VCAP-DCA 5 Objective 7.2 – Configure and Maintain the ESXi Firewall

For this objective I used the following resources:

  • VMware “What’s New in VMware vSphere 5.0 – Platform”
  • VMware KB Article 2005284 “About the ESXi 5.0 Firewall”
  • Eric Sloof’s Blog
  • William Lam’s Blog

Knowledge

Identify esxcli firewall configuration commands

New in ESXi 5 is an esxcli firewall command namespace. The diagram below, taken from VMware “What’s New in VMware vSphere 5.0 – Platform”, outlines the new commands that are available:

[Diagram: esxcli_firewall]

For additional information on the firewall namespaces see VMware KB Article 2005284 “About the ESXi 5.0 Firewall”.
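As an added example (not from this post, VMware, or the KB article), the POSIX shell script below audits the table that `esxcli network firewall ruleset list` prints on an ESXi 5 host: it reports enabled rulesets that are not on a baseline list, and baseline rulesets that have been switched off. The listing and the baseline are constructed sample data rather than output captured from a real host; the ruleset names are the standard ESXi ones, but which of them count as "expected" is an assumption made here for illustration.

```shell
#!/bin/sh
# Added example: audit an ESXi 5 firewall ruleset listing against a baseline.
# SAMPLE_RULESET_LIST is CONSTRUCTED to mimic the table layout of
# `esxcli network firewall ruleset list`; on a real host pass the live output.

SAMPLE_RULESET_LIST='Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
nfsClient            true
CIMHttpServer        true
CIMHttpsServer       true
CIMSLP               true
dhcp                 true
dns                  true
ntpClient            true
vSphereClient        true
vpxHeartbeats        false
snmp                 false
ftpClient            true'

# Rulesets this (hypothetical) baseline expects to be enabled on every host.
BASELINE_ENABLED='sshServer CIMHttpServer CIMHttpsServer CIMSLP dhcp dns ntpClient vSphereClient vpxHeartbeats'

# Print the names of rulesets reported as enabled, one per line.
# Skips the two header lines (column names and dashes) of esxcli's table.
enabled_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }'
}

# Print enabled rulesets that are NOT in the baseline: ports open that the
# baseline did not ask for, i.e. candidates for closing.
unexpected_enabled() {
    enabled_rulesets "$1" | while read -r name; do
        case " $BASELINE_ENABLED " in
            *" $name "*) ;;                 # expected, nothing to report
            *) printf '%s\n' "$name" ;;     # not in baseline
        esac
    done
}

# Print baseline rulesets that are currently disabled: management or
# monitoring paths that somebody closed, possibly unintentionally.
missing_enabled() {
    enabled="$(enabled_rulesets "$1")"
    for name in $BASELINE_ENABLED; do
        printf '%s\n' "$enabled" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Demo against the constructed listing.
echo "Enabled rulesets not in baseline:"
unexpected_enabled "$SAMPLE_RULESET_LIST"
echo "Baseline rulesets currently disabled:"
missing_enabled "$SAMPLE_RULESET_LIST"
```

On a live host, substitute the real listing: `unexpected_enabled "$(esxcli network firewall ruleset list)"`. A ruleset the audit flags can be closed with `esxcli network firewall ruleset set --ruleset-id <name> --enabled false`, and a ruleset that must stay open can be limited to known management networks with `esxcli network firewall ruleset set --ruleset-id <name> --allowed-all false` followed by `esxcli network firewall ruleset allowedip add --ruleset-id <name> --ip-address <network/prefix>`.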

Explain the three firewall security levels

  • High Security (Default) – The firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989, and 5988. These are the ports used for basic ESXi communication.
  • Medium Security – All incoming traffic is blocked, except on the default ports and any ports you specifically open. Outgoing traffic is not blocked.
  • Low Security – No ports are blocked for either incoming or outgoing traffic. This setting is equivalent to removing the firewall.

Skills and Abilities

Enable/Disable pre-configured services

Configure service behavior automation

I am going to combine these two sections, as you will end up in the same place to accomplish both of these tasks.

Procedure

  • Log into a vCenter Server system using the vSphere Client
  • Select a host in the inventory panel
  • Click the Configuration tab
  • Under the Software section select Security Profile
  • In the upper right hand corner of the Services section click Properties to see a list of services:

[Screenshot: ServiceProperties]

  • Select the service you wish to edit and click Options in the lower right hand corner:

[Screenshot: ServiceProperties2]

  • The service options dialog will be displayed. From here you can start, stop or restart the service and configure the service's startup policy:

[Screenshot: ServiceProperties3]

Open/Close ports in the firewall

Procedure

  • Log into a vCenter Server system using the vSphere Client
  • Select a host in the inventory panel
  • Click the Configuration tab
  • Under the Software section select Security Profile
  • Towards the center of your screen in the Firewall section click Properties
  • The Firewall Properties page will be displayed:

[Screenshot: Firewall]

  • To open or close a firewall port, check or uncheck the box next to the name of the service and click “OK” to apply the change. In the example below I am closing the firewall port for the “SSH Server”:

[Screenshot: Firewall2]

Eric Sloof (blog / twitter) has put together a video outlining the above steps. That video is located HERE.

Create a custom service

William Lam (blog / twitter) has a blog post outlining this procedure. Instead of reinventing the wheel (and probably not as good) have a look at William’s post located HERE.
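As an added example (not from this post or from William Lam’s), the shell script below generates a custom service definition in the XML layout ESXi 5 reads from /etc/vmware/firewall/*.xml (a ConfigRoot containing a service with an id, one or more rules giving direction, protocol, porttype and port, and enabled/required flags). The service name “myMonitorAgent” and port 9100 are hypothetical placeholders, and the file is written to a temporary directory so the script runs anywhere; the definition is deliberately written with `<enabled>false</enabled>` so that dropping the file on a host does not open the port until an administrator enables the ruleset on purpose.

```shell
#!/bin/sh
# Added example: generate an ESXi 5 custom firewall service definition.
# Service name and port below are hypothetical; the XML element names are the
# ones ESXi 5 expects in /etc/vmware/firewall/*.xml.

# write_custom_service NAME PORT PROTOCOL DIRECTION OUTFILE
# Writes a single-rule service. Inputs are validated so a typo cannot produce
# a definition the host silently ignores (or one that opens the wrong port).
write_custom_service() {
    name="$1" port="$2" proto="$3" direction="$4" out="$5"
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$direction" in
        inbound|outbound) ;;
        *) echo "direction must be inbound or outbound" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    # Shipped disabled: the ruleset appears in the firewall properties list but
    # stays closed until enabled explicitly (vSphere Client checkbox or esxcli).
    cat > "$out" <<EOF
<ConfigRoot>
  <service id="0000">
    <id>${name}</id>
    <rule id="0000">
      <direction>${direction}</direction>
      <protocol>${proto}</protocol>
      <porttype>dst</porttype>
      <port>${port}</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# service_is_disabled FILE: succeeds when the definition ships closed.
service_is_disabled() {
    grep -q '<enabled>false</enabled>' "$1"
}

# Demo against a temporary directory. On a host the file would be placed in
# /etc/vmware/firewall/ and loaded with `esxcli network firewall refresh`.
demo_custom_service() {
    dir="$(mktemp -d)"
    write_custom_service myMonitorAgent 9100 tcp inbound "$dir/myMonitorAgent.xml" || return 1
    service_is_disabled "$dir/myMonitorAgent.xml" \
        && echo "definition written (disabled): $dir/myMonitorAgent.xml"
}
demo_custom_service
```

After the refresh, the new entry shows up in `esxcli network firewall ruleset list` and in the vSphere Client firewall properties dialog shown above, where it is opened exactly like any built-in service. Keeping `<required>` false means the ruleset can be turned off again from the same dialog.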
