Search the VMware Knowledge Base (KB)
View by Article ID

About the ESXi 5.x and 6.x firewall (2005284)

  • 38 Ratings

Purpose

This article provides information about the Firewall feature introduced in VMware vSphere ESXi 5.0 and later, which provides a new access control capability for ESXi.

Resolution

These are important points about the ESXi 5.x firewall:

  • ESXi 5.0 has a new firewall engine that is not based on iptables.
  • The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
  • The UI for configuring the firewall on ESXi 5.x and 6.x is similar to that used to configure the ESX firewall.
  • The firewall is service oriented.
  • You have the ability to restrict access to specific services based on IP address/Subnet Mask.
  • There is Host Profile support for the ESXi 5.x and 6.x firewall.
  • If you upgrade from ESX to ESXi 5.x, firewall settings are preserved.
A new esxcli interface named esxcfg-firewall is available in ESXi 5.x. This table summarizes the commands available in this interface:
 
Command Description
esxcli network firewall get Returns the enabled or disabled status of the firewall and lists default actions.
esxcli network firewall set --default-action Update default actions.
esxcli network firewall set --enabled Set to true to enable the firewall, set to false to disable the firewall.
esxcli network firewall load Load the firewall module and rule set configuration files.
esxcli network firewall refresh Refresh the firewall configuration by reading the rule set files if the firewall module is loaded.
esxcli network firewall unload Destroy filters and unload the firewall module.
esxcli network firewall ruleset list List rule sets information.
esxcli network firewall ruleset set --allowedall Set the allowedall flag.
esxcli network firewall ruleset set --enabled Enable or disable the specified rule set.
esxcli network firewall ruleset allowedip list List the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip add Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove Remove access to the rule set from the specified IP address or range of IP addresses.
 
For example:

To enable the sshClient firewall ruleset, run this command:

esxcli network firewall ruleset set --enabled true --ruleset-id=sshClient

Additional Information

For more information about the ESXi 5.0 firewall, see the vSphere Security Guide.

The firewall remains loaded, even when disabled.
 
For example:

Firewall enabled:

# esxcli network firewall set --enabled true
# esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true

Firewall disabled:

# esxcli network firewall set --enabled false
# esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true

See Also

Update History

10/16/2012 - Added ESXi 5.1 and vCenter Server 5.1 to Products 04/15/2014 - Added ESXi 5.5 and vCenter Server 5.5 to Products 06/04/2015 - Added 6.0 products.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 38 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 38 Ratings
Actions
KB: