vRops 6.7 security compliance "ESXi.config-ntp - NTP firewall rule is not configured"

Hi guys,

I've been playing around with vRops 6.7 to use the Security Configuration Guide compliance feature.

In the symptoms of non-compliance of my hosts I get the "ESXi.config-ntp - NTP firewall rule is not configured" alert because the firewall of the NTP service is set to allow "ALL".

The Security guide states the following:

From the vSphere web client select the host and click "Configure" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.

In summary "Configure NTP server(s)". Nowhere does it state that the firewall rule should restrict a set of IPs.

The goal is to get a secure environment so I looked online for guidance and best practice but the only thing I found was in the VCP guide (page 101).

Where it suggests adding the subnet on which the vCenter server is located. Not sure I get it.

Anyone have insight or more info on this?
1 Reply

We've recently started stepping through the hardening dashboard as well.

Here is how I addressed this particular alarm, which has since cleared in vRops.

  1. Modify the host firewall rule for outbound NTP (NTP Client) connections.
  2. Uncheck Allow connections from any IP address, and input your NTP server IPs.

vRops cleared it within 5 minutes.

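The two-step remediation in the reply above, expressed as an added shell example that is not part of the original thread and not VMware's own tooling. The esxcli commands are the real ones for the `ntpClient` ruleset (the "NTP Client" firewall rule in the UI; `--allowed-all=false` is the "Allow connections from any IP address" checkbox being cleared); the NTP server IPs and the `allowedip list` output used for the check are constructed samples, so the script runs offline and only prints the commands you would run in the ESXi shell or over SSH.

```shell
#!/bin/sh
# Added example, not code from the original thread or from VMware.
# It builds the esxcli commands that restrict the ESXi "ntpClient" firewall
# ruleset to named NTP servers, and it classifies the output of
#   esxcli network firewall ruleset allowedip list --ruleset-id=ntpClient
# so the "allowed all" state that vRops flags can be spotted from a script.
# Nothing here talks to a host; the SAMPLE_* values below are constructed.

# Print the esxcli commands for the given NTP server IPs (run them in the
# ESXi shell or over SSH on each host). Keeping the rule enabled while
# dropping "allowed all" is what turns the compliance symptom off.
ntp_firewall_commands() {
    echo 'esxcli network firewall ruleset set --ruleset-id=ntpClient --enabled=true'
    echo 'esxcli network firewall ruleset set --ruleset-id=ntpClient --allowed-all=false'
    for ip in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=ntpClient --ip-address=$ip"
    done
}

# Classify an allowedip listing for ntpClient: prints "allow-all",
# "restricted", or "missing" (ruleset absent from the listing).
ntp_ruleset_state() {
    printf '%s\n' "$1" | awk '
        $1 == "ntpClient" { found = 1; state = ($2 == "All") ? "allow-all" : "restricted" }
        END { print (found ? state : "missing") }'
}

# Constructed sample listings in the shape of
# "esxcli network firewall ruleset allowedip list --ruleset-id=ntpClient".
SAMPLE_ALL='Ruleset    Allowed IP Addresses
---------  --------------------
ntpClient  All'

SAMPLE_RESTRICTED='Ruleset    Allowed IP Addresses
---------  --------------------
ntpClient  10.10.0.11, 10.10.0.12'

# Demonstration: show the non-compliant state, the remediation, and the
# state that the listing should report afterwards.
echo "before: $(ntp_ruleset_state "$SAMPLE_ALL")"
ntp_firewall_commands 10.10.0.11 10.10.0.12
echo "after:  $(ntp_ruleset_state "$SAMPLE_RESTRICTED")"
```

Feed `ntp_ruleset_state` the real `allowedip list` output from each host to audit the fleet before and after the change; the IPs you pass to `ntp_firewall_commands` should be the NTP servers on the management network that the Security Configuration Guide text above recommends, not a public pool.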