This section lists the limitations of the various alerts.

Distributed Firewall Rule Masked by Preceding Rule Alert Limitations

This alert has the following limitations:

  • This alert is supported only for the NSX-V distributed firewall rules, NSX-T distributed and Edge firewall rules, and NSX-T on VMware Cloud on AWS firewall rules. Other firewall vendors are not supported.
  • The following firewall rule properties are currently supported for masking computation:
    • Source
    • Destination
    • Applied To
    • Service protocol and Port ranges
    • Packet type
    • Layer-7 application IDs
  • Rules with source or destination inversion are not supported.
  • Deactivated rules are ignored.
  • Rules whose Source, Destination, or Applied To contains security groups with excluded members, directly or indirectly, are not supported.
  • The masking computation for the Source, Destination, and Applied To properties is based on the static membership and IP range overlap of member IPSets. Dynamic membership of a security group is not considered for masking.
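
The following is an added illustration, not VMware's implementation, of a masking check limited to Source, Destination, Applied To, and service port ranges (packet type and Layer-7 application IDs are left out). It assumes a rule is masked when a single earlier active rule covers all of those properties; the IPSet names, rule names, and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network, collapse_addresses
# Constructed static IPSet membership; dynamic group members are not modelled.
IPSETS = {
    "web": ["10.0.1.0/25", "10.0.1.128/25"],
    "web-a": ["10.0.1.0/26"],
    "db": ["10.0.2.0/24"],
}
@dataclass
class Rule:
    name: str
    src: str               # IPSet name
    dst: str               # IPSet name
    applied_to: frozenset
    proto: str
    ports: tuple           # inclusive (low, high)
    enabled: bool = True
    negated: bool = False  # source or destination inversion

def nets(group):
    return list(collapse_addresses(ip_network(c) for c in IPSETS[group]))

def ip_covers(outer, inner):
    return all(any(n.subnet_of(o) for o in nets(outer)) for n in nets(inner))

def covers(a, b):
    """True when earlier rule a matches every packet that rule b matches."""
    return (ip_covers(a.src, b.src) and ip_covers(a.dst, b.dst)
            and a.applied_to >= b.applied_to and a.proto == b.proto
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def find_masked(rules):
    """Map each masked rule name to the first preceding rule that covers it."""
    masked, seen = {}, []
    for r in rules:
        if not r.enabled or r.negated:  # deactivated: ignored; inverted: unsupported
            continue
        hit = next((p.name for p in seen if covers(p, r)), None)
        if hit:
            masked[r.name] = hit
        seen.append(r)
    return masked

DFW = frozenset({"dfw"})
RULES = [  # constructed sample, evaluated top-down
    Rule("allow-web-db", "web", "db", DFW, "tcp", (3306, 3306)),
    Rule("off-web-db", "web", "db", DFW, "tcp", (1, 65535), enabled=False),
    Rule("deny-weba-db", "web-a", "db", DFW, "tcp", (3306, 3306)),
    Rule("deny-web-db-all", "web", "db", DFW, "tcp", (1, 65535)),
]
```

Here `find_masked(RULES)` reports only `deny-weba-db`: the deactivated rule masks nothing, and `deny-web-db-all` is only partially overlapped by the first rule, so it is not masked.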