VMware vSphere SDKs and Tools 6.5

8.0 7.0 6.7 6.5

Manage the
Firewall

To minimize the risk of an attack through the management interface,
includes a firewall between the management interface and the network.
To ensure the integrity of the host, only a small number of firewall ports are open by default. The
vSphere Security
 documentation explains how to set up firewalls for your environment and which ports you might have to temporarily enable for certain traffic.
You manage firewalls by setting up firewall rulesets.
vSphere Security
 documentation explains how to perform these tasks with the
. You can also
use esxcli network firewall
 to manage firewall rulesets and to retrieve information about them. Specify one of the options listed in Connection Options for vCLI Host Management Commands in place of
<conn_options>
.
  1. Check firewall status and sshServer ruleset status. 
    esxcli <conn_options> network firewall get


    Default Action: DROP
Enabled: true
Loaded: true
    

esxcli <conn_options> network firewall ruleset list --ruleset-id sshServer


    Name       Enabled
---------  -------
sshServer     true
  2. Enable the sshServer ruleset if it is disabled. 
    esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --enabled true
  3. Obtain access to the
    and check the status of the
    allowedAll
     flag. 
    esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer


    Ruleset    Allowed IP Addresses
---------  --------------------
sshServer  All
    See
    Getting Started with vSphere Command-Line Interfaces
     for information on accessing the
    .
  4. Set the status of the
    allowedAll
     flag to
    false
    . 
    esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --allowed-all false
  5. Add the list of allowed IP addresses. 
    esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.1.0/24
esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.10.10
  6. Check the allowed IP address list. 
    esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer


    Ruleset    Allowed IP Addresses
---------  -----------------------------
sshServer  192.XXX.10.10, 192.XXX.1.0/24

Content feedback and comments