The migration or upgrade from ESX/ESXi 4.x to ESXi 5.x results in several changes to the host firewall configuration.

When you migrate from ESX 4.x to ESXi 5.x, the ESX 4.x rulesets list is replaced by the new rulesets list in ESXi 5.x. The following configuration from the /etc/vmware/esx.conf file is preserved:
  • The existing enabled/disabled status.
  • The allowedip added by esxcfg-firewall.

Ruleset files that are added by the user and customized firewall rules created in ESX 4.x. are not preserved after the migration. In the first boot after the migration, for those rulesets that don't have entries in the ESX 4.x /etc/vmware/esx.conf file, the ESXi 5.x firewall loads the default enabled status.

After the migration to ESXi 5.x, the default block policy is set to false (PASS all traffic by default) on ESXi 5.x only when both blockIncoming and blockOutgoing values of the default policy are false in the ESX 4.x /etc/vmware/esx.conf file. Otherwise the default policy is to deny all traffic.

Custom ports that were opened by using the ESX/ESXi 4.1 esxcfg-firewall command do not remain open after the upgrade to ESXi 5.x. The configuration entries are ported to the esx.conf file by the upgrade, but the corresponding ports are not opened. See the information about ESXi firewall configuration in the vSphere Security documentation.

Important: The ESXi firewall in ESXi 5.x does not allow per-network filtering of vMotion traffic. Therefore, you must install rules on your external firewall to ensure that no incoming connections can be made to the vMotion socket.