Firewall cleanup

This post will show how to purge all the Distributed Firewall rules created by NSX. In my studies for the VCIX-NV certification I managed to build some interesting rule sets and was applying them to all sorts of objects. This was good and I wanted a fresh slate. With creating numerous rules in my environment I did not want to clicky-clicky remove these from my Distributed Firewall. I wanted to reset it. Well luckily there is an API for that.

Screen Shot 2015-04-16 at 11.00.04 am


The unstoppable force of an API call

I am using a Mozilla client REST plugin but as long as this command can be pushed as XML to the NSX Manager this could be a python script. I might just got hack my “Big red button” script together this afternoon.

DELETE https:///api/4.0/firewall/globalroot-0/config

By using this call you can see the result below.

Screen Shot 2015-04-16 at 11.08.28 am
Rest client – remember to add auth and content-type


204 No Content. The command has been passed. If you see a 404 then you’ve got the wrong IP address.

Screen Shot 2015-04-16 at 11.08.41 am
Fresh rulebase.


As you can tell this is quite a powerful too. This is also used in situations where people may have inadvertently enabled a deny all on the infrastructure. If you have vCenter on this infrastructure you may have blocked communication accidentally. I have had a few customers do this and this was the fix. Oops.

Exclusions – AKA I am too good for Firewalls

You will find the ability to exclude VMs from Distributed Firewalls located under NSX Managers > Manager IP > Manage > Exclusion List. You can add the virtual machines for exclusion here. This will signal to NSX not to apply a DVFilter to Virtual Machines in this list.

Screen Shot 2015-04-16 at 11.49.07 am
Whilst you can exclude VMs here from having any policy applied to them the best practice would be to confirm the ports required for vCenter communication.

Big Red Button

This gives you the ability to fix your environment if disaster strikes. If it is a bad firewall rule (the same as doing deny ip any any on the CLI right) it will happen in the GUI, CLI or API world. This is a hand command to fix problems. The next step is leveraging one of the firewall backups and importing the firewall policy. You did read the chapter on backing up your firewall policy right? Happy purging.

Leave a Reply

Your email address will not be published. Required fields are marked *