Objective 7.2 – Configure and Maintain the ESXi Firewall
For this objective I used the following resources:
- VMware “What’s New in VMware vSphere 5.0 – Platform”
- VMware KB Article 2005284 “About the ESXi 5.0 Firewall”
- Eric Sloof’s Blog
- William Lam’s Blog
Knowledge
Identify esxcli firewall configuration commands
New in ESXi 5 is an esxcli firewall command namespace (esxcli network firewall). The diagram below, taken from VMware “What’s New in VMware vSphere 5.0 – Platform”, outlines the new commands that are available:
For additional information on the firewall namespace see VMware KB Article 2005284 “About the ESXi 5.0 Firewall”.
Explain the three firewall security levels
- High Security (Default) – The firewall blocks all incoming and outgoing traffic except on ports 22, 123, 427, 443, 902, 5988 and 5989 (SSH, NTP, SLP, HTTPS, the vCenter/vpxa agent and CIM over HTTP/HTTPS). These are the ports used for basic ESXi communication.
- Medium Security – All incoming traffic is blocked except on the default ports and any ports you specifically open. Outgoing traffic is not blocked.
- Low Security – No ports are blocked in either direction. This setting is equivalent to removing the firewall.
Skills and Abilities
Enable/Disable pre-configured services
Configure service behavior automation
I am going to combine these two sections as you will end up in the same place to accomplish both of these tasks.
Procedure
- Log into a vCenter Server system using the vSphere Client
- Select a host in the inventory panel
- Click the Configuration tab
- Under the Software section select Security Profile
- In the upper right hand corner of the Services section click Properties to see a list of services:
- Select the service you wish to edit and click Options in the lower right hand corner:
- The service options dialog will be displayed. From here you can select to start/stop/restart the service and configure the services startup policy:
Open/Close ports in the firewall
Procedure
- Log into a vCenter Server system using the vSphere Client
- Select a host in the inventory panel
- Click the Configuration tab
- Under the Software section select Security Profile
- Towards the center of your screen in the Firewall section click Properties
- The Firewall Properties page will be displayed:
- To open or close a firewall port, check or uncheck the box next to the name of the service and click OK to apply the change. In the example below I am closing the firewall port for the “SSH Server”:
Eric Sloof (blog / twitter) has put together a video outlining the above steps. That video is located HERE.
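The esxcli namespace, the security levels and the two vSphere Client procedures above all come down to the same host-side state, so here is the command-line equivalent as one added example (my own script, not from the post or from VMware). It runs in the ESXi Shell: it audits the rulesets that are enabled against the default ports listed for the High security level, then applies the esxcli and vim-cmd equivalents of unchecking a service in Firewall Properties and of the service Options dialog. The mapping from the page's ports to ESXi 5.0 ruleset ids, the management subnet 10.0.0.0/24 and the sample esxcli output are my assumptions; off a host the script only runs the audit against the constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): audit ESXi 5 firewall rulesets
# against the page's default ("High security") port list and apply the esxcli
# / vim-cmd equivalents of the vSphere Client steps.
#
# Assumption: port -> ruleset id mapping taken from a stock ESXi 5.0 host;
# confirm on yours with:  esxcli network firewall ruleset rule list
#   22 sshServer, 123 ntpClient, 427 CIMSLP, 443 webAccess/vSphereClient,
#   902 vSphereClient/vpxHeartbeats, 5988 CIMHttpServer, 5989 CIMHttpsServer
BASELINE="sshServer ntpClient CIMSLP webAccess vSphereClient vpxHeartbeats CIMHttpServer CIMHttpsServer"

# Read `esxcli network firewall ruleset list` output on stdin and print the
# ids of the enabled rulesets (the first two lines are the column header).
enabled_rulesets() {
    awk 'NR > 2 && $2 == "true" { print $1 }'
}

# Print every enabled ruleset that is not in BASELINE, one per line.
# Review the list before closing anything: dns, dhcp or vMotion being
# outside the page's seven ports does not make them safe to close.
audit_rulesets() {
    for rs in $(enabled_rulesets); do
        case " $BASELINE " in
            *" $rs "*) ;;          # part of the baseline
            *) echo "$rs" ;;       # open beyond the baseline
        esac
    done
}

# Host only. Firewall on with default action drop is the "High" posture;
# `--default-action false` means drop, `true` means pass.
set_default_drop() {
    esxcli network firewall set --enabled true
    esxcli network firewall set --default-action false
}

# Host only. Same effect as unchecking each service in Firewall Properties.
close_rulesets() {
    for rs in "$@"; do
        esxcli network firewall ruleset set --ruleset-id "$rs" --enabled false
    done
}

# Host only. Keep SSH open but only from a management subnet (assumed
# 10.0.0.0/24): switch the ruleset off "allow all" and add the network.
restrict_ssh() {
    mgmt_net=${1:-10.0.0.0/24}
    esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address "$mgmt_net"
    esxcli network firewall refresh
}

# Host only. Equivalent of the service Options dialog for SSH: startup
# policy "Start and stop with host", then start it now.
enable_ssh_service() {
    vim-cmd hostsvc/enable_ssh
    vim-cmd hostsvc/start_ssh
}

# Constructed sample in the `esxcli network firewall ruleset list` format,
# so the audit can be exercised away from a host.
SAMPLE='Name            Enabled
--------------  -------
sshServer          true
sshClient         false
nfsClient         false
dhcp              false
dns               false
snmp               true
ntpClient          true
CIMHttpServer      true
CIMHttpsServer     true
CIMSLP             true
vpxHeartbeats      true
webAccess          true
vSphereClient      true
ftpClient          true
httpClient        false'

if command -v esxcli >/dev/null 2>&1; then
    esxcli network firewall ruleset list | audit_rulesets
else
    printf '%s\n' "$SAMPLE" | audit_rulesets    # prints snmp and ftpClient
fi
```

On a host, run the audit first, decide which of the reported rulesets really are unneeded, and only then call close_rulesets with that list followed by restrict_ssh; setting the default action to drop before the SSH allowed-IP entry is in place can lock you out of the shell you are typing into, so do it from the console or DCUI.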
Create a custom service
William Lam (blog / twitter) has a blog post outlining this procedure. Instead of reinventing the wheel (and probably not as well), have a look at William’s post located HERE.
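To show what a custom service actually consists of, here is an added example of my own (not William's code and not the post's): a shell function that writes a ruleset file in the same shape as the stock entries in /etc/vmware/firewall/service.xml, and the esxcli calls that load and enable it on a host. The service id "myAgent" on TCP 8080 inbound is a hypothetical placeholder; off a host the script writes the file to a temporary directory and prints it.

```shell
#!/bin/sh
# Added example (not from the original post): define a custom ESXi 5
# firewall ruleset as an XML file and load it with esxcli.
# Assumption: service id "myAgent", TCP 8080 inbound, is hypothetical.

# write_ruleset_xml DIR ID PORT [PROTO] [DIRECTION]
# Writes DIR/ID.xml and prints its path. porttype "dst" means PORT is the
# destination port of the matched packets.
write_ruleset_xml() {
    dir=$1; id=$2; port=$3; proto=${4:-tcp}; direction=${5:-inbound}
    cat > "$dir/$id.xml" <<EOF
<ConfigRoot>
  <service>
    <id>$id</id>
    <rule id='0000'>
      <direction>$direction</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
    echo "$dir/$id.xml"
}

# ruleset_has_port FILE PORT: succeeds when FILE carries exactly one
# <port> element for PORT, a sanity check before handing it to the firewall.
ruleset_has_port() {
    [ "$(grep -c "<port>$2</port>" "$1")" = "1" ]
}

# Host only: make the firewall re-read /etc/vmware/firewall, enable the new
# ruleset and list its rules so the port really shows up.
load_ruleset() {
    esxcli network firewall refresh
    esxcli network firewall ruleset set --ruleset-id "$1" --enabled true
    esxcli network firewall ruleset rule list --ruleset-id "$1"
}

if [ -d /etc/vmware/firewall ] && command -v esxcli >/dev/null 2>&1; then
    write_ruleset_xml /etc/vmware/firewall myAgent 8080 >/dev/null
    load_ruleset myAgent
else
    tmp=$(mktemp -d)                                  # off a host: just show the file
    f=$(write_ruleset_xml "$tmp" myAgent 8080)
    cat "$f"
fi
```

Keep `<required>` at false unless the service really must not be switched off, since `true` removes the ruleset's checkbox from Firewall Properties. A file dropped into /etc/vmware/firewall on ESXi 5.0 does not survive a reboot on its own; William's post and the KB article cover re-creating it at boot or packaging it as a VIB.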
For the custom service piece there is also a really good KB article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008226
Thanks for the resources! Can you also please start a VCP5-IaaS one and a VCAP-CID ;0)
Gregg