Virtual machines and Edge Nodes deployed in VMware NSX environment and added to the DFW exclusion list have firewall rules attached
Article ID: 326355
Updated On:
Products
VMware vDefend Firewall
Issue/Introduction
Symptoms:
- Edge nodes (EN) and Virtual machines (VM) have firewall rules attached, even if they are in the Distributed Firewall (DFW) exclusion list Security - Distributed Firewall - Settings - User/System Excluded VMs.
- When we run the following command on the ESXi host, we see that slot 2 (DFW) is still applied.
summarize-dvfilter | grep -A 2 <VM-name>
world 3540626 vmm0:<VM-name> vcUuid:'xx xx xx xx xx xx xx xx xx xx'
port 67108899 <VM-name>.eth1
vNic slot 2
name: nic-3540626-eth1-vmware-sfw.2 -->> slot 2 filter, this is the DFW filter
world 3540626 vmm0:<VM-name> vcUuid:'xx xx xx xx xx xx xx xx xx xx'
port 67108899 <VM-name>.eth1
vNic slot 2
name: nic-3540626-eth1-vmware-sfw.2 -->> slot 2 filter, this is the DFW filter
- The slot 2 filter may have firewall rules applied, to review the rules you can run the following on the ESXi host, using the slot 2 filter name returned above for the VM:
vsipioctl getrules -f nic-3540626-eth1-vmware-sfw.2
Note: When a VM or EN is added to the exclusion list, there should be no slot 2 and therefore no firewall rules applied to the VM. By default system VMs such as Edge nodes and Managers should be excluded from the DFW.
Environment
VMware NSX-T
Cause
This issue occurs when the Management plane Exclusion list gets overwritten by Policy.
Resolution
This issue is resolved in VMware NSX 4.1.2
Workaround:
- If you believe you have encountered this issue and are unable to upgrade, please open a support request with Broadcom Support and refer to this KB article.
Feedback
Yes
No
Powered by
