required firewall service details



Dear Team,

The following services are selected on the ESXi firewall. I just want to know which services are safe to stop, as we have an audit in our environment, and I also want to know the detailed info related to these services.

[Attachment: Firewall.JPG]

regards

Mr Vmware


Accepted Solutions
zXi_Gamer
Virtuoso

Well, it all depends upon the needs of the environment your server is placed in.

For example: if you don't want users to meddle with SSH to the server, then you can stop SSH.

If NTP is not configured, then you can stop NTP.

N1KV* relates to the Cisco switch, so I wouldn't recommend stopping it if you are using Cisco N1K.

Do refer to the VMware Security Hardening Guides on the required services for ESXi to work and on securing them.

3 Replies
lakshya32
Enthusiast

Hi,

Welcome to the communities.

The DHCP client, if you are not running a DHCP server, and the NTP client, if you are not using a global NTP server for synchronisation.

King_Robert
Hot Shot

When you install ESXi 5 the firewall is enabled by default, allowing only the essential traffic and denying the rest. You can manage the firewall using the vSphere client or from the CLI.

In the vSphere client the firewall settings can be accessed from the Security Profile section of the Configuration tab:


By accessing the firewall properties you can see which ports are open and which services are started:


Clicking the ‘Firewall’ button will let you allow connections only from specific IP addresses/ranges:


Service Automation

You can choose how to start services by clicking on the services properties:


Clicking options will allow you to change how the service starts:


You have the following options for starting services:

  1. Start automatically if any ports are open, and stop when all ports are closed
  2. Start and stop with host
  3. Start and stop manually (Select this to effectively disable the service)

Working with the firewall using the GUI is fairly straightforward, so for the rest of this post I’ll focus on interacting with the ESXi firewall using the CLI.

Using ESXCLI to Configure the ESXi Firewall

With ESXi 5 the esxcfg-firewall command has been replaced by the esxcli network firewall command/namespace. You can list the current status of the firewall by running:

esxcli network firewall get


To enable and disable the firewall service we can use the following commands:

esxcli network firewall set --enabled false

esxcli network firewall set --enabled true

To list the current firewall rules you can run:

esxcli network firewall ruleset list


We can enable a rule by running

esxcli network firewall ruleset set --enabled true --ruleset-id rulesetName
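For the audit question raised in this thread, here is an added example (not from the post above or from VMware) that turns the ruleset listing into a review list: it reads the text that `esxcli network firewall ruleset list` prints, compares the enabled rulesets against a baseline, and emits the matching `ruleset set --enabled false` commands for a human to review. The sample listing and the `BASELINE` allowlist are constructed for illustration and are not taken from a real host.

```shell
#!/bin/sh
# Audit helper for the ESXi firewall: flag enabled rulesets that are not on
# a baseline allowlist. Nothing is disabled automatically; the output is a
# review list, since (as the accepted answer says) whether SSH, NTP, DHCP or
# N1KV can be stopped depends on what the environment actually uses.

# Constructed sample in the "Name / Enabled" layout printed by
# `esxcli network firewall ruleset list`; NOT captured from a real host.
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer               true
sshClient              false
nfsClient               true
dhcp                    true
ntpClient               true
vSphereClient           true
CIMHttpsServer          true
dns                     true'

# Hypothetical baseline of rulesets this environment is known to need.
# Anything else that is enabled gets flagged for the reviewer.
BASELINE="vSphereClient dns CIMHttpsServer"

# audit_rulesets <baseline>: reads ruleset listing on stdin, prints the name
# of every enabled ruleset missing from <baseline>, one per line.
audit_rulesets() {
    awk -v base="$1" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        # skip the header and the dashed separator line
        NR > 2 && $2 == "true" && !($1 in ok) { print $1 }'
}

# disable_commands <baseline>: same input, but prints the esxcli command that
# would disable each flagged ruleset. Review the list; never pipe it to sh.
disable_commands() {
    audit_rulesets "$1" | while read -r rs; do
        printf 'esxcli network firewall ruleset set --enabled false --ruleset-id %s\n' "$rs"
    done
}

# On a real host replace the sample with: esxcli network firewall ruleset list
printf '%s\n' "$SAMPLE_RULESETS" | disable_commands "$BASELINE"
```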