ESX firewall rulesets showing non-compliant after upgrade

Article ID: 435620

Products

VMware vSphere ESXi

Issue/Introduction

After upgrading a cluster to ESXi 8.0.3 or later, the configuration status of the hosts may be reported as Non-compliant. Specifically, the following configuration paths (or similar) are reported as mismatches:

  • /profile/esx/network/firewall_rule_sets

Cause

This Non-compliance status occurs because Firewall Rule Sets are now included in vSphere Configuration Profiles (VCP) management starting with version 8.0.3.

  • In versions prior to 8.0.3: VCP did not manage firewall settings. As a result, your original configuration "Draft" or "Desired State" does not contain any firewall-related information.
  • In version 8.0.3 and later: VCP now monitors and enforces the firewall configuration on the host.
  • The Conflict: After upgrading to 8.0.3 or later, VCP starts checking the firewall configuration. It finds firewall rule sets in the Actual Settings on the ESXi host, but none in the cluster's Desired State. This discrepancy between the host's actual settings and the missing firewall section in the Desired State is what triggers the Non-compliance error.

Resolution

To resolve this and achieve a Compliant status, you must update the cluster's Desired State to include the firewall rules from the upgraded version.
Steps:

  • Log in to the vSphere Client and navigate to Cluster > Configure > Desired State.
  • Click Create Draft and select "Import from host".
  • Choose a reference host that has already been upgraded to the new ESXi version. This will pull the current firewall configuration into the new draft.
  • Apply the newly created draft to the cluster.

Note: For more detailed information on using the "Import from host" feature, please search for "Create a Draft by Importing Configuration from a Host" in the official vSphere Product Documentation.
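To make the mechanism concrete, the following is an added Python example (not VMware's code): it models the compliance check and the "Import from host" step on constructed data shaped like `esxcli network firewall ruleset list` output. The flat path-keyed draft layout and the `baseline` set of rule sets are assumptions, not the real VCP document format.

```python
# Added example (not VMware code): model the VCP compliance mismatch described
# above and review what "Import from host" would pull into the Desired State.

FIREWALL_PATH = "/profile/esx/network/firewall_rule_sets"

# Constructed sample, shaped like `esxcli network firewall ruleset list` output.
SAMPLE_ESXCLI_OUTPUT = """\
Name                         Enabled
---------------------------  -------
sshServer                       true
sshClient                      false
nfsClient                       true
CIMHttpServer                  false
"""


def parse_ruleset_list(text: str) -> dict[str, bool]:
    """Turn esxcli ruleset output into {ruleset_name: enabled}."""
    rulesets = {}
    for line in text.splitlines()[2:]:  # skip the header and dashed separator
        parts = line.split()
        if len(parts) == 2:
            rulesets[parts[0]] = parts[1].lower() == "true"
    return rulesets


def compliance_mismatches(desired: dict, actual: dict) -> list[str]:
    """Config paths whose host value differs from (or is absent in) the draft."""
    return [path for path in actual if desired.get(path) != actual[path]]


def import_from_host(desired: dict, actual: dict) -> dict:
    """Model 'Create Draft > Import from host': copy host settings into the draft."""
    return {**desired, **actual}


def review_enabled(rulesets: dict[str, bool], baseline: set[str]) -> list[str]:
    """Enabled rule sets on the reference host that are not in the admin's baseline.

    Anything listed here would be enforced cluster-wide once the draft is applied."""
    return sorted(name for name, on in rulesets.items() if on and name not in baseline)


# Pre-8.0.3 draft: no firewall section at all (the cause of the mismatch).
pre_upgrade_draft = {"/profile/esx/network/hostname": "esx01"}  # constructed
actual_host = {
    "/profile/esx/network/hostname": "esx01",
    FIREWALL_PATH: parse_ruleset_list(SAMPLE_ESXCLI_OUTPUT),
}

if __name__ == "__main__":
    print("before import:", compliance_mismatches(pre_upgrade_draft, actual_host))
    new_draft = import_from_host(pre_upgrade_draft, actual_host)
    print("after import: ", compliance_mismatches(new_draft, actual_host))
    print("review these: ", review_enabled(actual_host[FIREWALL_PATH], {"sshServer"}))
```

Run `review_enabled` against the reference host before applying the draft: the import copies whatever is enabled on that host, so an unexpected rule set there becomes cluster-wide desired state.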