VMware Networking Community
aaronkiki
Enthusiast

vCenter blocked by NSX 4.1 DFW

I plan to migrate my NSX-V to NSX 4.1, so I deployed NSX 4.1 in my lab for a test.

I have added some rules to permit access to the VMs for management, e.g. vCenter, NSX, etc. When I changed the default rule's action from Allow to Reject, all ESXi hosts showed "not responding" in the vCenter vSphere Client.

I can access vCenter, but vCenter cannot access the ESXi hosts because of the DFW default rule. I forgot to add a rule for the VMs' outbound traffic, and the DFW didn't add vCenter to the exclusion list by default.

I've tried KB 2079620, but it's for NSX-V. There is no API at https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config, and no API with similar functionality was found in NSX 4.1.

I have changed the NSX DFW default rule's action back to Allow, but it cannot be published to the ESXi hosts; all hosts show the status Degraded. Does anyone know how to disable the DFW rule and change the rule for the VM on the ESXi host, so that vCenter can work normally?

0 Kudos
4 Replies
CyberNils
Hot Shot

Try this:

  1. SSH to the ESXi host where vCenter is running.
  2. Run summarize-dvfilter to get the filter name starting with nic-.
  3. Run vsipioctl getrules -f filter-name to get the rule set. You want the one without _L2.
  4. Run vsipioctl vsipfwcli -Override -f filter-name -c "create ruleset ruleset-name;" to clear the ruleset.


Nils Kristiansen
https://cybernils.net/
0 Kudos
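The four steps above put together, as an added shell example that is not part of CyberNils' reply or of any VMware tool. Run on the ESXi host over SSH, it parses summarize-dvfilter output to find the vmware-sfw filter of a named VM, parses vsipioctl getrules to pick the L3 ruleset (the one without the _L2 suffix), and prints the step-4 override command; it only executes that command when DO_IT=1. The sample outputs embedded in the script are constructed to illustrate the two formats, and the VM name vcsa01, the world IDs and the ruleset name mainrs are assumptions, so confirm the real output on your host before trusting the parsing. The override changes enforcement on that one host only; the default rule in NSX Manager still has to be corrected.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: automates CyberNils' four
# steps on an ESXi host (requires root on the host). Without DO_IT=1 it only
# prints the vsipioctl override command it would run.
#
# ASSUMPTIONS: the sample outputs below are constructed to illustrate the
# summarize-dvfilter and vsipioctl getrules formats; the VM name vcsa01, the
# world IDs and the ruleset name mainrs are made up. Verify against the real
# output on your host before relying on the parsing.

# Constructed summarize-dvfilter excerpt: two VMs, each with one vmware-sfw filter.
SAMPLE_DVFILTER='world 2099741 vmm0:vcsa01
 port 50331650 vcsa01.eth0
  vNic slot 2
   name: nic-2099741-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
world 2099888 vmm0:web01
 port 50331651 web01.eth0
  vNic slot 2
   name: nic-2099888-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached'

# Constructed vsipioctl getrules excerpt: the L3 ruleset (the one to clear) and its _L2 twin.
SAMPLE_GETRULES='ruleset mainrs {
  # generation number: 0
  rule 1031 at 1 inout protocol any from any to any accept;
  rule 2 at 2 inout protocol any from any to any reject;
}
ruleset mainrs_L2 {
  rule 1 at 1 inout ethertype any stateless from any to any accept;
}'

# filter_for_vm VMNAME : read summarize-dvfilter output on stdin and print the nic-*
# filter attached to that VM's first vNIC. Prints nothing if the VM has no DFW filter.
filter_for_vm() {
    awk -v vm="$1" '
        /^world / { inworld = ($3 == "vmm0:" vm) }
        inworld && $1 == "name:" && $2 ~ /^nic-/ { print $2; exit }
    '
}

# l3_ruleset : read getrules output on stdin and print the first ruleset name
# that does not end in _L2 (step 3: "you want the one without _L2").
l3_ruleset() {
    awk '$1 == "ruleset" && $2 !~ /_L2$/ { print $2; exit }'
}

# override_cmd FILTER RULESET : the step-4 command, which replaces RULESET on
# FILTER with an empty ruleset and so removes the blocking default rule on this host.
override_cmd() {
    printf 'vsipioctl vsipfwcli -Override -f %s -c "create ruleset %s;"\n' "$1" "$2"
}

main() {
    vm="${1:-vcsa01}"
    if command -v summarize-dvfilter >/dev/null 2>&1; then
        # On a real ESXi host: use the live output.
        filter=$(summarize-dvfilter | filter_for_vm "$vm")
        [ -n "$filter" ] || { echo "no DFW filter found for $vm" >&2; return 1; }
        rs=$(vsipioctl getrules -f "$filter" | l3_ruleset)
    else
        # Off the host: use the constructed samples so the script still demonstrates the flow.
        filter=$(printf '%s\n' "$SAMPLE_DVFILTER" | filter_for_vm "$vm")
        rs=$(printf '%s\n' "$SAMPLE_GETRULES" | l3_ruleset)
    fi
    [ -n "$filter" ] && [ -n "$rs" ] || { echo "could not resolve filter/ruleset for $vm" >&2; return 1; }
    if [ "${DO_IT:-0}" = "1" ]; then
        echo "running: $(override_cmd "$filter" "$rs")"
        vsipioctl vsipfwcli -Override -f "$filter" -c "create ruleset $rs;"
    else
        echo "dry run, would execute: $(override_cmd "$filter" "$rs")"
    fi
}

main "$@"
```

Usage on the host: `sh dfw-clear.sh vcsa01` to see the command, then `DO_IT=1 sh dfw-clear.sh vcsa01` to apply it; afterwards fix the default rule in NSX Manager so a later publish does not reintroduce the block.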
aaronkiki
Enthusiast

CyberNils, thank you very much! This is very helpful. Is "vsipioctl vsipfwcli" a hidden command? I can't find it with "vsipioctl -h". Is there any documentation about it?
0 Kudos
CyberNils
Hot Shot

I don't know. At least it is documented here, so it should be supported:

https://kb.vmware.com/s/article/51459

Nils Kristiansen
https://cybernils.net/
0 Kudos
prashantpandey2
Contributor

Is your vCenter part of an NSX-prepared ESXi host?

If yes, it's better to add vCenter and all other management-related VMs to the exclusion list before making "default deny = True" in the DFW.

0 Kudos