thanks ihoffer,

there is no steps i can follow to disable it for ORACLE TNS as i want to do it quickly !

Thanks,

shamy

Unfortunately no.  According to Oracle connections time out when forwarded through the VMware NSX for vSphere 6.1.x Edge (2126674) |... it needs to be done by support so it probably requires root access to the affected elements.

Out of curiosity, what are you trying to achieve or fix?

This blog post: Distributed Firewall ALG - The Network Virtualization Blog‌ shows that a new rule specifying the TCP/UDP port (of Oracle TNS in your case) should have higher precedence over the ALG.

But if you are looking to disable it, as mentioned by lhoffer‌ referenced to the KB - open a Support Request to VMware GSS

dear ihoffer

how can we disable firewall ?

dear ihoffer

how can we disable firewall please?

use REST API or through GUI

https://nsxmgr-ip/api/4.0/firewall/domainID/enable/true|false

There are multiple ways:

1. From GUI which will be done in cluster leve

2. From CLI which can be done per ESXi host

VMware Documentation Library - Checking Distributed Firewall—Commands Run from Hosts‌

SSH into ESXi host and run below command

/etc/init.d/vShield-Stateful-Firewall stop

/etc/init.d/vShield-Stateful-Firewall {start|stop|status|restart}

3. REST API

4. Exclude VM from DFW

Exclude Virtual Machines from Firewall Protection - Exclude Virtual Machines from Firewall Protectio...

5. Create negate rules

VMware Documentation Library - Add a Firewall Rule

You can use negate on source/destionation/service or ports so you can choose which object to negate/exclude from DFW

I had an issue with ALG where I was using traffic direction and it wasn't work because of ALG.

In that case I use negate rules to exclude that particular traffic/VMs so it doesn't get redirected to the third party service VMs