Virtual machines and Edge Nodes deployed in VMware NSX environment and added to the DFW exclusion list have firewall rules attached
Article ID: 326355
Products
VMware vDefend Firewall
Issue/Introduction
Edge nodes (EN) and virtual machines (VM) have firewall rules attached even when they are on the Distributed Firewall (DFW) exclusion list (Security - Distributed Firewall - Settings - User/System Excluded VMs).
When we run the following command on the ESXi host, we see that the slot 2 (DFW) filter is still applied:

summarize-dvfilter | grep -A 2 <VM-name>

world 3540626 vmm0:<VM-name> vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108899 <VM-name>.eth1
  vNic slot 2
   name: nic-3540626-eth1-vmware-sfw.2   -->> slot 2 filter, this is the DFW filter
The slot 2 filter may have firewall rules applied. To review the rules, run the following on the ESXi host, using the slot 2 filter name returned above for the VM:
Note: When a VM or EN is added to the exclusion list, there should be no slot 2 filter and therefore no firewall rules applied to the VM. By default, system VMs such as Edge nodes and Managers should be excluded from the DFW.
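Added check script, not part of this article: it parses summarize-dvfilter output (the layout shown above, one world block per VM) and reports every VM from a supplied exclusion list that still carries a slot 2 (vmware-sfw) filter, printing the filter name needed for the rule review. The sample output, VM names, world IDs and port numbers are constructed; on a host, feed it the live summarize-dvfilter output and the VM names from the User/System Excluded VMs list.

```shell
#!/bin/sh
# Added check, not part of the KB: on an ESXi host, list VMs from the DFW exclusion
# list that still carry a slot 2 (vmware-sfw, i.e. DFW) filter.
# On a real host, feed the live output of summarize-dvfilter instead of SAMPLE_OUTPUT.
# SAMPLE_OUTPUT is a constructed sample: VM names, world IDs and port numbers are made up.
SAMPLE_OUTPUT="world 3540626 vmm0:edge-01 vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108899 edge-01.eth1
  vNic slot 2
   name: nic-3540626-eth1-vmware-sfw.2
   agentName: vmware-sfw
world 3540700 vmm0:app-01 vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108901 app-01.eth0
  vNic slot 2
   name: nic-3540700-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 3540800 vmm0:mgr-01 vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108902 mgr-01.eth0
  vNic slot 1
   name: nic-3540800-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec"

# Print the slot 2 filter name(s) of one VM; prints nothing when the VM has no DFW filter.
# $1 = VM name, stdin = summarize-dvfilter output.
dfw_filters_for_vm() {
  awk -v vm="$1" '
    /^world /                             { invm = ($3 == ("vmm0:" vm)); slot = "" }
    invm && match($0, /vNic slot [0-9]+/) { slot = substr($0, RSTART + 10, RLENGTH - 10) }
    invm && slot == "2" && match($0, /name: [^ ]+/) {
      print substr($0, RSTART + 6, RLENGTH - 6); slot = ""
    }'
}

# For each VM on the exclusion list ($2, space separated) that still has a slot 2 filter,
# print "<vm> <filter name>"; the filter name is what the rule review above needs.
# $1 = summarize-dvfilter output.
excluded_vms_still_filtered() {
  for vm in $2; do
    for f in $(printf '%s\n' "$1" | dfw_filters_for_vm "$vm"); do
      printf '%s %s\n' "$vm" "$f"
    done
  done
}

# Expected output for the sample: edge-01 nic-3540626-eth1-vmware-sfw.2
excluded_vms_still_filtered "$SAMPLE_OUTPUT" "edge-01 mgr-01"
```

A VM that appears in the output is in the state this article describes; one that does not appear has no slot 2 filter, which is the expected state for an excluded VM.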
Environment
VMware NSX-T
Cause
This issue occurs when the Management plane Exclusion list gets overwritten by Policy.
Resolution
This issue is resolved in VMware NSX 4.1.2.
This issue is resolved in VMware NSX 4.2.0.
Workaround:
If you believe you have encountered this issue and are unable to upgrade, please contact Broadcom Support and refer to this KB article.