Re: vRops 6.7 security compliance "ESXi.config-ntp...

vXav · ‎07-18-2018

Hi guys,

I've been playing around with vRops 6.7 to use the Security Configuration Guide compliance feature.

In the symptoms of non-compliance of my hosts I get the "ESXi.config-ntp - NTP firewall rule is not configured" alert because the firewall of the NTP service is set to allow "ALL".

The Security guide states the following:

From the vSphere web client select the host and click "Configure" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.

In summary "Configure NTP server(s)". Nowhere does it state that the firewall rule should restrict a set of IPs.

The goal is to get a secure environment so I looked online for guidance and best practice but the only thing I found was in the VCP guide (page 101).

Where it suggest to add the subnet on which the vCenter server is located. Not sure I get it.

Any one has insight or more info on this?

Blog - Linkedin

Rpbarn · ‎02-13-2019

We've recently started stepping through the hardening dashboard as well.

Here is how I addressed this particular alarm, which has since cleared in vRops.

Modify the host firewall rule for outbound NTP (NTP Client) connections.
Uncheck Allow connections from any IP address, and input your NTP server IPs.

vRops cleared it within 5 minutes.

tbosnad · ‎09-20-2022

Let me confirm with you the type of license you have for vRops. Are you using standard, advanced or enterprise edition.

All

vRops 6.7 security compliance "ESXi.config-ntp - NTP firewall rule is not configured"