Loc750
Contributor
Contributor

Script to comply with config-firewall-access hardening setting

Jump to solution

We're trying to work on ESXi 5 hardening setting ID config-firewall-access. With the vSphere Client, VMware's hardening guide says "For each enabled service,  (e.g. ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks" and provide a range of authorized IP addresses." Naturally, we'd like to script this but I'm new to PowerCLI scripting so it is not going well. Has anyone been able to come up with some code to comply with this setting?

There is a link to the guide at http://communities.vmware.com/docs/DOC-19056.

0 Kudos
1 Solution

Accepted Solutions
RvdNieuwendijk
Leadership
Leadership

Welcome to the VMware VMTN Communities!

The following PowerCLI script will select "Only allow connections from the following networks" and set the allowed IP range to 192.168.0.0/24 and will also set the allowed IP address 192.168.1.2 to all enabled services on all hosts in your environment.

$spec = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
$spec.allowedHosts = New-Object VMware.Vim.HostFirewallRulesetIpList
$spec.allowedHosts.ipAddress = New-Object System.String[] (1)
$spec.allowedHosts.ipAddress[0] = "192.168.1.2"
$spec.allowedHosts.ipNetwork = New-Object VMware.Vim.HostFirewallRulesetIpNetwork[] (1)
$spec.allowedHosts.ipNetwork[0] = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
$spec.allowedHosts.ipNetwork[0].network = "192.168.0.0"
$spec.allowedHosts.ipNetwork[0].prefixLength = 24
$spec.allowedHosts.allIp = $false

$VMHost = Get-VMHost |
ForEach-Object {
  if ($_)
  {
    $FirewallSystem = Get-View -Id $VMHost.ExtensionData.ConfigManager.Firewallsystem
    $FirewallSystem.FirewallInfo.RuleSet |
    Where-Object {$_.Enabled} |
    ForEach-Object {
      if ($_)
      {
        $FirewallSystem.UpdateRuleset($_.Key, $spec)
      }
    }
  }
}

To generate the lines in the script that start with $spec I used VMware Project Onyx. This is a very easy tool that allows you to do something in the vSphere client and generate the corresponding PowerCLI code. Like a macro recorder. You can use Onyx to generate the specific HostFirewallRulesetRulesetSpec for your environment.

Regards, Robert

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition

View solution in original post

0 Kudos
2 Replies
RvdNieuwendijk
Leadership
Leadership

Welcome to the VMware VMTN Communities!

The following PowerCLI script will select "Only allow connections from the following networks" and set the allowed IP range to 192.168.0.0/24 and will also set the allowed IP address 192.168.1.2 to all enabled services on all hosts in your environment.

$spec = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
$spec.allowedHosts = New-Object VMware.Vim.HostFirewallRulesetIpList
$spec.allowedHosts.ipAddress = New-Object System.String[] (1)
$spec.allowedHosts.ipAddress[0] = "192.168.1.2"
$spec.allowedHosts.ipNetwork = New-Object VMware.Vim.HostFirewallRulesetIpNetwork[] (1)
$spec.allowedHosts.ipNetwork[0] = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
$spec.allowedHosts.ipNetwork[0].network = "192.168.0.0"
$spec.allowedHosts.ipNetwork[0].prefixLength = 24
$spec.allowedHosts.allIp = $false

$VMHost = Get-VMHost |
ForEach-Object {
  if ($_)
  {
    $FirewallSystem = Get-View -Id $VMHost.ExtensionData.ConfigManager.Firewallsystem
    $FirewallSystem.FirewallInfo.RuleSet |
    Where-Object {$_.Enabled} |
    ForEach-Object {
      if ($_)
      {
        $FirewallSystem.UpdateRuleset($_.Key, $spec)
      }
    }
  }
}

To generate the lines in the script that start with $spec I used VMware Project Onyx. This is a very easy tool that allows you to do something in the vSphere client and generate the corresponding PowerCLI code. Like a macro recorder. You can use Onyx to generate the specific HostFirewallRulesetRulesetSpec for your environment.

Regards, Robert

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition
0 Kudos
AureusStone
Expert
Expert

The guide you have linked to is now out of date.

Please refer to the official release

http://communities.vmware.com/docs/DOC-19605

This release include PowerCLI, vCLI, shell examples for all of the recommendations.

It is a great doco imo. Smiley Happy

0 Kudos