NSX Distributed Firewall Exclusion List

Quick article on an important topic: don’t lock yourself out when enabling NSX Distributed Firewall.

When you prepare vSphere Clusters for NSX and the DFW kernel module is injected into the host’s kernel, Distributed Firewall is automatically enabled on every vNIC with a default “allow any-any” rule.

By default, some VMs are excluded from DFW and traffic can flow freely on them:

  • NSX Manager;
  • NSX Controller Cluster;
  • Edge Service Gateways.

It is recommended to manually exclude some other service VMs:

  • vCenter Server;
  • SQL Server Database used by vCenter (if you’re using the Windows version of vCenter);
  • Partner Service Virtual Machines;
  • vCenter Web Server (if installed on a different VM than vCenter).

For reference, see the NSX 6.3 official documentation on the Exclusion List.

It may happen that you forget to add vCenter to the exclusion list and then change the default DFW rule to “deny any-any”.
In this case, you will no longer be able to reach your vCenter and manage it using the vSphere Web Client.

To regain access to the vCenter, you can use the following API call against the NSX Manager (remember, NSX Manager is automatically excluded from DFW so you can always call APIs against it!).
You can use your favorite REST client to perform the operation with the following parameters:

  • Header: “Content-Type: application/xml”
  • Header: “Accept: application/xml”
  • Authentication: “Basic”
  • DELETE https://nsx_manager_ip/api/4.0/firewall/globalroot-0/config

The API call should return Status Code 204.

This call erases the entire DFW configuration and resets the default rule to “allow any-any”.
Once you have regained access to your vCenter, you can load the saved (or auto-saved) firewall configuration.

If you don’t have a saved NSX DFW configuration (not a best practice!) and you don’t want to lose your configured rules, my colleague Angel Villar Garea has worked out a way to recover access to vCenter without resetting the overall configuration, by creating a rescue rule. You can check his article here:

UPDATE August 11th, 2017:

With NSX 6.3.3, released on August 11th 2017, the previous DELETE API call to erase the entire Firewall configuration has been deprecated.

A new method has been introduced to get the default Firewall configuration.
Use the output of this method to replace the entire configuration or any of the default sections:

  • Get the default configuration with GET /api/4.0/firewall/globalroot-0/defaultconfig
  • Update the entire configuration with PUT /api/4.0/firewall/globalroot-0/config
  • Update a single section with PUT /api/4.0/firewall/globalroot-0/config/layer2sections|layer3sections/{sectionId}
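As an added example (not code from the original post), the following Python script walks through the NSX 6.3.3 recovery described in this update: it fetches the default configuration, refuses to apply it unless every rule is an allow, and PUTs it back as the entire configuration. The NSX Manager address and the simplified XML schema used for the constructed sample documents are assumptions, and the If-Match header on the PUT comes from the NSX API’s general requirement for configuration updates rather than from this post.

```python
# Recover from an NSX-v 6.3.3+ DFW lockout using the endpoints quoted above.
# Added example, not code from the original post. Assumes NSX Manager at the
# placeholder NSX_MANAGER and that the configuration XML carries <rule> elements
# with <name> and <action> children (simplified schema; an assumption).
import base64
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "nsx_manager_ip"  # placeholder: your NSX Manager address
HEADERS = {"Content-Type": "application/xml", "Accept": "application/xml"}
DEFAULTCONFIG = "/api/4.0/firewall/globalroot-0/defaultconfig"
CONFIG = "/api/4.0/firewall/globalroot-0/config"

def build_request(method, path, user, password, body=None):
    """Compose the request with the Basic auth and XML headers the post lists."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{NSX_MANAGER}{path}", data=body, method=method)
    for name, value in HEADERS.items():
        req.add_header(name, value)
    req.add_header("Authorization", f"Basic {token}")
    return req

def rule_actions(config_xml):
    """Map every rule name in a DFW configuration document to its action."""
    root = ET.fromstring(config_xml)
    return {r.findtext("name"): r.findtext("action") for r in root.iter("rule")}

def is_allow_any(config_xml):
    """True only when no rule in the document denies or rejects traffic."""
    return all(action == "allow" for action in rule_actions(config_xml).values())

def reset_to_default(user, password):
    """GET the default configuration, sanity-check it, then PUT it as the whole config."""
    with urllib.request.urlopen(build_request("GET", DEFAULTCONFIG, user, password)) as resp:
        default_cfg = resp.read()
    if not is_allow_any(default_cfg):  # never push a config that would keep us locked out
        raise RuntimeError("default configuration still contains non-allow rules")
    with urllib.request.urlopen(build_request("GET", CONFIG, user, password)) as resp:
        etag = resp.headers.get("ETag")  # current config generation, needed for If-Match
    put = build_request("PUT", CONFIG, user, password, default_cfg)
    put.add_header("If-Match", etag)  # assumption: NSX rejects a PUT without the current ETag
    with urllib.request.urlopen(put) as resp:
        return resp.status  # HTTP status of the update

# Constructed samples (simplified schema) of a locked-out and of a default configuration.
SAMPLE_LOCKED = (b"<firewallConfiguration><layer3Sections><section><rule><name>Default Rule</name>"
                 b"<action>deny</action></rule></section></layer3Sections></firewallConfiguration>")
SAMPLE_DEFAULT = SAMPLE_LOCKED.replace(b"deny", b"allow")
```

Run `reset_to_default("admin", "<password>")` from a host that can reach the NSX Manager; the parsing helpers can be exercised offline against the constructed samples.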