Knowledge
- Identify esxcli firewall configuration commands
- Explain the three firewall security levels
Skills and Abilities
- Enable/Disable pre-configured services
- Configure service behavior automation
- Open/Close ports in the firewall
- Create a custom service
- Set firewall security level
Enable/Disable pre-configured services
Official Documentation:
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Automating Service Behavior Based on Firewall Settings”, page 37.
ESXi can automate whether services start based on the status of firewall ports.
Automation helps ensure that services start if the environment is configured to enable their function. For example, starting a network service only if some ports are open can help avoid the situation where services are started, but are unable to complete the communications required to complete their intended purpose.
In addition, having accurate information about the current time is a requirement for some protocols, such as Kerberos. The NTP service is a way of getting accurate time information, but this service only works when required ports are opened in the firewall. The service cannot achieve its goal if all ports are closed. The NTP services provide an option to configure the conditions when the service starts or stops. This configuration includes options that account for whether firewall ports are opened, and then start or stop the NTP service based on those conditions. Several possible configuration options exist, all of which are also applicable to the SSH server.
NOTE The settings described in this section only apply to service settings configured through the vSphere Client or applications created with the vSphere Web services SDK. Configurations made through other means, such as the ESXi Shell or configuration files in /etc/init.d/, are not affected by these settings.
- Start automatically if any ports are open, and stop when all ports are closed: The default setting for these services that VMware recommends. If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks.
- Start and stop with host: The service starts shortly after the host starts and closes shortly before the host shuts down. Much like Start automatically if any ports are open, and stop when all ports are closed, this option means that the service regularly attempts to complete its tasks, such as contacting the specified NTP server. If the port was closed but is subsequently opened, the client begins completing its tasks shortly thereafter.
- Start and stop manually: The host preserves the user-determined service settings, regardless of whether ports are open or not. When a user starts the NTP service, that service is kept running as long as the host is powered on. If the service is started and the host is powered off, the service is stopped as part of the shutdown process, but as soon as the host is powered on, the service is started again, preserving the user-determined state.
NOTE ESXi firewall automates when rule sets are enabled or disabled based on the service startup policy.
When a service starts, its corresponding rule set is enabled. When a service stops, the rule set is disabled.
Set Service or Client Startup Options
By default, daemon processes start when any of their ports are opened and stop when all of their ports are closed. You can change this startup policy for the selected service or client.
Procedure
- Log in to a vCenter Server system using the vSphere Client.
- Select the host in the inventory panel.
- Click the Configuration tab and click Security Profile.
- In the Firewall section, click Properties.
The Firewall Properties dialog box lists all the services and management agents you can configure for the host.
- Select the service or management agent to configure and click Options.
The Startup Policy dialog box determines when the service starts. This dialog box also provides information about the current state of the service and provides an interface for manually starting, stopping, or restarting the service.
- Select a policy from the Startup Policy list.
- Click OK.
Configure service behavior automation
Official Documentation:
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Automating Service Behavior Based on Firewall Settings”, page 37.
See previous objective.
Open/Close ports in the firewall
Official Documentation:
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 34.
ESXi includes a firewall between the management interface and the network. The firewall is enabled by default.
At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for the default services listed in “TCP and UDP Ports for Management Access,” on page 19, or in the table below.
NOTE The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
Supported services and management agents that are required to operate the host are described in a rule set configuration file in the ESXi firewall directory /etc/vmware/firewall/. The file contains firewall rules and lists each rule’s relationship with ports and protocols.
You cannot add a rule to the ESXi firewall unless you create and install a VIB that contains the rule set configuration file. The VIB authoring tool is available to VMware partners.
NOTE The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses. See “NFS Client Rule Set Behavior,” on page 36 for more information.
TCP and UDP Ports for Management Access
vCenter Server, ESXi hosts, and other network components are accessed using predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.
The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default).
Table. TCP and UDP Ports
Port | Purpose | Traffic Type |
22 (Default) | SSH Server | Incoming TCP |
53 (Default) | DNS Client | Incoming and outgoing UDP |
68 (Default) | DHCP Client | Incoming and outgoing UDP |
161 (Default) | SNMP Server | Incoming UDP |
80 (Default) | vSphere Fault Tolerance (FT) (outgoing TCP, UDP); HTTP access; the default non-secure TCP Web port, typically used in conjunction with port 443 as a front end for access to ESXi networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443); WS-Management | Incoming TCP; outgoing TCP, UDP |
123 | NTP Client | Outgoing UDP |
427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming and outgoing UDP |
443 (Default) | HTTPS access; vCenter Server access to ESXi hosts; default SSL Web port; vSphere Client access to vCenter Server; vSphere Client access to ESXi hosts; WS-Management; vSphere Client access to vSphere Update Manager; third-party network management client connections to vCenter Server; third-party network management clients access to hosts | Incoming TCP |
902 (Default) | Host access to other hosts for migration and provisioning; authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd); vSphere Client access to virtual machine consoles; (UDP) status update (heartbeat) connection from ESXi to vCenter Server | Incoming and outgoing TCP; outgoing UDP |
903 | Remote console traffic generated by user access to virtual machines on a specific host; vSphere Client access to virtual machine consoles; MKS transactions (xinetd/vmware-authd-mks) | Incoming TCP |
1234, 1235 (Default) | vSphere Replication | Outgoing TCP |
2049 | Transactions from NFS storage devices. This port is used on the VMkernel interface. | Incoming and outgoing TCP |
3260 | Transactions to iSCSI storage devices | Outgoing TCP |
5900-5964 | RFB protocol, which is used by management tools such as VNC | Incoming and outgoing TCP |
5988 (Default) | CIM transactions over HTTP | Incoming TCP |
5989 (Default) | CIM XML transactions over HTTPS | Incoming and outgoing TCP |
8000 (Default) | Requests from vMotion | Incoming and outgoing TCP |
8100, 8200 (Default) | Traffic between hosts for vSphere Fault Tolerance (FT) | Incoming and outgoing TCP, UDP |
8182 | Traffic between hosts for vSphere High Availability (HA) | Incoming and outgoing TCP; incoming and outgoing UDP |
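The objectives list "esxcli firewall configuration commands" but the guide text above only walks through the vSphere Client. The following is an added example, not from this page or the vSphere Security Guide, that wraps the ESXi 5.x `esxcli network firewall` calls for opening a pre-configured rule set to one management subnet rather than to all addresses, closing it again, and reading the result back. The rule set id sshServer, the 10.0.0.0/24 range, and the ESXCLI override are assumptions.

```shell
#!/bin/sh
# Added example, not from the vSphere Security Guide or this page.
# Assumes ESXi 5.x "esxcli network firewall" syntax. ESXCLI can be pointed at
# another command (e.g. ESXCLI=echo) to dry-run the sequence off-host.
ESXCLI="${ESXCLI:-esxcli}"

# Show whether the firewall is loaded/enabled and what its default action is.
firewall_status() {
  "$ESXCLI" network firewall get
}

# Open a pre-configured rule set for one source range instead of the default
# "all IPs": switch allowed-all off, add the range, and only then enable the
# rule set, so its ports are never reachable from everywhere in between.
open_ruleset() {
  rs="$1"; net="$2"
  "$ESXCLI" network firewall ruleset set --rulesetid "$rs" --allowed-all false &&
  "$ESXCLI" network firewall ruleset allowedip add --rulesetid "$rs" --ip-address "$net" &&
  "$ESXCLI" network firewall ruleset set --rulesetid "$rs" --enabled true
}

# Close a rule set again; the ports it covers stop being reachable.
close_ruleset() {
  "$ESXCLI" network firewall ruleset set --rulesetid "$1" --enabled false
}

# Read back the rule set state, its port rules and its allowed source list.
show_ruleset() {
  "$ESXCLI" network firewall ruleset list --rulesetid "$1" &&
  "$ESXCLI" network firewall ruleset rule list --rulesetid "$1" &&
  "$ESXCLI" network firewall ruleset allowedip list --rulesetid "$1"
}

# Usage on a host: open_ruleset sshServer 10.0.0.0/24 && show_ruleset sshServer
```

Rule set changes made this way take effect immediately; the startup policy of the matching service is still governed by the settings described in the previous objective.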
Create a custom service
Official Documentation:
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Rule Set Configuration Files”, page 34.
A rule set configuration file contains firewall rules and describes each rule’s relationship with ports and protocols. The rule set configuration file can contain rule sets for multiple services.
Rule set configuration files are located in the /etc/vmware/firewall/ directory. To add a service to the host security profile, VMware partners can create a VIB that contains the port rules for the service in a configuration file. VIB authoring tools are available to VMware partners only.
Each set of rules for a service in the rule set configuration file contains the following information.
- A numeric identifier for the service, if the configuration file contains more than one service.
- A unique identifier for the rule set, usually the name of the service.
- For each rule, the file contains one or more port rules, each with a definition for direction, protocol, port type, and port number or range of port numbers.
- An indication of whether the service is enabled or disabled when the rule set is applied.
- An indication of whether the rule set is required and cannot be disabled.
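As an added example (not from this page or VMware's own tooling), the script below writes a rule set configuration file carrying exactly the fields listed above: a numeric service id, the rule set id (the service name), one port rule with direction, protocol, port type and port, and the enabled/required flags, in the form used by the files in /etc/vmware/firewall/. The service name myService, port 8888 and the output path are assumptions; as the text notes, installing such a file persistently is done by packaging it in a VIB.

```shell
#!/bin/sh
# Added example, not from the page. Generates a rule set configuration file
# in the /etc/vmware/firewall/ format (assumption: ESXi 5.x service.xml layout).

# write_ruleset <file> <service-name> <direction> <protocol> <port> [enabled] [required]
write_ruleset() {
  file="$1"; name="$2"; dir="$3"; proto="$4"; port="$5"
  enabled="${6:-false}"; required="${7:-false}"
  # Reject values the firewall would not accept before touching the file.
  case "$dir" in inbound|outbound) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
  case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  case "$enabled$required" in *[!a-z]*) echo "flags must be true/false" >&2; return 1 ;; esac
  cat > "$file" <<EOF
<ConfigRoot>
  <service id="0000">
    <id>$name</id>
    <rule id="0000">
      <direction>$dir</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>$enabled</enabled>
    <required>$required</required>
  </service>
</ConfigRoot>
EOF
}

# ruleset_field <file> <tag>: read one element back for a post-write check.
ruleset_field() {
  sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1
}

# Usage: write_ruleset /tmp/myService.xml myService inbound tcp 8888 &&
#        ruleset_field /tmp/myService.xml port
```

Generating the file with enabled=false (the default here) means the port only opens once an administrator turns the rule set on, which keeps a newly added service from being exposed the moment the VIB is installed.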
Other exam notes
- The Saffageek VCAP5-DCA Objectives http://thesaffageek.co.uk/vcap5-dca-objectives/
- Paul Grevink The VCAP5-DCA diaries http://paulgrevink.wordpress.com/the-vcap5-dca-diaries/
- Edward Grigson VCAP5-DCA notes http://www.vexperienced.co.uk/vcap5-dca/
- Jason Langer VCAP5-DCA notes http://www.virtuallanger.com/vcap-dca-5/
- The Foglite VCAP5-DCA notes http://thefoglite.com/vcap-dca5-objective/
Disclaimer.
The information in this article is provided “AS IS” with no warranties, and confers no rights. This article does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.