ESXi Firewall – How to secure an ESXi host by allowing only certain IP addresses or IP ranges. After a fresh installation of ESXi, the host's firewall isn't configured with the best possible security for your environment. You usually adapt it to your own environment in order to secure those ESXi servers even more.
The ESXi firewall is a full-blown, built-in firewall. It sits between the management interface and the network. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic except traffic for the default services, such as DNS, DHCP, port 80 and so on. You can find all the default open ports in the online user guide here: TCP and UDP Ports for Management Access.
A new video on VMware Techpubs teaches you how to add an IP address (or range) to the list of allowed IP addresses that can access the host's services. You'll see that it can easily be done through the vSphere client, but it can also be done remotely via the CLI.
Through the vSphere client it's a two or three click process.
ESXi Firewall – How to add allowed IP addresses to the ESXi Firewall through the vSphere client:
01. Select your ESXi host and click the Configuration tab.
02. Click Firewall Properties and select the service in the Firewall Properties dialog.
03. Click the Firewall button and, in the dialog box, enter the IP address or range of IP addresses, separated by commas. (Note: you can also enter IP addresses in IPv6 format.)
By default the ESXi Firewall is enabled.
There is also a way to configure the firewall rules and add allowed IP address(es) to the ESXi firewall through the command line.
ESXi Firewall – How to Add Allowed IP addresses through the CLI:
Step 0: List the rule sets already configured: esxcli network firewall ruleset list
Step 1: Turn off the "allowed all" flag on the rule set (false restricts it to the allowed IP list; true re-opens it to any source): esxcli network firewall ruleset set -a=false -r=fdm
Step 2: Add the IP address to the rule set's allowed list:
esxcli network firewall ruleset allowedip add -i=10.10.7.20 -r=fdm
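The two CLI steps above, as an added example script that is not from the original post or from VMware: a POSIX sh helper that validates each source address, clears the rule set's "allowed all" flag and then adds the sources, using the page's esxcli option syntax (-a=false, -i=<address>, -r=<rule set>). The names valid_ipv4, build_commands and restrict_ruleset are chosen here. On a machine without esxcli the script only prints the commands it would run, so they can be reviewed before being applied on a host.

```shell
#!/bin/sh
# Added example (not from the original post): restrict an ESXi firewall rule
# set to a list of source addresses, following the Step 1 / Step 2 sequence.
# Uses the page's esxcli syntax (-a=false, -i=<addr>, -r=<ruleset>). Runs in
# the ESXi shell (busybox sh); without esxcli it only prints the commands.

# Accept a plain IPv4 address or an IPv4 CIDR range (a.b.c.d or a.b.c.d/n).
# Hypothetical helper: esxcli validates input itself, but rejecting a typo
# here avoids leaving a rule set half-applied.
valid_ipv4() {
    local addr prefix o old_ifs
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/n" given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                                # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the esxcli commands that restrict rule set $1 to the sources $2..$n:
# first clear "allowed all", then add each source, then list the result.
build_commands() {
    local rs src
    rs=$1; shift
    echo "esxcli network firewall ruleset set -a=false -r=$rs"
    for src in "$@"; do
        echo "esxcli network firewall ruleset allowedip add -i=$src -r=$rs"
    done
    echo "esxcli network firewall ruleset allowedip list -r=$rs"
}

# Validate every source, then apply (or, without esxcli, show) the commands.
restrict_ruleset() {
    local rs src
    rs=$1; shift
    [ $# -ge 1 ] || { echo "usage: restrict_ruleset <ruleset> <ip|cidr>..." >&2; return 2; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "rejected malformed source: $src" >&2; return 2; }
    done
    if command -v esxcli >/dev/null 2>&1; then
        build_commands "$rs" "$@" | sh -e
    else
        echo "# esxcli not found, dry run; commands that would be executed:"
        build_commands "$rs" "$@"
    fi
}

# Stand-alone use: sh restrict_ruleset.sh fdm 10.10.7.20 10.10.8.0/24
if [ $# -ge 2 ]; then
    restrict_ruleset "$@"
fi
```

One caveat worth remembering: if the rule set you restrict is the one your own session depends on (sshServer or vSphereClient), include the address you are connecting from in the list, otherwise the host drops your session as soon as the flag is cleared.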
ESXi Firewall Commands:
esxcli network firewall get - Returns the enabled or disabled status of the ESXi firewall and lists the default actions.
esxcli network firewall set --default-action - Update the default actions.
esxcli network firewall set --enabled - Enable or disable the ESXi firewall.
esxcli network firewall load - Load the ESXi firewall module and rule set configuration files.
esxcli network firewall refresh - Refresh the ESXi firewall configuration by re-reading the rule set files, if the firewall module is loaded.
esxcli network firewall unload - Destroy the filters and unload the firewall module.
esxcli network firewall ruleset list - List rule set information from the ESXi firewall.
esxcli network firewall ruleset set --allowed-all - Set the allowed-all flag (true lets any address reach the rule set, false limits it to the allowed IP list).
esxcli network firewall ruleset set --enabled - Enable or disable the specified rule set on the ESXi firewall.
esxcli network firewall ruleset allowedip list - List the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip add - Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove - Remove access to the rule set from the specified IP address or range of IP addresses.
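As an added example that is not part of the original post, the audit below combines two of the commands from the reference above to find rule sets that are enabled but still accept connections from any address, which is the state the allowed-IP list is meant to remove. The sample tables are constructed to mimic the two-column output of "ruleset list" and "ruleset allowedip list"; the names exposed_rulesets and audit_firewall are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): audit which ESXi firewall rule
# sets are both enabled and still open to any source address, by combining
# the output of "esxcli network firewall ruleset list" and
# "esxcli network firewall ruleset allowedip list".
# The SAMPLE_* strings are constructed to mimic the two-column table layout
# of those commands so the audit can be tried where esxcli is not installed.

SAMPLE_RULESETS='Name           Enabled
-------------  -------
sshServer      true
vSphereClient  true
fdm            false
dhcp           true'

SAMPLE_ALLOWED='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  10.10.7.0/24, 10.10.8.5
fdm            All
dhcp           All'

# exposed_rulesets <ruleset list output> <allowedip list output>
# Prints rule sets that are enabled AND whose allowed list is "All".
# A disabled rule set with "All" (fdm in the sample) is not reported:
# nothing is listening behind it.
exposed_rulesets() {
    local enabled
    # skip the two header lines, keep names whose Enabled column is true
    enabled=$(printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }')
    printf '%s\n' "$2" | awk -v en="$enabled" '
        BEGIN { n = split(en, arr, "\n"); for (i = 1; i <= n; i++) on[arr[i]] = 1 }
        NR > 2 && $2 == "All" && ($1 in on) { print $1 }'
}

# Run the audit against the live host when esxcli exists, else the samples.
# Returns 1 when at least one enabled rule set has no source restriction.
audit_firewall() {
    local rs al hits
    if command -v esxcli >/dev/null 2>&1; then
        rs=$(esxcli network firewall ruleset list)
        al=$(esxcli network firewall ruleset allowedip list)
    else
        rs=$SAMPLE_RULESETS
        al=$SAMPLE_ALLOWED
    fi
    hits=$(exposed_rulesets "$rs" "$al")
    if [ -n "$hits" ]; then
        echo "enabled rule sets reachable from any source address:"
        echo "$hits" | sed 's/^/  /'
        return 1
    fi
    echo "all enabled rule sets are limited to listed sources"
}

# Stand-alone use: sh audit_firewall.sh audit
case "${1:-}" in
    audit) audit_firewall ;;
esac
```

Run on a schedule, a non-zero exit from audit_firewall is a cheap drift check: a rule set that someone re-enabled or switched back to allowed-all shows up without having to read the tables by hand.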
ESXi Firewall – Adding Allowed IP Addresses to the ESXi Firewall
Interesting KB: ESXi Firewall – kb.vmware.com/kb/2005284
Interesting PDF: Secure ESXi host – https://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf
The ESXi Firewall was a post published on ESX Virtualization
Enjoy… -:)
Hopefully this chapter will help you to study towards VMware VCP-DCV Certification based on vSphere 8.x. Find other chapters on the main page of the guide – VCP8-DCV Study Guide Page.
Stan says
Hello and thank you for this article. I have a question. I installed ESXi and built 4 virtual servers on it. If I use the ESXi firewall, do I need to turn off the Windows Server 2012 firewalls on these virtual servers? As you can see, I'm not sure; I'm still studying and cannot figure this out. Thank you. S
Nathan says
Thanks for this article. Keep up the good work. I am experiencing a problem with my newly installed ESXi 6.
I installed ESXi 6.0 on my HP ProLiant server. I set the root password during the installation process. The problem now is that I am unable to log in through the vSphere client with the same password, even though the username and password were both correct. I keep getting the following message:
Cannot complete login due to an incorrect username or password.
Please I need your help. I have contacted VMware but they can’t help because I haven’t got a support contract. This problem is stopping me from moving on with my CCIE studies.
I look forward to hearing from you.
Thanks
Vladan SEGET says
Perhaps you used a different language keyboard during the installation? The fastest would be to reinstall the host… Otherwise there is a way to reset the password via host profiles.
Best luck
Patrick says
Hello,
Is it also possible to enter a DynDNS name into the firewall settings? Did you try that?
And another question:
For example I have the following network topology:
Windows 10 (VM) IP: 192.168.100.10 –> pfsense –> ESXi –> WAN
What if I have a hosted ESXi with a public IP, as described above: can I enter a private IP address in the firewall settings, like “192.168.100.0/24”, and connect from the Win10 VM to the ESXi host and manage it?
I would be glad if you replied!