Understanding and Utilizing NSX Distributed Firewall through CLI Commands

This blog post aims to elucidate the essential command-line interface (CLI) commands for managing the NSX Distributed Firewall, focusing on commands that can be executed from the NSX Manager and ESXi hosts, as well as detailing relevant log files for troubleshooting and auditing purposes. Additionally, we’ll touch upon commands for managing gateway firewall settings on NSX Edge devices.

NSX Manager: The Central Control Plane

The NSX Manager serves as the centralized control plane for managing NSX environments, offering a unified interface for configuring and monitoring network virtualization and security settings. Here are some key CLI commands you can run directly from the NSX Manager:

  • View the Rule Count of L2, L3 Firewall Rules: To get a summary of Layer 2 and Layer 3 firewall rules, use
    get firewall summary
    This command provides a quick overview of the rules in place, helping administrators gauge the extent of their firewall configurations.
  • List of Firewall Entities in the Excluded List: To view the entities excluded from firewall protection, execute
    get firewall exclude-list
    This command is crucial for identifying assets that are intentionally bypassed by firewall rules for specific purposes.
  • Firewall Status: Checking the overall status of the firewall is as simple as running
    get firewall status
    This command confirms whether the distributed firewall is operational and can help in troubleshooting connectivity issues.

ESXi Hosts: The Data Plane

ESXi hosts, where VMs reside, are integral to enforcing NSX DFW rules. The following CLI commands can be run on ESXi hosts to manage and troubleshoot DFW settings at the host level:

  • List All the VMs' dvFilter Names: Use summarize-dvfilter to list all dvFilters attached to VMs. dvFilters are the kernel-level filters through which the DFW applies its rules to each VM's network traffic.
  • View IP and MAC Addresses for a dvFilter: To see the IP and MAC addresses related to a specific dvFilter, the command is
    vsipioctl getaddrsets -f <dvfilter-name>
  • List the Firewall Rules Applied on a dvFilter: Retrieve the set of firewall rules applied to a dvFilter by executing
    vsipioctl getrules -f <dvfilter-name>
  • View Firewall Configuration for a dvFilter: To inspect the firewall configuration for a specific dvFilter, the command is
    vsipioctl getfwconfig -f <dvfilter-name>
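An added example, not from the original post, that ties the host-side commands together: a POSIX shell snippet (assumed to run in the ESXi shell) that parses summarize-dvfilter output for the vmware-sfw slot filters and writes each filter's config, rules and address sets to a file for an audit snapshot. The function names, the output directory and the sample summarize-dvfilter text are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate the DFW (vmware-sfw)
# dvFilters on an ESXi host and dump the state the post's vsipioctl commands
# expose, one file per filter, so the rule set can be reviewed offline.

# Extract dvFilter names belonging to the DFW slot from summarize-dvfilter
# text read on stdin. The line shape relied on is:
#   name: nic-<world-id>-eth<n>-vmware-sfw.<slot>
dfw_filter_names() {
    awk '/^[[:space:]]*name:[[:space:]]*nic-.*-vmware-sfw\.[0-9]+$/ { print $2 }'
}

# Dump firewall config, rules and address sets for every DFW dvFilter into
# $1 (default /tmp/dfw-audit, a constructed path).
dump_dfw_state() {
    outdir="${1:-/tmp/dfw-audit}"
    mkdir -p "$outdir"
    summarize-dvfilter | dfw_filter_names | while read -r f; do
        {
            echo "## $f"
            vsipioctl getfwconfig -f "$f"
            vsipioctl getrules -f "$f"
            vsipioctl getaddrsets -f "$f"
        } > "$outdir/$f.txt" 2>&1
    done
}

# Constructed sample of summarize-dvfilter output: two VMs, the first also
# carrying a non-DFW filter in another slot that must be skipped.
SAMPLE_SUMMARY='world 2100925 vmm0:web-01
 port 50331660 web-01.eth0
  vNic slot 2
   name: nic-2100925-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
  vNic slot 1
   name: nic-2100925-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec
world 2100990 vmm0:db-01
 port 50331661 db-01.eth0
  vNic slot 2
   name: nic-2100990-eth0-vmware-sfw.2
   agentName: vmware-sfw'

# Parsed DFW filter names from the constructed sample, one per line.
sample_filter_names() {
    printf '%s\n' "$SAMPLE_SUMMARY" | dfw_filter_names
}

# Run the real dump only when invoked with --run on a host.
[ "${1:-}" = "--run" ] && dump_dfw_state "${2:-}"
```

Invoke the script with --run [outdir] on the host to take the snapshot; without arguments it only defines the functions and the sample parser.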

Log Files: The Insight Tools

Log files play a pivotal role in monitoring, troubleshooting, and auditing. Here are essential log file locations for NSX components:

  • NSX Syslog Log File on ESXi: Located at /var/log/nsx-syslog.log, this file captures a wide range of NSX-related events and is invaluable for troubleshooting.

Gateway Firewall: NSX Edge Commands

NSX Edge devices provide gateway services, including firewalling for north-south traffic. Here’s how to manage gateway firewall settings via CLI:

  • Query Interfaces with Firewall Rules:
    get firewall interfaces lists all edge interfaces with configured firewall rules.
  • Query Gateway Firewall Rules: For specific interface rules, use
    get firewall <interface-uuid> ruleset rules

Author: Daniel Micanek

Senior Service Architect, SAP Platform Services Team at Tietoevry | SUSE SCA | vExpert ⭐⭐⭐⭐⭐ | vExpert NSX | VCIX-DCV/NV | VCAP-DCV/NV Design+Deploy | VCP-DCV/NV/CMA/TKO/DTM | NCIE-DP | OCP | Azure Solutions Architect | Certified Kubernetes Administrator (CKA)