How to Disable "dynamicruleset" Firewall Rule on ESXi Host
Article ID: 412954

Products

VMware vSphere ESXi

Issue/Introduction

  • The dynamicruleset firewall rule is managed by the system and cannot be disabled using the standard methods through the vSphere Client or command line. When attempting to disable this rule, users encounter the following error message: 
    • Cannot change the host configuration. Invalid operation requested: Can not enable/disable this ruleset, it is owned by system service.
  • Attempting to disable it via the command line also fails with the following error:
    • [root@Localhost:~ ] esxcli network firewall ruleset set --ruleset-id=dynamicruleset --enabled=false
      Invalid operation requested: Can not enable/disable this ruleset, it is owned by system service.

Environment

  • VMware vSphere ESXi 7.X
  • VMware vSphere ESXi 8.X

Cause

  • ESXi ships with many predefined system firewall rulesets; each of these rulesets is defined by an XML file under /etc/vmware/firewall.
  • The "dynamicruleset" ruleset is special: it is not defined in those XML files, but it is still marked as system-owned, which is why the esxcli command refuses to enable or disable it.
  • To check the current firewall ruleset list, run the below command.
    • esxcli network firewall ruleset list
  • Run the below command to check the firewall ruleset definitions.
    • configstorecli config current get -c esx -g network -k firewall_ruleset_definitions
      • Example output from the command:
        • [root@Localhost:~] configstorecli config current get -c esx -g network -k firewall_ruleset_definitions
          [
            ...
            {
               "name": "dynamicruleset",
               "system_allow_ip": true,
               "system_enable": true
            },
  • To check the current state of the dynamicruleset, use the following command:
    • configstorecli config current get -c esx -g network -k firewall_rule_sets
      • Example output from the command:
        • [root@Localhost:~] configstorecli config current get -c esx -g network -k firewall_rule_sets
          [
            {
               "name": "dynamicruleset",
               "system_setting": [
                  {
                     "allow_all_ip": false,
                     "allowed_ip_list": [
                        "IP_Address"
                     ],
                     "enabled": false,
                     "service_name": "system"
                  }
               ]
            },

Resolution

Although the dynamicruleset cannot be disabled through the vSphere Client or using esxcli network firewall commands, it can be managed using the localcli utility on the ESXi host. Follow the steps below:

  • SSH to the ESXi host and log in with root credentials.
  • To disable the dynamicruleset:
    • localcli --plugin-dir /usr/lib/vmware/esxcli/int/ networkinternal firewall firewallRuleset set -s system -e 0 -r dynamicruleset
  • To enable the dynamicruleset again:
    • localcli --plugin-dir /usr/lib/vmware/esxcli/int/ networkinternal firewall firewallRuleset set -s system -e 1 -r dynamicruleset
  • To refresh the firewall rules so the change takes effect:
    • esxcli network firewall refresh
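The following script ties the steps above together: it reads the current state of the dynamicruleset from the configstorecli output, applies the localcli change, refreshes the firewall and verifies that the state actually changed. It is an added example, not code from the KB article; it assumes it runs as root on an ESXi 7.x/8.x host where configstorecli, localcli and esxcli are in PATH, and that the JSON output has the shape shown in the KB's example.

```shell
#!/bin/sh
# Added example, not part of the KB: check, change and verify the dynamicruleset
# state from an SSH session on the ESXi host. Assumed: run as root on ESXi 7.x/8.x
# with configstorecli, localcli and esxcli in PATH, output shaped like the KB's.

# Read configstorecli firewall_rule_sets JSON on stdin; print the "enabled"
# value (true/false) of the dynamicruleset entry. Exits 1 if the entry is absent.
dynamicruleset_state() {
    awk '
        /"name":/ { in_rs = ($0 ~ /"dynamicruleset"/) }
        in_rs && /"enabled":/ {
            sub(/.*"enabled":[ \t]*/, ""); sub(/[^a-z].*/, "")
            print; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}
# Live query of the host (needs the ESXi tools, so not exercised offline).
current_state() {
    configstorecli config current get -c esx -g network -k firewall_rule_sets |
        dynamicruleset_state
}
# The KB's localcli command: $1 is 0 (disable) or 1 (enable), then refresh.
set_dynamicruleset() {
    localcli --plugin-dir /usr/lib/vmware/esxcli/int/ networkinternal firewall \
        firewallRuleset set -s system -e "$1" -r dynamicruleset
    esxcli network firewall refresh
}
# Usage: ./dynruleset.sh enable|disable
main() {
    case "$1" in
        enable)  want=1; expect=true ;;
        disable) want=0; expect=false ;;
        *) echo "usage: $0 enable|disable" >&2; exit 2 ;;
    esac
    echo "dynamicruleset enabled before: $(current_state)"
    set_dynamicruleset "$want"
    after=$(current_state)
    echo "dynamicruleset enabled after:  $after"
    [ "$after" = "$expect" ]    # non-zero exit if the change did not take
}

# Constructed sample in the shape of the KB's firewall_rule_sets output.
SAMPLE_RULE_SETS='[
  { "name": "sshServer", "system_setting": [ { "enabled": true, "service_name": "system" } ] },
  { "name": "dynamicruleset", "system_setting": [ { "allow_all_ip": false,
      "allowed_ip_list": [ "IP_Address" ], "enabled": false, "service_name": "system" } ] }
]'
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The parser is deliberately narrow: it only looks for the "enabled" key that follows the dynamicruleset "name" entry, so a host with more rulesets in the output still resolves to the right value.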