This issue is resolved in NSX for vSphere 6.2.2.
To work around this issue if you do not want to upgrade, use this REST API call to enforce the same firewall status across all ESXi hosts in the cluster.
Note: Replace the domainID field with the Cluster ID of the cluster which has the firewall disabled.
For example:
PUT https://X.X.X.X/api/4.0/firewall/domain-c23/enable/true
Use this REST API call to confirm the host preparation status.
Note: The ESXi host must be prepared for NSX and have the DFW VIB installed.
https://<nsxmgr-ip>/api/2.0/nwfabric/status?resource=host-25
<?xml version="1.0" encoding="UTF-8"?>
<resourceStatuses>
<resourceStatus>
<resource>
<objectId>host-25</objectId>
<objectTypeName>HostSystem</objectTypeName>
<vsmUuid>XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</vsmUuid>
<revision>505</revision>
<type>
<typeName>HostSystem</typeName>
</type>
<name>X.X.X.X</name>
<scope>
<id>domain-c7</id>
<objectTypeName>ClusterComputeResource</objectTypeName>
<name>VC1-Cluster</name>
</scope>
<clientHandle></clientHandle>
<extendedAttributes/>
</resource>
<hostRebootRequired>false</hostRebootRequired>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.firewall</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>GREEN</status> <!-- DFW status -->
<installed>true</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
Starting with NSX for vSphere releases 6.1.5 and 6.2.0, the cluster-level feature status reflects the status of its member hosts. In the following example output, the cluster (domain-c7) status is set to GREY, indicating that at least one member host has the DFW disabled.
GET on https://X.X.X.X/api/2.0/nwfabric/status?resource=domain-c7
<?xml version="1.0" encoding="UTF-8"?>
<resourceStatuses>
<resourceStatus>
<resource>
<objectId>domain-c7</objectId>
<objectTypeName>ClusterComputeResource</objectTypeName>
<vsmUuid>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX</vsmUuid>
<revision>5</revision>
<type>
<typeName>ClusterComputeResource</typeName>
</type>
<name>Cluster-1</name>
<scope>
<id>datacenter-2</id>
<objectTypeName>Datacenter</objectTypeName>
<name>Datacenter</name>
</scope>
<clientHandle></clientHandle>
<extendedAttributes/>
</resource>
<hostRebootRequired>false</hostRebootRequired>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.vdr_mon</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>UNKNOWN</status>
<installed>false</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.vxlan</featureId>
<featureVersion>5.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>UNKNOWN</status>
<installed>false</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.firewall</featureId>
<updateAvailable>false</updateAvailable>
<status>GREY</status>
<installed>true</installed>
<enabled>false</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.nwfabric.hostPrep</featureId>
<featureVersion>6.1.5</featureVersion>
<updateAvailable>false</updateAvailable>
<status>GREEN</status>
<installed>true</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
<nwFabricFeatureStatus>
<featureId>com.vmware.vshield.vsm.messagingInfra</featureId>
<updateAvailable>false</updateAvailable>
<status>GREEN</status>
<installed>true</installed>
<enabled>true</enabled>
</nwFabricFeatureStatus>
</resourceStatus>
</resourceStatuses>
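To check the two status responses above without reading them by eye, the following added example (not VMware's code) parses a nwfabric status reply, picks out the com.vmware.vshield.firewall feature, and reports whether the DFW is installed but not enabled and GREEN, which is the condition the PUT .../enable/true call fixes. The sample reply is constructed and abbreviated from the cluster output above.

```python
import xml.etree.ElementTree as ET

DFW_FEATURE = "com.vmware.vshield.firewall"

# Constructed (abbreviated) GET /api/2.0/nwfabric/status?resource=domain-c7 reply:
# firewall feature installed but disabled, host prep GREEN.
SAMPLE_CLUSTER_STATUS = """<?xml version="1.0" encoding="UTF-8"?>
<resourceStatuses>
 <resourceStatus>
  <resource>
   <objectId>domain-c7</objectId>
   <objectTypeName>ClusterComputeResource</objectTypeName>
  </resource>
  <nwFabricFeatureStatus>
   <featureId>com.vmware.vshield.firewall</featureId>
   <status>GREY</status>
   <installed>true</installed>
   <enabled>false</enabled>
  </nwFabricFeatureStatus>
  <nwFabricFeatureStatus>
   <featureId>com.vmware.vshield.vsm.nwfabric.hostPrep</featureId>
   <status>GREEN</status>
   <installed>true</installed>
   <enabled>true</enabled>
  </nwFabricFeatureStatus>
 </resourceStatus>
</resourceStatuses>"""


def feature_status(xml_text, feature_id=DFW_FEATURE):
    """Return (objectId, status, installed, enabled) for one nwfabric feature.
    Raises ValueError if the feature is absent, so a missing DFW VIB is never
    misread as 'enabled'. (Use defusedxml instead of ElementTree for XML that
    does not come from your own NSX Manager.)"""
    root = ET.fromstring(xml_text)
    obj_id = root.findtext("./resourceStatus/resource/objectId")
    for feat in root.iterfind("./resourceStatus/nwFabricFeatureStatus"):
        if feat.findtext("featureId") == feature_id:
            return (obj_id, feat.findtext("status"),
                    feat.findtext("installed") == "true",
                    feat.findtext("enabled") == "true")
    raise ValueError(f"{feature_id} not reported for {obj_id}")


def dfw_needs_attention(xml_text):
    """True when the DFW VIB is installed but the feature is not enabled and
    GREEN: the cluster/host state the KB fixes with PUT .../enable/true."""
    _, status, installed, enabled = feature_status(xml_text)
    return installed and (not enabled or status != "GREEN")
```

Run the same function over the per-host response (resource=host-25) to find which member host has the DFW disabled before re-enabling at cluster level.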