How to Specify Allowed IP Addresses in the ESXi Firewall with PowerCLI

In a recent review of my LAB environment, I noticed that my LAB ESXi hosts allow connections from any IP address for the NTP service. This is not best practice for a solid environment. I want to allow only specific IP addresses, so that a vulnerability in the NTP service cannot be reached from arbitrary sources. There are many blogs about how to enable or disable a firewall ruleset, but none of them explain how to restrict the allowed IP addresses. The following is what I figured out. Please let me know if you see anything I can improve.

# Please connect to vCenter Server with Connect-VIServer before running this script.
# Customized parameters: the location (cluster, host or folder name), the ruleset ID
# and the two allowed IP addresses. Change them to match your environment.
$vmhosts = Get-VMHost -Location esxiCluster
foreach ($vmhost in $vmhosts) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    # Turn off "Allow connections from any IP address" for the NTP client ruleset
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet)
    # Add the first allowed NTP server
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
    # Add the second allowed NTP server (placeholder address; replace with your own)
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
}

The location name, the ruleset ID and the IP addresses are the customized parameters. Please change them accordingly.

The script gets the details of all ESXi hosts in the specified location; you can use a cluster name, an ESXi host name, or a folder. It then disables the "Allow connections from any IP address" option of the ruleset and adds two IP addresses to the ruleset.
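As an added example that is not part of the original post, the following script first audits every enabled ruleset on each host for the "allow all" setting (the condition found in the LAB), then enforces the NTP allowed list idempotently, so it can be re-run safely and also removes addresses that are no longer wanted. It assumes an existing Connect-VIServer session, that the V2 esxcli objects expose the properties Name, Enabled, Ruleset and AllowedIPAddresses and report an open ruleset with the value "All", and that the cluster name and IP addresses are placeholders to replace.

```powershell
# Added example, not the original post's script. Assumes Connect-VIServer has
# already been run; the location and the IP list are placeholders.
$location   = "esxiCluster"
$rulesetId  = "ntpClient"
$allowedIPs = @("192.168.0.1", "192.168.0.2")   # your NTP servers (placeholders)

foreach ($vmhost in Get-VMHost -Location $location) {
    $esxcli  = Get-EsxCli -VMHost $vmhost -V2
    $allowed = $esxcli.network.firewall.ruleset.allowedip.list.Invoke()

    # Audit: report every enabled ruleset that still accepts connections from any IP.
    # Property names and the "All" marker are assumptions about the V2 output.
    $enabled = $esxcli.network.firewall.ruleset.list.Invoke() | Where-Object { $_.Enabled -eq $true }
    foreach ($rs in $enabled) {
        $entry = $allowed | Where-Object { $_.Ruleset -eq $rs.Name }
        if ($entry.AllowedIPAddresses -contains "All") {
            Write-Warning ("{0}: ruleset '{1}' allows connections from any IP" -f $vmhost.Name, $rs.Name)
        }
    }

    # Enforce: close the NTP ruleset to "all" only if it is currently open
    $current = @(($allowed | Where-Object { $_.Ruleset -eq $rulesetId }).AllowedIPAddresses)
    if ($current -contains "All") {
        $set = $esxcli.network.firewall.ruleset.set.CreateArgs()
        $set.rulesetid  = $rulesetId
        $set.allowedall = "false"
        $esxcli.network.firewall.ruleset.set.Invoke($set) | Out-Null
    }

    # Add only the addresses that are missing, so re-running the script is harmless
    foreach ($ip in $allowedIPs) {
        if ($current -notcontains $ip) {
            $add = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
            $add.rulesetid = $rulesetId
            $add.ipaddress = $ip
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke($add) | Out-Null
        }
    }

    # Remove addresses that drifted in and are not on the approved list
    foreach ($ip in $current) {
        if ($ip -ne "All" -and $allowedIPs -notcontains $ip) {
            $rm = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs()
            $rm.rulesetid = $rulesetId
            $rm.ipaddress = $ip
            $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($rm) | Out-Null
        }
    }
}
```

Run the audit part alone first to see which rulesets beyond ntpClient are open to any IP before deciding what else to restrict.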
