
Manage an ESXi firewall with PowerCLI and ESXCLI

Regardless of whether you prefer ESXCLI or PowerCLI, learning to manage firewalls via the command line can save you time when making changes to firewalls on multiple hosts.

When making ESXi firewall changes to many hosts at once, using PowerCLI or ESXCLI is more efficient than managing them one by one.

For one-off tasks, the vSphere Web Client can be useful. For users who prefer not to go through the comparatively lengthy process of logging in through a web browser, though, the command line is king.

In vSphere, workloads run on ESXi hosts. Securing ESXi hosts should be a primary objective for any organization, so you must determine which ports to allow in and out of the firewall on those hosts. VMware has certain ports open by default so normal communication can occur between the hosts, vCenter and storage.

For Windows or PowerShell users, PowerCLI is the best option for managing ESXi hosts and vSphere in general. VMware recommends using PowerCLI for automation purposes to simplify massive changes.

View ESXi firewall configurations

When using PowerCLI, connect to vCenter first so you can then connect to any ESXi host or VM without authenticating again.

C:\> Connect-VIServer vcenter

Name                           Port  User
----                           ----  ----
vcenter                        443   DOMAIN\admin

From there, to view all of the current exceptions on the ESXi firewall, you can run the cmdlet Get-VMHostFirewallException and specify a hostname.

Running this command returns a lot of useful information: the names of the services, whether each rule is enabled, the incoming and outgoing ports, the protocols used and whether the service behind the rule is currently running.

A handy parameter for this cmdlet is -Enabled; passing -Enabled $true filters out any ESXi firewall rule that is not currently enabled.

Set ESXi firewall configurations

To enable or disable ESXi firewall rules on a host, use the Set-VMHostFirewallException cmdlet.

You can use the Get-VMHostFirewallException cmdlet to specify the Secure Shell (SSH) client service and then pipe that to Set-VMHostFirewallException to enable that exception.

You can also automate the opening of the SSH server port with PowerCLI on all your ESXi hosts by first placing all of the SSH server exceptions into the variable $Exceptions and then piping that to Set-VMHostFirewallException.
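The following script is an added example, not code from the original article, that puts the two PowerCLI steps above together: it audits the enabled exceptions on every connected host and then enables the SSH Server exception wherever it is off. It assumes a vCenter named vcenter, a host connection state of Connected, and the PowerCLI display names 'SSH Server' for the exception; the report columns are properties of the object Get-VMHostFirewallException returns.

```powershell
# Added example (not from the original article): audit enabled firewall
# exceptions on every host, then enable the SSH Server exception where needed.
# Assumes a vCenter named 'vcenter' and PowerCLI already installed.
Connect-VIServer -Server vcenter

# Only touch hosts that vCenter can actually reach.
$hosts = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }

# 1. Report: which exceptions are enabled on each host, and which of those
#    also have a running service listening behind the open port.
$report = foreach ($h in $hosts) {
    Get-VMHostFirewallException -VMHost $h -Enabled $true |
        Select-Object @{ N = 'Host'; E = { $h.Name } },
                      Name, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning
}
$report | Sort-Object Host, Name | Format-Table -AutoSize

# 2. Collect the SSH Server exception from every host into $Exceptions,
#    then pipe only the disabled ones to Set-VMHostFirewallException.
$Exceptions = Get-VMHostFirewallException -VMHost $hosts -Name 'SSH Server'
$Exceptions | Where-Object { -not $_.Enabled } |
    Set-VMHostFirewallException -Enabled $true

# 3. Verify the change on each host.
Get-VMHostFirewallException -VMHost $hosts -Name 'SSH Server' |
    Select-Object VMHost, Name, Enabled, IncomingPorts |
    Format-Table -AutoSize
```

Step 1 is worth keeping as a standing check: an enabled exception whose service is not running is an open port nobody is using, and the ServiceRunning column makes those easy to spot. Set-VMHostFirewallException supports -WhatIf, so the same pipeline can be dry-run before it changes anything.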

Use the ESXCLI command line

Linux administrators or non-PowerShell users might prefer the ESXCLI command line to run commands when needed.

With ESXCLI, begin by connecting to the ESXi hosts via SSH.

Dans-MacBook-Pro:~ dan$ ssh root@VMHost-1
Password:

Next, use the same exception you used in PowerCLI, which is for the SSH server. To do this, make sure you use the ruleset namespace. Otherwise, ESXCLI will attempt to work with the entire ESXi firewall instead of the individual exceptions.

[root@VMHost-1:~] esxcli network firewall ruleset list | grep 'sshServer'
sshServer                  true

In the example, the exception is enabled, offering access to the host on port 22. Because you are connected over that port, disabling this exception would cut off your own session, so choose another rule for the next example: updateManager.

[root@VMHost-1:~] esxcli network firewall ruleset set --enabled true --ruleset-id updateManager
[root@VMHost-1:~] esxcli network firewall ruleset list | grep 'updateManager'
updateManager              true

ESXCLI can also restrict an exception to specific source IP addresses, which the PowerCLI firewall cmdlets can't do. If you want to restrict access to the updateManager exception to the 172.16.0.0/24 network, begin by disallowing all IP addresses by setting --allowed-all to false:

[root@VMHost-1:~] esxcli network firewall ruleset set --allowed-all false --ruleset-id=updateManager

Then, run allowedip add with the IP address range.

[root@VMHost-1:~] esxcli network firewall ruleset allowedip add --ip-address=172.16.0.0/24 --ruleset-id=updateManager

Use ESXCLI via PowerCLI

An additional option for working with ESXi firewalls is to use ESXCLI through PowerCLI via the cmdlet Get-ESXCLI. This cmdlet exposes ESXCLI functionality in PowerCLI.

To work with this feature, start by placing an ESXi host into a variable.

C:\> $VMHost = Get-ESXCLI -VMHost VMhost-1

Then you can view current ESXi firewall rules by invoking a list method on the firewall.
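As an added example, not code from the original article, the script below uses Get-EsxCli with the -V2 interface to list the rulesets and then carries out the same allowed-IP restriction on updateManager that the ESXCLI section above performs by hand, so the two procedures can be compared side by side. It assumes an existing vCenter session, a host named VMHost-1, and the V2 convention that each CreateArgs() hashtable uses the ESXCLI option names with their dashes removed (rulesetid, enabled, allowedall, ipaddress); the Ruleset property used in the final filter is also an assumption about the list output.

```powershell
# Added example (not from the original article): use ESXCLI through PowerCLI
# (Get-EsxCli -V2) to list firewall rulesets and restrict the updateManager
# exception to the 172.16.0.0/24 network. Assumes a vCenter session and a
# host named VMHost-1.
$esxcli = Get-EsxCli -VMHost (Get-VMHost -Name 'VMHost-1') -V2

# Equivalent of 'esxcli network firewall ruleset list'.
$esxcli.network.firewall.ruleset.list.Invoke() |
    Select-Object Name, Enabled | Format-Table -AutoSize

# Make sure the updateManager ruleset is enabled. CreateArgs() returns a
# hashtable whose keys are assumed to mirror the ESXCLI options without dashes.
$setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
$setArgs.rulesetid = 'updateManager'
$setArgs.enabled   = $true
$esxcli.network.firewall.ruleset.set.Invoke($setArgs)

# Stop accepting the rule from all addresses (--allowed-all false) ...
$setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
$setArgs.rulesetid  = 'updateManager'
$setArgs.allowedall = $false
$esxcli.network.firewall.ruleset.set.Invoke($setArgs)

# ... and allow only the 172.16.0.0/24 range (allowedip add).
$addArgs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$addArgs.rulesetid = 'updateManager'
$addArgs.ipaddress = '172.16.0.0/24'
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($addArgs)

# Verify which addresses the ruleset now accepts. The 'Ruleset' property
# name is assumed from the esxcli column heading.
$esxcli.network.firewall.ruleset.allowedip.list.Invoke() |
    Where-Object { $_.Ruleset -eq 'updateManager' }
```

Do the allowed-all step before the allowedip add, as the ESXCLI section does: once allowedall is false, the rule accepts nothing until an address range is added, so perform both on a rule you are not relying on for your own connection. If a key name is rejected, inspect the hashtable that CreateArgs() returns to see the names the installed ESXCLI version actually expects.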
