Fix drift in CIM configurations after vSphere Configuration Profiles (VCP) cluster upgrade to VCF 9.0

Article ID: 400120


Products

VMware Cloud Foundation

Issue/Introduction

  • After upgrading ESXi hosts from 8.0.x to 9.0, the VCP check compliance/precheck APIs might fail because the desired config document contains certain disallowed CIM firewall rulesets.
  • The check compliance UI fails with the following errors for each of the hosts.

    'Desired configuration failed validation on the host. Check compliance is skipped.'
    'Firewall ruleset name 'CIMHttpsServer' is not predefined user configurable ruleset.'
    'Firewall ruleset name 'CIMHttpServer' is not predefined user configurable ruleset.'
    'Firewall ruleset name 'CIMSLP' is not predefined user configurable ruleset.'


Environment

VCF 9.0

Cause

In ESXi releases before VCF 9.0, CIM was enabled, so a desired document generated from such hosts includes CIM firewall ruleset configurations. CIM is removed in VCF 9.0, so from VCF 9.0 onwards these configurations are no longer valid.

If the desired document contains any of the CIM configurations below, they cause validation errors in VCF 9.0:
  • CIMHttpsServer
  • CIMHttpServer
  • CIMSLP

Resolution

There is no resolution at this time. As a workaround, perform the following steps.

1. In the vCenter UI, select the Cluster.

2. Click on the Configure tab.

3. Click on Desired State > Configuration.

4. Go to the Draft tab and click on Create Draft.

5. Remove the problem-causing CIMHttpsServer/CIMHttpServer/CIMSLP entries from the draft config document.
    /profile/esx/network/firewall_rule_sets/1/name
    /profile/esx/network/firewall_rule_sets/0/name



6. Click on Run pre-check.

7. Click on Apply Changes.
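
The removal in step 5 can be checked offline on an exported copy of the draft before it is re-imported. The script below is an added example, not VMware tooling: it assumes the document is JSON whose layout follows the `/profile/esx/network/firewall_rule_sets/<index>/name` path shown in step 5; the function name `strip_cim_rulesets` and the sample document (including its `enabled` field) are constructed for illustration.

```python
import json

# Ruleset names the article lists as invalid in VCF 9.0.
CIM_RULESETS = {"CIMHttpsServer", "CIMHttpServer", "CIMSLP"}
# Assumed layout, taken from the path shown in step 5.
RULESETS_PATH = ("profile", "esx", "network", "firewall_rule_sets")


def strip_cim_rulesets(doc):
    """Return (cleaned_doc, removed_paths); the input document is not modified."""
    cleaned = json.loads(json.dumps(doc))  # deep copy of JSON data
    node = cleaned
    for key in RULESETS_PATH[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return cleaned, []  # no firewall section: nothing to remove
    rulesets = node.get(RULESETS_PATH[-1]) if isinstance(node, dict) else None
    if not isinstance(rulesets, list):
        return cleaned, []
    removed, kept = [], []
    for index, entry in enumerate(rulesets):
        name = entry.get("name") if isinstance(entry, dict) else None
        if isinstance(name, str) and name in CIM_RULESETS:
            # Report the path using the index in the original document.
            removed.append("/" + "/".join(RULESETS_PATH) + f"/{index}/name")
        else:
            kept.append(entry)  # every non-CIM ruleset is left untouched
    node[RULESETS_PATH[-1]] = kept
    return cleaned, removed


# Constructed sample; every field other than "name" is hypothetical.
SAMPLE_DRAFT = {
    "profile": {"esx": {"network": {"firewall_rule_sets": [
        {"name": "CIMHttpsServer", "enabled": True},
        {"name": "CIMHttpServer", "enabled": True},
        {"name": "sshServer", "enabled": True},
        {"name": "CIMSLP", "enabled": False},
    ]}}}
}

if __name__ == "__main__":
    cleaned, removed = strip_cim_rulesets(SAMPLE_DRAFT)
    for path in removed:
        print("removed", path)
    print(json.dumps(cleaned, indent=2))
```

Comparing the cleaned output with the original confirms that only the three CIM entries changed and that no other firewall ruleset was dropped along the way.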