DFW rules can be created, updated, and deleted using both the UI and API.

Security administrators need to find out the realization time of any security policy operation. The realization time is the time taken for the security policy/rule to be realized on the transport nodes. Any create/update/delete operation on the security policy/rule will get realized on the transport nodes based on where the rules are applied.

Rule Realization Status on UI

You can see the rule realization status for DFW and Gateway firewall policies by navigating to Security > Distributed Firewall or Security > Gateway Firewall and checking the rule realization status reported by the transport nodes.

There are four possible values for the rule realization status:
  • Success
  • Error
  • In Progress
  • Unknown

Rule Realization Status Through APIs

If the rule was created and enforced on the relevant nodes, the realization status can be checked using the following Policy Manager APIs.

In NSX 4.1.1, there are two new fields:
  • publish_time - Keeps track of when the publish status was updated. Whenever an intent is updated, the status tracker modifies the publish status once it has been pushed down to the transport nodes. Because this is based on a poll mechanism, it is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time.
  • time_taken_for_realization - Approximate time taken for the realization of the intent to the data path. The actual time taken could be less than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization.
For example:
    "publish_status": "REALIZED",
    "publish_time": 1668599137109,          <== newly added in NSX 4.1.1
    "time_taken_for_realization": 1563,     <== newly added in NSX 4.1.1, in milliseconds
    "intent_version": "1"

To check the realization status of all the entities created in Policy Manager, run: GET https://<Policy Appliance IP>/policy/api/v1/infra/realized-state/realized-entities. The realized state of the object should be "REALIZED" and "runtime_status" should be "SUCCESS".

For example, the query to check the realized state of rule <e2d4c010-96c8-11e9-8c0a-f7581ab92530> of a security policy at the Policy Manager level is GET https://10.172.121.219/policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/domains/default/security-policies/f96f27c0-92b8-11e9-96af-b5e746a259e7/rules/e2d4c010-96c8-11e9-8c0a-f7581ab92530.

{
    "results": [
        {
            "extended_attributes": [],
            "entity_type": "RealizedFirewallRule",
            "intent_paths": [
                "/infra/domains/default/security-policies/1-communication-560"
            ],
            "resource_type": "GenericPolicyRealizedResource",
            "id": "default.1-communication-560.3-communication-110",
            "display_name": "default.1-communication-560.3-communication-110",
            "description": "default.1-communication-560.3-communication-110",
            "path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560/firewall-rules/default.1-communication-560.3-communication-110",
            "relative_path": "default.1-communication-560.3-communication-110",
            "parent_path": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.1-communication-560",
            "intent_reference": [],
            "realization_specific_identifier": "1028",
            "state": "REALIZED",
            "alarms": [],
            "runtime_status": "IN_PROGRESS",
            "_create_user": "system",
            "_create_time": 1561673625030,
            "_last_modified_user": "system",
            "_last_modified_time": 1561674044534,
            "_system_owned": false,
            "_protection": "NOT_PROTECTED",
            "_revision": 6
        }
    ],
    "result_count": 1
}

To check the overall realized status of a section, and of every rule in that section, on the hypervisors, run: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?include_enforced_status=true&intent_path=<Security_policy_path>.

There are four possible values for the consolidated status:
  • Success
  • Error
  • In Progress
  • Unknown
Table 1. Consolidated Status

Transport Node 1 Overall Status | Transport Node 2 Overall Status | Consolidated Status
--------------------------------|---------------------------------|--------------------
ERROR                           | ERROR                           | ERROR
ERROR                           | IN_PROGRESS                     | ERROR
ERROR                           | UNKNOWN                         | ERROR
IN_PROGRESS                     | IN_PROGRESS                     | IN_PROGRESS
IN_PROGRESS                     | UNKNOWN                         | IN_PROGRESS
SUCCESS                         | SUCCESS                         | SUCCESS
SUCCESS                         | ERROR                           | ERROR
SUCCESS                         | IN_PROGRESS                     | IN_PROGRESS
SUCCESS                         | UNKNOWN                         | UNKNOWN
UNKNOWN                         | UNKNOWN                         | UNKNOWN
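The following script is an added example, not part of this documentation or of NSX itself. It shows how an operator might post-process the realized-entities response above: it builds the query URL for one intent path, decides whether a rule is fully realized (state REALIZED and runtime_status SUCCESS), treats -1 in the NSX 4.1.1 timing fields as "pending or unknown", and derives the consolidated status from per-node statuses using the precedence that Table 1 encodes, generalised from two transport nodes to any number. The hostname and the sample response are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Precedence implied by Table 1: any ERROR wins, then IN_PROGRESS, then UNKNOWN;
# SUCCESS only when every transport node reports SUCCESS.
_PRECEDENCE = ("ERROR", "IN_PROGRESS", "UNKNOWN", "SUCCESS")

def consolidate(node_statuses):
    """Consolidated status for any number of transport nodes (Table 1 generalised)."""
    present = set(node_statuses)
    for status in _PRECEDENCE:
        if status in present:
            return status
    return "UNKNOWN"  # no node reported anything at all

def realized_entities_url(policy_mgr, intent_path):
    """Build the realized-entities query for one intent path; policy_mgr is a placeholder host."""
    query = urlencode({"intent_path": intent_path})
    return f"https://{policy_mgr}/policy/api/v1/infra/realized-state/realized-entities?{query}"

def summarize(entity):
    """Classify one realized entity. It is fully realized only when state is REALIZED
    and runtime_status is SUCCESS; a -1 in the 4.1.1 timing fields means the publish
    is still in progress or the runtime status is UNKNOWN, so no timing is available."""
    realized = entity.get("state") == "REALIZED" and entity.get("runtime_status") == "SUCCESS"
    publish_time = entity.get("publish_time", -1)
    taken_ms = entity.get("time_taken_for_realization", -1)
    return {
        "id": entity["id"],
        "fully_realized": realized,
        "timing_available": publish_time != -1 and taken_ms != -1,
        "time_taken_ms": taken_ms,
    }

# Constructed sample modelled on the response shown above (trimmed, not live data);
# runtime_status is still IN_PROGRESS, so the timing fields are -1.
SAMPLE_RESPONSE = json.loads("""{
  "results": [{
    "entity_type": "RealizedFirewallRule",
    "id": "default.1-communication-560.3-communication-110",
    "state": "REALIZED",
    "runtime_status": "IN_PROGRESS",
    "publish_status": "REALIZED",
    "publish_time": -1,
    "time_taken_for_realization": -1
  }],
  "result_count": 1
}""")

if __name__ == "__main__":
    for entity in SAMPLE_RESPONSE["results"]:
        print(summarize(entity))
    print(consolidate(["SUCCESS", "UNKNOWN", "SUCCESS"]))
```

Poll the URL from realized_entities_url() until summarize() reports fully_realized and timing_available before recording a realization time; a SUCCESS that follows a host outage still carries the previous publish_time until the next configuration change.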