"Firewall ruleset name <ruleName> is not predefined user configurable ruleset", firewall rulesets not supported by the vSphere Configuration Profile (VCP)
search cancel

"Firewall ruleset name <ruleName> is not predefined user configurable ruleset", firewall rulesets not supported by the vSphere Configuration Profile (VCP)

book

Article ID: 312028

calendar_today

Updated On:

Products

VMware vSphere ESX 8.x

Issue/Introduction

  • This article is to inform users that four firewall rulesets mentioned below are not supported by the vSphere Configuration Profile (VCP) on vCenter Server:

    • faultTolerance
    • fdm
    • httpClient
    • updateManager

  • Manually adding these rules in VCP profiles will result in pre-check failure :

    Precheck is failed, displaying the error message such as "Firewall ruleset name 'httpClient' is not a predefined user configurable ruleset" on the VC UI.



    For example, if a user manually adds the following "firewall_rule_sets" configuration in the desired document and attempts to update the 'httpClient' ruleset with allowed IPs as specified in the following example configuration, it will fail with the aforementioned error message.

    -------------------------------------

    Cluster Desired Configuration:
    {
    ...
            "vmknics": [
                {
                    "ip": {
                        "dhcp": true,
                        "ipv6": {
                            "dhcp": false,
                            "dhcp_dns": false,
                            "auto_configuration_enabled": true
                        },
                        "dhcp_dns": true,
                        "ipv6_enabled": true
                    },
                    "nic": "vmnic0",
                    "device": "vmk0",
                    "enabled": true,
                    "mac_mode": "PNIC_BASED",
                    "port_group": "<Mgmt Port Group Name>",
                    "enabled_services": {
                        "management": true
                    },
                    "port_connection_type": "VSS_PORT_GROUP",
                    "net_stack_instance_key": "defaultTcpipStack"
                }
            ],
            "net_stacks": [
                {
                    "key": "defaultTcpipStack",
                    "name": "defaultTcpipStack"
                }
            ],
            "firewall_rule_sets": [ 
                { 
                    "name": "httpClient", <================== manually added httpClient config to the desired doc.
                    "allowed_ips": [ 
                        { 
                            "address": "<IP>" 
                        }, 
                        { 
                            "address": "<IP>"
                        }
                    ], 
                    "allow_all_ip": false 
                }
            ]
    ...
    }

 

Environment

VMware vSphere ESXi 8.0 U2

VMware vSphere ESXi 8.0 U3

Resolution

Currently there is no resolution as these rulesets are not yet supported by VCP.

It is not recommended to use these four rulesets to alter the VCP desired document. 


To Workaround:

Manually modify the unsupported firewall rulesets using the vSphere Client or using 'esxcli' commands.

Refer to Configuring the ESXi Firewall for more details.

Additional Information