ESXI-67-000056 - The ESXi host must configure the firewall to restrict access to services running on the host.
Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall. Under the 'Firewall' section, click 'Edit'. For each enabled service, uncheck the check box to 'Allow connections from any IP address' and input the site-specific network(s) required. Configure this for incoming and outgoing connections. The following example formats are acceptable: 192.168.0.0/24 192.168.1.2, 2001::1/64 fd3e:29a6:0a81:e478::/64 or From a PowerCLI command prompt while connected to the ESXi host, run the following command: $esxcli = Get-EsxCli -v2 #This disables the allow all rule for the target service. We are targeting the sshServer service in this example. $arguments = $esxcli.network.firewall.ruleset.set.CreateArgs() $arguments.rulesetid = 'sshServer' $arguments.allowedall = $false $esxcli.network.firewall.ruleset.set.Invoke($arguments) #Next add the allowed IPs for the service. Note doing the 'vSphere Web Client' service this way may disable access but may be done through vCenter or through the console. $arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $arguments.rulesetid = 'sshServer' $arguments.ipaddress = '10.0.0.0/8' $esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments) This must be done for each enabled service.