When making ESXi firewall changes to many hosts at once, using PowerCLI or ESXCLI is more efficient than managing them one by one.
For one-off tasks, the vSphere Web Client can be useful. For users who prefer not to go through the comparatively lengthy process of logging in through a web browser, though, the command line is king.
In vSphere, workloads run on ESXi hosts, so securing those hosts should be a primary objective for any organization, and that starts with knowing which ports the host firewall allows in and out. VMware leaves certain ports open by default so that normal communication between hosts, vCenter and storage works; every exception beyond those defaults should be deliberate, documented and closed again when it is no longer needed.
View ESXi firewall configurations
When using PowerCLI, connect to vCenter first; once that session exists, the cmdlets can reach any ESXi host or VM that vCenter manages without a separate login to each host.
C:\> Connect-VIServer vcenter
Name Port User
---- ---- ----
vcenter 443 DOMAIN\admin
From there, to view all of the current exceptions on an ESXi host's firewall, run the cmdlet Get-VMHostFirewallException and pass the host (by name or as a host object) to its -VMHost parameter.
Running this command returns a lot of useful information: the name of each service, whether its rule is enabled, the incoming and outgoing ports, the protocols used and whether the service is currently running. An enabled rule whose service is not running deserves a second look, because it is an opening with nothing legitimate behind it.
A handy parameter for this cmdlet is -Enabled: with -Enabled $true it returns only the rules that are currently switched on, and with -Enabled $false only the ones that are off.
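The following is an added example, not code from the original article: it turns the single-host query above into a fleet-wide audit. It assumes an existing Connect-VIServer session to vCenter; the baseline list of expected rules and the CSV path are illustrative and should be replaced with your own.

```powershell
# Added example: audit the enabled ESXi firewall exceptions on every host
# managed by the connected vCenter and flag anything outside a baseline.
# Assumes Connect-VIServer has already been run.

# Rules you expect to find enabled on a hardened host (illustrative baseline).
$Baseline = @(
    'DHCP Client', 'DNS Client', 'NTP Client', 'vSphere Web Client',
    'vMotion', 'NFS Client', 'SSH Server'
)

$Report = foreach ($VMHost in Get-VMHost | Sort-Object Name) {
    # -Enabled $true returns only the rules that are currently switched on.
    Get-VMHostFirewallException -VMHost $VMHost -Enabled $true | ForEach-Object {
        [pscustomobject]@{
            VMHost         = $VMHost.Name
            Rule           = $_.Name
            IncomingPorts  = $_.IncomingPorts
            OutgoingPorts  = $_.OutgoingPorts
            Protocols      = $_.Protocols
            # An open rule whose service is not running is an opening with
            # nothing behind it and a candidate for disabling.
            ServiceRunning = $_.ServiceRunning
            InBaseline     = ($Baseline -contains $_.Name)
        }
    }
}

# Show the findings a reviewer cares about first: rules outside the baseline,
# and rules that are open while their service is stopped.
$Report |
    Where-Object { -not $_.InBaseline -or -not $_.ServiceRunning } |
    Format-Table VMHost, Rule, IncomingPorts, Protocols, ServiceRunning, InBaseline -AutoSize

# Keep the full picture for change tracking (path is an assumption).
$Report | Export-Csv -Path .\esxi-firewall-audit.csv -NoTypeInformation
```

Run it before and after a change window and diff the two CSVs; a rule that appears in the second file but not the first is either a change you made on purpose or one you need to explain.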
Set ESXi firewall configurations
To enable or disable ESXi firewall rules on a host, use the Set-VMHostFirewallException cmdlet.
You can use Get-VMHostFirewallException to select the Secure Shell (SSH) client exception (named SSH Client) and pipe the result to Set-VMHostFirewallException -Enabled $true to enable it.
You can also open the SSH server port on all of your ESXi hosts in one pass: collect every host's SSH Server exception into a variable such as $Exceptions and pipe that to Set-VMHostFirewallException. Remember to disable the exception again once the maintenance that needed it is done; an SSH server left reachable on every host is exactly the kind of exposure the firewall exists to prevent.
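As an added example (not the article's own code), here is that fleet-wide procedure carried through to its end: preview with -WhatIf, open SSH Server only where it is closed, and close it again afterwards on exactly those hosts. It assumes an existing Connect-VIServer session.

```powershell
# Added example: open the SSH Server exception on every host for a
# maintenance window, then close it again on the hosts we opened.
# Assumes Connect-VIServer has already been run.

# Preview first. -WhatIf lists the hosts that would change without touching them.
Get-VMHost | Get-VMHostFirewallException -Name 'SSH Server' |
    Where-Object { -not $_.Enabled } |
    Set-VMHostFirewallException -Enabled $true -WhatIf

# Apply. Keep the returned exception objects so we know which hosts we changed;
# hosts where SSH Server was already enabled are left alone and not recorded.
$Opened = Get-VMHost | Get-VMHostFirewallException -Name 'SSH Server' |
    Where-Object { -not $_.Enabled } |
    Set-VMHostFirewallException -Enabled $true

Write-Host ("Opened SSH Server on {0} host(s): {1}" -f @($Opened).Count, (($Opened.VMHost.Name) -join ', '))

# ... maintenance work over SSH happens here ...

# Close only what we opened. Hosts that had SSH Server enabled before keep it,
# because that state was someone else's decision, not this script's.
if ($Opened) {
    $Opened | Set-VMHostFirewallException -Enabled $false | Out-Null
}

# Verify the end state across the fleet.
Get-VMHost | Get-VMHostFirewallException -Name 'SSH Server' |
    Select-Object @{ n = 'VMHost'; e = { $_.VMHost.Name } }, Name, Enabled |
    Format-Table -AutoSize
```

Note that the firewall exception and the SSH service are separate: opening the rule does not start sshd, and stopping sshd does not close the rule. Manage the service with Start-VMHostService / Stop-VMHostService alongside this, and treat a rule that stays open after the service is stopped as a finding.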
Use the ESXCLI command line
Linux administrators or non-PowerShell users might prefer the ESXCLI command line to run commands when needed.
With ESXCLI, begin by connecting to the ESXi host over SSH (which requires the SSH service and its firewall rule to be enabled on that host; the same commands also work from the host's local shell).
Dans-MacBook-Pro:~ dan$ ssh root@VMHost-1
Next, work with the same exception you used in PowerCLI, the SSH server (ruleset ID sshServer). Make sure you use the ruleset namespace, esxcli network firewall ruleset: the parent namespace, esxcli network firewall, operates on the firewall as a whole rather than on individual exceptions.
[root@VMHost-1:~] esxcli network firewall ruleset list | grep 'sshServer'
In the example, the exception is enabled, so the host accepts connections on port 22. If that is the port your current session is using, disabling the exception would cut you off, so for the rest of the walkthrough use another rule, updateManager:
[root@VMHost-1:~] esxcli network firewall ruleset set --enabled true --ruleset-id updateManager
[root@VMHost-1:~] esxcli network firewall ruleset list | grep 'updateManager'
ESXCLI can also restrict which source IP addresses a ruleset accepts, something the native PowerCLI firewall cmdlets cannot do (the Get-ESXCLI cmdlet described below exposes the same ESXCLI functionality from PowerCLI). If you want to limit the updateManager exception to the 172.16.0.0/24 network, begin by turning off the default allow-all behaviour with --allowed-all false:
[root@VMHost-1:~] esxcli network firewall ruleset set --allowed-all false --ruleset-id=updateManager
Then run allowedip add with the network in CIDR notation (a single address works too). Watch the ordering: between these two commands the ruleset accepts no source at all, so if you ever apply this to the rule carrying your own session (sshServer), add the allowed range first and confirm it with allowedip list before setting --allowed-all to false.
[root@VMHost-1:~] esxcli network firewall ruleset allowedip add --ip-address=172.16.0.0/24 --ruleset-id=updateManager
Use ESXCLI via PowerCLI
An additional option for working with ESXi firewalls is to use ESXCLI through PowerCLI via the Get-ESXCLI cmdlet, which exposes the ESXCLI command tree as an object in PowerCLI.
To work with this feature, start by capturing the ESXCLI interface of an ESXi host in a variable.
C:\> $VMHost = Get-ESXCLI -VMHost VMhost-1
Then you can view current ESXi firewall rules by invoking a list method on the firewall.
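The block below is an added example, not the article's code, and it serves both the ESXCLI allowed-IP procedure above and this Get-ESXCLI section: it applies the updateManager restriction to 172.16.0.0/24 on every host from PowerCLI. It uses Get-EsxCli -V2, the argument-hashtable form of the cmdlet (the article's example above uses the original method-call form), and assumes a Connect-VIServer session. The argument key names used here (rulesetid, allowedall, ipaddress) are the ones CreateArgs() returns on current PowerCLI; confirm them with CreateArgs() on your version before relying on them.

```powershell
# Added example: restrict the updateManager ruleset to one source network on
# every host, through ESXCLI as exposed by Get-EsxCli -V2.
# Assumes Connect-VIServer has already been run.

$RulesetId = 'updateManager'
$Allowed   = '172.16.0.0/24'

# Never apply a source restriction to the rule carrying this session's own
# management path without the allowed range in place first; the guard below
# refuses sshServer outright so a typo cannot lock you out.
if ($RulesetId -eq 'sshServer') { throw 'Refusing to restrict sshServer from a script.' }

foreach ($VMHost in Get-VMHost | Sort-Object Name) {
    $esxcli = Get-EsxCli -VMHost $VMHost -V2

    # Current allowed sources for this ruleset ("All" while allowed-all is true).
    $before = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $RulesetId })

    # Step 1: add the allowed range BEFORE turning allow-all off, so the rule
    # never sits in a state that accepts no source at all. Skip if present.
    if ($before.AllowedIPAddresses -notcontains $Allowed) {
        $addArgs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
        $addArgs.rulesetid = $RulesetId
        $addArgs.ipaddress = $Allowed
        $esxcli.network.firewall.ruleset.allowedip.add.Invoke($addArgs) | Out-Null
    }

    # Step 2: turn off allow-all (the equivalent of --allowed-all false).
    # Keys left at their "Unset" default in CreateArgs() are simply not sent.
    $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $setArgs.rulesetid  = $RulesetId
    $setArgs.allowedall = $false
    $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null

    # Step 3: read back and report, so the change is verified per host.
    $after   = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $RulesetId })
    $ruleset = $esxcli.network.firewall.ruleset.list.Invoke() | Where-Object { $_.Name -eq $RulesetId }
    [pscustomobject]@{
        VMHost             = $VMHost.Name
        Ruleset            = $RulesetId
        Enabled            = $ruleset.Enabled
        AllowedIPAddresses = ($after.AllowedIPAddresses -join ', ')
    }
}
```

The ordering (add the range, then drop allow-all) is the reverse of the interactive walkthrough above on purpose: it is the safe order for any ruleset, and the only difference in outcome is that the host never passes through a moment where the rule accepts nothing.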