Solved: Verifying DFW rules were pushed to the vnic of all...

vmmedmed · ‎07-31-2019

After you publish new Distributed Firewall Rules, how can you verify that each VM affected

by the new rules have them in fact, working at their vNic?

Sreec · ‎08-01-2019

Yes, you can fetch it via NSX Manager as well

---------------------------------------------------------------------------------------------------------

Was it helpful? Let us know by completing this short survey here.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

Sreec · ‎07-31-2019

One way of checking is like below

1.vsipioctl getfilters

2.vsipioctl getrules -f nic-2739622-eth0-vmware-sfw.2(give the respective filtername)

3.For active connections/flows you can use getconnections/getflows instead of getrules command.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

vmmedmed · ‎07-31-2019

That's very helpful. Thank you. On this consult gig I don't think I have access to the ESXi hosts unfortunately.

Only access to NSX, VRNI, vCenter. Perhaps access to the CLI NSX. Perhaps a thought on verifying the

push with one of those tools?

nipanwar · ‎08-01-2019

Vmwre docs provide more details around it, Troubleshooting Distributed Firewall

Sreec · ‎08-01-2019

Yes, you can fetch it via NSX Manager as well

---------------------------------------------------------------------------------------------------------

Was it helpful? Let us know by completing this short survey here.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered

Verifying DFW rules were pushed to the vnic of all intended VMs