Virtual machines and Edge Nodes deployed in VMware NSX environment and added to the DFW exclusion list have firewall rules attached
search cancel

Virtual machines and Edge Nodes deployed in VMware NSX environment and added to the DFW exclusion list have firewall rules attached

book

Article ID: 326355

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Edge nodes (EN) and Virtual machines (VM) have firewall rules attached, even if they are in the Distributed Firewall (DFW) exclusion list Security - Distributed Firewall - Settings - User/System Excluded VMs.
  • When we run the following command on the ESXi host, we see that slot 2 (DFW) is still applied.
summarize-dvfilter | grep -A 2 <VM-name>
world 3540626 vmm0:<VM-name> vcUuid:'50 1d 7f a4 c0 82 8e f6-c0 eb 39 46 8d c7 e7 11'
 port 67108899 <VM-name>.eth1
  vNic slot 2
   name: nic-3540626-eth1-vmware-sfw.2
-->> slot 2 filter, this is the DFW filter
  • The slot 2 filter may have firewall rules applied, to review the rules you can run the following on the ESXi host, using the slot 2 filter name returned above for the VM:
vsipioctl getrules -f nic-3540626-eth1-vmware-sfw.2

Note: When a VM or EN is added to the exclusion list, there should be no slot 2 and therefore no firewall rules applied to the VM. By default system VMs such as Edge nodes and Managers should be excluded from the DFW.

Environment

VMware NSX-T

Cause

This issue occurs when the Management plane Exclusion list gets overwritten by Policy.

Resolution

This issue is resolved in VMware NSX 4.1.2, available at VMware downloads.

Workaround:
  • If you believe you have encountered this issue and are unable to upgrade, please open a support request with VMware NSX-T GSS and refer to this KB article.
    For more information, see How to Submit a Support Request.