VMware Networking Community
Vivosik
Contributor

Unlock lockdown after blocking all L2 traffic in Firewall

I was playing with settings in NSX Manager through vCenter and successfully locked the whole infrastructure. I have 10 VMs including an Active Directory Domain Controller, vCenter, NSX Controller and NSX Manager on a single host. All the VMs are connected to a vDS. The last thing I did was going into the Firewall menu (between NSX Edges and SpoofGuard in the left pane), clicking the Ethernet button and then enabling a rule inside it.

As a result I have no connection to the VMs from outside, and the VMs don't see each other from inside either. I only have access to the host's management kernel adapter/port and the vDS (vSwitch) adapter/port. I can also ping NSX Manager.

By using the vSphere Client and connecting to the host, I can open a console on NSX Manager and ping the NSX Controller. So NSX Manager has connectivity with the controller and the host. But how do I disable the firewall? The NSX CLI commands are useless: they are only "show" commands, so I cannot control anything from the NSX CLI.


Accepted Solutions
jorge_luis_hern
Enthusiast

Hi,

I think you cannot access your vSphere Web Client, so you can send a "DELETE" request to "https://<your NSX Manager's IP address>/api/4.0/firewall/globalroot-0/config" (don't forget to supply the appropriate login credentials). You should get the "204" result code back. This will reset the DFW rule set to its default.

More info: NSX for vSphere: recovering from Distributed Firewall vCenter lock-out | Telecom Occasionally

Jorge Hernández

VCP5-VCP, VCP6-DCV, VCAP5-DCA/DCV, VCIX-NV, VCI

3 Replies
Vivosik
Contributor

Thanks! I'm sure the API would help as well, but I did this (fine for a test lab): removed the vDS - didn't help; removed the VIBs related to NSX - helped immediately :)


jorge_luis_hern
Enthusiast

Removing the VIBs related to NSX helps because you remove the kernel module (esx-vsip) that is responsible for the DFW on the ESXi side, but this solution has the inconvenience that you need to prepare your host again.

It is good practice to put NSX Manager and vCenter in the exclusion list of the DFW. ;)

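A worked version of the two API calls this thread ends up recommending, the "DELETE .../api/4.0/firewall/globalroot-0/config" reset from the accepted answer and the exclusion-list change from the last reply, as an added example that is not from the original posts or from VMware. Everything beyond what the thread states is an assumption: the manager address 192.0.2.10, the admin/secret credentials, the vm-42 MoRef, the cafile path, and the exclusion-list endpoint PUT /api/2.1/app/excludelist/{memberMoref}, which is taken from the NSX-v API guide as recalled and should be checked against the guide for your NSX version together with its success code. Two practical caveats: the DELETE wipes every DFW section and rule, not only the Ethernet rule that caused the lock-out, so export the rule set afterwards before rebuilding it; and the request carries the enterprise-admin password in a Basic Authorization header, so supply the Manager's (usually self-signed) certificate via cafile rather than switching TLS verification off.

```python
"""NSX-v DFW lock-out recovery over the NSX Manager REST API (added example).

Assumptions not found in the thread: the NSX Manager answers HTTPS at the
given address, the account has enterprise-admin rights, and the vCenter MoRefs
of the VMs to exclude are known. The exclusion-list endpoint is recalled from
the NSX-v API guide and must be verified for your NSX version.
"""
import base64
import ssl
import urllib.error
import urllib.request

# Endpoint quoted in the accepted answer: DELETE resets the DFW rule set (expect 204).
DFW_CONFIG_PATH = "/api/4.0/firewall/globalroot-0/config"
# Assumed from the NSX-v API guide: PUT /api/2.1/app/excludelist/{memberMoref}.
EXCLUDE_LIST_PATH = "/api/2.1/app/excludelist/"


def basic_auth_header(user, password):
    """NSX Manager accepts HTTP Basic auth; send it only over verified TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def build_request(manager, path, method, user, password):
    """Build an authenticated, body-less request to the NSX Manager."""
    req = urllib.request.Request(f"https://{manager}{path}", method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/xml")
    return req


class _FixedResponse:
    """Minimal stand-in for the response object urllib hands back."""

    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class DryRunOpener:
    """Offline opener: records what would be sent and answers a fixed status."""

    def __init__(self, status):
        self.status = status
        self.seen = []

    def open(self, req, timeout=None):
        self.seen.append((req.get_method(), req.full_url))
        return _FixedResponse(self.status)


def send(req, cafile=None, opener=None):
    """Send the request and return the HTTP status code.

    The Manager certificate is usually self-signed: pass it (or its CA) as
    cafile instead of disabling verification, because the Authorization
    header carries the admin password.
    """
    if opener is None:
        ctx = ssl.create_default_context(cafile=cafile)
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 bad credentials, 403 role lacks DFW rights


def reset_dfw(manager, user, password, cafile=None, opener=None):
    """Wipe every DFW section and rule (L2 ones included) back to the default set."""
    req = build_request(manager, DFW_CONFIG_PATH, "DELETE", user, password)
    return send(req, cafile, opener) == 204


def exclude_vm(manager, user, password, moref, cafile=None, opener=None):
    """Put a VM (vCenter MoRef such as vm-42) on the DFW exclusion list."""
    req = build_request(manager, EXCLUDE_LIST_PATH + moref, "PUT", user, password)
    return send(req, cafile, opener) == 200  # assumed success code; check the API guide


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 4:
        sys.exit("usage: nsx_dfw_recover.py <manager> <user> <password> [vm-moref ...]")
    manager, user, password = sys.argv[1:4]  # assumed: 192.0.2.10 admin secret
    print("DFW reset:", reset_dfw(manager, user, password))
    for moref in sys.argv[4:]:  # assumed: the vCenter and NSX Manager VM MoRefs
        print("excluded", moref, exclude_vm(manager, user, password, moref))
```

Run it first with DryRunOpener to confirm the exact method and URL that will be sent, then against the real Manager; a 401 means the credentials were rejected before any change was made, and anything other than 204 on the DELETE means the rule set is still in place.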