VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Manage the
ESXi
 Firewall

To minimize the risk of an attack through the management interface,
ESXi
 includes a firewall between the management interface and the network.
To ensure the integrity of the host, only a small number of firewall ports are open by default. The
vSphere Security
 documentation explains how to set up firewalls for your environment and which ports you might have to temporarily enable for certain traffic.
You manage firewalls by setting up firewall rulesets. The
vSphere Security
 documentation explains how to perform these tasks by using the
vSphere Client
. You can also
use esxcli network firewall
 to manage firewall rulesets and to retrieve information about them. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of
<conn_options>
.
  1. Check firewall status and sshServer ruleset status. 
    esxcli <conn_options> network firewall get


    Default Action: DROP
Enabled: true
Loaded: true
    

esxcli <conn_options> network firewall ruleset list --ruleset-id sshServer


    Name       Enabled
---------  -------
sshServer     true
  2. Enable the sshServer ruleset if it is disabled. 
    esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --enabled true
  3. Obtain access to the
    ESXi Shell
     and check the status of the
    allowedAll
     flag. 
    esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer


    Ruleset    Allowed IP Addresses
---------  --------------------
sshServer  All
    See
    Getting Started with ESXCLI
     for information on accessing the
    ESXi Shell
    .
  4. Set the status of the
    allowedAll
     flag to
    false
    . 
    esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --allowed-all false
  5. Add the list of allowed IP addresses. 
    esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.1.0/24
esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.10.10
  6. Check the allowed IP address list. 
    esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer


    Ruleset    Allowed IP Addresses
---------  -----------------------------
sshServer  192.XXX.10.10, 192.XXX.1.0/24

Content feedback and comments