In this blog post, we will discuss a scenario where the NSX distributed firewall is set to drop all traffic by default, causing all network access to the NSX Manager to be blocked. We will explore how to recover from this situation and ensure that it does not happen again in the future.
Background
----------
In a lab environment, I was setting up NSX using the vCenter plug-in and had all the necessary components deployed. However, when I set the default NSX distributed firewall rules to drop all traffic, I realized that I could no longer access the NSX Manager via the network. This was a surprise, as I expected the firewall to only block incoming traffic, not outgoing traffic as well.
Recovery
--------
To recover access to the NSX Manager, we can use the `vsipioctl clearallfilters` command on the ESXi host that the NSX Manager VM is running on. This command will remove all firewall rules from all VMs on the ESXi host, so it’s important to only run this command when necessary and to have a backup of any critical virtual machines before doing so.
Here’s what the command looks like when run on the ESXi host:
```
vsipioctl clearallfilters
```
After running the command, I was able to access my NSX Manager again and change my default rules back to allow traffic.
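Because `vsipioctl clearallfilters` strips every filter from every VM on the host, a practitioner would want a record of what was in place and a guard against running it by accident. The wrapper below is an added example, not code from the original post: it saves the current filter list and rules to a timestamped file before clearing, and refuses to run without `--yes`. It assumes an NSX-v ESXi host with `vsipioctl` on PATH; the `getfilters` and `getrules -f` subcommands, the `Filter Name : <name>` output line they are parsed from, and the backup directory are assumptions rather than details from the post.

```shell
#!/bin/sh
# Guarded wrapper around the recovery step (added example, not from the post).
# Records the current dvfilter list and each filter's rules to a timestamped
# file, then clears all filters only if the caller passed --yes.
# Assumptions: NSX-v ESXi host, vsipioctl on PATH, "getfilters" /
# "getrules -f <filter>" subcommands, and "Filter Name : <name>" output lines.

VSIPIOCTL="${VSIPIOCTL:-vsipioctl}"        # overridable for dry runs/tests
BACKUP_DIR="${BACKUP_DIR:-/tmp/dfw-backup}" # assumed location, adjust to taste

# Save the filter list plus per-filter rules; print the backup file path.
backup_filters() {
    ts=$(date +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/dfw-$ts.txt"
    mkdir -p "$BACKUP_DIR" || return 1
    "$VSIPIOCTL" getfilters > "$out" || return 1
    # Filter names are taken from lines such as "Filter Name : nic-...-sfw.2"
    filters=$(grep 'Filter Name' "$out" | awk '{print $NF}')
    for f in $filters; do
        printf '\n=== rules for %s ===\n' "$f" >> "$out"
        "$VSIPIOCTL" getrules -f "$f" >> "$out" 2>&1 \
            || echo "(could not read rules for $f)" >> "$out"
    done
    echo "$out"
}

# Clear all filters on this host only after the backup succeeded.
# Returns 2 if --yes is missing, 1 if the backup failed.
recover_dfw() {
    [ "$1" = "--yes" ] || {
        echo "refusing: this clears every DFW filter on the host; pass --yes" >&2
        return 2
    }
    backup=$(backup_filters) || { echo "backup failed; nothing cleared" >&2; return 1; }
    echo "filter state saved to $backup"
    "$VSIPIOCTL" clearallfilters
}
```

Run it as `recover_dfw --yes` on the host that carries the NSX Manager VM; the saved file shows which rules were dropping management traffic once access is restored.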
Prevention
----------
To prevent this situation from happening again in the future, we can make use of the user-configured Distributed Firewall Exclusion List. This list allows us to specify VMs that should not be subject to the distributed firewall rules.
Here’s how to create and manage the Distributed Firewall Exclusion List:
1. Navigate to the NSX Manager web interface and go to the Manage > Distributed Firewall page.
2. Click on the “Excluded VMs” tab and click the “Add Excluded VM” button.
3. Enter the name or IP address of the VM you want to exclude, and select the “User Excluded Groups” option.
4. Create a new group and add the VM to it.
5. Save and apply the changes.
By adding the NSX Manager VM to the Distributed Firewall Exclusion List, we ensure that the distributed firewall never blocks it again.
Conclusion
----------
In this post, we discussed a scenario where the NSX distributed firewall blocks all network access to the NSX Manager. We explored how to recover from this situation and ensure that it does not happen again in the future. By using the `vsipioctl clearallfilters` command on the ESXi host and making use of the user-configured Distributed Firewall Exclusion List, we can prevent this issue from occurring again.