VMware Cloud Community
deepsecurity
Contributor

Security Profile / Firewall Possible to Disable from the Host itself?

Hello,


I am using a fixed IP which is given by my ISP to access my ESXi host. In my configuration, only one IP is allowed to access the host using the vSphere Client. I just wanted to secure my host, and I believe I made a big mistake, because now my ISP has changed my fixed IP without informing me and they cannot reassign it back. So I cannot access my host now. Apparently I forgot to add one more IP to the security profile, and I locked myself out. I can see the host's screen, so I want to add another IP or remove the IP restriction from the host's screen itself. Is this possible? I cannot find an option for this. SSH is disabled and also restricted to the same IP. Lockdown mode has not been enabled. I have two important VMs running on the host's hard drive, so I don't want to reset the configuration. I need some suggestions, please, if you know any other way through the host's screen. I really feel stupid for not having any other IP in the security profile. Do I have to reset the configuration to set everything back?

Regards,

DP

Accepted Solution
abhilashhb
VMware Employee

Hi deepsecurity,


Welcome to the community.


Go to your direct access UI (the gray and yellow one) and press Alt+F1. You will enter the local ESXi Shell. You can enter the command "esxcli network firewall ruleset allowedip add" and add a new IP.

Let me know if it works.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

6 Replies
admin
Immortal

Yes, you can go to the host profile and then the security option to make any changes you want.

Click on Host -> Configuration from the right pane of the host properties.

Security Profile (from the Software section) -> Firewall -> Properties of the firewall.


tomtom901
Commander

@Abhilash: Should work, but you forgot one portion (ruleset and allowed IP).

@deepsecurity: The commands you need to use, replace 192.168.2.1 with your own WAN IP:

esxcli network firewall ruleset allowedip add -r sshServer -i 192.168.2.1

esxcli network firewall ruleset allowedip add -r vSphereClient -i 192.168.2.1

For the rest of the procedure, you can stick to the post from Abhilash, just make sure to use the commands above in restoring your connectivity.
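The two esxcli commands above, as an added example script (not posted by anyone in the thread) for the ESXi Shell you reach with Alt+F1. It assumes the ESXi Shell has been enabled in the DCUI (Troubleshooting Mode Options); the Alt+F1 login does not work otherwise. It validates the address before touching the firewall, since a typo at this point locks you out again, adds it to both the vSphereClient and sshServer rulesets, and lists each ruleset's allowed IPs afterwards. The address 203.0.113.5 is a constructed example, and the ESXCLI variable is this script's own convention so the commands can be dry-run against a stub off the host.

```shell
#!/bin/sh
# Added example, not from the thread: re-admit a management IP from the local
# ESXi Shell (DCUI -> Alt+F1) and verify the result. ESXCLI can be pointed at a
# stub for a dry run off the host; on the host it is simply esxcli.
ESXCLI="${ESXCLI:-esxcli}"

# Return 0 if $1 is a dotted-quad IPv4 address or an IPv4 CIDR block
# (allowedip add accepts both), 1 otherwise.
valid_ipv4_or_cidr() {
    _addr="$1"
    case "$_addr" in
        */*) _ip="${_addr%/*}"; _bits="${_addr#*/}"
             # Prefix length must be a number 0-32.
             case "$_bits" in ''|*[!0-9]*) return 1 ;; esac
             [ "$_bits" -le 32 ] || return 1 ;;
        *)   _ip="$_addr" ;;
    esac
    # Only digits and dots, no leading/trailing/doubled dots (also rules out
    # IPv6 and shell globs before the unquoted split below).
    case "$_ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots: exactly four octets, each 0-255.
    _ifs="$IFS"; IFS='.'
    set -- $_ip
    IFS="$_ifs"
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        [ -n "$_oct" ] || return 1
        [ "$_oct" -le 255 ] || return 1
    done
    return 0
}

# Add the address to the rulesets behind the vSphere Client (vSphereClient)
# and SSH (sshServer), then print each ruleset's allowed list. If the list
# shows "All", the ruleset has Allowed All set and the IP list is not being
# enforced at all, which is the other thing worth checking after a lockout.
readmit_ip() {
    _new="$1"
    if ! valid_ipv4_or_cidr "$_new"; then
        echo "refusing to add '$_new': not an IPv4 address or CIDR block" >&2
        return 1
    fi
    for _rs in vSphereClient sshServer; do
        "$ESXCLI" network firewall ruleset allowedip add --ruleset-id "$_rs" --ip-address "$_new" || return 1
        "$ESXCLI" network firewall ruleset allowedip list --ruleset-id "$_rs" || return 1
    done
}

# On the host: sh readmit.sh 203.0.113.5   (203.0.113.5 is a constructed example)
if [ -n "${1:-}" ]; then
    readmit_ip "$1"
fi
```

Adding a block such as 203.0.113.0/24 instead of a single host trades lockout risk for exposure of the management interface; either way, after the new address is in place, remove the old one with the matching "allowedip remove" so the list does not accumulate stale entries.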

abhilashhb
VMware Employee

Thanks for completing the command. I had to specify the option but just wanted to leave it to the user. And if the vSphere Client is updated with the new IP, SSH can be updated later anyway.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

deepsecurity
Contributor

Abhilash and tomtom901 thanks a lot! I was looking exactly for this shell. You saved me.

It was enough to enter "esxcli network firewall ruleset allowedip add -r vSphereClient -i MYIPADDRESS" on the shell and I have vsphere client access now.

I fixed all my IP access and at least now I know how to fix it if this happens again.

Thank you both for this valuable information.

Regards.

tomtom901
Commander

Great to see it was resolved. Nice (team)work, Abhilash!