I've been playing around with vRops 6.7 to use the Security Configuration Guide compliance feature.
In the symptoms of non-compliance for my hosts, I get the "ESXi.config-ntp - NTP firewall rule is not configured" alert, because the firewall rule for the NTP service is set to allow "ALL".
The Security guide states the following:
From the vSphere web client select the host and click "Configure" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.
In summary "Configure NTP server(s)". Nowhere does it state that the firewall rule should restrict a set of IPs.
The goal is to get a secure environment, so I looked online for guidance and best practice, but the only thing I found was in the VCP guide (page 101), where it suggests adding the subnet on which the vCenter server is located. Not sure I get it.
Does anyone have insight or more info on this?
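As an added example (not from the original post, the Security Configuration Guide, or VMware's own tooling), this PowerCLI script shows the ntpClient ruleset state that triggers the alert (allowed-all) and restricts it to the NTP servers on the management network instead, for every host in a cluster; the cluster name and NTP server addresses are placeholders.

```powershell
# Added example, not from the original post: restrict the ESXi "ntpClient" firewall
# ruleset to the management-network NTP servers instead of "All", for every host in a
# cluster, via PowerCLI's esxcli V2 interface (assumes an existing Connect-VIServer session).
$clusterName = 'Prod-Cluster'                 # assumption: the cluster to remediate
$ntpServers  = @('10.10.0.11', '10.10.0.12')  # assumption: NTP servers on the management network

foreach ($vmhost in Get-Cluster -Name $clusterName | Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Current state: an allowed-IP list of "All" is the condition described in the alert
    $before = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = 'ntpClient' })
    Write-Host ("{0}: ntpClient allowed IPs before: {1}" -f $vmhost.Name, ($before.AllowedIPAddresses -join ','))

    # Keep the ruleset enabled (NTP must still reach the servers) but stop allowing all sources
    $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'ntpClient'; enabled = $true; allowedall = $false })

    # Allow only the management-network NTP servers; skip addresses already on the list
    $existing = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = 'ntpClient' }).AllowedIPAddresses
    foreach ($ip in $ntpServers) {
        if ($existing -notcontains $ip) {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = 'ntpClient'; ipaddress = $ip })
        }
    }

    # Verify the result; every configured NTP server must appear here or time sync will break
    $after = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = 'ntpClient' })
    Write-Host ("{0}: ntpClient allowed IPs after:  {1}" -f $vmhost.Name, ($after.AllowedIPAddresses -join ','))
}
```

Run it against one host first and confirm with `esxcli system ntp get` plus a clock check that the host still synchronises before rolling it out to the cluster.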
We've recently started stepping through the hardening dashboard as well.
Here is how I addressed this particular alarm, which has since cleared in vRops.
vRops cleared it within 5 minutes.