
vCenter Server access is blocked after creating a Deny All rule in DFW (2079620)


Symptoms

Access to vCenter Server is blocked after you create a Deny All rule (or change the default rule's action to block) in the NSX Distributed Firewall (DFW).

Purpose

To regain access to vCenter Server, roll back the DFW to its default firewall rule set by using the NSX Manager REST API DELETE method.

Cause

This issue occurs when vCenter Server is deployed on a cluster that is created by navigating to NSX Home > Installation > Host Preparation.

When a cluster is created, the DFW function is automatically enforced on all guest virtual machines running on the cluster. However, NSX components such as NSX Manager, NSX Controllers, and NSX Edge are automatically excluded from the DFW function. vCenter Server is not excluded automatically, so a Deny All rule also applies to the vCenter Server virtual machine.

Resolution

To resolve this issue, roll back the DFW to its default firewall rule set by using the NSX Manager REST API DELETE method.

Notes: Before performing these steps, ensure that:

  • You use basic authorization with the NSX Manager web credentials, such as the admin user, or any vCenter Server user granted NSX privileges.
  • The request headers Content-Type: application/xml and Accept: application/xml are used.

You can use a REST client such as:

  • https://addons.mozilla.org/en-US/firefox/addon/restclient
  • https://chrome.google.com/webstore/detail/postman-rest-client/fdmmgilgnpjigdojojpjoooidkmcomcm?hl=en
  • curl

For more information on how to make API calls to the NSX Manager, see the Using the NSX REST API section in the VMware NSX for vSphere API Guide.

Method: DELETE
URL: https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config

Note: The request must return a status of 204. This restores the default policy (with a default rule of allow) for DFW and then re-enables access to vCenter Server and the vSphere Web Client.
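
The DELETE call above can be scripted with curl. The following wrapper is an added example, not part of the VMware article or VMware's tooling; the function names and the NSX_CURL variable are assumptions of the example, and the GET on the same URL, which saves the current rule set before it is wiped, goes beyond the steps in the article.

```bash
#!/usr/bin/env bash
# Added example: back up, then reset, the DFW rule set via the NSX Manager REST API.
# Function names and NSX_CURL are assumptions of this example, not VMware identifiers.

NSX_CURL="${NSX_CURL:-curl}"   # overridable so the logic can be exercised offline

# Build the firewall config URL given in the article for an NSX Manager host or IP.
nsx_dfw_url() {
    printf 'https://%s/api/4.0/firewall/globalroot-0/config' "$1"
}

# Interpret the HTTP status of the DELETE; only 204 confirms the rollback.
nsx_dfw_check_status() {
    case "$1" in
        204) echo "default rule set restored"; return 0 ;;
        401|403) echo "HTTP $1: credentials rejected or user lacks NSX privileges" >&2 ;;
        000) echo "no HTTP response: NSX Manager unreachable or TLS failure" >&2 ;;
        *) echo "HTTP $1: unexpected status, rollback not confirmed" >&2 ;;
    esac
    return 1
}

# Usage: nsx_dfw_reset HOST USER BACKUP_FILE
# "-u USER" without a password makes curl prompt for it, keeping it out of shell history.
nsx_dfw_reset() {
    local host="$1" user="$2" backup="$3" url code
    url="$(nsx_dfw_url "$host")"
    # Save the current rule set first so the non-default rules can be re-created later.
    code="$("$NSX_CURL" -sS -u "$user" -H 'Accept: application/xml' \
            -o "$backup" -w '%{http_code}' "$url")" || code=000
    [ "$code" = 200 ] || { echo "backup failed (HTTP $code), not deleting" >&2; return 1; }
    # The DELETE from the article, with both headers it calls for.
    code="$("$NSX_CURL" -sS -u "$user" -X DELETE \
            -H 'Content-Type: application/xml' -H 'Accept: application/xml' \
            -o /dev/null -w '%{http_code}' "$url")" || code=000
    nsx_dfw_check_status "$code"
}
```

Call it as `nsx_dfw_reset NSX_Manager_IP admin dfw-backup.xml`; curl prompts for the password once per request. If the client does not trust the NSX Manager certificate, point curl at the issuing CA with the `CURL_CA_BUNDLE` environment variable so that certificate verification stays enabled.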

To prevent this issue from recurring, add vCenter Server in the exclusion list:

  1. Log in to the vCenter Server using the vSphere Web Client.
  2. Navigate to Home > Networking & Security.
  3. Select NSX Manager.
  4. In the Manage tab, click Exclusion List.
  5. Select the + icon to add the vCenter Server virtual machine.

Update History

11/12/2014 - Added VMware NSX for vSphere 6.1.x to product versions
