The migration or upgrade from ESX/ESXi 4.x to ESXi 5.x results in several changes to the host firewall configuration.
- The existing enabled/disabled status.
- The allowedip added by esxcfg-firewall.
Ruleset files that are added by the user and customized firewall rules created in ESX 4.x. are not preserved after the migration. In the first boot after the migration, for those rulesets that don't have entries in the ESX 4.x /etc/vmware/esx.conf file, the ESXi 5.x firewall loads the default enabled status.
After the migration to ESXi 5.x, the default block policy is set to false (PASS all traffic by default) on ESXi 5.x only when both blockIncoming and blockOutgoing values of the default policy are false in the ESX 4.x /etc/vmware/esx.conf file. Otherwise the default policy is to deny all traffic.
Custom ports that were opened by using the ESX/ESXi 4.1 esxcfg-firewall command do not remain open after the upgrade to ESXi 5.x. The configuration entries are ported to the esx.conf file by the upgrade, but the corresponding ports are not opened. See the information about ESXi firewall configuration in the vSphere Security documentation.