How to reset ESXi firewall rules to defaults using PowerCLI

Article ID: 379504

Products

VMware vSphere ESXi

Issue/Introduction

This article details the steps to reset all ESXi firewall rules to defaults using PowerCLI.

Environment

vSphere 7.x

vSphere 8.x

Resolution

List all current firewall rulesets on an ESXi host with the script below (specify the ESXi host's IP address or hostname as the value of the -VMHost parameter).

# Get ESXCLI object for the firewall
$esxcli = (Get-EsxCli -VMHost ESXi_IP_Address).network.firewall

# Enumerate every ruleset and look up its allowed-IP list in one pass
$rulesetInfo = $esxcli.ruleset.list() | ForEach-Object {
    # Query the allowed IP addresses configured for this ruleset (empty when none are set)
    $allowedIPs = $esxcli.ruleset.allowedip.list($_.Name) | Where-Object { $_.AllowedIPAddresses } | Select-Object -ExpandProperty AllowedIPAddresses

    # Create a custom object for output
    [PSCustomObject]@{
        Name                     = $_.Name
        Enabled                  = $_.Enabled
        AllowedIPconfigurable    = $_.AllowedIPconfigurable
        AllowedIPAddresses       = if ($allowedIPs) { $allowedIPs -join ', ' } else { "None" }
    }
}

# Output the combined results
$rulesetInfo | Format-Table -AutoSize

This outputs the name of every ruleset, whether it is enabled or disabled, whether its allowed-IP list is configurable, and which allowed IP addresses (if any) are set for it.

Sample output:

Name                        Enabled AllowedIPconfigurable AllowedIPAddresses
----                        ------- --------------------- ------------------
sshServer                   true    true                  All
sshClient                   false   true                  All
nfsClient                   false   false                 All
nfs41Client                 false   false                 All
dhcp                        false   true                  All
dns                         true    true                  All
snmp                        false   true                  All


To enable or disable a firewall ruleset, run the snippet below.
Note: Replace the rulesetid (sshClient in this example) with the ruleset you want to change, and set enabled to $true or $false to toggle it.

# Get ESXCLI object for the firewall
$esxcli = Get-EsxCli -VMHost ESXi_IP_Address -V2

# Create arguments for enabling the ruleset
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = "sshClient"
$arguments.enabled = $true

# Invoke the command to set the ruleset
$esxcli.network.firewall.ruleset.set.Invoke($arguments)


If AllowedIPAddresses for a ruleset is not "All", you can reset it to allow all IP addresses using:

# Get ESXCLI object for the firewall
$esxcli = Get-EsxCli -VMHost ESXi_IP_Address -V2

# Specify the ruleset ID (e.g., "sshServer")
$rulesetId = "sshServer"  # Replace with your actual ruleset ID

# Create arguments for setting the ruleset
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = $rulesetId
$arguments.allowedall = $true  # Set to allow all IP addresses

# Invoke the command to set the ruleset
try {
    $esxcli.network.firewall.ruleset.set.Invoke($arguments)
    Write-Host "Updated '$rulesetId' ruleset to allow all IP addresses."
} catch {
    Write-Host "Failed to update '$rulesetId': $_"
}
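The listing and allow-all snippets above can be combined into a single audit-and-reset pass over every ruleset on a host. The script below is an added example and is not part of this article: it saves the current allowed-IP restrictions of every configurable ruleset that is not already "All" to a CSV before changing anything, and with -DryRun it only reports. $HostName, the -DryRun switch and the CSV file name are assumptions of this example; a PowerCLI session connected with Connect-VIServer is assumed to exist.

```powershell
# Added example (not from the KB article): audit every firewall ruleset on one ESXi host and,
# unless -DryRun is given, set each configurable ruleset whose allowed-IP list is not "All"
# back to allowing all addresses. Assumes an existing Connect-VIServer session.
param(
    [Parameter(Mandatory)] [string] $HostName,   # assumed parameter: ESXi host IP or name
    [switch] $DryRun                             # assumed switch: report only, change nothing
)

$esxcli = Get-EsxCli -VMHost $HostName -V2

$changes = foreach ($ruleset in $esxcli.network.firewall.ruleset.list.Invoke()) {
    # Skip rulesets whose allowed-IP list cannot be changed (value may be a bool or the string "true")
    if ($ruleset.AllowedIPconfigurable -ne 'true') { continue }

    $allowed = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $ruleset.Name }) |
        Select-Object -ExpandProperty AllowedIPAddresses

    # "All" means the ruleset already accepts every source address; nothing to reset
    if ($allowed -contains 'All') { continue }

    [PSCustomObject]@{
        Ruleset = $ruleset.Name
        Enabled = $ruleset.Enabled
        Before  = ($allowed -join ', ')
    }
}

if (-not $changes) {
    Write-Host "All configurable rulesets on $HostName already allow all IP addresses."
    return
}

# Record the restrictions that are about to be removed so the change can be reviewed or reverted
$logPath = "firewall-reset-$HostName-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
$changes | Export-Csv -Path $logPath -NoTypeInformation
$changes | Format-Table -AutoSize

if ($DryRun) {
    Write-Host "Dry run: no rulesets changed. Current restrictions saved to $logPath"
    return
}

foreach ($change in $changes) {
    $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $setArgs.rulesetid  = $change.Ruleset
    $setArgs.allowedall = $true
    try {
        $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null
        Write-Host "Reset '$($change.Ruleset)' to allow all IP addresses (was: $($change.Before))"
    } catch {
        Write-Warning "Failed to reset '$($change.Ruleset)': $_"
    }
}
```

Run it first with -DryRun to review the CSV of rulesets that would lose their source-IP restrictions, since removing them widens the attack surface of the services those rulesets protect.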