How to unload policy from a particular ESX host's interface
This would have saved some hassle on the previous incident on the POC.
1. SSH into the ESX host that runs the VC VM.
2. Run `summarize-dvfilter` or `vsipioctl getfilters` to find the name of the filter that is protecting the VC VM. The filter name starts with `nic-`, such as `nic-12345-eth0-vmware-sfw.2`.
3. Run `vsipioctl getrules -f <filter-name>` to get the rulesets of the firewall. There should be two rulesets, such as domain-c7 and domain-c7_L2. The first ruleset, like domain-c7, is the one you need to remove.
4. Run `vsipioctl vsipfwcli -f <filter-name> -c "create ruleset <ruleset-name>;"` to clear the ruleset.
5. Run `vsipioctl getrules -f <filter-name>` again to get the rulesets of the firewall. The first ruleset should now be empty, without any rules.
Your VC should be online now 🙂
Then always add the vCenter VM to the exclusion list:
To prevent this situation next time, put the VC in the exclusion list ("NSX Home -> NSX Managers -> NSX Manager -> Manage -> Exclusion List").
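When several VMs share the host, picking the right filter and ruleset by eye is the error-prone part of steps 2 to 5. The helper below is an added example, not part of the original post: it parses the two command outputs to find the VC VM's filter, the non-L2 ruleset, and the rule count used for the step 5 check. The function names, the VM names and the sample outputs are constructed, and the output layout is an assumption (VM names without spaces); on a host, pipe the real command output into the functions instead.

```shell
# Constructed sample outputs (assumed layout of summarize-dvfilter / vsipioctl getrules).
SAMPLE_DVFILTER="world 1000123 vmm0:vcenter01 vcUuid:'constructed'
 port 50331660 vcenter01.eth0
  vNic slot 2
   name: nic-12345-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 1000456 vmm0:web01 vcUuid:'constructed'
 port 50331661 web01.eth0
  vNic slot 2
   name: nic-67890-eth0-vmware-sfw.2
   agentName: vmware-sfw"

SAMPLE_RULES="ruleset domain-c7 {
  # Filter rules
  rule 1001 at 1 inout protocol any from any to any drop;
}

ruleset domain-c7_L2 {
  # Filter rules
  rule 1002 at 1 inout ethertype any from any to any accept;
}"

# Step 2: print the vmware-sfw filter name(s) of VM $1 (summarize-dvfilter output on stdin).
find_sfw_filter() {
  awk -v vm="$1" '
    $1 == "world" { split($3, a, ":"); cur = a[2] }   # vmm0:<vm-name>
    $1 == "name:" && cur == vm && $2 ~ /^nic-.*vmware-sfw/ { print $2 }'
}

# Step 3: print the first ruleset that is not the _L2 one (getrules output on stdin).
l3_ruleset() {
  awk '$1 == "ruleset" && $2 !~ /_L2$/ { print $2; exit }'
}

# Step 5: count the rules inside ruleset $1; 0 means the ruleset is empty.
rule_count() {
  awk -v rs="$1" '
    $1 == "ruleset" { inside = ($2 == rs) }
    inside && $1 == "rule" { n++ }
    END { print n + 0 }'
}

filter=$(printf '%s\n' "$SAMPLE_DVFILTER" | find_sfw_filter vcenter01)
ruleset=$(printf '%s\n' "$SAMPLE_RULES" | l3_ruleset)
echo "filter=$filter ruleset=$ruleset rules=$(printf '%s\n' "$SAMPLE_RULES" | rule_count "$ruleset")"
```

On the host the equivalent calls are `summarize-dvfilter | find_sfw_filter <vc-vm-name>` and `vsipioctl getrules -f <filter-name> | rule_count <ruleset-name>`; a count of 0 after step 4 confirms the ruleset was cleared.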