📌 Overview

Broadcom has officially released VMware NSX 4.2.3, now generally available. This update brings key enhancements across edge networking, vDefend firewall capabilities, diagnostics, lifecycle tooling, and certificate automation.

✨ What’s New in NSX 4.2.3

Focus Areas: Edge Platform, VMware vDefend, System Platform & Operations, Lifecycle Management, Certificate Management

Edge Platform

• Added log warning: users are notified that redeploying an Edge node will erase all associated logs—support bundles are advised beforehand.
• Root shell command history now preserved in a separate file to improve troubleshooting clarity.

VMware vDefend (Firewall & IDS/IPS)

• Full support for ICMPv4/ICMPv6 types and codes, plus all IP protocols, across Distributed and Gateway Firewall via UI and API.
• Gateway Firewall now supports dropping packets based on IP Options: loose/strict source routing, IPv4 record-route, and IPv6 Routing Header (Type 43) rules via API.
• New Turbo Mode compatibility check scripts are available in NSX Manager UI, providing cluster/host version info, bootbank size, and SCRX status, exportable as CSV.
• Alarm for network over‑subscription in ESXi hosts using Turbo Mode Distributed IDS/IPS.

System Platform & Operations

• dp_support.py tool introduced for offline ESXi net-stats analysis, generating Datapath.json summaries. Requires Python 3.10+, supports custom log levels and flags.

Lifecycle Management

• Enhanced Upgrade Readiness Assessment runs pre-upgrade checks faster and focused on selected hosts only.
• New pre-check verifies that no transport node SSL certificates are expired or expiring within 90 days prior to upgrade; triggers Certificate Analyzer (CARR) script if needed.

Certificate Management

• CARR script v1.17 released—recommended use before upgrading NSX Manager to proactively manage TN certificates expiring within 90 days.
• Removed 24‑hour grace period for revoked TN certificates—connections close immediately if CRL validation fails.

🛠️ Resolved Issues

NSX 4.2.3 addresses a wide range of bugs affecting visibility, upgrade stability, security posture, and platform operations. Fixes include UI display inaccuracies, IDS/IPS coverage delays, load balancer and VPN failures, certificate pre-check issues, high memory usage, and several upgrade and migration blockers. For the complete list of resolved issues, see the NSX 4.2.3 release notes.

⚠️ Known Issues

NSX 4.2.3 includes a number of known issues impacting IDS/IPS visibility, firewall rule behavior, proxy configurations, BGP sessions, and upgrade workflows. Some features like Turbo IDPS, security feed updates, and Traceflow may not behave as expected under certain conditions. Workarounds are available for several of these issues, and administrators are encouraged to review the full list of known issues in the release notes before upgrading.

✅ Action Items

• Review release notes and docs for NSX 4.2.3.
• Prepare support bundles and understand data-loss risk when redeploying Edge nodes.
• Validate firewall configurations and enable enhanced TCP/ICMP filtering where needed.
• Run the dp_support.py diagnostic tool as part of routine triage.
• Use the Upgrade Readiness Assessment and pre-checks to confirm transport node certificates are healthy.
• Execute CARR v1.17 script proactively and replace expiring certificates.

🔍 Why NSX 4.2.3 Matters

This release strengthens operational insight, improves firewall control, accelerates upgrade processes, and enforces stronger certificate security. It’s especially relevant for teams managing IDPS rules, custom routing policies, and large NSX edge infrastructures.