Cannot disable the NSX distributed firewall (DFW) on a host in VMware NSX for vSphere 6.x
Article ID: 341213

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:
  • Cannot change the NSX Distributed Firewall (DFW) status from enabled to disabled, or from disabled to enabled, on an NSX-prepared cluster that has the DFW VIB loaded.
  • After clicking the Disable link and refreshing the NSX User Interface (UI), the cluster status remains enabled.
  • When you run the show log command on the NSX Manager console, you see entries similar to:

    2015-07-16 20:23:09.192 GMT INFO http-nio-127.0.0.1-7441-exec-309 FirewallUIFacade:798 - Calling enable[false] cluster API...
    2015-07-16 20:23:09.195 GMT INFO http-nio-127.0.0.1-7441-exec-309 FirewallServiceImpl:2562 - Enable firewall[false] called for cluster[domain-c7]
    2015-07-16 20:23:09.204 GMT INFO http-nio-127.0.0.1-7441-exec-309 FirewallServiceImpl:2572 - Firewall is already disabled on {}

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Cause

This issue occurs when the Distributed Firewall (DFW) is enabled on some hosts and disabled on other hosts on the cluster.

Note: Changing the firewall status at the host level is not supported, and the User Interface (UI) correctly disallows this operation.

Disabling the NSX Distributed Firewall fails at the cluster level when the firewall functionality has been disabled on at least one host in the same cluster using the REST API.

NSX does not automatically enforce the cluster-level status on newly added hosts. For example, if a host is added to an NSX-prepared cluster on which the DFW is configured as disabled, the new host still has the firewall enabled.

Resolution

This issue is resolved in NSX for vSphere 6.2.2.

To work around this issue if you do not want to upgrade, use this REST API call to enforce the same firewall status across all ESXi hosts in the cluster.

Method: PUT
URL: https://nsxmgr-ip/api/4.0/firewall/domainID/enable/true|false

Note: Replace the domainID field with the Cluster ID of the cluster that has the firewall disabled.

For example:

PUT https://X.X.X.X/api/4.0/firewall/domain-c23/enable/true


Note: Ensure that the firewall is enabled on a host before adding it to an NSX-prepared cluster.



Additional Information

Use this REST API call to confirm the host preparation status.

Note: The ESXi host must be prepared for NSX and have the DFW VIB installed.

GET https://<nsxmgr-ip>/api/2.0/nwfabric/status?resource=host-25

<?xml version="1.0" encoding="UTF-8"?>
<resourceStatuses>
<resourceStatus>
<resource>
<objectId>host-25</objectId>
<objectTypeName>HostSystem</objectTypeName>
<vsmUuid>XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</vsmUuid>
<revision>505</revision>
<type>
<typeName>HostSystem</typeName>
</type>
<name>X.X.X.X</name>
<scope>
<id>domain-c7</id>
<objectTypeName>ClusterComputeResource</objectTypeName>
<name>VC1-Cluster</name>
</scope>
<clientHandle></clientHandle>
<extendedAttributes/>
</resource>
<hostRebootRequired>false</hostRebootRequired>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.firewall</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>GREEN</status> <!-- DFW status -->
<installed>true</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>


Starting with NSX for vSphere releases 6.1.5 and 6.2.0, the cluster-level feature status reflects the status of its member hosts. In the following example output, the cluster (domain-c7) status is set to GREY, indicating that at least one member host has the DFW disabled.

GET on https://X.X.X.X/api/2.0/nwfabric/status?resource=domain-c7

<?xml version="1.0" encoding="UTF-8"?>
<resourceStatuses>
<resourceStatus>
<resource>
<objectId>domain-c7</objectId>
<objectTypeName>ClusterComputeResource</objectTypeName>
<vsmUuid>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX</vsmUuid>
<revision>5</revision>
<type>
<typeName>ClusterComputeResource</typeName>
</type>
<name>Cluster-1</name>
<scope>
<id>datacenter-2</id>
<objectTypeName>Datacenter</objectTypeName>
<name>Datacenter</name>
</scope>
<clientHandle></clientHandle>
<extendedAttributes/>
</resource>
<hostRebootRequired>false</hostRebootRequired>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.vdr_mon</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>UNKNOWN</status>
<installed>false</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.vxlan</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>UNKNOWN</status>
<installed>false</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.firewall</featureId>
<updateAvailable>false</updateAvailable>
<status>GREY</status>
<installed>true</installed>
<enabled>false</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.nwfabric.hostPrep</featureId>
<featureVersion>6.1.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>GREEN</status>
<installed>true</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.messagingInfra</featureId>
<updateAvailable>false</updateAvailable>
<status>GREEN</status>
<installed>true</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
</resourceStatus>
</resourceStatuses>
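As an added example (not code from this KB article or from VMware), the following Python script ties together the status check in this section and the workaround in the Resolution section: it parses nwfabric status responses for the com.vmware.vshield.firewall feature, lists member hosts whose DFW enabled flag differs from the cluster's or that lack the DFW VIB, and builds the cluster-level PUT URL used to re-align them. The sample responses, the host ids host-26 and host-27, and the manager name nsxmgr.example are constructed; the script runs offline and does not contact NSX Manager.

```python
"""Added example (not from the VMware KB article or from VMware): parse the
/api/2.0/nwfabric/status XML for the DFW feature, report hosts whose DFW state
differs from their cluster, and build the cluster-level PUT URL from the
workaround. The sample XML below is constructed to mirror the KB output."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

# Feature id of the distributed firewall as it appears in the KB output.
DFW_FEATURE_ID = "com.vmware.vshield.firewall"
HOSTPREP_FEATURE_ID = "com.vmware.vshield.vsm.nwfabric.hostPrep"


def parse_dfw_status(xml_text: str) -> Dict[str, Optional[object]]:
    """Extract objectId plus the DFW feature's status/installed/enabled flags
    from one nwfabric status response. A resource with no DFW feature entry
    is reported as not installed."""
    root = ET.fromstring(xml_text.strip())  # the XML declaration must come first
    rs = root.find("resourceStatus")
    if rs is None:
        raise ValueError("response has no resourceStatus element")
    info: Dict[str, Optional[object]] = {
        "objectId": rs.findtext("resource/objectId"),
        "status": None,
        "installed": False,
        "enabled": None,
    }
    for feat in rs.findall("nwFabricFeatureStatus"):
        if feat.findtext("featureId") == DFW_FEATURE_ID:
            info["status"] = feat.findtext("status")
            info["installed"] = feat.findtext("installed") == "true"
            info["enabled"] = feat.findtext("enabled") == "true"
            break
    return info


def find_divergent_hosts(cluster_xml: str, host_xmls: Iterable[str]) -> List[str]:
    """Return ids of hosts whose DFW 'enabled' flag differs from the cluster's,
    or that lack the DFW VIB entirely: the mixed state behind a GREY cluster."""
    cluster = parse_dfw_status(cluster_xml)
    divergent: List[str] = []
    for host_xml in host_xmls:
        host = parse_dfw_status(host_xml)
        if not host["installed"] or host["enabled"] != cluster["enabled"]:
            divergent.append(str(host["objectId"]))
    return divergent


def enforce_url(nsx_manager: str, domain_id: str, enable: bool) -> str:
    """Build the workaround URL: PUT /api/4.0/firewall/<domainID>/enable/<true|false>."""
    if not domain_id.startswith("domain-c"):
        raise ValueError("domain_id must be a cluster id such as domain-c23")
    return f"https://{nsx_manager}/api/4.0/firewall/{domain_id}/enable/{str(enable).lower()}"


def sample_status_xml(object_id: str, type_name: str, features) -> str:
    """Constructed sample response in the shape of the KB output (hypothetical data)."""
    feats = "".join(
        f"<nwFabricFeatureStatus><featureId>{fid}</featureId><status>{status}</status>"
        f"<installed>{str(inst).lower()}</installed><enabled>{str(en).lower()}</enabled>"
        "</nwFabricFeatureStatus>"
        for fid, status, inst, en in features
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f"<resourceStatuses><resourceStatus><resource><objectId>{object_id}</objectId>"
        f"<objectTypeName>{type_name}</objectTypeName></resource>"
        f"<hostRebootRequired>false</hostRebootRequired>{feats}</resourceStatus></resourceStatuses>"
    )


# Cluster domain-c7 with DFW disabled and GREY, as in the KB example (constructed values).
CLUSTER_XML = sample_status_xml(
    "domain-c7", "ClusterComputeResource",
    [(DFW_FEATURE_ID, "GREY", True, False), (HOSTPREP_FEATURE_ID, "GREEN", True, True)],
)
HOST_XMLS = [
    # host-25: DFW enabled, so it diverges from the cluster
    sample_status_xml("host-25", "HostSystem",
                      [(DFW_FEATURE_ID, "GREEN", True, True), (HOSTPREP_FEATURE_ID, "GREEN", True, True)]),
    # host-26 (hypothetical): DFW disabled, matches the cluster
    sample_status_xml("host-26", "HostSystem",
                      [(DFW_FEATURE_ID, "GREY", True, False), (HOSTPREP_FEATURE_ID, "GREEN", True, True)]),
    # host-27 (hypothetical): DFW VIB not installed at all
    sample_status_xml("host-27", "HostSystem", [(HOSTPREP_FEATURE_ID, "GREEN", True, True)]),
]

if __name__ == "__main__":
    cluster = parse_dfw_status(CLUSTER_XML)
    print(f"cluster {cluster['objectId']}: status={cluster['status']} enabled={cluster['enabled']}")
    for host_id in find_divergent_hosts(CLUSTER_XML, HOST_XMLS):
        print(f"  {host_id} diverges from the cluster DFW state")
    print("to align all hosts: PUT", enforce_url("nsxmgr.example", "domain-c7", bool(cluster["enabled"])))
```

In practice you would feed `parse_dfw_status` the body of a GET on https://<nsxmgr-ip>/api/2.0/nwfabric/status?resource=<id> for the cluster and for each member host, then issue the PUT only after confirming which state (enabled or disabled) the cluster is meant to have, since the PUT applies that state to every host in the cluster.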