If your environment includes multiple ESXi hosts, automate firewall configuration by using ESXCLI commands or the vSphere Web Services SDK.
Firewall Command Reference
You can use the ESXi Shell or ESXCLI commands to configure ESXi at the command line to automate a firewall configuration. To manipulate firewalls and firewall rules, see Getting Started with ESXCLI for an introduction, and ESXCLI Concepts and Examples for examples of using ESXCLI.
In ESXi 7.0 and later, access to the service.xml file, used to create custom firewall rules, is restricted. See VMware Knowledge Base article 2008226 for information about creating custom firewall rules using the /etc/rc.local.d/local.sh file.
Command | Description |
---|---|
esxcli network firewall get | Returns the enabled or disabled status of the firewall and lists the default actions. |
esxcli network firewall set --default-action | Set to true to set the default action to pass. Set to false to set the default action to drop. |
esxcli network firewall set --enabled | Enable or disable the ESXi firewall. |
esxcli network firewall load | Load the firewall module and the rule set configuration files. |
esxcli network firewall refresh | Refresh the firewall configuration by reading the rule set files if the firewall module is loaded. |
esxcli network firewall unload | Destroy filters and unload the firewall module. |
esxcli network firewall ruleset list | List rule sets information. |
esxcli network firewall ruleset set --allowed-all | Set to true to allow all access to all IPs. Set to false to use a list of allowed IP addresses. |
esxcli network firewall ruleset set --enabled --ruleset-id=<string> | Set enabled to true to enable the specified ruleset. Set enabled to false to disable the specified ruleset. |
esxcli network firewall ruleset allowedip list | List the allowed IP addresses of the specified rule set. |
esxcli network firewall ruleset allowedip add | Allow access to the rule set from the specified IP address or range of IP addresses. |
esxcli network firewall ruleset allowedip remove | Remove access to the rule set from the specified IP address or range of IP addresses. |
esxcli network firewall ruleset rule list | List the rules of each ruleset in the firewall. |
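The following script is an added example and is not part of the VMware documentation or the ESXCLI tool itself. It strings the commands from the table above into one repeatable procedure: enable the firewall with a default action of drop, then restrict a single rule set to an explicit list of allowed addresses. The rule set id `sshServer` and the addresses `10.0.0.0/24` and `10.0.1.5` in the usage line are constructed sample values, not taken from the page. When `esxcli` is not on the PATH (for example when reviewing the script off the host), it prints the commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example, not VMware's own code: restrict one ESXi firewall rule set to a
# list of allowed addresses using the ESXCLI commands from the reference table.
# Assumptions (not from the page): the rule set id "sshServer" and the management
# addresses 10.0.0.0/24 and 10.0.1.5 in the usage line are constructed sample values.
# Off an ESXi host (no esxcli on PATH) the script falls back to echoing the commands.

ESXCLI="${ESXCLI:-esxcli}"
if ! command -v "$ESXCLI" >/dev/null 2>&1; then
    echo "esxcli not found, dry run: printing commands instead of running them" >&2
    ESXCLI=echo
fi

# enforce_default_drop: make sure the host firewall is on and drops any traffic
# that no enabled rule set allows (--default-action=false means drop).
enforce_default_drop() {
    "$ESXCLI" network firewall set --enabled=true || return 1
    "$ESXCLI" network firewall set --default-action=false
}

# restrict_ruleset RULESET_ID ADDR [ADDR...]
# Adds each address or CIDR range to the rule set's allowed list, then turns off
# "allow all" and enables the rule set. The addresses are added before allow-all is
# disabled so that a session managing the host over this very service is not cut
# off in between. Refuses to run with an empty list, which would otherwise leave an
# enabled rule set that admits no source at all.
restrict_ruleset() {
    rs="$1"; shift
    if [ $# -eq 0 ]; then
        echo "restrict_ruleset: at least one allowed address is required" >&2
        return 1
    fi
    for addr in "$@"; do
        "$ESXCLI" network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$addr" || return 1
    done
    "$ESXCLI" network firewall ruleset set --ruleset-id="$rs" --allowed-all=false || return 1
    "$ESXCLI" network firewall ruleset set --ruleset-id="$rs" --enabled=true
}

# show_ruleset RULESET_ID: print the resulting allowed-address list for review.
show_ruleset() {
    "$ESXCLI" network firewall ruleset allowedip list --ruleset-id="$1"
}

# Usage: sh restrict_ruleset.sh RULESET_ID ADDR [ADDR...]
# e.g.   sh restrict_ruleset.sh sshServer 10.0.0.0/24 10.0.1.5
if [ $# -ge 2 ]; then
    enforce_default_drop && restrict_ruleset "$@" && show_ruleset "$1"
fi
```

Run it once in dry-run mode off the host to review the exact command sequence, then on each ESXi host with the real rule set id and your management addresses; `show_ruleset` prints the allowed list afterwards so the result can be checked against the intended inventory.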