  • Rule 2: Group 2 (by tag) is applied Platinum with Sequence Number 10

Endpoint protection policy runs the Gold service profile on VM 1 but does not run Platinum service profile on VM1.

Change the Sequence Number of Rule 2 such that it runs before Rule 1.

  • On the NSX-T Policy Manager UI, drag the Rule 2 before Rule 1 on the rule list.

  • Using NSX-T Policy Manager API, manually add a higher sequence number for Rule 2.

When a rule associates the same service profile to protect two VM groups.

Endpoint protection does not run the rule on the second VM group.

Endpoint protection only runs the first service profile on the VM because the same service profile cannot be applied again to any other rule across policies or domain.

Consider VM 1 is part of Group 1 and Group 2.

Rule 1: Group 1 (by OS name) is applied Gold (service profile)

Rule 2: Group 2 (by tag) is applied Gold (service profile)

  • Add Group 2 to Rule 1. (Rule 1: Group 1, Group 2 is applied Profile 1)