DFW failsafe mode in NSX

yetanothertechi · ‎09-26-2016

We are planning an infrastructure upgrade so I planned to change failsafe mode in vShield to Allow in case the connection dropped between vShield Manager and the appliances. However, an upgrade to NSX has occurred but I can't see anything about an equivalent to failsafe mode in NSX.

Is there such a thing?

Thanks,

cnrz · ‎09-26-2016

If the NSX Manager-Vsfwd connection is los, NSX dFW continues to function with latest rule tabl. NSX manager updates the dFW to the latest version when the connection occurs again. In failsafe mode, is it required to use default deny any or permit any when there is a problem with the dFW?

Similar feature is that dFW operates in fail-closed mode (does not allow connections) if the ESXi host CPU utilization reaches %100 since it can't check the packet against the rule table.