Host Profiles do not save firewall rulesets for non-default firewall rules
Article ID: 342622
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
- Firewall rulesets for non-default firewall rules are not saved in a host profile.
- Unable to extract custom firewall rules when a host profile is created from a host.
- If the host profile is edited to add a custom firewall rule, this rule is not applied to the host when the host profile is applied.
- Allowed IP address ranges are not set and show all IP addresses are allowed after applying compliance.
Environment
VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vCenter Server 9.x
Resolution
This behavior is by design. In the host profile firewall profile implementation, these firewall rulesets are ignored by the host profile compliance check:
- iSCSI
- nfsClient
- fdm
- faultTolerance
- vpxHeartbeats
- netDump
- autodeploy
- vit
- ipv6spy
- iofiltervp
- rdt
- cmmds
- vsanvp
- vsanEncryption
- ntpClient
- vsanhealth-unicasttest
- dynamicruleset
- bfdDP
- 'bridgeHA
- 'hyperbus
- nsx-mpa
- nsx-opsagent
- nsxMPAPI
- nsxProxyRule
- nsxRMQ
- spherelet
- vShield-Endpoint-Mux
- vShield-Endpoint-Mux-Partners
- trusted-infrastructure-kmxa
- trusted-infrastructure-kmxd
- nsxOverlay
- etcdClientComm
- etcdPeerComm
- nsxIntel
- netopa
- CIMHttpsServer
These rulesets are controlled by their corresponding services, so any custom setting for these rulesets is ignored by the host profile engine.
All other firewall rules can be configured through the firewall profile.
Additional Information
For more information about using Host Profiles, refer to the link below:
vSphere Host Profiles
Feedback
Yes
No
Powered by
