NSX for vSphere: recovering from Distributed Firewall vCenter lock-out

NSX for vSphere (NSX-v) includes Distributed Firewall (DFW), which is applied at the vNICs of your Virtual Machines. This functionality is available in clusters provisioned for NSX, which in some cases includes the cluster where your vCenter VM is running. As a consequence, the vCenter VM’s network connectivity is subject to DFW rules, and so it is possible to lock yourself out of vCenter by making a DFW rule change.

If you’re here because it happened to you, read on. 🙂

A bit of background

NSX-v has a VM exclusion list for DFW, and your vCenter should be added to that list if it is running on a cluster provisioned with NSX. By default, NSX excludes its own VMs, such as NSX Manager, Controllers, and Edges (both Edge Services Gateways and Logical Distributed Router Control VMs). vCenter, however, is not on that list by default.

To fix that, navigate to Network and Security in the vSphere web client, select your NSX Manager from the “NSX Managers” section, then Manage -> Exclusion List, click “+” to bring up the VM selector, and select your vCenter VM (and any other VMs you may want to exclude). Please keep in mind that after a VM is added to this list, it can’t be protected by NSX DFW.



Now, if you’ve made a DFW rule change that locked you out of your vCenter, you won’t be able to get to your NSX UI. However, since NSX Manager *is* excluded, you should be able to get to its REST API endpoint, and undo the damage.

The way to do it is to make the following API call, using your favourite tool (Firefox REST client, cURL, etc.):

Send a “DELETE” request to “https://<your NSX Manager’s IP address>/api/4.0/firewall/globalroot-0/config” (don’t forget to supply the appropriate login credentials).

You should get the “204” result code back. This will reset the DFW rule set to its default.
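The same call made with curl, as an added example rather than code from the original post: it sends the DELETE and treats anything other than 204 as a failure. The address 192.0.2.10, the user admin and the NSX_CACERT variable are placeholders and assumptions of this example.

```shell
#!/bin/sh
# Added example: reset the DFW rule set through the NSX Manager REST API
# and check the result code. Host and user names are placeholders.

# Build the DFW configuration URL given in this post.
dfw_config_url() {
    printf 'https://%s/api/4.0/firewall/globalroot-0/config' "$1"
}

# Map the HTTP status of the DELETE to an outcome; returns 0 only on 204.
check_reset_status() {
    case "$1" in
        204) echo "DFW rule set reset to default"; return 0 ;;
        401|403) echo "rejected: check NSX Manager credentials or role" >&2
                 return 2 ;;
        000) echo "no HTTP response: NSX Manager unreachable or TLS failure" >&2
             return 3 ;;
        *) echo "unexpected status $1: reset not confirmed" >&2
           return 1 ;;
    esac
}

# Send the DELETE. With only a user name after -u, curl prompts for the
# password, which keeps it out of shell history and the process list.
# Assumption: NSX_CACERT, if set, points at the CA file for a manager
# that uses a private or self-signed certificate.
reset_dfw() {
    host=$1
    user=$2
    set -- -s -o /dev/null -w '%{http_code}' -X DELETE -u "$user"
    if [ -n "${NSX_CACERT:-}" ]; then
        set -- "$@" --cacert "$NSX_CACERT"
    fi
    # curl writes 000 as the status when it gets no HTTP response.
    status=$(curl "$@" "$(dfw_config_url "$host")") || status=${status:-000}
    check_reset_status "$status"
}

# Usage (placeholder values):
#   reset_dfw 192.0.2.10 admin
```
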

When this is done, you should be able to go to the DFW configuration section and restore the last active rule set, which NSX saved before executing the DELETE request. Don’t forget to change the offending rule before publishing the changes, and do add your vCenter to the exclusion list.

Note: If you had any rules managed by the Service Composer, you will get an error when trying to restore them in the DFW configuration section. To get them back, go to Service Composer -> Security Policies, select the Policies that had DFW rules, click “Actions” and select “Synchronize Firewall Rules”.

Credit for providing the API call details (and the screenshot, because I’m lazy) – @rbudavari

About Dmitri Kalintsev

Some dude with a blog and opinions ;)
