The new VMware Docs page has a cheatsheet of CLI commands but here’s what you need to list the rules enforced on a VMs vnic.
SSH to NSX Manager
{Note that you can enable SSH if needed from the “Summary” page of the appliance config page – but not from the Web Client.}
show cluster all (to get the cluster IDs)
manager> show cluster all No. Cluster Name Cluster Id Datacenter Name Firewall Status 1 NSXCluster domain-c7 Datacenter Enabled
show cluster <cluster-id> (to get the host IDs)
manager> show cluster domain-c7 Datacenter: Datacenter Cluster: NSXCluster No. Host Name Host Id Installation Status 1 esxitwo.corp.local host-21 Enabled 2 esxione.corp.local host-10 Enabled
show host <host-id> to get the VM IDs
manager> show host host-21 Datacenter: Datacenter Cluster: NSXCluster Host: esxitwo.corp.local No. VM Name VM Id Power Status 1 VMware vRealize Network Insight Platform vm-144 off 2 TinyOne vm-52 off 3 VMware vRealize Network Insight Proxy vm-145 off 4 Tiny10 vm-203 off 5 NSX_Controller_5d671e3b-91ca-4351-9c1b-e13277d873f7 vm-124 on
show vm <vm-id> to get the filters list
manager> show vm vm-60 Datacenter: Datacenter Cluster: NSXCluster Host: esxione.corp.local Host-ID: host-10 VM: Tiny10 Virtual Nics List: 1. Vnic Name Tiny10 - Network adapter 1 Vnic Id 5039be1d-ac25-cdda-5d37-2f5435146776.000 Filters nic-650978-eth0-vmware-sfw.2
what you want is the Filters nic-650978-eth0-vmware-sfw.2 as that with the host ID will get you the rules.
show dfw host <host-ID filter <filterID> rules
manager> show dfw host host-10 filter nic-650978-eth0-vmware-sfw.2 rules ruleset domain-c7 { # Filter rules rule 1006 at 1 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 443 accept; rule 1006 at 2 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 80 accept; rule 1005 at 3 inout protocol tcp from any to addrset ip-securitygroup-10 port 22 accept; rule 1003 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept; rule 1003 at 5 inout protocol ipv6-icmp icmptype 135 from any to any accept; rule 1002 at 6 inout protocol udp from any to any port 68 accept; rule 1002 at 7 inout protocol udp from any to any port 67 accept; rule 1001 at 8 inout protocol any from any to any accept; } ruleset domain-c7_L2 { # Filter rules rule 1004 at 1 inout ethertype any from any to any accept; }
show dfw host <host-ID filter <filterID> addrsets
manager> show dfw host host-10 filter nic-650978-eth0-vmware-sfw.2 addrsets addrset ip-securitygroup-10 { } addrset ip-securitygroup-13 { ip 192.168.100.20, ip 192.168.182.128, ip 192.168.182.197, ip 192.168.182.198, ip fe80::250:56ff:feb9:db4d, }
Note that powered off VMs won’t be included in the addrsets, neither will the VM’s own IP address even if its in the group.