VMware Networking Community
luv_nsx
Contributor

DFW Rules on a host

Would the DFW rules that have been pushed down to a host get removed when the host is rebooted? Or do they stay persistent? My understanding is that the rules are stored in a memory construct (VNIC-FW), and therefore I assume that if there is a reboot, the rules are lost and have to be downloaded again.

Can anyone confirm?


Thanks!

4 Replies
yak9
Enthusiast

Hello,

While I didn't validate this in a lab, I concluded the same from the documentation.

It makes perfect sense, as the VMs in question could be restarted on a different host while "our" host is still rebooting. And NSX Manager pushes DFW rules on a "need-to-know" basis.

And think about the scenario where rules have changed during the host reboot. It's definitely better to just redownload the current set of rules from NSX Manager.

cnrz
Expert

The VNIC-FW memory construct contains the Rule Table and the Connection Tracker Table applied to each vNIC.

https://networkinferno.net/nsx-compendium

NSX Distributed Firewall Deep Dive – VMware Professional Services

DFW and Connection Tracker Tables

As NSX Manager would sync the rules through the Message Bus Agent after bootup, saving the rule table locally on the ESXi host would only be a benefit in case NSX Manager is not available after the host reboot (a very unlikely case due to HA).

kausum
Community Manager

Rules persist on the ESXi host on a reboot. If there are new rules that are added to the NSX Manager while the host is being rebooted, those rules will be pushed down when the host reconnects to the NSX Manager. There is a distinction: rule application to a vNIC happens when the vNIC comes online.

cnrz
Expert

Thanks for the update. Then the filter on the NIC (seen as nic-412323-eth0-vmware-sfw.2) is saved on disk as well as in the memory construct. During a reboot of the ESXi host, even if it cannot connect to the NSX Manager while it is not available or contacted through the Message Bus, the latest rules will be available. The rare case of this is covered as well: DFW for all the VM NICs will be available. The rules are applied and synchronized once the vNIC comes online after bootup, or once the message bus is available.

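A way to verify the persistence behaviour discussed in this thread on your own host, as an added example that is not part of any post: dump the vNIC filter's rule table with `vsipioctl getrules` before and after the reboot and compare the two dumps. The filter name is the one quoted above; the sample dumps are constructed and only approximate the real output format.

```shell
#!/bin/sh
# Added example: compare a vNIC's DFW rule table before and after an ESXi host reboot.
# On an NSX-v ESXi host the dumps come from the shell:
#   summarize-dvfilter                                  # lists filter names per vNIC
#   vsipioctl getrules -f nic-412323-eth0-vmware-sfw.2  # dumps that vNIC's rule table
# Save that output before the reboot and again after it, then run dfw_rules_diff.

# Extract the "rule <id> ..." lines from a getrules dump, normalized and sorted so
# that the "at <position>" ordering and leading whitespace are not counted as changes.
dfw_rule_lines() {
    grep -E '^[[:space:]]*rule [0-9]+ ' "$1" \
      | sed -e 's/^[[:space:]]*//' -e 's/ at [0-9]* / /' \
      | sort
}

# Returns 0 when both dumps carry the same rule set, 1 when they differ
# (the differing lines are printed: "<" = only before, ">" = only after).
dfw_rules_diff() {
    tmp="${TMPDIR:-/tmp}/dfwcmp.$$"
    dfw_rule_lines "$1" > "$tmp.before"
    dfw_rule_lines "$2" > "$tmp.after"
    if diff "$tmp.before" "$tmp.after"; then
        echo "rule set unchanged: $(wc -l < "$tmp.before" | tr -d ' ') rules"
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp.before" "$tmp.after"
    return $rc
}

# Constructed sample dumps (rule ids and sets are made up for the example).
write_sample_before() {
    cat > "$1" <<'EOF'
ruleset domain-c7 {
  rule 1003 at 1 inout protocol tcp from any to addrset ip-ipset-3 port 22 accept;
  rule 1001 at 2 inout protocol any from any to any accept;
}
EOF
}
# Same rules after the reboot, plus one rule published while the host was down.
write_sample_after() {
    cat > "$1" <<'EOF'
ruleset domain-c7 {
  rule 1003 at 1 inout protocol tcp from any to addrset ip-ipset-3 port 22 accept;
  rule 1004 at 2 inout protocol udp from any to any port 53 accept;
  rule 1001 at 3 inout protocol any from any to any accept;
}
EOF
}
```

A non-zero exit after the reboot is expected only when rules were changed in NSX Manager while the host was down; an unchanged set confirms the on-disk copy was restored.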