ESXi host is establishing connections with the IPs that are blocked in firewall rules

Article ID: 345410


Products

VMware vSphere ESXi

Issue/Introduction

ESXi host is establishing connections with the IPs that are blocked in firewall rules

For example, with the setting below, the host does not block any IPs other than those in the IP list, even though "Allow connections from any IP address" is not checked.

Cause

This occurs when the default firewall action is set to "PASS". The system default value is "DROP".


To get the current default action, run the command below.

esxcli network firewall get

   Default Action: PASS
   Enabled: true
   Loaded: true

Resolution


Set the default firewall action to "DROP" using the command below.

esxcli network firewall set -d FALSE


Possible values for the default action:

True:   PASS: allows packets from all hosts despite the deny list
False:  DROP: denies packets from the hosts that are in the deny list

Additional Information

If the vCenter IP is not listed under vSphere Web Client (ports 443, 903), your host might lose its connection to vCenter. Make sure to add vCenter before you apply the setting.
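As an added example (not part of this KB), a POSIX shell pre-flight that ties the Cause and Additional Information sections together: it reads the current default action and confirms the vCenter IP is already allowed on the vSphereClient ruleset before DROP is applied. The `esxcli network firewall ruleset allowedip list` command and its tabular output layout, the vSphereClient ruleset name, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the KB: pre-flight check before switching the ESXi
# firewall default action to DROP (esxcli network firewall set -d FALSE).
# The parsers read command output on stdin so they can run offline;
# run_preflight wires them to the real esxcli commands on a host.

# Print the "Default Action" value (PASS or DROP) from
# `esxcli network firewall get` output.
firewall_default_action() {
  awk '/^ *Default Action:/ { print $NF; exit }'
}

# Exit 0 when IP (exact match) or the literal "All" appears in the allowed
# list of RULESET. Assumed layout of `esxcli network firewall ruleset
# allowedip list`: a "Ruleset  Allowed IP Addresses" table, IPs comma-separated.
allowedip_contains() {
  awk -v rs="$1" -v ip="$2" '
    $1 == rs { for (i = 2; i <= NF; i++) { gsub(/,/, "", $i)
                                           if ($i == ip || $i == "All") found = 1 } }
    END { exit !found }'
}

# DROP is safe to apply only if vCenter is already allowed on the vSphereClient
# ruleset (the rule set the KB warns about). Returns 0 (safe) or 1 (unsafe).
check_drop_safety() {
  action=$(printf '%s\n' "$1" | firewall_default_action)
  if printf '%s\n' "$2" | allowedip_contains vSphereClient "$3"; then
    echo "default action $action; vCenter $3 allowed on vSphereClient: safe to set DROP"
    return 0
  fi
  echo "default action $action; vCenter $3 NOT allowed on vSphereClient: add it first"
  return 1
}

# On the host: run the real commands and feed them to the check.
# Usage: run_preflight <vcenter-ip>
run_preflight() {
  check_drop_safety "$(esxcli network firewall get)" \
                    "$(esxcli network firewall ruleset allowedip list)" "$1"
}
# Constructed sample output (current action PASS, as in the KB) for offline use.
SAMPLE_GET='   Default Action: PASS
   Enabled: true
   Loaded: true'
SAMPLE_ALLOWED='Ruleset        Allowed IP Addresses
-------------  --------------------
vSphereClient  192.0.2.10, 192.0.2.0/24
sshServer      All'
```

Run `check_drop_safety "$SAMPLE_GET" "$SAMPLE_ALLOWED" 192.0.2.10` to exercise it offline, or `run_preflight <vcenter-ip>` in the ESXi shell before applying the Resolution step.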