Create firewall rules that blocked your own VC

Working on daily tasks with firewalls can sometimes end in a situation where you block access to the management interface of the very firewall you are configuring.

This situation is very challenging, regardless of the vendor you are working with.

The end result of this scenario is that you are unable to reach the firewall management to remove the rules that are blocking you from reaching the firewall management!

How is this related to NSX?

Think of a situation where you deploy a distributed firewall onto each of your ESX hosts in a cluster, including the management cluster where your vCenter Server is located.

And then you deploy a firewall rule like the one below.

Deny any Any Rule

Let me show you an example of what you’ve done by implementing this rule:

cut tree you sit on

Like the poor guy above, sawing off the branch he is sitting on, by implementing this rule you have blocked yourself from managing your vCenter.

How can we protect ourselves from this situation?

Put your vCenter (and other critical virtual machines) in an exclusion list.

Any VM on that list will not receive any distributed firewall rules.

Go to the Networking & Security tab and click on NSX Manager.

Exclusion VM list 1

Double-click the IP address object of your NSX Manager. In my example it is 192.168.110.42.

Exclusion VM list 2

Click on Manage:

Exclusion VM list 3

Click on the green plus button.

Exclusion VM list 4

Choose your virtual machine.

Exclusion VM list 5

That’s it! Now your VC is excluded from any enforced firewall rules.

Exclusion VM list 6

What if we made a mistake and do not yet have access to the VC?

We can use the NSX Manager REST API to revert to the default firewall ruleset.

By default, the NSX Manager itself is automatically excluded from the DFW, so its API stays reachable even when the rules lock you out of the VC.

Using a REST client (for example the Firefox RESTClient add-on) or cURL:

https://addons.mozilla.org/en-US/firefox/addon/restclient

Submit a DELETE request to:

https://$nsxmgr/api/4.0/firewall/globalroot-0/config

Exclusion VM list 7

After receiving status code 204, the DFW reverts to the default policy, whose default rule is Allow.
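As an added example that is not part of the original post, here is the same reset driven from a shell with cURL, preceded by a GET of the current ruleset so a copy exists on disk before the DELETE wipes it. NSX_MANAGER, NSX_USER, NSX_PASS and NSX_CACERT are assumed environment variables, and the status-code mapping is my own.

```shell
#!/bin/sh
# Added example (not from the original post): back up the current DFW
# configuration, then issue the DELETE that resets the DFW to its default
# allow-all ruleset. Assumed inputs: NSX_MANAGER (host/IP), NSX_USER,
# NSX_PASS and optionally NSX_CACERT (PEM file to verify the manager's TLS
# certificate; without it curl falls back to -k, acceptable only in a lab).
DFW_PATH="/api/4.0/firewall/globalroot-0/config"

tls_opt() {
  if [ -n "${NSX_CACERT:-}" ]; then echo "--cacert $NSX_CACERT"; else echo "-k"; fi
}

# Map the HTTP status of the reset call to a message and an exit code:
# 0 = reset done, 2 = credentials/role problem, 1 = anything else.
dfw_reset_status() {
  case "$1" in
    204)     echo "reset ok: DFW reverted to the default (allow) policy"; return 0 ;;
    401|403) echo "auth failure: check NSX Manager credentials and role"; return 2 ;;
    *)       echo "unexpected HTTP status $1, DFW not reset"; return 1 ;;
  esac
}

# GET the full DFW config into a file; prints the HTTP status.
dfw_backup() {  # $1 = manager host, $2 = output file
  curl -s $(tls_opt) -u "$NSX_USER:$NSX_PASS" -o "$2" -w '%{http_code}' \
    "https://$1$DFW_PATH"
}

# DELETE the DFW config (the step described above); prints the HTTP status.
dfw_reset() {   # $1 = manager host
  curl -s $(tls_opt) -u "$NSX_USER:$NSX_PASS" -X DELETE -o /dev/null \
    -w '%{http_code}' "https://$1$DFW_PATH"
}

if [ -n "${NSX_MANAGER:-}" ]; then
  backup="dfw-backup-$(date +%Y%m%d-%H%M%S).xml"
  code=$(dfw_backup "$NSX_MANAGER" "$backup")
  [ "$code" = "200" ] || { echo "backup failed (HTTP $code), aborting"; exit 1; }
  echo "current DFW config saved to $backup"
  dfw_reset_status "$(dfw_reset "$NSX_MANAGER")"
fi
```

The DELETE discards the published ruleset, so keep the backup file until the saved configuration has been reloaded and published again.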

Exclusion VM list 8

Now we can access our VC. As we can see, we have reverted to the default policy, but don’t panic 🙂, we have a saved policy.

Exclusion VM list 9

Click on the “Load Saved Configuration” button.

Exclusion VM list 10

Load the saved configuration from before the last save.

Exclusion VM list 11

Accept the warning by clicking Yes.

Exclusion VM list 12

Now we have our last policy from before we blocked our VC.

Exclusion VM list 13

We will need to change the last rule from Block to Allow to fix the problem.

Exclusion VM list 14

And click “Publish the Changes”.

Exclusion VM list 15

Thanks to Michael Moor for reviewing this post.


Roie Ben Haim is a Senior Member of Technical Staff who specializes in Networking and Security at VMware and who is currently focused on implementing solutions which incorporate VMware’s NSX platform as well as integrating with various Cloud platforms on VMware’s infrastructure. Roie works in VMware’s Consulting (PSO) team, whose focus is on the delivery of Network Virtualization and Security solutions. In this role Roie provides technical leadership in all aspects, including the installation, configuration, and implementation of VMware’s products and services. This also includes being involved from the inception of these projects, through requirements assessment, design and deployment phases and then into production, which ensures continuity for VMware’s customers. Roie has over 15 years of experience working on data center technologies and providing solutions for global enterprises, with a primary focus on Network and Security. A highly motivated and enthusiastic MSc graduate, Roie holds a wide range of industry-leading certificates, including his most recent Network Virtualization (VCDX-NV), Cisco CCIE x2 (DC/SEC) and Juniper JNCIE-SP. Roie is not only a strong team member, but is also able to demonstrate his skills and experience working in various fields. As a well-known and respected blogger, Roie maintains an impressive blog at: http://routetocloud.com

Posted in Troubleshooting
One comment on “Create firewall rules that blocked your own VC”
  1. ouchris says:

    So, if we want our NSX management firewalled, then if VC or NSX is firewalled off, is there a solution?
