Locked out of VMware vCenter Server by the NSX Distributed Firewall?

You enabled the Distributed Firewall by changing the default rule to DENY but forgot to exclude the virtual vCenter Server first. Now you are locked out. Yup, this happened in my lab tonight after a redeploy of NSX and enabling the DFW.

There is a way to resolve this situation via the REST API, as described in this VMware KB article.

vCenter Server access is blocked after creating a Deny All rule in DFW (2079620)

Symptoms

Access to vCenter Server gets blocked after creating a Deny All rule (or modifying default rule to block action) from the NSX Distributed Firewall (DFW).

Purpose

To access vCenter Server, roll back the DFW to its default firewall rule set by using the NSX Manager REST API DELETE method.

Cause

This issue occurs when vCenter Server is deployed on a cluster that is created by navigating to NSX Home > Installation > Host Preparation.

When a cluster is created, DFW function is automatically enforced to all guest virtual machines that are running on the cluster. However, NSX components such as NSX Manager, NSX controllers, and NSX Edge, are automatically excluded from DFW function.

Resolution

To resolve this issue, roll back the DFW to its default firewall rule set by using NSX Manager REST API DELETE Method:

Note: The request must return a status of 204. This restores the default policy (with a default rule of allow) for DFW and then re-enables access to vCenter Server and the vSphere Web Client.

To prevent this issue from recurring, add vCenter Server in the exclusion list:

  1. Log in to the vCenter Server using the vSphere Web Client.
  2. Navigate to Home > Networking & Security.
  3. Select NSX Manager.
  4. In the Manage tab, click Exclusion List.
  5. Select the + icon to add the vCenter Server virtual machine.


What they don't mention in the KB is that this sets your DFW back to factory default. You will additionally need to re-apply the last firewall rule set that was created that doesn't include the deny rule. And add that vCenter to the exclusion list!
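The recovery as a script, added here as an example and not taken from the post or the KB: it backs up the current DFW configuration before the reset (because the reset wipes the rule set, as noted above), issues the DELETE, checks for the 204 the KB requires, and can add the vCenter VM to the exclusion list. The NSX Manager address, credentials, CA file and the two REST paths are assumptions based on the NSX-v API, so check them against the API guide for your version.

```shell
#!/bin/sh
# Assumed environment (not from the original post): NSX_MGR is the NSX Manager
# address, NSX_USER/NSX_PASS an admin account, NSX_CA the CA cert that signed
# the NSX Manager certificate, BACKUP_DIR a local directory for the backup.
NSX_MGR="${NSX_MGR:-nsx-manager.example.local}"
NSX_USER="${NSX_USER:-admin}"
NSX_CA="${NSX_CA:-nsx-manager-ca.pem}"
BACKUP_DIR="${BACKUP_DIR:-./dfw-backup}"

# The DFW config and exclusion-list paths are taken from the NSX-v REST API as
# I know it (assumed, not quoted by the KB excerpt above).
DFW_CONFIG_PATH="/api/4.0/firewall/globalroot-0/config"
EXCLUDE_LIST_PATH="/api/2.1/app/excludelist"

# $1 = HTTP method, $2 = API path, remaining args go to curl unchanged.
nsx_api() {
    method=$1; path=$2; shift 2
    curl -s --cacert "$NSX_CA" -u "$NSX_USER:$NSX_PASS" -X "$method" "$@" \
        "https://$NSX_MGR$path"
}

# Return 0 only when the reset answered 204, as the KB says it must.
verify_reset_status() {
    [ "$1" = "204" ]
}

# Timestamped backup name so each recovery attempt keeps its own copy.
backup_file_name() {
    printf '%s/dfw-config-%s.xml\n' "$BACKUP_DIR" "$1"
}

# Save the current rule set first: after the reset it is gone, and this file is
# what you edit (drop the deny rule) and re-apply once access is back.
backup_dfw_config() {
    mkdir -p "$BACKUP_DIR"
    f=$(backup_file_name "$(date +%Y%m%d-%H%M%S)")
    nsx_api GET "$DFW_CONFIG_PATH" -o "$f" && echo "$f"
}

# Reset DFW to the default (allow) policy; prints the HTTP status code.
reset_dfw() {
    nsx_api DELETE "$DFW_CONFIG_PATH" -o /dev/null -w '%{http_code}'
}

# Exclude a VM by its vSphere managed-object id (e.g. vm-123) so the next
# deny rule cannot lock vCenter out again.
exclude_vm() {
    nsx_api PUT "$EXCLUDE_LIST_PATH/$1" -o /dev/null -w '%{http_code}'
}

# Only act when a password is supplied, so sourcing this file has no side effects.
if [ -n "${NSX_PASS:-}" ]; then
    backup_dfw_config
    code=$(reset_dfw)
    verify_reset_status "$code" || { echo "DFW reset failed: HTTP $code" >&2; exit 1; }
    echo "DFW reset to default policy; vCenter access should be restored."
fi
```

Run it as `NSX_PASS=... NSX_MGR=... sh recover-dfw.sh`, then call `exclude_vm vm-<id>` with the vCenter VM's managed-object id before re-applying the edited rule set.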
