You enabled the Distributed Firewall by changing the default rule to DENY but forgot to exclude the virtual vCenter Server first. Now you are locked out. Yup, this happened in my lab tonight after a redeploy of NSX and enabling the DFW.
There is a way to resolve this situation via the REST API, as described in this VMware KB article:
vCenter Server access is blocked after creating a Deny All rule in DFW (2079620)
Cause
This issue occurs when vCenter Server is deployed on a cluster that has been prepared by navigating to NSX Home > Installation > Host Preparation.
When a cluster is prepared, the DFW function is automatically enforced on all guest virtual machines running on the cluster. However, NSX components such as NSX Manager, NSX Controllers, and NSX Edge are automatically excluded from the DFW function; vCenter Server is not.
Resolution
To resolve this issue, roll back the DFW to its default firewall rule set by calling the NSX Manager REST API with the DELETE method on this URL:
URL: https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config
To prevent this issue from recurring, add vCenter Server in the exclusion list:
- Log in to the vCenter Server using the vSphere Web Client.
- Navigate to Home > Networking & Security.
- Select NSX Manager.
- In the Manage tab, click Exclusion List.
- Select the + icon to add the vCenter Server virtual machine.
What the KB doesn't mention is that the DELETE call sets your DFW back to factory default: every section and rule you created is gone, not just the deny rule. You will additionally need to re-apply the last firewall rule set that was created that doesn't include the deny rule. And add that vCenter Server to the exclusion list!
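Because the DELETE wipes the whole rule set, the step worth automating is the one the KB skips: export the current configuration before resetting, and refuse the reset if no usable export exists. The script below is an added example written for this post, not VMware's code or anything from the KB. It assumes curl is available, that the export's root element is `<firewallConfiguration>` and that a PUT back to the same URL needs the `If-Match` header carrying the ETag returned by the GET (both as I recall them from the NSX for vSphere API guide; verify against your version). The host name, user and file names are placeholders.

```shell
#!/bin/sh
# Added example: back up, reset and restore the NSX-v DFW configuration.
# Placeholders: set NSX_MANAGER, NSX_USER and BACKUP for your environment.
NSX_MANAGER="${NSX_MANAGER:-nsx-manager.example.local}"
NSX_USER="${NSX_USER:-admin}"
BACKUP="${BACKUP:-dfw-config-backup.xml}"
DFW_URL="https://${NSX_MANAGER}/api/4.0/firewall/globalroot-0/config"

# Export the current rule set. Response headers are kept so the ETag is
# available for a later PUT (assumption: NSX-v requires If-Match on PUT).
backup_dfw() {
    curl -k -s -u "$NSX_USER" -D "${BACKUP}.headers" -o "$BACKUP" "$DFW_URL"
}

# A backup is usable only if it is non-empty and is actually a firewall
# configuration document (assumed root element: firewallConfiguration).
backup_is_valid() {
    [ -s "$1" ] && grep -q '<firewallConfiguration' "$1"
}

# Heuristic: does the export still carry a deny action? Restoring such a
# file would lock you out again, so the caller is warned before any PUT.
backup_has_deny_action() {
    grep -qi '<action>deny</action>' "$1"
}

# Destructive step from the KB. Refuses to run without a valid export.
reset_dfw() {
    if ! backup_is_valid "$BACKUP"; then
        echo "refusing to reset DFW: $BACKUP is missing or not a firewall config" >&2
        return 1
    fi
    curl -k -s -u "$NSX_USER" -X DELETE "$DFW_URL"
}

# Re-apply a saved rule set. Edit the default rule's action back to allow
# (or use an older export) before calling this; the deny check is a guard.
restore_dfw() {
    if backup_has_deny_action "$BACKUP"; then
        echo "refusing to restore: $BACKUP still contains a deny action" >&2
        return 1
    fi
    etag=$(grep -i '^etag:' "${BACKUP}.headers" | sed 's/^[^:]*: *//' | tr -d '\r')
    curl -k -s -u "$NSX_USER" -X PUT \
        -H "Content-Type: application/xml" -H "If-Match: $etag" \
        --data-binary "@$BACKUP" "$DFW_URL"
}

# Usage: ./dfw-reset.sh backup | reset | restore  (no argument does nothing)
case "${1:-}" in
    backup)  backup_dfw ;;
    reset)   reset_dfw ;;
    restore) restore_dfw ;;
esac
```

Run `backup` first, then `reset` to regain vCenter access, add vCenter to the exclusion list, fix the default rule in the exported XML, and only then `restore`. The `backup_is_valid` gate is the part that matters: an empty or error-page export is easy to miss when you are locked out and in a hurry.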