In VCF/NSX 9.0.x, all NSX Manager VMs (in both the management and the workload domains) are marked with VM type MP (Management Plane). NSX automatically adds VMs of this type to the system-defined DFW System Excluded VMs list, so users cannot configure DFW rules for these NSX Manager VMs.
VCF 9.0.x
NSX 9.0.x
This behavior will be addressed in an upcoming NSX major release.
Workaround for NSX 9.0.x
Change the NSX Manager VM type from 'MP' to 'REGULAR' using the following steps:
1. SSH to one of the NSX Managers as root
2. Get the NSX Manager VM external_id by executing the following API call against the local cm-inventory service:
curl -X GET 'http://localhost:7443/cm-inventory/api/v1/fabric/virtual-machines'
Example:
"results" : [ {
    "host_id" : "1e14d09d-c994-####-####-############",
    "source" : {
        "target_id" : "1e14d09d-c994-####-####-############",
        "target_display_name" : "NSX MANAGER 1",
        "target_type" : "HostNode",
        "is_valid" : true
    },
    "external_id" : "50253953-a12a-####-####-############",   <<<< Note the external_id
    <snip>
    "type" : "MP",                                            <<<< Note the VM type
    <snip>
    "_last_sync_time" : 1768900615159
} ]
3. Execute the API call below to change the VM type from MP to REGULAR, using the external_id value noted in step 2:
curl -X POST 'http://localhost:7443/cm-inventory/api/v1/fabric/virtual-machines?action=update_vm_type' -d '{"external_id": "50253953-a12a-####-####-############","type": "REGULAR"}' -H "Content-Type: application/json"
4. Execute the API call from step 2 again and confirm that the NSX Manager VM's "type" is now 'REGULAR'
5. For the same NSX Manager VM, remove the advanced parameter "SystemVM" (whose value is "MP") using the following steps:
a. Log in to the vCenter
b. Power off the NSX Manager VM
c. Right-click on the NSX Manager VM and select Edit Settings
d. Click the Advanced Parameters tab
e. Find the SystemVM property, click the three vertical dots next to it, and click Remove.
f. Power on the NSX Manager VM and wait for it to rejoin the cluster
6. Repeat steps 1 - 5 for the other 2 NSX Manager VMs, one at a time, so that two managers stay powered on and the cluster keeps its quorum
7. Verify that the NSX Manager VMs are no longer listed in the system-defined DFW System Excluded VMs
8. Verify that the NSX Manager VMs are automatically placed in the DFW User Excluded Groups (VCF-Created-Virtual-Machines)
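The following script is an added example and is not part of the KB article or of NSX itself. It automates steps 2 to 4 of the workaround against the local cm-inventory API on an NSX Manager: it lists every VM whose type is MP, restricts the selection to VMs whose name matches a filter so that no other MP-typed VM is touched, builds the same update_vm_type body the article shows, and re-reads the inventory afterwards to confirm each selected VM now reports REGULAR. The endpoint and the JSON fields "results", "external_id" and "type" are those shown in the article; the top-level "display_name" field and the sample response (with made-up IDs and VM names) are assumptions for offline use. By default it only performs a dry run over the constructed sample; step 5 (removing the SystemVM advanced parameter in vCenter) is not automated here.

```python
"""Automate steps 2-4 of the NSX 9.0.x MP -> REGULAR workaround.
Added example, not from the KB article. Run on an NSX Manager as root;
main(dry_run=False) performs the real GET/POST calls against localhost:7443."""
import json
import urllib.request

BASE_URL = "http://localhost:7443/cm-inventory/api/v1/fabric/virtual-machines"

# Constructed sample in the shape of the step-2 output. IDs and VM names are
# fake; 'display_name' is an assumed top-level field that the article's
# snipped output does not show.
SAMPLE_INVENTORY = json.dumps({"results": [
    {"display_name": "sfo-m01-nsx01a",
     "external_id": "50253953-a12a-0000-0000-000000000001",
     "source": {"target_display_name": "NSX MANAGER 1", "target_type": "HostNode"},
     "type": "MP"},
    {"display_name": "sfo-m01-nsx01b",
     "external_id": "50253953-a12a-0000-0000-000000000002",
     "source": {"target_display_name": "NSX MANAGER 2", "target_type": "HostNode"},
     "type": "MP"},
    {"display_name": "web-01",
     "external_id": "50253953-a12a-0000-0000-0000000000aa",
     "source": {"target_display_name": "NSX MANAGER 1", "target_type": "HostNode"},
     "type": "REGULAR"},
]})


def mp_vms(inventory_json, name_filter=None):
    """Return [(display_name, external_id)] for every VM whose type is 'MP'.
    name_filter, if given, is a substring the VM name must contain, so an
    MP-typed VM that is not an NSX Manager is never selected."""
    found = []
    for vm in json.loads(inventory_json).get("results", []):
        if vm.get("type") != "MP":
            continue
        name = vm.get("display_name", "")
        if name_filter and name_filter not in name:
            continue
        found.append((name, vm["external_id"]))
    return found


def update_payload(external_id):
    """Body of the step-3 POST, in the form the article shows."""
    return json.dumps({"external_id": external_id, "type": "REGULAR"})


def all_regular(inventory_json, external_ids):
    """Step-4 check: every given external_id now reports type 'REGULAR'."""
    by_id = {vm["external_id"]: vm.get("type")
             for vm in json.loads(inventory_json).get("results", [])}
    return bool(external_ids) and all(by_id.get(e) == "REGULAR" for e in external_ids)


def fetch_inventory(base_url=BASE_URL):
    """Step 2: GET the VM inventory from the local cm-inventory service."""
    with urllib.request.urlopen(base_url) as resp:
        return resp.read().decode()


def post_update(external_id, base_url=BASE_URL):
    """Step 3: POST update_vm_type for one VM; returns the HTTP status."""
    req = urllib.request.Request(
        base_url + "?action=update_vm_type",
        data=update_payload(external_id).encode(),
        headers={"Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def main(dry_run=True, name_filter="nsx"):
    """Select MP-typed VMs matching name_filter, update them (unless dry_run),
    then re-read the inventory and report whether all are now REGULAR."""
    inventory = SAMPLE_INVENTORY if dry_run else fetch_inventory()
    targets = mp_vms(inventory, name_filter)
    for name, eid in targets:
        print(f"{name} {eid}: POST {update_payload(eid)}")
        if not dry_run:
            post_update(eid)
    if not dry_run:
        ok = all_regular(fetch_inventory(), [eid for _, eid in targets])
        print("all selected VMs now REGULAR:", ok)
    return targets


if __name__ == "__main__":
    main(dry_run=True)
```

Review the dry-run output first and tighten name_filter to match only the NSX Manager names in your environment before running main(dry_run=False); the selection is intentionally narrow because every VM typed MP, not only NSX Managers, would otherwise be flipped to REGULAR and lose its system exclusion.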