The export version of a Distributed Firewall (DFW) filter is a property of a vNIC. Before you start some migrations, the export version of DFW filters must be set to 1000 for the vNICs of all the VMs that will be migrated.

You must make this configuration change in the following situations:
  • You are doing a lift-and-shift migration.
  • You are doing an in-place migration and you need to manually migrate VMs from some NSX-V hosts to NSX-T hosts. Follow the procedure below to change the export version for only those NSX-V hosts before migrating the VMs.

Procedure

  1. Based on the VMs that will be migrated, determine the hosts that the VMs are running on.
  2. Perform either step 3 or step 4 below.
  3. For each host, perform the following steps to update, if necessary, the export version of DFW filters for all VM vNICs.
    Note: In https://github.com/dixonly/samples, the script updateDfwFilters.py will print out and optionally update the DFW filter's export version for the vNICs of all the VMs in a specific cluster or all clusters. Using the script can save some time if you have a large number of VMs to migrate.
    1. Log into the command-line interface.
    2. Get the DFW filter names for all the VM vNICs. For example,
      [root@esxi:~] vsipioctl getfilters | grep "Filter Name" | grep "sfw.2"
      Filter Name: nic-2112467-eth0-vmware-sfw.2
      Filter Name: nic-2112467-eth1-vmware-sfw.2
      Filter Name: nic-2112467-eth2-vmware-sfw.2
    3. For each filter, get the export version. For example,
      [root@esxi:~] vsipioctl getexportversion -f nic-2112467-eth0-vmware-sfw.2 
      Current export version: 500
    4. If the version is not 1000, set it to 1000. For example,
      [root@esxi:~] vsipioctl setexportversion -f nic-2112467-eth0-vmware-sfw.2 -e 1000
    5. Verify that the export version is updated. For example,
      [root@esxi:~] vsipioctl getexportversion  -f nic-2112467-eth0-vmware-sfw.2 
      Current export version: 1000
  4. Based on the hosts that you noted in step 1, determine the clusters that contain the hosts. For each cluster, do the following:
    From the vSphere Client, navigate to Networking and Security > Installation and Upgrade > Host Preparation. Select the cluster and click Actions > Disable Firewall. After the firewall is disabled, click Actions > Enable Firewall.