ESXi: esxi-8.firewall-restrict-access

Information

Configure the ESXi host firewall so that each enabled service ruleset only accepts traffic from authorized networks. Restricting the allowed-IP list of a ruleset blocks incoming and outgoing traffic for that service unless it is explicitly permitted, reducing the attack surface of the host and helping to prevent unauthorized access to its management services. As of vSphere 8.0.2, firewall rules are categorized as 'user' or 'system' owned, and only 'user' owned rules are configurable. Beginning with vSphere 8 Update 2b and PowerCLI 13.2.1, additional queryable parameters are available to automate setting and checking the configurable rules.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

# This is an example which you will want to customize!
# Assumes an existing PowerCLI session (Connect-VIServer); the host name is a placeholder.
$ESXi = Get-VMHost -Name "esxi-01.example.com"
$ESXcli = Get-EsxCli -VMHost $ESXi -V2

try {
    # Deactivate the firewall temporarily so we don't lose connectivity: once the
    # "allow all" flag is cleared and before a range is added, the ruleset would
    # otherwise drop every connection, including our own session
    $arguments = $ESXcli.network.firewall.set.CreateArgs()
    $arguments.enabled = $false
    $ESXcli.network.firewall.set.Invoke($arguments)

    # Unset the "allow all" flag on the ruleset (sshServer in this example)
    $arguments = $ESXcli.network.firewall.ruleset.set.CreateArgs()
    $arguments.allowedall = $false
    $arguments.rulesetid = "sshServer"
    $ESXcli.network.firewall.ruleset.set.Invoke($arguments)

    # Add an IP range; it must include the network you administer the host from,
    # otherwise re-enabling the firewall locks you out of SSH
    $arguments = $ESXcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $arguments.ipaddress = "192.168.0.0/16"
    $arguments.rulesetid = "sshServer"
    $ESXcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)
}
finally {
    # Re-enable the firewall even if one of the steps above failed, so the host is
    # never left unfiltered
    $arguments = $ESXcli.network.firewall.set.CreateArgs()
    $arguments.enabled = $true
    $ESXcli.network.firewall.set.Invoke($arguments)
}
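
The remediation above fixes one ruleset; the matching audit is to enumerate every enabled ruleset on the host and report the ones still set to "allow all" or allowing a network outside the authorized list. The following PowerCLI function is an added example, not code from the hardening guide or from the Tenable audit. It uses the esxcli V2 namespaces network.firewall.get, network.firewall.ruleset.list and network.firewall.ruleset.allowedip.list; the host name and the authorized networks are placeholders and it assumes an existing Connect-VIServer session.

```powershell
# Added example (not from the hardening guide or the Tenable audit): report every
# enabled ruleset on a host whose allowed-IP list is "All" or includes a network
# that is not in the authorized list. Assumes an existing PowerCLI session
# (Connect-VIServer); host name and authorized networks below are placeholders.
function Get-EsxiFirewallRulesetExposure {
    param(
        [Parameter(Mandatory)] [string]   $VMHostName,
        [Parameter(Mandatory)] [string[]] $AuthorizedNetworks
    )

    $esxcli = Get-EsxCli -VMHost (Get-VMHost -Name $VMHostName) -V2

    # The per-ruleset checks are meaningless if the firewall itself is off
    $fw = $esxcli.network.firewall.get.Invoke()
    if (-not $fw.Enabled) {
        Write-Warning "$VMHostName : host firewall is disabled; every ruleset is effectively open"
    }

    $rulesets  = $esxcli.network.firewall.ruleset.list.Invoke()
    $allowedIp = $esxcli.network.firewall.ruleset.allowedip.list.Invoke()

    foreach ($rs in ($rulesets | Where-Object { $_.Enabled -eq $true })) {
        $entry = $allowedIp | Where-Object { $_.Ruleset -eq $rs.Name }
        # esxcli reports the literal string "All" when the allow-all flag is set
        $ips = @($entry.AllowedIPAddresses | Where-Object { $_ })
        $allowAll = $ips -contains 'All'
        # Exact-match comparison: a subnet that is narrower than, but inside, an
        # authorized range is still flagged and must be reviewed by hand
        $unauthorized = @($ips | Where-Object { $_ -ne 'All' -and $_ -notin $AuthorizedNetworks })

        [pscustomobject]@{
            VMHost       = $VMHostName
            Ruleset      = $rs.Name
            AllowAll     = $allowAll
            AllowedIPs   = ($ips -join ', ')
            Unauthorized = ($unauthorized -join ', ')
            Compliant    = (-not $allowAll) -and ($unauthorized.Count -eq 0)
        }
    }
}

# Usage: list only the rulesets that fail the check
Get-EsxiFirewallRulesetExposure -VMHostName 'esxi-01.example.com' `
    -AuthorizedNetworks @('192.168.0.0/16', '10.10.5.10') |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Only enabled rulesets are reported, since a disabled service is not reachable regardless of its allowed-IP list. The comparison against the authorized list is a plain string match, so entries such as 192.168.10.0/24 are flagged even when they sit inside an authorized 192.168.0.0/16; treat the Unauthorized column as a review queue rather than a verdict. Run the function against every host in a cluster (for example by piping Get-VMHost names into it) to get the same view Nessus produces in its target output.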

See Also

https://github.com/vmware/vcf-security-and-compliance-guidelines/raw/refs/heads/main/security-configuration-hardening-guide/vsphere/8.0/