By default, the firewall for each service allows access to all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. You might also deselect some services if your environment does not use them.

You can use the vSphere Client, vSphere Web Client, vCLI, or PowerCLI to update the Allowed IP list for a service. By default, all IP addresses are allowed for a service. This task describes how to use either the vSphere Client or the vSphere Web Client. See the topic on managing the firewall in vSphere Command-Line Interface Concepts and Examples at for instructions on using the vCLI.


  1. Browse to the host in the inventory.
  2. Navigate to the Firewall section.
    Option Description
    vSphere Client
    1. Click Configure.
    2. Under System, click Firewall.
    vSphere Web Client
    1. Click Configure.
    2. Under System, click Security Profile.
    3. If necessary, scroll to the Firewall section.
  3. In the Firewall section, click Edit and select a service from the list.
  4. In the Allowed IP Addresses section, deselect Allow connections from any IP address and enter the IP addresses of networks that are allowed to connect to the host.
    Separate IP addresses with commas. You can use the following address formats:
    •, 2001::1/64
    • fd3e:29a6:0a81:e478::/64
  5. Click OK.