VMware NSX

  • 1.  DFW Rules on a host

    Posted Aug 09, 2016 04:18 AM

    Would the DFW rules that have been pushed down to a host get removed when the host is rebooted? Or do they stay persistent? My understanding is that the rules are stored in a memory construct (VNIC-FW), and therefore assuming if there is a reboot, the rules are lost and have to be downloaded again.


    Can anyone confirm?


    Thanks!



  • 2.  RE: DFW Rules on a host

    Posted Aug 09, 2016 05:08 AM

    Hello,

    While I didn't validate this in lab, I concluded the same from the documentation.

    It makes perfect sense, as the VMs in question could be restarted on a different host while "our" host is still rebooting. And NSX Manager pushes DFW rules on a "need-to-know" basis.

    And think about the scenario where rules have changed during the host reboot. It's definitely better to just redownload the current set of rules from NSX Manager.



  • 3.  RE: DFW Rules on a host

    Posted Aug 09, 2016 04:21 PM

    The VNIC-FW memory construct contains the Rule Table and Connection Tracker Table applied to each VNIC.

    https://networkinferno.net/nsx-compendium

    NSX Distributed Firewall Deep Dive – VMware Professional Services

    DFW and Connection Tracker Tables

    As NSX Manager would sync the rules through the Message Bus Agent after bootup, saving the rule table locally on the ESXi host would only be a benefit in case NSX Manager is not available after the host reboot (a very unlikely case due to HA).



  • 4.  RE: DFW Rules on a host

    Broadcom Employee
    Posted Aug 25, 2016 01:29 AM

    Rules persist on the ESXi host on a reboot. If there are new rules that are added to the NSX Manager when the host is being rebooted, those rules will be pushed down when the host reconnects back to the NSX Manager. There is a distinction to make: rule application to a vNIC happens when the vNIC comes online.



  • 5.  RE: DFW Rules on a host

    Posted Aug 25, 2016 01:04 PM

    Thanks for the update, then the filter on NIC (seen as nic-412323-eth0-vmware-sfw.2) is saved on disk as well as memory construct. During a reboot of the ESXi host, even if it cannot connect to the NSX Manage while it  is not available or cottacted  throught the Message Bus, the latest rule will be available. The rare case of this is covered as well, dFW for all the VM nics will be available.  Rule is applied and synchronized once vNIC comes online after bootup,  or message bus is available.