How to configure and administer the ESXi firewall

Securing ESXi and vCenter servers is an essential part of any virtual infrastructure administrator’s responsibilities.

VMware provides several features to protect these servers, including granular permissions, directory-based authentication, a firewall, virtual switch layer 2 security settings, and more.

Knowing what these features can do and how to use them is essential to administering ESXi and vCenter environments.

Some years ago only ESX came with a firewall, but with vSphere 5 VMware added a firewall to ESXi 5 as well.

First of all, we need to look at the security configuration of the ESXi host.
It includes a firewall between the management interface and the network; management access itself is provided through a VMkernel network adapter (vmknic).
The firewall is enabled by default and blocks all traffic by default, except the traffic needed by the enabled management services.

Let's start managing the host firewall by disabling the NTP Client. Open the vSphere Web Client and select Hosts and Clusters from the Home menu:

Choose the ESXi Host:

Press Manage, then Settings, expand the System section and choose Security Profile:

Here we can see the list of management services in the Incoming and Outgoing tabs, including their TCP and UDP ports:

Locate the NTP Client entry in the Outgoing Connections list:

Press Edit:

Scroll down to the NTP Client entry in the Name column and deselect it:

Review the Outgoing Connections list and verify that the NTP Client is no longer listed there:

Go back to Edit Security Profile by pressing Edit, scroll down and select NTP Client, and verify that its status shows Stopped:

At this point, you have seen the steps for disabling the NTP Client. The same process can be used for other services in the ESXi firewall as well.

Now enable the NTP Client again, deselect Allow connections from any IP address, and specify the IP address or subnet used by the vCenter Server management interface (e.g. for the address 192.168.2.105 with subnet mask 255.255.255.0, specify 192.168.2.0/24).

Adding multiple networks is supported:

You can review the resulting security policy in the Outgoing Connections list:

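The same procedure can be scripted from the ESXi Shell (or over SSH) with esxcli, which is handy when many hosts have to be configured consistently. The script below is an added example and is not part of the original article: it disables the NTP Client ruleset, re-enables it restricted to the vCenter management subnet used above (192.168.2.0/24), and includes a small audit helper that parses the table printed by `esxcli network firewall ruleset list`. The esxcli ruleset id for the NTP Client service is `ntpClient`; the `ESXCLI_DRY_RUN` variable and the sample ruleset table are constructed for this example so that the logic can be reviewed off-host.

```shell
#!/bin/sh
# Added example (not from the original article): ESXi firewall changes for the
# NTP Client ruleset via esxcli, plus an audit helper.
# ESXCLI_DRY_RUN=1 (the default here) prints the esxcli commands instead of
# running them; on an ESXi host run with ESXCLI_DRY_RUN=0.

ESXCLI_DRY_RUN="${ESXCLI_DRY_RUN:-1}"
RULESET="${RULESET:-ntpClient}"                # esxcli id of the "NTP Client" service
ALLOWED_NET="${ALLOWED_NET:-192.168.2.0/24}"   # vCenter management subnet from the article

# run: execute a command, or only print it in dry-run mode
run() {
    if [ "$ESXCLI_DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# disable_ruleset: same effect as unticking the service in Security Profile
disable_ruleset() {
    run esxcli network firewall ruleset set --ruleset-id="$1" --enabled=false
}

# restrict_ruleset: re-enable the service, clear "Allow connections from any
# IP address" and allow only the given network(s); several may be passed.
restrict_ruleset() {
    rs="$1"; shift
    run esxcli network firewall ruleset set --ruleset-id="$rs" --enabled=true
    run esxcli network firewall ruleset set --ruleset-id="$rs" --allowed-all=false
    for net in "$@"; do
        run esxcli network firewall ruleset allowedip add --ruleset-id="$rs" --allowed-ip="$net"
    done
}

# ruleset_enabled: read the "Name  Enabled" table of
# 'esxcli network firewall ruleset list' on stdin and print true/false for
# the requested ruleset; exit status 1 if the ruleset is not in the table.
ruleset_enabled() {
    awk -v rs="$1" '$1 == rs { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# harden_ntp_client: the full sequence described in the article
harden_ntp_client() {
    disable_ruleset "$RULESET"
    restrict_ruleset "$RULESET" "$ALLOWED_NET"
}

# Constructed sample of the ruleset list output, used for an offline audit.
SAMPLE_LIST='Name                    Enabled
----------------------  -------
sshServer                  true
sshClient                 false
ntpClient                 false
vpxHeartbeats              true'

# Stand-alone run: show the commands, then audit the sample table.
harden_ntp_client
printf '%s enabled: %s\n' "$RULESET" "$(echo "$SAMPLE_LIST" | ruleset_enabled "$RULESET")"
```

On a live host, `esxcli network firewall ruleset list | ruleset_enabled ntpClient` gives the current state of the service, and `esxcli network firewall ruleset allowedip list --ruleset-id=ntpClient` shows the networks that were allowed, which is the command-line counterpart of reviewing the Outgoing Connections list in the Web Client.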