VCAP5-DCA Objective 7.2 – Configure and Maintain the ESXi firewall

Objectives

  • Enable/Disable pre-configured services
  • Configure service behaviour automation
  • Open/Close ports in the firewall
  • Create a custom service
  • Set firewall security level

Enable/Disable pre-configured services

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 37.

Summary:
An ESXi host has a group of preconfigured services, which can be found via: Configuration, Software, Security Profile, Services Section.

Figure 1 – ESXi Services

Behaviour can be changed by selecting a service and choosing “Options”.
Services can be stopped or (re)started and the “Startup Policy” can be adjusted.

Figure 2 – Service Options

The default and recommended Startup Policy is “Start automatically if any ports are open, and stop when all ports are closed”.
If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks. In other words, service behaviour depends on the firewall settings.

Policy “Start and stop with host” means: The service starts shortly after the host starts and closes shortly before the host shuts down.

Policy “Start and stop manually”: The host preserves the user-determined service settings, regardless of whether ports are open or not. This setting is preserved after rebooting a host.

Important NOTE: The ESXi firewall enables and disables rule sets automatically, driven by the service Startup Policy. When a service starts, its corresponding rule set is enabled; when the service stops, the rule set is disabled.

Other references:

  • A

Configure service behaviour automation

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 38.

Summary:
See previous one.

Other references:

  • A

Open/Close ports in the firewall

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 34.

Summary:
An overview of the ESXi firewall configuration can be found via: Configuration, Software, Security Profile, Firewall Section.

Figure 3 – Firewall overview

After selecting a Service or Client, you can adjust the Firewall settings and, depending on the Service, the Service Options become available (see previous section).

Figure 4

You can specify which networks are allowed to connect to each service that is running on the host.

You can use the vSphere Client or the command line to update the Allowed IP list for a service. By default, all IP addresses are allowed.

Other references:

  • A

Create a custom service

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Rule Set Configuration Files”, page 34.

Summary:
The firewall rule set definitions are stored on the ESXi host in the folder: /etc/vmware/firewall.

The default file is service.xml. Depending on your configuration, additional rule sets can be found. E.g.: Adding an ESXi host to an HA enabled Cluster adds the fdm.xml rule set.

The vSphere Security Guide contains detailed information on how to create a new configuration file.

Tip: you can create a new rule set by copying an existing rule set and editing the copy. If you are familiar with the vi editor, stay on the ESXi host; otherwise use WinSCP to copy the file back and forth to your favourite management station.

After adding a service, you need to refresh the firewall settings. On the ESXi host, use the following command:

# esxcli network firewall refresh
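As an added example (not code from the original post or from VMware's documentation), the following shell script covers both the custom rule set from this section and the Allowed IP list from the previous one: it writes a rule set file in the same format as service.xml, refreshes the firewall, enables the rule set and then replaces "allow all" with a single management subnet. The service name backupAgent, TCP port 8080 and the subnet 192.168.10.0/24 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: create a custom ESXi firewall rule set and restrict it to a
# management subnet. backupAgent, 8080 and 192.168.10.0/24 are placeholders.

# Emit a rule set definition in the format used by /etc/vmware/firewall/service.xml.
# Arguments: service id, protocol (tcp/udp), destination port.
ruleset_xml() {
  name="$1"; proto="$2"; port="$3"
  cat <<EOF
<ConfigRoot>
  <service id="0000">
    <id>${name}</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>${proto}</protocol>
      <porttype>dst</porttype>
      <port>${port}</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Install the rule set on the host, load it, and allow only one subnet.
# Arguments: service id, protocol, port, allowed subnet in CIDR notation.
install_ruleset() {
  name="$1"; proto="$2"; port="$3"; subnet="$4"
  ruleset_xml "$name" "$proto" "$port" > "/etc/vmware/firewall/${name}.xml"
  esxcli network firewall refresh
  esxcli network firewall ruleset set --ruleset-id "$name" --enabled true
  # Turn off "allow all" before adding the management subnet, so the
  # service is never reachable from every address in between.
  esxcli network firewall ruleset set --ruleset-id "$name" --allowed-all false
  esxcli network firewall ruleset allowedip add --ruleset-id "$name" --ip-address "$subnet"
  esxcli network firewall ruleset allowedip list --ruleset-id "$name"
}

# Only act when run inside the ESXi shell; elsewhere just show the generated XML.
if command -v esxcli >/dev/null 2>&1; then
  install_ruleset backupAgent tcp 8080 192.168.10.0/24
else
  ruleset_xml backupAgent tcp 8080
fi
```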

Other references:

Set firewall security level

???

Summary:
The following esxcli command shows some important ESXi firewall settings:

# esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true
#

For troubleshooting purposes, you can temporarily disable the firewall with this command:

# esxcli network firewall set --enabled false
# esxcli network firewall get
   Default Action: DROP
   Enabled: false
   Loaded: true
#

The default policy can also be adjusted from DROP to PASS (not a good idea) with:

# esxcli network firewall set --default-action true
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: true
#

You can also completely shut down the firewall:

# esxcli network firewall unload
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: false
#

Figure 5 – Firewall Unloaded
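Because all three changes above (disabling, switching the default action to PASS, unloading) show up in the output of esxcli network firewall get, they are easy to audit. The following shell function, an added example not taken from the original post, parses that output and reports any host whose firewall is not loaded, not enabled or not defaulting to DROP; the sample outputs it is tested with are constructed from the listings in this section.

```shell
#!/bin/sh
# Added example: audit the state reported by "esxcli network firewall get".
# Reads the command output on stdin, prints one FINDING line per deviation
# and returns 0 only when the firewall is loaded, enabled and set to DROP.
check_firewall_state() {
  action=""; enabled=""; loaded=""
  while IFS= read -r line; do
    case "$line" in
      *"Default Action:"*) action=${line##*: } ;;
      *"Enabled:"*)        enabled=${line##*: } ;;
      *"Loaded:"*)         loaded=${line##*: } ;;
    esac
  done
  rc=0
  [ "$loaded" = "true" ]  || { echo "FINDING: firewall module is not loaded"; rc=1; }
  [ "$enabled" = "true" ] || { echo "FINDING: firewall is disabled"; rc=1; }
  [ "$action" = "DROP" ]  || { echo "FINDING: default action is '$action', expected DROP"; rc=1; }
  return $rc
}

# On an ESXi host, check the live firewall; the exit status can feed a
# compliance script. Off the host, nothing runs (esxcli is not present).
if command -v esxcli >/dev/null 2>&1; then
  esxcli network firewall get | check_firewall_state
fi
```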

Other references:

  • A