ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the security profile of the host. You manage the firewall using the vSphere Client, the CLI, and the API.

As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to enable access only from authorized networks.

Note: The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.

You can manage ESXi firewall ports as follows:

  • Use Configure > Firewall for each host in the vSphere Client. See Manage ESXi Firewall Settings.
  • Use ESXCLI commands from the command line or in scripts. See Using ESXCLI Firewall Commands to Configure ESXi Behavior.
  • Use a custom VIB if the port you want to open is not included in the security profile.

    To install the custom VIB, you have to change the acceptance level of the ESXi host to CommunitySupported.

    Note: If you engage VMware Technical Support to investigate a problem on an ESXi host with a CommunitySupported VIB installed, VMware Support can request you to uninstall this VIB. Such a request is a troubleshooting step to determine if that VIB is related to the problem being investigated.

The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses. See NFS Client Firewall Behavior for more information.

Manage ESXi Firewall Settings

You can configure incoming and outgoing firewall connections for a service or a management agent from the vSphere Client or at the command line.

This task describes how to use the vSphere Client to configure ESXi firewall settings. You can use the ESXi Shell or ESXCLI commands to configure ESXi at the command line to automate the firewall configuration. See Using ESXCLI Firewall Commands to Configure ESXi Behavior for examples of using ESXCLI to manipulate firewalls and firewall rules.

Note: If different services have overlapping port rules, enabling one service might implicitly activate other services. You can specify which IP addresses are allowed to access each service on the host to avoid this problem.

Procedure

  1. Log in to the vCenter Server by using the vSphere Client.
  2. Browse to the host in the inventory.
  3. Click Configure, then click Firewall under System.
    You can toggle between incoming and outgoing connections by clicking Incoming and Outgoing.
  4. In the Firewall section, click Edit.
  5. Select one of the service groups: Ungrouped, Secure Shell, or Simple Network Management Protocol.
  6. Select the rule sets to be activated, or deselect the rule sets to be deactivated.
  7. For some services, you can also manage service details by navigating to Configure > System > Services.
    For more information about starting, stopping, and restarting services, see Activate or Deactivate an ESXi Service.
  8. For some services, you can explicitly specify IP addresses from which connections are allowed.
  9. Click OK.

Add Allowed IP Addresses for an ESXi Host

By default, the firewall for each service allows access to all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. You can also deselect some services if your environment does not use them.

To update the Allowed IP list for a service you can use the vSphere Client, ESXCLI, or PowerCLI. This task describes how to use the vSphere Client. See the topic titled "Manage the ESXi Firewall" in the ESXCLI Concepts and Examples documentation for instructions on using ESXCLI.

Procedure

  1. Log in to the vCenter Server by using the vSphere Client.
  2. Browse to the ESXi host.
  3. Click Configure, then click Firewall under System.
    You can toggle between incoming and outgoing connections by clicking Incoming and Outgoing.
  4. In the Firewall section, click Edit.
  5. Select one of the three service groups: Ungrouped, Secure Shell, or Simple Network Management Protocol.
  6. To display the Allowed IP Addresses section, expand a service.
  7. In the Allowed IP Addresses section, deselect Allow connections from any IP address and enter the IP addresses of networks that are allowed to connect to the host.
    Separate IP addresses with commas. You can use the following address formats:
    • 192.168.0.0/24
    • 192.168.1.2, 2001::1/64
    • fd3e:29a6:0a81:e478::/64
  8. Ensure that the service itself is selected.
  9. Click OK.
  10. Verify your change in the Allowed IP addresses column for the service.

Incoming and Outgoing Firewall Ports for ESXi Hosts

Open and close firewall ports for each service by using either the vSphere Client or the VMware Host Client.

ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/.

The VMware Ports and Protocols Tool lists port information for services that are installed by default. If you install other VIBs on your host, additional services and firewall ports might become available. The information is primarily for services that are visible in the vSphere Client but the VMware Ports and Protocols Tool includes some other ports as well.

NFS Client Firewall Behavior

The NFS Client firewall rule set behaves differently than other ESXi firewall rule sets. ESXi configures NFS Client settings when you mount or unmount an NFS datastore. The behavior differs for different versions of NFS.

When you add, mount, or unmount an NFS datastore, the resulting behavior depends on the version of NFS.

NFS v3 Firewall Behavior

When you add or mount an NFS v3 datastore, ESXi checks the state of the NFS Client (nfsClient) firewall rule set.

  • If the nfsClient rule set is deactivated, ESXi activates the rule set and deactivates the Allow All IP Addresses policy by setting the allowedAll flag to FALSE. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.
  • If the nfsClient rule set is activated, the state of the rule set and the allowed IP address policy are not changed. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.

Note: If you manually activate the nfsClient rule set or manually set the Allow All IP Addresses policy, either before or after you add an NFS v3 datastore to the system, your settings are overridden when the last NFS v3 datastore is unmounted. The nfsClient rule set is deactivated when all NFS v3 datastores are unmounted.

When you remove or unmount an NFS v3 datastore, ESXi performs one of the following actions.

  • If none of the remaining NFS v3 datastores are mounted from the server of the datastore being unmounted, ESXi removes the server's IP address from the list of outgoing IP addresses.
  • If no mounted NFS v3 datastores remain after the unmount operation, ESXi deactivates the nfsClient firewall rule set.

NFS v4.1 Firewall Behavior

When you mount the first NFS v4.1 datastore, ESXi activates the nfs41client rule set and sets its allowedAll flag to TRUE. This action opens port 2049 for all IP addresses. Unmounting an NFS v4.1 datastore does not affect the firewall state. That is, the first NFS v4.1 mount opens port 2049 and that port remains activated unless you close it explicitly.

Using ESXCLI Firewall Commands to Configure ESXi Behavior

If your environment includes multiple ESXi hosts, automate firewall configuration by using ESXCLI commands or the vSphere Web Services SDK.

Firewall Command Reference

You can use the ESXi Shell or ESXCLI commands to configure ESXi at the command line to automate a firewall configuration. To manipulate firewalls and firewall rules, see Getting Started with ESXCLI for an introduction, and ESXCLI Concepts and Examples for examples of using ESXCLI.

In ESXi 7.0 and later, access to the service.xml file, used to create custom firewall rules, is restricted. See VMware Knowledge Base article 2008226 for information about creating custom firewall rules using the /etc/rc.local.d/local.sh file.

Table 1. Firewall Commands

| Command | Description |
|---|---|
| esxcli network firewall get | Return the status of the firewall and list the default actions. |
| esxcli network firewall set --default-action | Set to true to set the default action to pass. Set to false to set the default action to drop. |
| esxcli network firewall set --enabled | Activate or deactivate the ESXi firewall. |
| esxcli network firewall load | Load the firewall module and the rule set configuration files. |
| esxcli network firewall refresh | Refresh the firewall configuration by reading the rule set files if the firewall module is loaded. |
| esxcli network firewall unload | Destroy filters and unload the firewall module. |
| esxcli network firewall ruleset list | List rule sets information. |
| esxcli network firewall ruleset set --allowed-all | Set to true to allow all access to all IPs. Set to false to use a list of allowed IP addresses. |
| esxcli network firewall ruleset set --enabled --ruleset-id=<string> | Set enabled to true to activate the specified ruleset. Set enabled to false to deactivate the specified ruleset. |
| esxcli network firewall ruleset allowedip list | List the allowed IP addresses of the specified rule set. |
| esxcli network firewall ruleset allowedip add | Allow access to the rule set from the specified IP address or range of IP addresses. |
| esxcli network firewall ruleset allowedip remove | Remove access to the rule set from the specified IP address or range of IP addresses. |
| esxcli network firewall ruleset rule list | List the rules of each ruleset in the firewall. |
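
The following audit script is an added example, not VMware's own code. It joins the output of two commands from the table to find rule sets that are both enabled and open to any IP address, the default state described under Add Allowed IP Addresses for an ESXi Host and the state the first NFS v4.1 mount leaves behind. Assumptions: the two-column layout of esxcli's default table output, and the constructed sample listings used when esxcli is not present.

```sh
# Added example: list rule sets that are enabled AND accept any IP address.
# Sample listings are constructed; the two-line header layout is an assumption.

sample_rulesets() {    # stands in for: esxcli network firewall ruleset list
cat <<'EOF'
Name         Enabled
-----------  -------
sshServer       true
sshClient      false
nfsClient       true
nfs41client     true
EOF
}

sample_allowedip() {   # stands in for: esxcli network firewall ruleset allowedip list
cat <<'EOF'
Ruleset      Allowed IP Addresses
-----------  --------------------
sshServer    192.168.0.0/24
sshClient    All
nfsClient    192.168.1.2
nfs41client  All
EOF
}

# $1 = file with the rule set list, $2 = file with the allowed-IP list.
# Prints one rule set name per line, in allowed-IP list order.
audit_open_rulesets() {
    awk '
        FNR <= 2 { next }                                   # header and dashes
        FILENAME == ARGV[1] { enabled[$1] = ($2 == "true"); next }
        enabled[$1] && $2 == "All" { print $1 }             # on and unrestricted
    ' "$1" "$2"
}

# Collects both listings: live on an ESXi host, constructed samples elsewhere.
run_audit() {
    dir=$(mktemp -d) || return 1
    if command -v esxcli >/dev/null 2>&1; then
        esxcli network firewall ruleset list > "$dir/rs"
        esxcli network firewall ruleset allowedip list > "$dir/ip"
    else
        sample_rulesets > "$dir/rs"; sample_allowedip > "$dir/ip"
    fi
    audit_open_rulesets "$dir/rs" "$dir/ip"
    rm -rf "$dir"
}

run_audit
```

Each name the script prints is a candidate for esxcli network firewall ruleset set --allowed-all with an explicit allowed-IP list, or for deactivation if the service is unused.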