I plan to migrate my NSX-V to NSX 4.1, so I deployed NSX 4.1 in my lab for a test.
I have added some rules to permit access to VMs for management, e.g. vCenter, NSX, etc. When I changed the default rule's action from Allow to Reject, all ESXi hosts showed "not responding" in the vCenter vSphere Client.
I can access the vCenter, but the vCenter cannot access the ESXi hosts because of the DFW default rules. I forgot to add a rule for VMs going out, and DFW didn't add the vCenter into the exclusion list by default.
I've tried KB 2079620, and it's for NSX-V. There is no API https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config. No API with similar functionality was found in NSX 4.1.
I have changed the NSX DFW default rule's action to Allow, but it cannot publish to the ESXi hosts; all the hosts' status shows Degraded. Does anyone know how to disable the DFW rule and change the rule for the VMs in ESXi, so the vCenter can work normally?
Try this:
I don't know. At least it is documented here, so it should be supported:
https://kb.vmware.com/s/article/51459
Is your vCenter part of an NSX-prepared ESX host?
If yes, you had better add all vCenter & other management-related VMs to the exclusion list before making "default deny = True" in DFW.