ESXi.firewall-restrict-access The Configuration of the ESXi host firewall to restrict access to services running on the host is not as per the recommended value



Article ID: 380049


Products

VMware Aria Suite

Issue/Introduction

After enabling vSphere Security Configuration Compliance on Aria Operations, the following Alert and Symptom Definitions are triggered:
Alert Definition: ESXi Host is violating VMware vSphere Security Configuration Guide for vCenter version 8 and above
Alert Definition: ESXi Host is violating VMware vSphere Security Configuration Guide for vCenter version 7 and above

The alert will contain reference to:
Symptom Definition: ESXi.firewall-restrict-access The Configuration of the ESXi host firewall to restrict access to services running on the host is not as per the recommended value.

Environment

Aria Operations 8.x

Cause

The Allowed IP Addresses setting of the ESXi host firewall is not configured with allowed IP addresses or IP ranges under IP List for the active services.

As per the vSphere Security Configuration Guide, for ESXi.firewall-restrict-access all active services must have an IP and/or IP ranges configured for secure access to be compliant with the Security Configuration Guide.

Aria Operations will not change the property Configuration|Security|Firewall rule:Firewall Configured|Firewall Config for Services from false to true until every active service has been configured with an IP address and/or IP range(s). If any active service has the "Allow connections from any IP address" option ticked, the host is not compliant with the ESXi.firewall-restrict-access compliance rule.

Resolution

Add IP addresses and/or IP ranges to IP List in Allowed IP Addresses in the ESXi Firewall settings in vCenter, as per documentation links below:

vCenter 7
vCenter 8

Note: Ensure that all active services have an IP address or IP range configured in IP List for all incoming and outgoing firewall rules. The Configuration|Security|Firewall rule:Firewall Configured|Firewall Config for Services property in Aria Operations will not change from false to true unless all active services have a configured IP address/range.
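The same check and fix can be scripted instead of walking through the vCenter UI. The following PowerCLI script is an added example, not part of this article or of Aria Operations; it uses the vSphere HostFirewallSystem API, assumes an open Connect-VIServer session, and the host name, ruleset key and network shown are placeholders.

```powershell
# Added example, not from the KB article: audit and remediate what the
# ESXi.firewall-restrict-access rule checks, via the vSphere API in PowerCLI.
# Assumes an open Connect-VIServer session; host names and networks are placeholders.
# A ruleset is non-compliant when it is enabled (an active service) and its
# AllowedHosts still has AllIp = $true ("Allow connections from any IP address").
function Get-FirewallRestrictAccessReport {
    param([Parameter(Mandatory)] $VMHost)   # one or more Get-VMHost objects
    foreach ($h in @($VMHost)) {
        $fwSystem = Get-View -Id $h.ExtensionData.ConfigManager.FirewallSystem
        foreach ($ruleset in $fwSystem.FirewallInfo.Ruleset) {
            if (-not $ruleset.Enabled) { continue }       # disabled services are ignored
            $ipList  = $ruleset.AllowedHosts
            $allowed = @($ipList.IpAddress) +
                       @($ipList.IpNetwork | ForEach-Object { "$($_.Network)/$($_.PrefixLength)" })
            $allowed = @($allowed | Where-Object { $_ })
            [pscustomobject]@{
                VMHost    = $h.Name
                Ruleset   = $ruleset.Key
                AnyIP     = [bool]$ipList.AllIp
                AllowedIP = $allowed -join ','
                Compliant = (-not $ipList.AllIp) -and ($allowed.Count -gt 0)
            }
        }
    }
}

# Replace a ruleset's allowed-host list with explicit CIDR networks and clear "any IP".
# Include the vCenter and admin networks, or vCenter itself loses access to the service.
function Set-FirewallRulesetAllowedIP {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string]   $RulesetKey,   # e.g. 'sshServer'
        [Parameter(Mandatory)] [string[]] $IpNetwork     # e.g. '192.0.2.0/24'
    )
    $fwSystem = Get-View -Id $VMHost.ExtensionData.ConfigManager.FirewallSystem
    $spec = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
    $spec.AllowedHosts = New-Object VMware.Vim.HostFirewallRulesetIpList
    $spec.AllowedHosts.AllIp = $false
    $spec.AllowedHosts.IpNetwork = @(foreach ($cidr in $IpNetwork) {
        $net, $len = $cidr -split '/'
        $n = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
        $n.Network = $net; $n.PrefixLength = $len; $n
    })
    $fwSystem.UpdateRuleset($RulesetKey, $spec)
}

# Usage: list every active service on the host that still allows any IP, then fix one.
$esx = Get-VMHost -Name 'esxi01.example.com'
Get-FirewallRestrictAccessReport -VMHost $esx | Where-Object { -not $_.Compliant } | Format-Table
# Set-FirewallRulesetAllowedIP -VMHost $esx -RulesetKey 'sshServer' -IpNetwork '192.0.2.0/24'
```

Once no enabled ruleset reports AnyIP = True and every one has a non-empty AllowedIP, the Aria Operations property described above can move from false to true on its next collection cycle.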

Additional Information