Traffic Still Blocked by DFW After Adding VM to Exclusion List via Global Manager

Article ID: 380432

Products

VMware NSX VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

In Federation environments, traffic continues to be blocked by DFW even after adding VMs to the exclusion list via the Global Manager UI under Security > Distributed Firewall > Settings > Exclusion List.

Check for the Issue:

  1. Identify the VM you want to check and run the following command as root on the ESXi host:

    summarize-dvfilter | grep -A 9 <VM Name>

    Example:
    [root@esx-04:~] summarize-dvfilter | grep -A 9 UPSAv2-02.eth0

     port ####### UPSAv2-02.eth0 
     vNic slot 2
     name: nic-########-eth0-vmware-sfw.2   <--- Slot 2 Filter
       agentName: vmware-sfw
       state: IOChain Attached
       vmState: Attached
       failurePolicy: failClosed
       serviceVMID: 4
       filter source: Dynamic Filter Creation
       moduleName: nsxt-vsip-########

  2. If no slot-2 filter is found for the VM, this confirms that no DFW rules are applied and the exclusion list is functioning.
  3. For Security-Only environments, if a slot-2 filter is applied to the VM, check whether any rules are loaded on it:

    vsipioctl getrules -f <Slot 2 Filter>

    Example:
    [root@esx-04:~] vsipioctl getrules -f nic-#########-eth0-vmware-sfw.2
    No rules.


  4. If you see 'No rules', this confirms that no DFW rules are active and the exclusion list is functioning.
  5. If rules are still applied, refer to the Workaround and Resolution section of this KB.

    Example of rules applied:

    [root@esx-04:~] vsipioctl getrules -f nic-#########-eth0-vmware-sfw.2  
    rule 2145 at 1, 20497799 evals, 178006 hits, 172331 sessions, in 1164179 out 0 pkts, in 65754432 out 0 bytes  
    rule 2267 at 2, 3567 evals, 375 hits, 373 sessions, in 20463 out 16733 pkts, in 1754851 out 87609052 bytes  
    rule 3124 at 3, 2799 evals, 178006 hits, 172331 sessions, in 13459 out 0 pkts, in 3345644432 out 0 bytes  
    rule 4179 at 4, 38451 evals, 455 hits, 383 sessions, in 28963 out 18933 pkts, in 17784851 out 86789052 bytes
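The check in steps 1 to 5 can be scripted. The following is an added example, not part of the KB or of NSX: it wraps the two commands the KB uses (summarize-dvfilter and vsipioctl getrules) in small parsing functions that read command output on stdin, so they can also be exercised against captured text, and maps the result to the KB's verdict. The sample output at the bottom is constructed in the shape of the KB's examples; port and nic IDs in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the KB: automates the slot-2 / getrules check above.
# Intended for the ESXi shell as root; summarize-dvfilter and vsipioctl are the
# commands the KB uses. Parsing functions read command output on stdin, so they
# can also run against captured text.

# Print the slot-2 (vmware-sfw) filter name for the VM named in $1, if any.
slot2_filter() {
  awk -v vm="$1" '
    $1 == "port" { in_vm = index($0, vm) > 0; next }   # start of a port block
    in_vm && $1 == "name:" && $2 ~ /-vmware-sfw\.2$/ { print $2; exit }
  '
}

# Count "rule N at M, ..." lines in vsipioctl getrules output; "No rules." gives 0.
rule_count() {
  awk '/^[[:space:]]*rule [0-9]+ at [0-9]+,/ { n++ } END { print n + 0 }'
}

# KB verdict: no slot-2 filter, or a filter with no rules, means the VM is excluded;
# a filter with rules loaded means the Local Manager workaround is needed.
verdict() {
  if [ -z "$1" ] || [ "${2:-0}" -eq 0 ]; then echo excluded; else echo rules-applied; fi
}

# Live check on an ESXi host (needs the real commands; not runnable offline).
check_vm() {
  filter=$(summarize-dvfilter | slot2_filter "$1")
  count=0
  [ -n "$filter" ] && count=$(vsipioctl getrules -f "$filter" | rule_count)
  printf '%s: filter=%s rules=%s -> %s\n' "$1" "${filter:-none}" "$count" \
    "$(verdict "$filter" "$count")"
}

# Constructed sample output shaped like the KB's examples (port/nic IDs are placeholders).
SAMPLE_DVFILTER='port 1234567 UPSAv2-02.eth0
 vNic slot 2
 name: nic-1000001-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
port 1234568 other-vm.eth0
 vNic slot 2
 name: nic-1000002-eth0-vmware-sfw.2'
SAMPLE_RULES='rule 2145 at 1, 20497799 evals, 178006 hits, 172331 sessions, in 1164179 out 0 pkts, in 65754432 out 0 bytes
rule 2267 at 2, 3567 evals, 375 hits, 373 sessions, in 20463 out 16733 pkts, in 1754851 out 87609052 bytes'
```

On a host, `check_vm UPSAv2-02.eth0` prints one line per VM ending in `excluded` or `rules-applied`; the latter is the case in step 5 where the Local Manager workaround below applies.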

Environment

VMware NSX 4.1.2.0 - 4.1.2.4

Resolution

Workaround
If rules are applied to the slot-2 filter of the VM, log in to the Local Manager UI > Security > Settings > Distributed Firewall > Exclusion List and add the VM to the exclusion list there.
The VM should no longer have rules applied; use the check procedure above to confirm.

Permanent Fix
This is corrected in 4.2.x and 4.1.2.5.