vCenter Server access is blocked after creating a Deny All rule in DFW
search cancel

vCenter Server access is blocked after creating a Deny All rule in DFW

book

Article ID: 343363

calendar_today

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

To access vCenter Sever, roll back the DFW to its default firewall rule set by using NSX Manager REST API DELETE Method.

Symptoms:
Access to vCenter Server gets blocked after creating a Deny All rule (or modifying default rule to block action) from the NSX Distributed Firewall (DFW).

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.4.x

Cause

This issue occurs when vCenter Server is deployed on a cluster that is created by navigating to NSX Home > Installation > Host Preparation.

When a cluster is created, DFW function is automatically enforced to all guest virtual machines that are running on the cluster. However, NSX components such as NSX Manager, NSX controllers, and NSX Edge, are automatically excluded from DFW function.

Resolution

To resolve this issue, roll back the DFW to its default firewall rule set by using NSX Manager REST API DELETE Method:

 

Notes: Prior to doing the steps, ensure that:

  • You have basic authorization with the NSX Manager web credentials such as the admin user, or any vCenter Server user granted NSX privileges.
  • header: content-type: application/xml and Accept: application/xml are used.

 

Method: DELETE
URL: https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config

Note: The request must return a status of 204. This restores the default policy (with a default rule of allow) for DFW and then re-enables access to vCenter Server and the vSphere Web Client.

To prevent this issue from recurring, add vCenter Server in the exclusion list:

  1. Log in to the vCenter Server using the vSphere Web Client.
  2. Navigate to Home > Networking & Security.
  3. Select NSX Manager.
  4. In the Manage tab, click Exclusion List.
  5. Select the + icon to add the vCenter Server virtual machine.



Additional Information