How to Specific Allowed IP Addresses in ESXi Firewall by PowerCLI

In recent LAB environment reviewing, I noticed my LAB ESXi hosts allow connections from all IP address for NTP services. This is not the best practices for the solid environment. I want to specify certain IP addresses are allowed in case of vulnerabilities in NTP services. There are a lot of blogs talking about how to enable/disable firewall ruleset but no one talks about how to do so. Following is what I figured out. Please let me know if you see anything I can improve.

# Please connect to vCenter Server by Connect-ViServer before use this script.
$vmhosts = Get-VMHost -Location esxiCluster
foreach($vmhost in $vmhosts){
$esxcli=get-esxcli -vmhost $vmhost -V2
$ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
$ntpRuleSet.allowedall="false"
$ntpRuleSet.rulesetid="ntpClient"
$esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet)
$ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$ntpAllowIP.rulesetid="ntpClient"
$ntpAllowIP.ipaddress="192.168.0.1"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
$ntpAllowIP.ipaddress="192.168.0.1"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
}

The red text is customized parameters. Please change accordingly.

The script gets all ESXi hosts details in the specified location, you can use a cluster name, ESXi name, or folder. Then it disables “Allow connections from any IP address” option of the ruleset, and add 2 IP addresses to the ruleset.

2 Replies to “How to Specific Allowed IP Addresses in ESXi Firewall by PowerCLI”

  1. tested this script and it ran great, one question, does the firewall service or ntp client service need to be run again or does this rule become effective immediately?

Leave a Reply