Would the DFW rules that have been pushed down to a host get removed when the host is rebooted? Or do they stay persistent? My understanding is that the rules are stored in a memory construct (VNIC-FW), and therefore I assume that if there is a reboot, the rules are lost and have to be downloaded again.
Can anyone confirm?
Thanks!
Hello,
While I didn't validate this in the lab, I concluded the same from the documentation.
It makes perfect sense, as the VMs in question could be restarted on a different host while "our" host is still rebooting. And NSX Manager pushes DFW rules on a "need-to-know" basis.
And think about the scenario where rules have changed during the host reboot. It's definitely better to just re-download the current set of rules from NSX Manager.
VNIC-FW Memory Construct contains the Rule Table and Connection Tracker Table applied to each VNIC.
https://networkinferno.net/nsx-compendium
NSX Distributed Firewall Deep Dive – VMware Professional Services
DFW and Connection Tracker Tables
As NSX Manager would sync the rules through the Message Bus Agent after bootup, saving the rule table locally on the ESXi host would only be of benefit in case NSX Manager is not available after the host reboot (a very unlikely case due to HA).
Rules persist on the ESXi host on a reboot. If there are new rules that are added to the NSX Manager when the host is being rebooted, those rules will be pushed down when the host reconnects back to the NSX Manager. There is a distinction: rule application to a vNIC happens when the vNIC comes online.
Thanks for the update, then the filter on the NIC (seen as nic-412323-eth0-vmware-sfw.2) is saved on disk as well as in the memory construct. During a reboot of the ESXi host, even if it cannot connect to the NSX Manager while it is not available or cannot be contacted through the Message Bus, the latest rule will be available. The rare case of this is covered as well; DFW for all the VM NICs will be available. The rule is applied and synchronized once the vNIC comes online after bootup, or the message bus is available.