Host profile does not apply ESXi firewall rules correctly

Article ID: 340187

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

When you create a host profile using a reference host for which a service's firewall rule is disabled, the service might be enabled on the target host after you apply the host profile and restart the host.

For example, disable the SSH Server firewall rule set on a reference host and create a host profile from that host. When you apply the host profile and boot the host, the SSH Server firewall rule set is enabled.

Environment

VMware vCenter Server 5.0.x
VMware vSphere ESXi 5.0

Resolution

To ensure that a firewall rule set for a service remains disabled when the target host is restarted, disable the service by using the Firewall Properties dialog box and select the startup policy Start and Stop Manually.

To disable the service in the Firewall Properties dialog box and set the startup policy to Start and Stop Manually:
  1. In the vSphere Client, select the host and click the Configuration tab.
  2. Click Security Profile and select Firewall Properties.
  3. Deselect the check box for the service that you want to disable.
  4. Click Options.
  5. Select Start and Stop Manually.
  6. Click OK.
  7. Create the host profile and apply it to the target host.
When you boot the target host, the service is disabled until you enable it and start it manually.
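
A check for the behavior described above, added here as an example and not part of the VMware article: it compares the output of `esxcli network firewall ruleset list` captured on the reference host and on the rebooted target host, and reports rule sets that are disabled on the reference but enabled on the target. The sample outputs and the function names are constructed for illustration.

```python
# Constructed sample output of `esxcli network firewall ruleset list`.
REFERENCE_OUTPUT = """\
Name                Enabled
------------------  -------
sshServer             false
sshClient             false
nfsClient              true
"""

# Constructed: the target host after applying the profile and rebooting.
TARGET_OUTPUT = """\
Name                Enabled
------------------  -------
sshServer              true
sshClient             false
nfsClient              true
"""


def parse_rulesets(text):
    """Return {ruleset_name: enabled} from the two-column esxcli table."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the header row and the dashed separator.
        if len(parts) != 2 or parts[1] not in ("true", "false"):
            continue
        states[parts[0]] = parts[1] == "true"
    return states


def find_drift(reference_text, target_text):
    """List (name, reference_state, target_state) where the hosts disagree.
    A rule set missing from the target is reported with state None."""
    reference = parse_rulesets(reference_text)
    target = parse_rulesets(target_text)
    return [(name, want, target.get(name))
            for name, want in sorted(reference.items())
            if target.get(name) != want]


def reopened(drift):
    """Rule sets disabled on the reference but enabled on the target."""
    return [name for name, want, got in drift if want is False and got is True]


if __name__ == "__main__":
    drift = find_drift(REFERENCE_OUTPUT, TARGET_OUTPUT)
    for name, want, got in drift:
        print(f"{name}: reference={want} target={got}")
    print("re-enabled after reboot:", reopened(drift))
```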