After upgrading to ESXi 8.0 U2, the allowed IP list configured for the CIMHttpServer firewall ruleset is lost and reverts to All.
Before
$ esxcli network firewall ruleset allowedip list | grep CIMHttpServer
CIMHttpServer ###.###.###.###/24
After
$ esxcli network firewall ruleset allowedip list | grep CIMHttpServer
CIMHttpServer All
VMware ESXi 8.0 U2 build-22380479
This is expected behavior only on ESXi 8.0 U2.
This issue does not occur in ESXi 8.0 U2b and later.
In ESXi 8.0 Update 2, the firewall ruleset management plane received a significant enhancement. This update introduced a classification system where firewall rulesets are divided into two distinct categories: User Owned and System Owned.
For a User Owned ruleset, a user can set the allowed IP list through the UI, esxcli, or the API.
For a System Owned ruleset, a user cannot set the allowed IP list through the UI, esxcli, or the API.
Because CIMHttpServer is classified as System Owned, setting the allowed IP list is no longer permitted, and the configuration defaults to All.
Upgrade to ESXi 8.0 U2b or later.
In ESXi 8.0 U2b and later, users can modify the allowed IP list for System Owned firewall rulesets.
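
To catch this reversion across an upgrade, the output of `esxcli network firewall ruleset allowedip list` can be saved before and after and the two snapshots compared. The script below is an added example, not part of the original article; the function names, file names, sample addresses and the column-header layout of the saved output are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB). Snapshots are saved output of:
#   esxcli network firewall ruleset allowedip list

# reverted_rulesets BEFORE_FILE AFTER_FILE
# Prints each ruleset that had a restricted allowed-IP list in BEFORE_FILE
# but reads "All" in AFTER_FILE.
reverted_rulesets() {
    awk '
        # Skip blank lines, the column header and the dashed separator.
        NF < 2 || $1 == "Ruleset" || $1 ~ /^-+$/ { next }
        {
            name = $1
            $1 = ""              # drop the name, keep the address column
            sub(/^ +/, "")
        }
        # First file: remember only rulesets that were restricted.
        phase == "before" { if ($0 != "All") restricted[name] = $0; next }
        # Second file: report restricted rulesets that now read "All".
        (name in restricted) && $0 == "All" { print name }
    ' phase=before "$1" phase=after "$2"
}

# Constructed sample snapshots (192.0.2.0/24 is a documentation range).
sample_check() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before.txt" <<'EOF'
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
CIMHttpServer   192.0.2.0/24
vSphereClient   192.0.2.10, 192.0.2.11
EOF
    cat > "$dir/after.txt" <<'EOF'
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
CIMHttpServer   All
vSphereClient   192.0.2.10, 192.0.2.11
EOF
    reverted_rulesets "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

sample_check    # prints: CIMHttpServer
```

Rulesets that were already "All" before the upgrade, such as sshServer in the sample, are not reported, so the output lists only restrictions that were lost.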