Troubleshoot Cloud NGFW policies for RoCE network profiles
Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General
Service Terms section of the Service Specific Terms (/terms/service-terms#1).
Pre-GA features are available "as is" and might have limited support. For more
information, see the launch stage descriptions (/products#product-launch-stages).
This page describes how to troubleshoot common issues that you might encounter
when setting up Cloud Next Generation Firewall policies for
Virtual Private Cloud (VPC) networks with the remote direct
memory access (RDMA) over converged ethernet (RoCE) network profile.
Default policy allows all connections
This issue occurs when you don't associate any firewall policy with a
VPC network that uses the RoCE network profile.
To resolve this issue, define a firewall policy for your VPC network with the
RoCE network profile and associate it with the network. If you don't define a
policy, all virtual machine (VM) instances in the same VPC network can connect
to one another by default, so the network has no enforced segmentation until a
policy is attached. For more information, see
Create a network with the RDMA network profile
(/firewall/docs/create-manage-roce-vpcs#create_a_network_with_the_rdma_network_profile).
Implied firewall rule allows ingress traffic
This issue occurs when a RoCE firewall policy is attached to a
VPC network with the RoCE network profile and none of the policy's rules match
the traffic.
To resolve this issue, understand that the implied firewall rule for a
RoCE network firewall policy is INGRESS ALLOW ALL. This rule applies only when
no other rule matches, so attaching a policy does not by itself block anything.
To deny traffic that your allow rules don't cover, add an explicit DENY rule
with a lower priority (a higher priority number) than your allow rules.
Cannot enable logging on implied deny rule
This issue occurs when you attempt to enable logging on the implied
DENY rule for a RoCE firewall policy.
To resolve this issue, create an explicit DENY rule of your own and enable
logging on that rule: use the --src-ip-range=0.0.0.0/0 and --enable-logging
flags when you create it, and give it a lower priority (a higher priority
number) than your allow rules so that it catches only the traffic those rules
don't match. Logging cannot be enabled on the implied rule itself.
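The following script is an added example and is not part of the Cloud NGFW documentation. It composes the explicit, logged DENY rule described in this section and orders it behind an allow rule, so the implied INGRESS ALLOW ALL from the previous section is never reached for traffic you did not intend to allow. The policy name (roce-policy), the subnet range, the choice of a global network firewall policy, and the assumption that RoCE policy rules accept the same gcloud flags as regular network firewall policy rules are all assumptions, not facts from the page. Commands are printed by default and executed only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Cloud NGFW documentation. Builds a logged allow
# rule for the RoCE subnet and a logged catch-all deny behind it.
# Assumed (not on the page): policy name, global policy, subnet range, and that
# RoCE policy rules take the standard network-firewall-policy rule flags.
set -eu

POLICY="${POLICY:-roce-policy}"               # assumed policy name
ROCE_SUBNET="${ROCE_SUBNET:-10.200.0.0/24}"   # assumed RoCE subnet range
ALLOW_PRIORITY="${ALLOW_PRIORITY:-1000}"      # lower number = evaluated first
DENY_PRIORITY="${DENY_PRIORITY:-65000}"       # higher number = evaluated last

# Non-zero if the deny would shadow the allow: the deny must carry the larger number.
check_rule_order() {
    [ "$DENY_PRIORITY" -gt "$ALLOW_PRIORITY" ]
}

# Allow RoCE traffic between VMs inside the subnet; logged so ALLOW 2-tuples appear.
allow_rule_cmd() {
    printf 'gcloud compute network-firewall-policies rules create %s --firewall-policy=%s --global-firewall-policy --direction=INGRESS --action=allow --src-ip-range=%s --layer4-configs=all --enable-logging\n' \
        "$ALLOW_PRIORITY" "$POLICY" "$ROCE_SUBNET"
}

# Explicit catch-all deny with logging: the implied rule cannot be logged, this one can.
deny_rule_cmd() {
    printf 'gcloud compute network-firewall-policies rules create %s --firewall-policy=%s --global-firewall-policy --direction=INGRESS --action=deny --src-ip-range=0.0.0.0/0 --layer4-configs=all --enable-logging\n' \
        "$DENY_PRIORITY" "$POLICY"
}

# Print each command; execute it only when APPLY=1 is set in the environment.
run() {
    printf '%s\n' "$1"
    [ "${APPLY:-0}" = 1 ] && sh -c "$1"
    return 0
}

check_rule_order || { echo "DENY_PRIORITY must be greater than ALLOW_PRIORITY" >&2; exit 1; }
run "$(allow_rule_cmd)"
run "$(deny_rule_cmd)"
# Verify the resulting rule set; the deny rule should show enableLogging: true.
run "gcloud compute network-firewall-policies describe $POLICY --global"
```

Run it once without APPLY to review the commands, then with APPLY=1 to create the rules. The order check matters because an allow rule with a larger priority number than the deny would never be evaluated.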
Firewall action logs include the following connection information:
ALLOW logs are published once, at connection establishment, and provide
2-tuple (source IP address, destination IP address) information. An ALLOW
entry therefore carries no port or protocol, so it does not tell you which
service the connection was for.
DENY logs provide 5-tuple information for the denied packet. These logs
are repeated as long as traffic attempts continue, with a maximum rate of
once every 5 seconds, so the number of DENY entries is a lower bound on the
number of denied packets, not a packet count.
For more information about limits, see Per firewall rule
(/firewall/docs/quotas#per-firewall-rule).
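The following script is an added example, not part of the Cloud NGFW documentation, showing how a practitioner can consume the logs described above: it collapses the repeated DENY entries into one line per 5-tuple with a count and the time span they cover, and lists each ALLOW 2-tuple once. The column layout (epoch seconds, disposition, src_ip, dest_ip, src_port, dest_port, protocol) is an assumed CSV export of the jsonPayload.disposition and jsonPayload.connection.* fields; the log lines themselves are constructed, with empty port and protocol columns on the ALLOW entries because those are 2-tuple only.

```shell
#!/bin/sh
# Added example, not from the Cloud NGFW documentation: summarize firewall
# action logs so repeated DENY entries collapse to one line per 5-tuple.
# Assumed column order (a CSV export of the firewall log fields):
#   epoch_seconds,disposition,src_ip,dest_ip,src_port,dest_port,protocol
# The sample log below is constructed; RoCE v2 uses UDP port 4791.
set -eu

sample_log() {
    cat <<'EOF'
1700000000,ALLOWED,10.200.0.5,10.200.0.6,,,
1700000002,DENIED,10.200.0.5,10.200.0.9,4791,4791,udp
1700000007,DENIED,10.200.0.5,10.200.0.9,4791,4791,udp
1700000012,DENIED,10.200.0.5,10.200.0.9,4791,4791,udp
1700000003,DENIED,10.200.0.7,10.200.0.9,40000,22,tcp
1700000004,ALLOWED,10.200.0.8,10.200.0.6,,,
EOF
}

# Read CSV log lines on stdin. Print one line per denied 5-tuple with the number
# of entries and the time span they cover, and one line per allowed 2-tuple.
# DENY entries are emitted at most once every 5 seconds while attempts continue,
# so count is a lower bound on attempts and span (at least (count-1)*5 s) shows
# roughly how long the source kept trying, which a raw entry count does not.
summarize_firewall_log() {
    awk -F, '
    $2 == "DENIED" {
        key = $3 " " $4 " " $5 " " $6 " " $7
        n[key]++
        if (!(key in first) || $1 + 0 < first[key] + 0) first[key] = $1
        if (!(key in last)  || $1 + 0 > last[key] + 0)  last[key] = $1
    }
    $2 == "ALLOWED" {
        akey = $3 " " $4
        a[akey]++
    }
    END {
        for (k in n) printf "DENIED %s count=%d span=%ds\n", k, n[k], last[k] - first[k]
        for (k in a) printf "ALLOWED %s count=%d\n", k, a[k]
    }' | sort
}

sample_log | summarize_firewall_log
```

On the constructed input, the three DENY entries for 10.200.0.5 to 10.200.0.9 on UDP 4791 become one line with count=3 and span=10s, and each ALLOW source appears exactly once, matching the once-at-establishment behaviour described above.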
What's next
Cloud NGFW for the RoCE network profile (/firewall/docs/firewall-for-roce)
Create and manage firewall rules for RoCE (/firewall/docs/create-manage-roce-vpcs)
Network profiles overview (/firewall/docs/network-profiles)
Last updated 2025-08-29 UTC.