11.3.1 VMware NSX Distributed Firewall General Operational Considerations
Consider the following VMware NSX distributed firewall operational guidelines:
Verify that the distributed firewall VIBs have been successfully installed on each ESXi host in the cluster. To do this, run the following command on each host:
esxcli software vib list
Verify that the vShield-Stateful-Firewall service is running. To do this, run this command:
/etc/init.d/vShield-Stateful-Firewall status
Verify that the message bus is communicating properly with the NSX Manager.
Note
The vsfwd process is launched automatically by the watchdog script, which restarts it if it terminates for an unknown reason. Run this command on each of the ESXi hosts in the cluster:
ps |grep vsfwd
Verify that port 5671 is open for communication in the firewall configuration. You can validate that there is an active message bus connection by running this command on each of the ESXi hosts in the cluster:
esxcli network ip connection list |grep 5671
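The three host-level checks above (service status, vsfwd process, message bus on port 5671) can be applied to captured command output with a small POSIX shell checker. This is an added example, not part of the original guide; the sample outputs and addresses are constructed, and the column layout assumed for esxcli network ip connection list is Proto, Recv Q, Send Q, Local Address, Foreign Address, State, World ID, CC Algo, World Name.

```shell
#!/bin/sh
# Offline checker for the DFW host checks: message bus on port 5671,
# the vsfwd process, and the vShield-Stateful-Firewall service.
# Sample outputs are constructed; on a live ESXi host pass the real output:
#   dfw_health "$(esxcli network ip connection list | grep 5671)" \
#              "$(ps | grep vsfwd)" \
#              "$(/etc/init.d/vShield-Stateful-Firewall status)"

# Constructed sample of: esxcli network ip connection list | grep 5671
SAMPLE_CONN_OK='tcp 0 0 192.0.2.21:26372 192.0.2.5:5671 ESTABLISHED 1000123 newreno vsfwd
tcp 0 0 192.0.2.21:26380 192.0.2.5:5671 TIME_WAIT 0 newreno'
# Same host after the bus dropped: only a lingering TIME_WAIT entry remains.
SAMPLE_CONN_BAD='tcp 0 0 192.0.2.21:26380 192.0.2.5:5671 TIME_WAIT 0 newreno'

# Constructed sample of: ps | grep vsfwd (the grep itself shows up too)
SAMPLE_PS='1000123 1000123 vsfwd /usr/lib/vmware/vsfw/bin/vsfwd
1000130 1000130 grep grep vsfwd'

# Constructed sample of: /etc/init.d/vShield-Stateful-Firewall status
SAMPLE_STATUS='vShield-Stateful-Firewall is running'

# 0 if at least one ESTABLISHED connection to remote port 5671 exists.
# A TIME_WAIT or SYN_SENT line alone does not mean the bus is up.
bus_connected() {
    printf '%s\n' "$1" |
        awk '$5 ~ /:5671$/ && $6 == "ESTABLISHED" { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# 0 if a real vsfwd process is listed (ignoring the grep that found it).
vsfwd_running() {
    printf '%s\n' "$1" | grep -v 'grep' | grep -q 'vsfwd'
}

# 0 if the init script reports the service as running.
service_running() {
    printf '%s\n' "$1" | grep -q 'is running'
}

# Run all checks, print PASS/FAIL per check, return the number of failures.
dfw_health() {
    fails=0
    bus_connected "$1"   && echo "PASS message bus 5671" || { echo "FAIL message bus 5671"; fails=$((fails+1)); }
    vsfwd_running "$2"   && echo "PASS vsfwd process"    || { echo "FAIL vsfwd process";    fails=$((fails+1)); }
    service_running "$3" && echo "PASS vShield service"  || { echo "FAIL vShield service";  fails=$((fails+1)); }
    return "$fails"
}

dfw_health "$SAMPLE_CONN_OK" "$SAMPLE_PS" "$SAMPLE_STATUS"
```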
Verify that the firewall rules have been deployed on a host and are being applied to virtual machines as follows:
a. Log in as root to the ESXi host through SSH.
b. Run the summarize-dvfilter command.
c. Run the vsipioctl getfwrules -f <name> command, where <name> is the virtual machine's filter name as listed in the summarize-dvfilter output.
d. Run the vsipioctl getaddrsets -f <name> command.
Note  
Verify that VMware Tools is running on the virtual machines if firewall rules do not use IP addresses. For more information, see Distributed Firewall Rules in VMware NSX for vSphere 6.0.x continues to apply with virtual machines even if VMware Tools is stopped or removed (2084048) at http://kb.vmware.com/kb/2084048.
The distributed firewall is activated as soon as the host preparation process is completed. If a virtual machine needs no distributed firewall service at all, it can be added to the exclusion list (by default, NSX Manager, NSX Controllers and NSX Edge services gateways are automatically excluded from the distributed firewall function). Creating a Deny All rule in the distributed firewall can block access to vCenter Server.
For more information, see vCenter Server access gets blocked after creating a Deny All rule in NSX Distributed Firewall (DFW) (2079620) at http://kb.vmware.com/kb/2079620.