Virtual machines and Edge Nodes deployed in VMware NSX environment and added to the DFW exclusion list have firewall rules attached
Article ID: 326355
Products
VMware vDefend Firewall
Issue/Introduction
Edge nodes (EN) and virtual machines (VM) have firewall rules attached even when they are on the Distributed Firewall (DFW) exclusion list (Security - Distributed Firewall - Settings - User/System Excluded VMs).
When the following command is run on the ESXi host, the output shows that slot 2 (DFW) is still applied to the VM:
summarize-dvfilter | grep -A 2 <VM-name>
world 3540626 vmm0:<VM-name> vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108899 <VM-name>.eth1
  vNic slot 2 name: nic-3540626-eth1-vmware-sfw.2   -->> slot 2 filter, this is the DFW filter
The slot 2 filter may have firewall rules applied. To review the rules, run the following on the ESXi host, using the slot 2 filter name returned above for the VM:
Note: When a VM or EN is added to the exclusion list, there should be no slot 2 filter and therefore no firewall rules applied to the VM. By default, system VMs such as Edge nodes and Managers should be excluded from the DFW.
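The check described above can be scripted: the following is an added example (not part of this KB or of NSX) that parses summarize-dvfilter output, lists every vNIC carrying a slot 2 DFW filter, and reports which of those VMs are also on the exclusion list. The VM names, world IDs and port numbers in the sample are constructed so it runs offline; on a host, pipe the live summarize-dvfilter output into list_slot2_filters instead.

```shell
#!/bin/sh
# Added example, not from the KB: find VMs whose vNICs still carry a slot 2
# DFW filter (agent vmware-sfw) in summarize-dvfilter output, then report the
# ones that are on the exclusion list. Sample data below is constructed.

# Constructed stand-in for `summarize-dvfilter` output on an ESXi host.
sample_dvfilter() {
  cat <<'EOF'
world 3540626 vmm0:edge-node-01 vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108899 edge-node-01.eth1
  vNic slot 2 name: nic-3540626-eth1-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
  vNic slot 1 name: nic-3540626-eth1-vmware-swsec.1
   agentName: vmware-swsec
world 3540700 vmm0:app-vm-07 vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108901 app-vm-07.eth0
  vNic slot 2 name: nic-3540700-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 3540800 vmm0:excluded-vm-02 vcUuid:'## ## ## ## ## ## ## ## ## ##'
 port 67108902 excluded-vm-02.eth0
  vNic slot 1 name: nic-3540800-eth0-vmware-swsec.1
   agentName: vmware-swsec
EOF
}

# Read summarize-dvfilter output on stdin; print "<VM-name> <slot-2-filter>"
# for every vNIC that has a slot 2 (DFW) filter attached.
list_slot2_filters() {
  awk '
    # "world <id> vmm0:<VM-name> ..." starts a new VM block
    /^world [0-9]+ vmm0:/ { vm = $3; sub(/^vmm0:/, "", vm) }
    # a slot 2 entry under that VM is the DFW filter
    /vNic slot 2 name:/   { print vm, $NF }
  '
}

# $1: space-separated VM names copied from the NSX exclusion list
# (Security - Distributed Firewall - Settings - User/System Excluded VMs).
# Prints excluded VMs that nevertheless have a slot 2 filter: the symptom
# this KB describes.
excluded_with_dfw() {
  excluded=" $1 "
  list_slot2_filters | while read -r vm filter; do
    case "$excluded" in
      *" $vm "*) printf '%s %s\n' "$vm" "$filter" ;;
    esac
  done
}

# Stand-alone run against the constructed sample
sample_dvfilter | excluded_with_dfw "edge-node-01 excluded-vm-02"
```

A VM that appears in the output has the slot 2 filter the exclusion list should have removed; app-vm-07 in the sample is not excluded, so its slot 2 filter is expected and not reported.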
Environment
VMware NSX-T 3.x
VMware NSX 4.x
Cause
This issue occurs when the Management plane Exclusion list gets overwritten by Policy.
Resolution
This issue is resolved in VMware NSX-T 3.2.4.
This issue is resolved in VMware NSX 4.1.2.
This issue is resolved in VMware NSX 4.2.0.
Workaround:
If you believe you have encountered this issue and are unable to upgrade, please contact Broadcom Support and refer to this KB article.