Recovering access to vCenter after blocking it with NSX DFW

When you use the vCenter virtual appliance in an environment protected by VMware NSX, there is a chance of accidentally blocking access to vCenter with a misconfigured firewall rule. When that happens you are in serious trouble, since you also lose the GUI for configuring NSX and so cannot undo what has gone wrong.

Luckily, there are ways of recovering from that situation, and they are well explained in several blogs out there; take the following two as a sample:

These blogs propose a complete wipe of your existing firewall configuration, taking it back to the factory default where all traffic is allowed.

I just happened to experience the same situation myself recently, though losing the existing DFW configuration was not an option since plenty of time and work had been invested in it. So I figured out a different way to recover from the same lock-out situation: adding a new rule that allows all traffic on top of the existing configuration. The rest of this blog details the steps.

  1. From your favourite browser, access the NSX Manager URL until you get to the login screen, accepting the certificate warnings as required (this is what lets the REST client in the next step reach the API from the same browser).
  2. From the same browser instance, launch your favourite REST API client. In my case, I used Firefox with the following add-on: https://addons.mozilla.org/en-US/firefox/addon/restclient/
  3. Configure the following headers:
    • Authentication, Basic Authentication -> NSX Manager user ID and password
    • Headers, Custom Header -> Content-Type: application/xml
  4. Issue a GET request to the following URL, which returns the complete DFW configuration: https://NSX-Manager-IP-Address/api/4.0/firewall/globalroot-0/config
  5. Take note of the ETag value on the Response Headers tab, since it will be used later:
    [Image 02: ETag response header]
  6. Navigate to the Response Body (Highlight) tab and copy all its contents to your favourite text editor:
    [Image 03: Response Body]
  7. At the beginning of the firewall config, right after the first <section> opening tag, add the new rule that will allow all traffic through (the "Rescue Rule" block with <action>allow</action> below). Leave the existing rules, their ids and the section attributes exactly as returned:
    <?xml version="1.0" encoding="UTF-8"?>
     <firewallConfiguration timestamp="1464880714374">
     <contextId>globalroot-0</contextId>
     <layer3Sections>
     <section id="a335b9d5-c61a-4423-83fe-7d38df7d8470" name="Cross-vCenter DFW Rules" generationNumber="1464880714374" timestamp="1464880714374" managedBy="universalroot-0" type="LAYER3">
     <rule disabled="false" logged="true">
     <name>Rescue Rule</name>
     <action>allow</action>
     </rule>
     <rule id="2147483651" disabled="false" logged="true" managedBy="universalroot-0">
     <name>Web-to-Web</name>
     <action>deny</action>
     <appliedToList>
     <appliedTo>
     <name>DISTRIBUTED_FIREWALL</name>
     <value>DISTRIBUTED_FIREWALL</value>
     <type>DISTRIBUTED_FIREWALL</type>
     <isValid>true</isValid>
     </appliedTo>
     </appliedToList>
    
    [truncated output]
  8. Configure a new header on the REST API client:
    • Header, Custom Header -> If-Match: the ETag value from step 5 (NSX uses it as an optimistic concurrency check: if the configuration changed since your GET, the PUT is rejected with 412 Precondition Failed and you must repeat from step 4)
  9. On the REST API client, change the method from GET to PUT, keeping the same URL.
  10. Copy the edited text from step 7 and paste it into the Body field of the REST API client. Click on Send:
    [Image 04: PUT body]
  11. If the operation is successful you will get a 200 status code on the Response Headers tab:
    [Image 05: 200 response]
    And on the Response Body (Highlight) tab you will see the ID of the just-created rule, in the example below 2147483657:
    [Image 06: New rule ID]
  12. Finally, you should have regained access to vCenter, and in the NSX DFW section you will find the new rule in the top-most position:
    [Image 07: DFW console with the new rule]
    Bear in mind that this rule permits all traffic for every VM the section applies to, so it effectively disables the DFW while it is in place. Once you are back in, replace it with a rule scoped to the vCenter appliance (or remove it), and consider adding vCenter to the DFW exclusion list so a future rule cannot lock you out again.
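For those who would rather script the same steps, here is an added example of my own (not part of the original post, and not VMware tooling) that performs the GET / edit / PUT sequence with the Python standard library. The rule-editing part is plain XML manipulation and runs offline against a constructed sample config shaped like the response body above; the NSX host, credentials, the verify_tls toggle and the optional dest_ip narrowing (an Ipv4Address destination, written in the NSX-v rule schema) are assumptions you should adapt and verify against your own NSX version before relying on them.

```python
"""Added example: script the GET / edit / PUT recovery of an NSX-v DFW lock-out.

Not the original post's code. Assumed (hypothetical) parts: NSX host and
credentials, the verify_tls toggle, the dest_ip narrowing, and SAMPLE_CONFIG,
which is constructed to mirror the structure of the config shown in the post
rather than captured from a real system.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample config (same shape as the post's response body, trimmed).
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<firewallConfiguration timestamp="1464880714374">
<contextId>globalroot-0</contextId>
<layer3Sections>
<section id="a335b9d5-c61a-4423-83fe-7d38df7d8470" name="Cross-vCenter DFW Rules" generationNumber="1464880714374" timestamp="1464880714374" managedBy="universalroot-0" type="LAYER3">
<rule id="2147483651" disabled="false" logged="true" managedBy="universalroot-0">
<name>Web-to-Web</name>
<action>deny</action>
</rule>
</section>
</layer3Sections>
</firewallConfiguration>
"""


def add_rescue_rule(config_xml, name="Rescue Rule", dest_ip=None):
    """Return config_xml with a logged allow rule inserted as the first rule of
    the first layer-3 section. With dest_ip the rule only permits traffic to
    that address (NSX-v Ipv4Address destination), the narrower variant."""
    root = ET.fromstring(config_xml)
    if root.tag != "firewallConfiguration":
        raise ValueError("not a DFW firewallConfiguration document")
    section = root.find("./layer3Sections/section")
    if section is None:
        raise ValueError("no layer3 section to insert the rescue rule into")
    rule = ET.Element("rule", {"disabled": "false", "logged": "true"})
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = "allow"
    if dest_ip:
        dests = ET.SubElement(rule, "destinations", {"excluded": "false"})
        dest = ET.SubElement(dests, "destination")
        ET.SubElement(dest, "value").text = dest_ip
        ET.SubElement(dest, "type").text = "Ipv4Address"
        ET.SubElement(dest, "isValid").text = "true"
    section.insert(0, rule)  # first rule of the first section is evaluated first
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def rule_summary(config_xml):
    """[(name, action), ...] for the first section's rules, in evaluation order."""
    root = ET.fromstring(config_xml)
    return [(r.findtext("name"), r.findtext("action"))
            for r in root.findall("./layer3Sections/section[1]/rule")]


def recover(nsx_host, username, password, verify_tls=True, dest_ip=None):
    """GET the live config, insert the rescue rule, PUT it back with If-Match.
    nsx_host/username/password are placeholders for your environment."""
    url = "https://%s/api/4.0/firewall/globalroot-0/config" % nsx_host
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/xml"}
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of accepting the self-signed cert in the browser
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        etag = resp.headers["ETag"]
        current = resp.read()
    if etag is None:
        raise RuntimeError("no ETag in GET response; refusing to PUT without If-Match")
    body = add_rescue_rule(current, dest_ip=dest_ip)
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={**headers, "If-Match": etag})
    with urllib.request.urlopen(req, context=ctx) as resp:  # stale ETag -> HTTPError 412
        return resp.status, resp.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call recover(...) for real use.
    print(rule_summary(add_rescue_rule(SAMPLE_CONFIG)))
```

The If-Match header is what keeps this safe to script: the PUT replaces the whole DFW configuration, and NSX only applies it if the ETag still matches what you fetched, so a colleague's concurrent change is not silently overwritten.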

Hope it helps!!
