VMware Cloud Community
Loc750
Contributor
Contributor
‎06-02-2012 03:22 PM
Jump to solution

Script to comply with config-firewall-access hardening setting

We're trying to work on ESXi 5 hardening setting ID config-firewall-access. With the vSphere Client, VMware's hardening guide says "For each enabled service,  (e.g. ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks" and provide a range of authorized IP addresses." Naturally, we'd like to script this but I'm new to PowerCLI scripting so it is not going well. Has anyone been able to come up with some code to comply with this setting?

There is a link to the guide at http://communities.vmware.com/docs/DOC-19056.

Reply
0 Kudos
1 Solution

Accepted Solutions
RvdNieuwendijk
Leadership
Leadership
‎06-02-2012 11:10 PM
Jump to solution

Welcome to the VMware VMTN Communities!

The following PowerCLI script will select "Only allow connections from the following networks" and set the allowed IP range to 192.168.0.0/24 and will also set the allowed IP address 192.168.1.2 to all enabled services on all hosts in your environment.

$spec = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
$spec.allowedHosts = New-Object VMware.Vim.HostFirewallRulesetIpList
$spec.allowedHosts.ipAddress = New-Object System.String[] (1)
$spec.allowedHosts.ipAddress[0] = "192.168.1.2"
$spec.allowedHosts.ipNetwork = New-Object VMware.Vim.HostFirewallRulesetIpNetwork[] (1)
$spec.allowedHosts.ipNetwork[0] = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
$spec.allowedHosts.ipNetwork[0].network = "192.168.0.0"
$spec.allowedHosts.ipNetwork[0].prefixLength = 24
$spec.allowedHosts.allIp = $false

$VMHost = Get-VMHost |
ForEach-Object {
  if ($_)
  {
    $FirewallSystem = Get-View -Id $VMHost.ExtensionData.ConfigManager.Firewallsystem
    $FirewallSystem.FirewallInfo.RuleSet |
    Where-Object {$_.Enabled} |
    ForEach-Object {
      if ($_)
      {
        $FirewallSystem.UpdateRuleset($_.Key, $spec)
      }
    }
  }
}

To generate the lines in the script that start with $spec I used VMware Project Onyx. This is a very easy tool that allows you to do something in the vSphere client and generate the corresponding PowerCLI code. Like a macro recorder. You can use Onyx to generate the specific HostFirewallRulesetRulesetSpec for your environment.

Regards, Robert

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition

View solution in original post

Reply
0 Kudos
2 Replies
RvdNieuwendijk
Leadership
Leadership
‎06-02-2012 11:10 PM
Jump to solution

Welcome to the VMware VMTN Communities!

The following PowerCLI script will select "Only allow connections from the following networks" and set the allowed IP range to 192.168.0.0/24 and will also set the allowed IP address 192.168.1.2 to all enabled services on all hosts in your environment.

$spec = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
$spec.allowedHosts = New-Object VMware.Vim.HostFirewallRulesetIpList
$spec.allowedHosts.ipAddress = New-Object System.String[] (1)
$spec.allowedHosts.ipAddress[0] = "192.168.1.2"
$spec.allowedHosts.ipNetwork = New-Object VMware.Vim.HostFirewallRulesetIpNetwork[] (1)
$spec.allowedHosts.ipNetwork[0] = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
$spec.allowedHosts.ipNetwork[0].network = "192.168.0.0"
$spec.allowedHosts.ipNetwork[0].prefixLength = 24
$spec.allowedHosts.allIp = $false

$VMHost = Get-VMHost |
ForEach-Object {
  if ($_)
  {
    $FirewallSystem = Get-View -Id $VMHost.ExtensionData.ConfigManager.Firewallsystem
    $FirewallSystem.FirewallInfo.RuleSet |
    Where-Object {$_.Enabled} |
    ForEach-Object {
      if ($_)
      {
        $FirewallSystem.UpdateRuleset($_.Key, $spec)
      }
    }
  }
}

To generate the lines in the script that start with $spec I used VMware Project Onyx. This is a very easy tool that allows you to do something in the vSphere client and generate the corresponding PowerCLI code. Like a macro recorder. You can use Onyx to generate the specific HostFirewallRulesetRulesetSpec for your environment.

Regards, Robert

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition
Reply
0 Kudos
AureusStone
Expert
Expert
‎06-05-2012 07:03 PM
Jump to solution

The guide you have linked to is now out of date.

Please refer to the official release

http://communities.vmware.com/docs/DOC-19605

This release include PowerCLI, vCLI, shell examples for all of the recommendations.

It is a great doco imo. Smiley Happy

Reply
0 Kudos