Create firewall rules that blocked your own VC

Day-to-day work with firewalls can sometimes end in a situation where you block access to the management interface of the firewall itself.

This situation is very challenging, regardless of the vendor you are working with.

The end result of this scenario is that you cannot reach the firewall management interface to remove the very rules that are blocking you from reaching it!


How is this related to NSX?

Think of a situation where you deploy the distributed firewall (DFW) to each ESXi host in a cluster, including the management cluster where your vCenter is located.

Then you deploy a firewall rule like the one below.

Deny any Any Rule

Let me show you an example of what you have done by implementing this rule:

cut tree you sit on

Like the poor guy above sawing off the branch he is sitting on, by implementing this rule you have blocked yourself from managing your vCenter.


How can we protect ourselves from this situation?

Put your vCenter (and other critical virtual machines) in an exclusion list.

No distributed firewall rules are applied to any VM on that list.

Go to the Network & Security tab and click on NSX Managers.

Exclusion VM list 1


Double-click the NSX Manager IP address object. In my example it is 192.168.110.42.

Exclusion VM list 2

Click on Manage:

Exclusion VM list 3

Click on the green plus button.

Exclusion VM list 4

Choose your virtual machine.

Exclusion VM list 5

That’s it! Now your VC is excluded from any enforced firewall rules.

Exclusion VM list 6


What if we made this mistake and do not yet have access to the VC?

We can use the NSX Manager REST API to revert to the default firewall ruleset.

By default the NSX Manager is automatically excluded from the DFW, so its API stays reachable even when the VC is blocked.

Using a REST client (for example the Firefox RESTClient add-on, https://addons.mozilla.org/en-US/firefox/addon/restclient) or cURL, submit a DELETE request to:

https://$nsxmgr/api/4.0/firewall/globalroot-0/config

Exclusion VM list 7

After receiving status code 204, the DFW reverts to the default policy, whose default rule is Allow.
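The DELETE request above, scripted with cURL, as an added example that is not part of the original post. It assumes NSX Manager admin credentials are supplied via HTTP basic authentication in the NSX_USER and NSX_PASS environment variables, and that the CA certificate path is a placeholder you replace with your own.

```shell
#!/bin/sh
# Revert the NSX distributed firewall to its default ruleset through the
# NSX Manager REST API and interpret the HTTP status code of the reply.
# Assumptions (not from the original post): basic-auth admin credentials in
# NSX_USER / NSX_PASS; the second argument is the NSX Manager CA certificate.

# URL of the global DFW configuration on the given NSX Manager (host or IP).
nsx_dfw_config_url() {
    printf 'https://%s/api/4.0/firewall/globalroot-0/config\n' "$1"
}

# Map the HTTP status of the DELETE request to a human-readable outcome.
# Only 204 means the configuration was actually reset.
nsx_revert_outcome() {
    case "$1" in
        204)     echo "reverted: DFW is back to the default ruleset (default rule Allow)" ;;
        401|403) echo "auth-failed: check NSX_USER/NSX_PASS" ;;
        000)     echo "unreachable: no HTTP response from NSX Manager" ;;
        *)       echo "unexpected: HTTP $1, DFW configuration unchanged" ;;
    esac
}

# Send the DELETE request, print the outcome, and return 0 only on HTTP 204.
nsx_revert_dfw() {
    nsxmgr="$1"
    cacert="${2:-/path/to/nsx-manager-ca.pem}"   # placeholder: use your real CA file
    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        --cacert "$cacert" -u "$NSX_USER:$NSX_PASS" \
        -X DELETE "$(nsx_dfw_config_url "$nsxmgr")") || status=000
    nsx_revert_outcome "$status"
    [ "$status" = "204" ]
}
```

Because the DELETE discards the running policy, run it only once you have confirmed a saved configuration exists to load afterwards, as in the following steps.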

Exclusion VM list 8

Now we can access our VC. As we can see, we have reverted to the default policy, but don’t panic 🙂, we have a saved policy.

Exclusion VM list 9

Click on the “Load Saved Configuration” button.

Exclusion VM list 10

Load the saved configuration from before the last save.

Exclusion VM list 11

Accept the warning by clicking Yes.

Exclusion VM list 12

Now we have our last policy from before we blocked our VC.

Exclusion VM list 13

To fix the problem, we need to change the last rule from Block to Allow.

Exclusion VM list 14

Then click “Publish the Changes”.

Exclusion VM list 15


The exclusion list disables DFW functionality per VM; it is not possible to disable DFW functionality per vNIC.

By default, NSX Manager, NSX Controllers, Edge Services Gateways and service VMs (a PAN FW, for instance) are automatically excluded from DFW functions.

Thanks to Michael Moor for reviewing this post.


One comment on “Create firewall rules that blocked your own VC”
  1. ouchris says:

    So, if we want our NSX management firewalled, then if the VC or NSX is firewalled off, is there a solution?
