Firewall configuration appears to be missing after a vCenter HA takeover


Article ID: 433234


Products

VMware vCenter Server

Issue/Introduction

After a vCenter HA takeover, firewall configuration that was present on the original Active node may appear to be missing on the node that has assumed the Active role.

In this situation, you may observe that:

 - After takeover, the newly promoted Active node (the former Passive node) does not show the firewall rules that were configured on the original Active node.

This behavior can give the impression that the firewall configuration was deleted during the vCenter HA takeover. It was not; the rules still exist on the original node, as described under Cause.

Environment

VMware vCenter 8.0U3

Cause

In this scenario, firewall rules configured after the vCenter HA deployment was completed remained node-specific: they took effect only on the node where they were entered (the Active node) and were not synchronized to the other HA nodes.

As a result:

 - The original Active node retained the firewall configuration.
 - The Passive node did not receive the same firewall configuration, so after it was promoted during takeover it ran without those rules.
 - When service was failed back to the original node, the previously configured firewall rules were in effect again, because they were loaded from that node's local configuration.

Therefore, the firewall settings were not removed from the environment. Instead, the Active role moved to a node that never had the same local firewall configuration. Note that during the time the former Passive node holds the Active role, the appliance is serving traffic without the rules that were configured on the original node.

Resolution

If the required firewall configuration exists on the original Active node, the practical workaround is to return service to that node and then rebuild the vCenter HA configuration so that the new Passive node is cloned from the desired current state, firewall rules included.

Recommended approach:

 - Fail over or restore service back to the original node that still contains the required firewall configuration.
 - Confirm that the expected firewall settings are present on that node (for example, in the appliance management interface under Networking > Firewall, or through the appliance REST API).
 - Remove and reconfigure vCenter HA, or redeploy the Passive node as appropriate for the environment, so that the new HA topology is built from the node with the correct configuration.

If maintaining the current vCenter HA topology is preferred, you can also consider:

 - Manually reapply the same firewall configuration on the Passive node, then verify that both nodes report identical rules so that a future takeover does not reproduce the discrepancy.

In either case, repeat the check after any later firewall change, since changes made after HA deployment are what led to the node-specific configuration in the first place.
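The following script is an added example for the two verification steps above (confirming the rules on the original node, and reapplying and re-checking them on the Passive node); it is not part of this article and not VMware code. It assumes the vSphere Automation REST API endpoints POST /api/session (HTTP Basic login returning a session id) and GET/PUT /api/appliance/networking/firewall/inbound (list and replace the inbound rule list); check those paths against the API reference for your vCenter build. Because only the node holding the Active role answers on the management address, the intended workflow is: export the rule list from the original Active node as a baseline, then after a takeover or fail-back fetch the list from whichever node is now Active and diff it against that baseline. The two embedded rule lists are constructed sample data so the comparison runs offline.

```python
"""Drift check for vCenter appliance inbound firewall rules across HA nodes.

Added example, not VMware code. Endpoint paths and the PUT "replace whole
list" semantics are assumptions to be verified against your API reference.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, object]

# Constructed sample data: rules reported by the original Active node ...
ACTIVE_RULES: List[Rule] = [
    {"address": "10.10.0.0", "prefix": 16, "policy": "ACCEPT", "interface_name": "*"},
    {"address": "192.0.2.0", "prefix": 24, "policy": "REJECT", "interface_name": "*"},
]
# ... and by the promoted Passive node, which never received them.
PASSIVE_RULES: List[Rule] = []


def rule_key(rule: Rule) -> Tuple[str, int, str, str]:
    """Fields that identify a rule; interface_name defaults to '*' (all interfaces)."""
    return (str(rule["address"]), int(rule["prefix"]), str(rule["policy"]),
            str(rule.get("interface_name", "*")))


def rules_match(expected: List[Rule], actual: List[Rule]) -> bool:
    """Ordered comparison: inbound rules are evaluated first match wins, so order matters."""
    return [rule_key(r) for r in expected] == [rule_key(r) for r in actual]


def diff_rules(expected: List[Rule], actual: List[Rule]) -> Dict[str, List[Rule]]:
    """Rules on the baseline that the checked node lacks, and rules it has that the baseline lacks."""
    have = {rule_key(r) for r in actual}
    want = {rule_key(r) for r in expected}
    return {
        "missing": [r for r in expected if rule_key(r) not in have],
        "unexpected": [r for r in actual if rule_key(r) not in want],
    }


def build_set_body(rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Body for PUT .../firewall/inbound, assumed to replace the whole rule list."""
    return {"rules": [dict(r) for r in rules]}


def _ctx(cafile: Optional[str]) -> ssl.SSLContext:
    # Verify the appliance certificate; supply the CA bundle rather than disabling checks.
    return ssl.create_default_context(cafile=cafile)


def login(host: str, user: str, password: str, cafile: Optional[str] = None) -> str:
    """POST /api/session with HTTP Basic credentials; the response body is the session id."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/session", method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=_ctx(cafile)) as resp:
        return json.loads(resp.read())


def fetch_inbound_rules(host: str, session_id: str, cafile: Optional[str] = None) -> List[Rule]:
    """GET the inbound rule list from whichever node currently answers on `host`."""
    req = urllib.request.Request(f"https://{host}/api/appliance/networking/firewall/inbound",
                                 headers={"vmware-api-session-id": session_id})
    with urllib.request.urlopen(req, context=_ctx(cafile)) as resp:
        return json.loads(resp.read())


def push_inbound_rules(host: str, session_id: str, rules: List[Rule],
                       cafile: Optional[str] = None) -> int:
    """PUT the baseline rule list onto the node that drifted; returns the HTTP status."""
    req = urllib.request.Request(f"https://{host}/api/appliance/networking/firewall/inbound",
                                 data=json.dumps(build_set_body(rules)).encode(), method="PUT",
                                 headers={"vmware-api-session-id": session_id,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_ctx(cafile)) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline run on the constructed lists. Against real nodes: save
    # fetch_inbound_rules() output from the original Active node as the baseline,
    # then after takeover fetch again and diff; push_inbound_rules() reapplies.
    drift = diff_rules(ACTIVE_RULES, PASSIVE_RULES)
    print("rules match:", rules_match(ACTIVE_RULES, PASSIVE_RULES))
    print("missing on promoted node:", json.dumps(drift["missing"], indent=2))
    print("PUT body to reapply:", json.dumps(build_set_body(ACTIVE_RULES)))
```

`rules_match` is deliberately order-sensitive, since the first matching inbound rule decides the policy; `diff_rules` ignores order so the output tells you which rules to add or remove. After reapplying with `push_inbound_rules`, fetch the list again and require `rules_match` to be true before treating the node as consistent with its peer.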