vCenter Server access is blocked after creating a Deny All rule in DFW
Article ID: 343363
Products
VMware NSX for vSphere
Issue/Introduction
To regain access to vCenter Server, roll back the DFW to its default firewall rule set by using the NSX Manager REST API DELETE method.
Symptoms: Access to vCenter Server is blocked after creating a Deny All rule (or changing the default rule's action to Block) in the NSX Distributed Firewall (DFW).
Environment
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x
Cause
This issue occurs when vCenter Server is deployed on a cluster that has been prepared for NSX by navigating to NSX Home > Installation > Host Preparation.
When a cluster is prepared, the DFW function is automatically enforced on all guest virtual machines running on that cluster. NSX components such as NSX Manager, NSX Controllers, and NSX Edge are automatically excluded from DFW enforcement, but vCenter Server is not, so a Deny All rule (or a default rule set to Block) also drops traffic to and from the vCenter Server virtual machine.
Resolution
To resolve this issue, roll back the DFW to its default firewall rule set by using the NSX Manager REST API DELETE method:
Notes: Before performing the steps, ensure that:
You use Basic authorization with NSX Manager web credentials, such as the admin user or any vCenter Server user that has been granted NSX privileges.
The request carries the headers Content-Type: application/xml and Accept: application/xml.
Note: The request must return a status of 204. This restores the default DFW policy (whose default rule is Allow) and re-enables access to vCenter Server and the vSphere Web Client.
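The following is an added example, not code from the KB article, showing the DELETE request described above and the check that it returned 204. The article does not give the request path; the path /api/4.0/firewall/globalroot-0/config is assumed to be the NSX for vSphere DFW configuration reset endpoint, and the host, credentials and the local stub server that stands in for NSX Manager are constructed so the script runs offline.

```python
"""Reset the NSX-v Distributed Firewall to its default rule set over the NSX Manager REST API.

Added example (not from the KB article). Assumptions, labelled:
- DFW_RESET_PATH is assumed to be the NSX for vSphere DFW reset endpoint; the article
  only says 'REST API DELETE Method'.
- The stub server, host and credentials below are constructed for an offline run.
"""
import base64
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: NSX-v API path that deletes the DFW configuration and restores defaults.
DFW_RESET_PATH = "/api/4.0/firewall/globalroot-0/config"


def reset_dfw_to_defaults(host, port, user, password, use_tls=True, verify_tls=True):
    """Send the DELETE with Basic auth and XML headers; return the HTTP status (204 expected)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/xml",  # headers the KB article requires
        "Accept": "application/xml",
    }
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify_tls:
            # Only for an NSX Manager still on its self-signed certificate.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=30)
    try:
        conn.request("DELETE", DFW_RESET_PATH, headers=headers)
        resp = conn.getresponse()
        resp.read()  # 204 carries no body; drain anything else so the socket closes cleanly
        return resp.status
    finally:
        conn.close()


def reset_succeeded(status):
    """The article's success criterion: the DELETE must return 204."""
    return status == 204


class _StubNsxManager(BaseHTTPRequestHandler):
    """Constructed stand-in for NSX Manager: 204 on the reset path with the right credentials."""

    EXPECTED_AUTH = "Basic " + base64.b64encode(b"admin:changeme").decode()  # constructed

    def do_DELETE(self):
        if self.headers.get("Authorization") != self.EXPECTED_AUTH:
            self.send_response(403)
        elif self.path != DFW_RESET_PATH:
            self.send_response(404)
        else:
            self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_against_stub(user="admin", password="changeme"):
    """Start the stub on a loopback port, issue the reset, and return the status code."""
    server = HTTPServer(("127.0.0.1", 0), _StubNsxManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return reset_dfw_to_defaults("127.0.0.1", port, user, password, use_tls=False)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status = run_against_stub()
    print("DFW reset status:", status, "(ok)" if reset_succeeded(status) else "(FAILED)")
```

Against a real NSX Manager, call reset_dfw_to_defaults with the manager's FQDN, port 443 and the default use_tls=True; anything other than 204 (for example 403 on bad credentials) means the default policy was not restored and vCenter Server access will stay blocked.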
To prevent this issue from recurring, add the vCenter Server virtual machine to the DFW exclusion list:
Log in to vCenter Server using the vSphere Web Client.
Navigate to Home > Networking & Security.
Select NSX Manager.
On the Manage tab, click Exclusion List.
Click the + icon and add the vCenter Server virtual machine.