1 Reply Latest reply on Feb 13, 2019 10:53 AM by Rpbarn

    vRops 6.7 security compliance "ESXi.config-ntp - NTP firewall rule is not configured"

vXav (vExpert)

      Hi guys,


      I've been playing around with vRops 6.7 to use the Security Configuration Guide compliance feature.


      In the symptoms of non-compliance of my hosts I get the "ESXi.config-ntp - NTP firewall rule is not configured" alert because the firewall rule for the NTP service is set to allow "ALL".


      The Security guide states the following:


      From the vSphere web client select the host and click "Configure" -> "Time Configuration" and click the "Edit..." button. Provide the name/IP of your NTP servers, start the NTP service and change the startup policy to "Start and stop with host". Notes: verify the NTP firewall ports are open. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.


      In summary: "Configure NTP server(s)". Nowhere does it state that the firewall rule should be restricted to a set of IPs.

      The goal is to get a secure environment, so I looked online for guidance and best practice, but the only thing I found was in the VCP guide (page 101).

      It suggests adding the subnet on which the vCenter server is located. Not sure I get it.


      Does anyone have insight or more info on this?
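Added example for this thread (not code from the original post, from VMware, or from the reply). The condition behind the "NTP firewall rule is not configured" symptom is the ESXi `ntpClient` firewall ruleset, which governs the host's outbound UDP 123 traffic, being left at "Allowed IP Addresses: All". The script below shows what the check looks like against esxcli output and which esxcli commands close the ruleset to named addresses. The command output is constructed to match the esxcli column layout, and the NTP server 192.168.10.10 and management subnet 192.168.10.0/24 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware.
# Evaluates the ntpClient ruleset state that vRops reports on and prints the
# esxcli remediation. All sample output below is constructed for the example.

# Constructed output of: esxcli network firewall ruleset allowedip list -r ntpClient
ALLOWEDIP_OPEN='Ruleset    Allowed IP Addresses
---------  --------------------
ntpClient  All'
ALLOWEDIP_RESTRICTED='Ruleset    Allowed IP Addresses
---------  --------------------
ntpClient  192.168.10.10, 192.168.10.0/24'

# Constructed output of: esxcli network firewall ruleset list -r ntpClient
RULESET_ENABLED='Name       Enabled
---------  -------
ntpClient     true'
RULESET_DISABLED='Name       Enabled
---------  -------
ntpClient    false'

# ntp_ruleset_is_open ALLOWEDIP_OUTPUT: exit 0 when ntpClient allows "All".
ntp_ruleset_is_open() {
    printf '%s\n' "$1" | grep -Eq '^ntpClient[[:space:]]+All[[:space:]]*$'
}

# ntp_ruleset_is_enabled RULESET_OUTPUT: exit 0 when the ruleset is enabled.
ntp_ruleset_is_enabled() {
    printf '%s\n' "$1" | grep -Eq '^ntpClient[[:space:]]+true[[:space:]]*$'
}

# ntp_compliance_status ALLOWEDIP_OUTPUT RULESET_OUTPUT: prints one word.
#   disabled   - ruleset off: the host cannot reach any NTP server at all
#   open       - ruleset on but reachable to any address: the vRops finding
#   restricted - ruleset on and limited to listed addresses/subnets
ntp_compliance_status() {
    if ! ntp_ruleset_is_enabled "$2"; then
        echo "disabled"
    elif ntp_ruleset_is_open "$1"; then
        echo "open"
    else
        echo "restricted"
    fi
}

# ntp_restrict_commands <ip|cidr>...: prints the esxcli commands that turn off
# allowed-all and add each NTP server (or the management subnet holding it).
# They are printed rather than executed so the example runs off-host; on the
# ESXi shell you would run the printed lines as-is.
ntp_restrict_commands() {
    [ "$#" -gt 0 ] || { echo "usage: ntp_restrict_commands <ip|cidr>..." >&2; return 1; }
    echo "esxcli network firewall ruleset set --ruleset-id ntpClient --allowed-all false"
    for addr in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id ntpClient --ip-address $addr"
    done
    # Re-read the list afterwards; it should show the addresses instead of "All".
    echo "esxcli network firewall ruleset allowedip list --ruleset-id ntpClient"
}

# Demo against the constructed samples
ntp_compliance_status "$ALLOWEDIP_OPEN" "$RULESET_ENABLED"        # open
ntp_compliance_status "$ALLOWEDIP_RESTRICTED" "$RULESET_ENABLED"  # restricted
ntp_restrict_commands 192.168.10.10 192.168.10.0/24
```

Because `ntpClient` is an outbound rule, the addresses you add are the NTP servers the host talks to (or the management subnet that contains them, per the guide's recommendation to sync from a management-network time server), not the clients that talk to the host. After applying the commands, confirm the service still syncs (`ntpq -p` on the host, or the vSphere client's Time Configuration page) so the restriction did not cut the host off from its time source.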