VMware Networking Community
m1xed0s (Enthusiast)

Do I really need to use the exclusion list on NSX when configuring DFW?

Say I prepared two clusters for both Firewall and VXLAN, one compute and one management. The management cluster contains my vCenter, ESG, DLR, NSX Controllers and NSX Manager.

When I configure DFW rules, I think the default setting is to apply the rule on all clusters on which the distributed firewall is installed. So does this mean I need to add my Controllers, ESG, DLR and NSX Manager VMs to the exclusion list to prevent firewall rules from being applied? I do not think the NSX-related VMs will have the rules applied, but I want to confirm here...

Also, even when I try to add them to the exclusion list, those VMs are not actually showing up in the list to be selected...

Or should I only prepare the compute cluster for firewall and VXLAN?

[Screenshot attached: Capture.JPG]

Accepted Solution

Sreec (VMware Employee)

NSX Manager and service virtual machines are automatically excluded from firewall protection. But you should exclude the vCenter Server, PSC, partner service virtual machines, etc. in the exclusion list.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist

5 Replies
m1xed0s (Enthusiast)

Cool. Assuming I have enough NSX licenses, is there any use case for preparing the management cluster in reality? I guess securing vSphere management?

Sreec (VMware Employee)

End-to-end security for all clusters is one way we approach the solution; however, based on the functionality/features required (for example, only micro-segmentation but not context-aware), we can opt for the NSX Data Center Standard license.

VMware Knowledge Base 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
bayupw (Leadership)

If you are going to deploy NSX Edge Services Gateway on the management cluster, you would need to prepare the cluster for NSX.

See this link: Add an Edge Services Gateway

Verify that the host clusters on which the NSX Edge appliance will be installed are prepared for NSX. See "Prepare Host Clusters for NSX" in the NSX Installation Guide.

As mentioned in other replies, some NSX components are excluded from DFW by default.

See this link, it also covers what VMs should be excluded from DFW: Exclude Virtual Machines from Firewall Protection

NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.

vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues.

It is important to add the vCenter Server to the exclusion list before changing the "any any" default rule from allow to block. Failure to do so will result in access to the vCenter Server being blocked after creating a Deny All rule (or modifying default rule to block action). If this occurs, roll back the DFW to the default firewall rule set by running the following API command: https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config. The request must return a status of 204. This restores the default policy (with a default rule of allow) for DFW and re-enables access to vCenter Server and the vSphere Web Client.

Partner service virtual machines.

Virtual machines that require promiscuous mode. If these virtual machines are protected by NSX distributed firewall, their performance may be adversely affected.

The SQL server that your Windows-based vCenter uses.

vCenter Web server, if you are running it separately.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
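The post above makes two operational points: vCenter (and the PSC, and the SQL server behind a Windows vCenter) must be on the exclusion list before the default rule is flipped to block, and the recovery path is the reset call that must return HTTP 204. Below is an added pre-flight check, not code from the thread or from VMware. It parses the exclusion list as returned by the NSX-v API (`GET /api/2.1/app/excludelist`), reports which required management VMs are still missing, and builds the `PUT /api/2.1/app/excludelist/{vm-moid}` requests needed to add them, plus the `DELETE /api/4.0/firewall/globalroot-0/config` reset request. The XML sample, the VM names and the MoIDs are constructed for illustration; the element names follow the NSX-v 6.x API reference as I remember it and should be checked against your version.

```python
"""Pre-flight check before switching the NSX-v DFW default rule to block.

Added example (not from the thread or from VMware). Assumptions:
  - GET  /api/2.1/app/excludelist            lists excluded VMs (XML below)
  - PUT  /api/2.1/app/excludelist/{moid}     adds a VM to the list
  - DELETE /api/4.0/firewall/globalroot-0/config resets DFW to the default
    (allow) ruleset and is only confirmed by HTTP 204.
No network calls are made; the functions produce and check requests.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a GET /api/2.1/app/excludelist response; not captured
# from a live NSX Manager. Only the PSC and a partner SVM are excluded so far.
SAMPLE_EXCLUDE_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember>
      <member>
        <objectId>vm-101</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>psc01</name>
      </member>
    </excludeMember>
    <excludeMember>
      <member>
        <objectId>vm-102</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>nsx-partner-svm-01</name>
      </member>
    </excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>
"""

# Management VMs the thread says must be excluded before the default rule is
# changed to block. Names and MoIDs are hypothetical. NSX Manager, Controllers
# and Edges are excluded automatically, so they are deliberately not listed.
REQUIRED_EXCLUSIONS = {
    "vcsa01": "vm-100",      # vCenter Server
    "psc01": "vm-101",       # Platform Services Controller
    "vcdb-sql01": "vm-103",  # SQL server backing a Windows-based vCenter
}


def parse_exclude_list(xml_text):
    """Return {vm name: moid} for every VirtualMachine member on the list."""
    root = ET.fromstring(xml_text)
    members = {}
    for member in root.iter("member"):
        if member.findtext("objectTypeName") == "VirtualMachine":
            members[member.findtext("name")] = member.findtext("objectId")
    return members


def missing_exclusions(xml_text, required=REQUIRED_EXCLUSIONS):
    """Names from `required` not yet excluded; empty means safe to flip."""
    excluded = parse_exclude_list(xml_text)
    return sorted(name for name in required if name not in excluded)


def add_exclusion_request(nsx_manager, moid):
    """(method, url) that adds one VM to the exclusion list."""
    return ("PUT", f"https://{nsx_manager}/api/2.1/app/excludelist/{moid}")


def reset_dfw_request(nsx_manager):
    """(method, url) that restores the default DFW ruleset (rollback)."""
    return ("DELETE", f"https://{nsx_manager}/api/4.0/firewall/globalroot-0/config")


def reset_succeeded(status_code):
    """Only 204 confirms the reset; anything else means the default rule may
    still be block and vCenter may still be unreachable."""
    return status_code == 204


def plan(nsx_manager, xml_text, required=REQUIRED_EXCLUSIONS):
    """Requests to issue before changing the default rule; [] means ready."""
    return [add_exclusion_request(nsx_manager, required[name])
            for name in missing_exclusions(xml_text, required)]


if __name__ == "__main__":
    for method, url in plan("nsxmgr.example.internal", SAMPLE_EXCLUDE_LIST):
        print(method, url)
```

Run the planned PUTs with any HTTP client using the NSX Manager admin credentials, re-fetch the exclusion list until `missing_exclusions` returns an empty list, and only then change the default rule. Keep `reset_dfw_request` at hand: if vCenter becomes unreachable after the change, issuing that DELETE and checking the response with `reset_succeeded` is the rollback the post describes.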
m1xed0s (Enthusiast)

Thanks, good information
