VMware Networking Community
JJBN
Enthusiast

Remove ESGs from the DFW Exclusion List

Hi,

ESGs are automatically assigned to the DFW Exclusion List. Is it possible to remove ESGs from the DFW Exclusion List?

We have checked via rest API, but ESGs are not in the Exclusion List. We have a huge number of FW policies on the ESGs that we want to use them only on the DFW and use the ESG as a regular transit VM (like we do for example with F5 VE, where the F5 works as a LB and the DFW as the firewall). With this we will reduce the resource usage of the ESGs.

Is it possible?

Thanks!

JJBN

cnrz
Expert

The exclusion list on the DFW includes the source IP of the packets; the ESG vNIC interfaces have no DFW in front of them, and by default they should be excluded. If the firewall service on the ESG is disabled, it becomes a router (some services such as NAT depend on the ESG FW, so it may be important for other services). The same could be achieved with a permit any any rule.

Since they are inherently on the exclusion list, there is no need to explicitly add ESG interfaces to the Exclusion list.

These links could be helpful:

https://vcrooky.com/2017/07/exclude-vm-nsx-dfw-protection/

If you deploy your NSX Manager into a cluster managed by Distributed Firewall (DFW) it will automatically be excluded from the DFW. NSX Controllers are also automatically excluded from the DFW as well as any Edge Service Gateways (ESG) and DLR Control VMs.

NSX Edge and L2 (MAC-Set) Rule not working

JJBN
Enthusiast

Hi Canero,

Thanks for the answer. What we want is exactly the opposite, we want to exclude the ESGs from the Exclusion List. We want the ESG vNIC to have DFW rules applied.

Is this possible?

Thanks.

JJBN
