ESXI-67-000056 - The ESXi host must configure the firewall to restrict access to services running on the host.


Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


From the vSphere Client, select the ESXi host and go to Configure >> System >> Firewall.

Under the 'Firewall' section, click 'Edit'.

For each enabled service, uncheck the check box to 'Allow connections from any IP address' and input the site-specific network(s) required.

Configure this for incoming and outgoing connections.

Single IP addresses and CIDR networks are accepted, in IPv4 or IPv6; for example, 2001::1/64.


From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
# This disables the allow-all rule for the target service. We are targeting the sshServer service in this example.
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = 'sshServer'
$arguments.allowedall = $false
$esxcli.network.firewall.ruleset.set.Invoke($arguments)

# Next, add the allowed IPs for the service. Restricting the 'vSphere Web Client' service this way may cut off your own access; do that service through vCenter or through the console instead.
$arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$arguments.rulesetid = 'sshServer'
$arguments.ipaddress = ''   # site-specific network or address (single IP or CIDR, e.g. 2001::1/64)
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)

This must be done for each enabled service.
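The following PowerCLI script is an added example, not the STIG fix text or the Nessus plugin code. It audits every enabled ruleset on a host for the allow-all condition this check flags, and wraps the two-step fix above (clear allow-all, then add each permitted network) in a function that supports -WhatIf. It assumes an open Connect-VIServer session and PowerCLI's Get-EsxCli -V2; the property names Name, Enabled, Ruleset and AllowedIPAddresses are assumed to follow the esxcli column headers of 'ruleset list' and 'ruleset allowedip list', and esx01 is an example host name.

```powershell
# Added example for ESXI-67-000056; not part of the STIG or the Nessus audit.
# Assumes: Connect-VIServer session, PowerCLI Get-EsxCli -V2. Object property
# names below are assumed from the esxcli column headers; verify on one host first.

function Get-EsxiFirewallAllowAllFinding {
    # Returns one record per enabled ruleset; Finding is $true when the ruleset
    # still allows connections from any IP address ('All'), which is a finding.
    param([Parameter(Mandatory)] $VMHost)

    $esxcli = Get-EsxCli -VMHost $VMHost -V2

    # Enabled comes back as 'true'/'false'; compare as a string to cover both shapes.
    $enabled = $esxcli.network.firewall.ruleset.list.Invoke() |
        Where-Object { "$($_.Enabled)" -eq 'true' } |
        ForEach-Object { $_.Name }

    foreach ($entry in $esxcli.network.firewall.ruleset.allowedip.list.Invoke()) {
        if ($enabled -notcontains $entry.Ruleset) { continue }   # disabled: out of scope
        # AllowedIPAddresses may be a single string or an array; @() handles both.
        $allowedAll = @($entry.AllowedIPAddresses) -contains 'All'
        [pscustomobject]@{
            VMHost     = $VMHost.Name
            Ruleset    = $entry.Ruleset
            AllowedIPs = (@($entry.AllowedIPAddresses) -join ', ')
            Finding    = $allowedAll
        }
    }
}

function Set-EsxiRulesetAllowedNetwork {
    # Applies the fix to one ruleset: clear allow-all, then add each network.
    # $Network values are site-specific: single addresses or CIDR, IPv4 or IPv6.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string]$RulesetId,
        [Parameter(Mandatory)] [string[]]$Network
    )

    # Restricting the ruleset you are connected through (e.g. the 'vSphere Web
    # Client' service or sshServer) from an address outside $Network drops your
    # own session; do those from vCenter or the console, as the fix text notes.
    $target = "$($VMHost.Name)/$RulesetId"
    if (-not $PSCmdlet.ShouldProcess($target, "restrict to $($Network -join ', ')")) {
        return
    }

    $esxcli = Get-EsxCli -VMHost $VMHost -V2

    $set = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $set.rulesetid  = $RulesetId
    $set.allowedall = $false
    $esxcli.network.firewall.ruleset.set.Invoke($set) | Out-Null

    foreach ($net in $Network) {
        $add = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
        $add.rulesetid = $RulesetId
        $add.ipaddress = $net
        $esxcli.network.firewall.ruleset.allowedip.add.Invoke($add) | Out-Null
    }
}

# Usage (after Connect-VIServer; esx01 is an example host name):
#   Get-VMHost | ForEach-Object { Get-EsxiFirewallAllowAllFinding -VMHost $_ } |
#       Where-Object Finding | Format-Table
#   Set-EsxiRulesetAllowedNetwork -VMHost (Get-VMHost esx01) -RulesetId sshServer `
#       -Network '2001::1/64' -WhatIf
```

Run the audit function first across all hosts and review the Finding column; then apply Set-EsxiRulesetAllowedNetwork per ruleset with -WhatIf before committing, and always include the network you are administering from so the fix does not lock you out.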

Item Details


References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239310r674859_rule, STIG-ID|ESXI-67-000056, Vuln-ID|V-239310

Plugin: Unix

Control ID: db6da17c4aabd2ee8d6fd614b0c3cf63ab8837eefca4dba166f87304bfcd475a