The distributed firewall enforces firewall rules on each vNic of each VM. To find which rules are effectively enforced on a VM the following commands can be used on the transport node (hypervisor) where the virtual machine is running.
For ESXi
To access the list of firewall rules we first need to find the name of the dvfilter used on the VM's network adapter. Use the following command to access the full list:
summarize-dvfilter
You can use the less pager (summarize-dvfilter | less) to be able to scroll through the output and search for what you need. (Use h for help in the less pager, for example to see how you can search through the output). The output in the image below shows the name of two network adapters for the Test-Web virtual machine.
To find the name of the filter driver for a specific VM with a single command use this command:
summarize-dvfilter | grep -i <your-vm-name> -A 3
This will do a non-case sensitive search (-i) for your virtual machine and will show the trailing three lines (-A 3) so that you will see all used network adapters for the virtual machine. The output in the image below shows the name of two network adapters for the Test-Web virtual machine. It is the same output from the previous image but because of the grep-filter only the relevant information is displayed.
The information you need from the output is the name of the filter driver that is on slot 2 of the vNic, this is always where the distributed firewall is placed.
With the following command you can access the effective firewall rules for the nic:
vsipioctl getrules -f <filter-name>
See the image below for an example based on the the Test-Web virtual machine:
For KVM
To access the list of firewall rules for a virtual machine we first need to find the ID of the VM's vNic. Use the following command to find it:
virsh dumpxml <vm-name> | grep interfaceid
Next use the ID in the following command:
ovs-appctl -t /var/run/vmware/nsx-agent/nsxa-ctl dfw/rules <ID>