How to unload policy from a particular ESX host's interface

This would have saved some hassle on the previous incident on the POC.

1. SSH into the ESX host that runs the VC VM.
2. Run the command summarize-dvfilter or vsipioctl getfilters to find the name of the filter that is protecting the VC VM. The filter name starts with "nic-", such as nic-12345-eth0-vmware-sfw.2.
3. Run the command vsipioctl getrules -f <filter-name> to get the rulesets of the firewall. There should be two rulesets, such as domain-c7 and domain-c7_L2. The first ruleset, like domain-c7, is the one you need to remove.
4. Run the command vsipioctl vsipfwcli -f <filter-name> -c "create ruleset <ruleset-name>;" to clear the ruleset.
5. Run the command vsipioctl getrules -f <filter-name> again. The first ruleset should now be empty, without any rules.

Your VC should be online now 🙂

To prevent this situation next time, always add the vCenter VM to the exclusion list (NSX Home -> NSX Managers -> NSX Manager -> Manage -> Exclusion List).
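The lookup and verification steps of the procedure above can be scripted. The following is an added example, not part of the original post: the function names, the VM names vcenter01 and web01, and the assumed layouts of the summarize-dvfilter and vsipioctl getrules output are all assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example. Output layouts below are assumptions; adjust patterns to your host.

# Print the vmware-sfw filter name(s) of VM $1 from summarize-dvfilter output on stdin.
find_sfw_filter() {
    awk -v vm="$1" '
        $1 == "world" { split($3, a, ":"); in_vm = (a[2] == vm) }
        in_vm && $1 == "name:" && $2 ~ /^nic-.*vmware-sfw/ { print $2 }
    '
}

# Print "<ruleset-name> <rule-count>" per ruleset from vsipioctl getrules output on stdin.
count_rules() {
    awk '
        $1 == "ruleset" { name = $2; n = 0 }
        $1 == "rule"    { n++ }
        $1 == "}" && name != "" { print name, n; name = "" }
    '
}

# Succeed only if the first ruleset listed has zero rules (step 5 of the procedure).
first_ruleset_empty() {
    count_rules | awk 'NR == 1 { ok = ($2 == 0) } END { exit (ok ? 0 : 1) }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_DVFILTER='world 12345 vmm0:vcenter01
 port 50331655 vcenter01.eth0
  vNic slot 2
   name: nic-12345-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 23456 vmm0:web01
 port 50331656 web01.eth0
  vNic slot 2
   name: nic-23456-eth0-vmware-sfw.2
   agentName: vmware-sfw'
SAMPLE_BEFORE='ruleset domain-c7 {
  rule 1001 at 1 inout protocol any from any to any drop;
}
ruleset domain-c7_L2 {
  rule 1002 at 1 inout ethertype any from any to any accept;
}'
SAMPLE_AFTER='ruleset domain-c7 {
}
ruleset domain-c7_L2 {
  rule 1002 at 1 inout ethertype any from any to any accept;
}'

printf '%s\n' "$SAMPLE_DVFILTER" | find_sfw_filter vcenter01
printf '%s\n' "$SAMPLE_AFTER" | count_rules
```

On a host, pipe the real commands into the functions instead of the samples, for example summarize-dvfilter into find_sfw_filter with the VM name, and vsipioctl getrules -f <filter-name> into first_ruleset_empty.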
