As of NSX-T 3.2, this configuration change is a prerequisite only for lift-and-shift migrations. The export version of Distributed Firewall must be set to 1000 on hosts before you start a migration.

Procedure

  • For each host, complete the following steps.
    1. Log into the command-line interface.
    2. Retrieve the Distributed Firewall filter for the host.
      [root@esxi:~] vsipioctl getfilters | grep "Filter Name" | grep "sfw.2"
         name: nic-2112467-eth0-vmware-sfw.2
         name: nic-2112467-eth1-vmware-sfw.2
         name: nic-2112467-eth2-vmware-sfw.2
      [root@esxi:~] 
    3. Use the filter information to retrieve the export version for the host.
      [root@esxi:~] vsipioctl getexportversion -f nic-2112467-eth0-vmware-sfw.2 
      Current export version: 500
      [root@esxi:~]
    4. If the version is not 1000, set the export version by using any one of the following methods:
      • Method 1: Run the vsipioctl setexportversion command.
        [root@esxi:~] vsipioctl setexportversion -f nic-2112467-eth0-vmware-sfw.2 -e 1000
      • Method 2: Disable and then enable Distributed Firewall on the cluster.

        In the vSphere Client, navigate to Networking and Security > Installation and Upgrade > Host Preparation. Select the cluster and click Actions > Disable Firewall. After the firewall is disabled, click Actions > Enable Firewall.

    5. Verify that the export version is updated.
      [root@esxi:~] vsipioctl getexportversion  -f nic-2112467-eth0-vmware-sfw.2 
      Current export version: 1000