After enabling vSphere Security Configuration Compliance on Aria Operations, the following Alert and Symptom Definitions are triggered:
Alert Definition: ESXi Host is violating VMware vSphere Security Configuration Guide for vCenter version 8 and above
Alert Definition: ESXi Host is violating VMware vSphere Security Configuration Guide for vCenter version 7 and above
The alert references the following symptom:
Symptom Definition: ESXi.firewall-restrict-access: The configuration of the ESXi host firewall to restrict access to services running on the host is not as per the recommended value.
Aria Operations 8.x
The Allowed IP Addresses setting of the ESXi host firewall does not have IP addresses or IP ranges configured under IP List for every active service.
As per the vSphere Security Configuration Guide, for ESXi.firewall-restrict-access every active service must have an IP address and/or IP range(s) configured for secure access in order to be compliant with the guide.
Aria Operations will not change the property Configuration|Security|Firewall rule:Firewall Configured|Firewall Config for Services from false to true until every active service has been configured with an IP address and/or IP range(s). If any active service has Allow connections from any IP address ticked, the host is not compliant with the ESXi.firewall-restrict-access compliance rule.
Add IP addresses and/or IP ranges to IP List under Allowed IP Addresses in the ESXi firewall settings in vCenter, as per the documentation links below:
vCenter 7
vCenter 8
Note: Ensure that every active service has an IP address or IP range configured in IP List, for both Incoming and Outgoing firewall rules. The Configuration|Security|Firewall rule:Firewall Configured|Firewall Config for Services property in Aria Operations will not change from false to true until all active services have a configured IP address or range.
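The vCenter UI steps above have to be repeated per service and per host, and it is easy to miss one enabled ruleset, which is enough to keep the property at false. The following shell script is an added example and is not part of this article or of any VMware tooling: it audits which enabled ESXi firewall rulesets still allow connections from any IP address and prints the esxcli commands that restrict them. The two listings embedded in it are constructed samples shaped like the output of esxcli network firewall ruleset list and esxcli network firewall ruleset allowedip list (an assumption about the column layout); on a real host, pass the live output of those two commands instead. The management subnet 10.0.10.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the KB article or VMware. Audits enabled ESXi firewall
# rulesets that allow any source IP and emits the esxcli commands to restrict them.
# Live use on a host:
#   noncompliant_rulesets "$(esxcli network firewall ruleset list)" \
#                         "$(esxcli network firewall ruleset allowedip list)"

# CONSTRUCTED samples modelled on the two esxcli listings (layout is an assumption).
RULESET_LIST='Name           Enabled
-------------  -------
sshServer      true
sshClient      false
nfsClient      true
vSphereClient  true
ntpClient      true'

ALLOWEDIP_LIST='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
sshClient      All
nfsClient      10.0.10.0/24, 10.0.11.5
vSphereClient  All
ntpClient      10.0.1.10'

# Print, one per line, the rulesets that are enabled AND still allow all IPs.
# Disabled rulesets (sshClient in the sample) are ignored: only active services count.
# $1 = output of 'esxcli network firewall ruleset list'
# $2 = output of 'esxcli network firewall ruleset allowedip list'
noncompliant_rulesets() {
    enabled=$(printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }')
    printf '%s\n' "$2" | awk -v enabled="$enabled" '
        BEGIN { n = split(enabled, e, "\n"); for (i = 1; i <= n; i++) on[e[i]] = 1 }
        NR > 2 && $2 == "All" && ($1 in on) { print $1 }'
}

# Print the esxcli commands that restrict one ruleset to the given addresses.
# The allowed addresses are added BEFORE allowed-all is switched off, so an admin
# session coming from one of them is not cut off between the two steps, and the
# function refuses to run with no addresses (that would lock everyone out).
# $1 = ruleset id, remaining args = IPv4/IPv6 addresses or CIDR ranges
restrict_ruleset_commands() {
    rs=$1; shift
    [ $# -gt 0 ] || { echo "refusing to restrict $rs: no allowed IPs given" >&2; return 1; }
    for ip in "$@"; do
        printf 'esxcli network firewall ruleset allowedip add --ruleset-id=%s --ip-address=%s\n' "$rs" "$ip"
    done
    printf 'esxcli network firewall ruleset set --ruleset-id=%s --allowed-all=false\n' "$rs"
}

# Stand-alone run over the constructed samples: list offenders and show the fix
# for each, restricting them to a placeholder management subnet (change it).
MGMT_NET=10.0.10.0/24
noncompliant_rulesets "$RULESET_LIST" "$ALLOWEDIP_LIST" | while read -r rs; do
    echo "# $rs allows any IP; remediation:"
    restrict_ruleset_commands "$rs" "$MGMT_NET"
done
```

Review the generated commands before running them: the address list for a ruleset such as vSphereClient must include the vCenter Server address, and the sshServer list must include the jump hosts you administer from, otherwise switching allowed-all off cuts the host off from its own management. The check is also a useful one-liner to run on every host before expecting the Aria Operations property to flip to true, since a single enabled ruleset left at All keeps it at false.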