The export version of Distributed Firewall must be set to 1000 on hosts before you migrate them to NSX-T Data Center. You must verify the export version and update if necessary.

This configuration is required for Maintenance migration mode. It is also required when you use the lift and shift migration approach to migrate workload VMs with vSphere vMotion.

Procedure

  • For each host, complete the following steps.
    1. Log into the command-line interface.
    2. Retrieve the Distributed Firewall filter for the host.
      [root@esxi:~] vsipioctl getfilters | grep "Filter Name" | grep "sfw.2"
         name: nic-2112467-eth0-vmware-sfw.2
         name: nic-2112467-eth1-vmware-sfw.2
         name: nic-2112467-eth2-vmware-sfw.2
      [root@esxi:~] 
    3. Use the filter information to retrieve the export version for the host.
      [root@esxi:~] vsipioctl getexportversion -f nic-2112467-eth0-vmware-sfw.2 
      Current export version: 500
      [root@esxi:~]
    4. If the version is not 1000, set the export version by using any one of the following methods:
      • Method 1: Run the vsipioctl setexportversion command.
        [root@esxi:~] vsipioctl setexportversion -f nic-2112467-eth0-vmware-sfw.2 -e 1000
      • Method 2: Disable and then enable Distributed Firewall on the cluster.

        In the vSphere Client, navigate to Networking and Security > Installation and Upgrade > Host Preparation. Select the cluster and click Actions > Disable Firewall. After the firewall is disabled, click Actions > Enable Firewall.

    5. Verify that the export version is updated.
      [root@esxi:~] vsipioctl getexportversion  -f nic-2112467-eth0-vmware-sfw.2 
      Current export version: 1000