How to create custom firewall rules on ESXi 5.0

While studying for the VCAP5-DCD I was working on Objective 7.2, which covers the built-in firewall for ESXi 5.0. I needed to be comfortable with creating custom rules on the host firewall. At first I figured there must be an ESXCLI command that I could just use to add and remove these rules, much like other tasks. There certainly is an ESXCLI firewall command, but it does not go as far as allowing you to create and remove rules from the firewall. The command is more about turning already defined rules on and off and refreshing the rule set.

The rule list is kept in an XML file located at /etc/vmware/firewall/service.xml.

The first thing you should do is create a backup copy of this file to protect yourself from any mistakes. Then you will need to change the permissions on the file so that you can edit it. You can do this with chmod, or with WinSCP if that is easier for you.

Once you have changed the permissions, edit the file with a plain text editor; use whatever is available and you are comfortable with. The most common options available to me are usually vi or, again, WinSCP. I tend to lean towards the second one because it's easier for me. Once you open the service.xml file you will see a rule list something like the one listed below. The two services at the end, suhr1 and suhr2, are examples that I added for my practice.

<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>1020</begin>
        <end>1050</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

  <service id='0050'>
    <id>suhr1</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>2100</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

  <service id='0051'>
    <id>suhr2</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2000</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Simply create your new rule(s) by following the same format shown above or in the file. Once completed, save the file; you will then need to enable the new rule set.

To refresh the rules and make them take effect, use the following command. Now is the time for the ESXCLI command line fun that you have been waiting for.

# esxcli network firewall refresh

Now that you have refreshed the rules you should have a look and make sure they are showing up. There are a couple of ways to accomplish this.

The first way to check is to fire up the vSphere Client and select the host on which you modified the rules. Go to the Configuration tab and then the Security Profile option under the Software section. You can see from the image below that I created two different rules, one incoming and one outgoing.

The second way to verify that your new rules are showing up is to use the command line and ESXCLI. Use the command listed below to display the rule sets.

# esxcli network firewall ruleset list
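As an added example, not code from the original post or from VMware, here is a small Python audit to run over a copy of service.xml in the format shown above: it parses each service and rule, reports duplicate service ids and impossible port ranges before you run the refresh, and lists which enabled services accept inbound traffic to a destination port. The sample XML is constructed from the page's entries plus one deliberately broken service.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the post's service.xml format: its serviceName, suhr1 and suhr2 entries plus one deliberately broken service.
SAMPLE = """<ConfigRoot>
  <service id='0000'><id>serviceName</id>
    <rule id='0000'><direction>inbound</direction><protocol>tcp</protocol>
      <porttype>dst</porttype><port>80</port></rule>
    <enabled>true</enabled><required>false</required></service>
  <service id='0050'><id>suhr1</id>
    <rule id='0000'><direction>outbound</direction><protocol>tcp</protocol>
      <porttype>src</porttype><port>2100</port></rule>
    <enabled>true</enabled><required>false</required></service>
  <service id='0051'><id>suhr2</id>
    <rule id='0000'><direction>inbound</direction><protocol>tcp</protocol>
      <porttype>dst</porttype><port>2000</port></rule>
    <enabled>true</enabled><required>false</required></service>
  <service id='0051'><id>broken</id>
    <rule id='0000'><direction>inbound</direction><protocol>udp</protocol>
      <porttype>dst</porttype><port><begin>70000</begin><end>10</end></port></rule>
    <enabled>true</enabled><required>false</required></service>
</ConfigRoot>"""

def parse_port(port_el):  # <port>N</port> or <port><begin>A</begin><end>B</end></port>
    if port_el.find("begin") is not None:
        return int(port_el.findtext("begin")), int(port_el.findtext("end"))
    n = int(port_el.text.strip())
    return n, n

def parse_services(xml_text):  # flatten every <service> and its <rule>s into plain dicts
    services = []
    for svc in ET.fromstring(xml_text).findall("service"):
        rules = []
        for rule in svc.findall("rule"):
            r = {k: rule.findtext(k) for k in ("direction", "protocol", "porttype")}
            r["id"], (r["begin"], r["end"]) = rule.get("id"), parse_port(rule.find("port"))
            rules.append(r)
        services.append({"id": svc.get("id"), "name": svc.findtext("id"),
                         "enabled": svc.findtext("enabled") == "true", "rules": rules})
    return services

def audit(services):  # problems to fix before running 'esxcli network firewall refresh'
    findings, seen = [], set()
    for s in services:
        if s["id"] in seen:
            findings.append(f"duplicate service id {s['id']} ({s['name']})")
        seen.add(s["id"])
        for r in s["rules"]:
            if not 1 <= r["begin"] <= r["end"] <= 65535:
                findings.append(f"{s['name']} rule {r['id']}: bad port range {r['begin']}-{r['end']}")
    return findings

def open_inbound(services):  # enabled services that accept traffic to a destination port
    return sorted((s["name"], r["protocol"], r["begin"], r["end"]) for s in services if s["enabled"]
                  for r in s["rules"] if r["direction"] == "inbound" and r["porttype"] == "dst")
```

Point parse_services at the text of your backup copy to audit a real file; the exposure list is what you would compare against the Security Profile view in the vSphere Client.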

One thing that I came across while researching different ways to add rules was that there was a lot of discussion on how to make the rules persist after a host reboot. If you use this method you should do some testing, but in my home lab the rules did persist across host reboots. I used the method listed in the following VMware KB.


About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and the owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group, specializing in VDI and Cloud project designs. He was awarded VMware vExpert status for 6 years, 2011 - 2016. Certifications: VCP3, VCP5, VCP5-IaaS, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design.

My VCAP5-DCD Testing experience

I recently took the VCAP5-DCD exam and wanted to write a brief summary of my experience. In case you are new to the VCAP certification track, it stands for VMware Certified Advanced Professional. There are currently two VCAP options; the DCD, or Datacenter Design exam, is focused specifically on designs around vSphere. I am proud to say that I passed the exam; it's not something that I would have looked forward to taking again anytime soon.

This VCAP is focused on vSphere and vCenter 5, and the exam is made up of 100 questions for which you have 4 hours. I heard a bunch of others state that they needed every minute of the 4 hours and maybe even ran out of time. This is no joke; I remember being about an hour into the exam and I was only on question 10 or so. At this point I was like, damn, I'm never going to finish at this rate. So I started speeding up my reading and trying to skim things more and answer without fully reading the stories. The questions on the VCAP5-DCD are pretty wordy; most questions have a lot of background information that you need to consider in your answer. It does help to be a fast reader, which is something that I am not that good at. I did end up finishing the exam with about 5 minutes left.

The exam is made up partially of text-based questions much like the VCP, but they are more design focused. Another type of question is the drag and drop type, which will ask you to read about a design and place your answers based on the questions. Then there are several questions that are more of a Visio style, where you have to actually diagram out your answer based on the requirements or question that was presented to you. I've heard many complain about these; I did not mind them and actually thought they were better than the drag and drop ones. Either way you will need to budget your time based on the style of questions. I sort of followed the advice that others have given about answering all the text questions first, then doing the drag and drop questions and finishing up with the Visio ones with whatever time you have left over. I tried to follow this model but was not exact; I adjusted based on time and frustration.

Something that I hear asked a lot is what should I study to become a VCAP-DCD. I don't believe that there is any book or class that you can take to prepare. Certainly some would help you, but this is a design focused exam. You really need to have worked in a role for some period of time that is design focused. It's not just about knowing every crazy detail about weird VMware settings; you have to understand how to design and work with customers. This is mostly something that comes with experience. This is not to say that if you work in an engineering or admin role you could not pass the exam; it's just not focused on those roles.

Anyway, I am happy to be done with the exam for this version of vSphere and wish you good luck if you are preparing for a VCAP yourself. There are good resources out there like the Brownbag sessions that are led by a number of smart community members.

PHD Virtual Monitoring application review – Sponsored Post

I was contacted by PHD to test and review their monitoring application. In all honesty I have never really paid much attention to PHD in the past. I had never come across their product at any customers, so the need had never come up. But I had seen their ads and heard others discuss them, so I was interested when asked. I will not attempt to sell you on the product or convince you otherwise; what I will try to do is give you an honest review of what I thought of the product and let you make your own choice.

The testing for this product was done in my home lab on a couple of hosts, so you might have a different experience in your environment.

Product pitch:

PHD Virtual Monitor is a comprehensive virtualization monitoring solution that gives you complete visibility across your entire virtual IT infrastructure at all levels including virtual, physical and application. Only with a complete view can you effectively ensure application availability.

I'm skipping the setup of the product; I did not want to focus on that part. The image below shows the dashboard view of all the hosts, VMs and datastores that are being monitored. I think the dashboard was probably one of the things that I liked most about the product. Now a dashboard view is not unique to this product, as most products these days offer one. I think PHD has provided a pretty simple to interpret display that lets me know the health of my environment. I can click on the icons for each item to drill down deeper. The information is organized into sections for hosts, virtual machines, storage and networking. I did not set up anything for storage or networking.

VMware VCP 5 study guide book review

I was contacted by Brian Atkinson to review his new VCP 5 study guide book from Sybex. They sent me a copy that I plan on giving away in some fashion now that I've examined the book. I was never a big fan of books focused just on helping you pass an exam. I tend to come from the school of work hard, gain the knowledge through actual hands-on experience and pass the test. I was surprised by the in-depth content that Brian put into this book; it's not an exam cram type book.

The study guide is 700+ pages of VMware content that would be very useful to admins even if you are not studying for the VCP. It covers a huge number of topics, from installs to setting up networking and storage. These chapters are not small high-level ones; they really go into a good amount of info and spell out the details for you.

Each of the chapters has questions at the end to help you review the information that you just gained. This seems like a decent approach to learning tech info. Overall I would say that the book is worth the price to anyone studying for the exam, and it is currently selling for around $30 on Amazon.

VMware vShield App best practices list

After a couple of recent projects that implemented vShield App in various ways, I thought it would be good to start building a list of best practices. These are some of the suggestions that I have collected while working with different customers and VMware people. I will continue to update it as new things come to light.

Consider reading my list of vCloud best practices when you are done with this list, since they are used together often.

vShield Manager

  • Do not deploy the vShield Manager appliance to a cluster that it will be protecting, as this can cause its connection to itself and to vCenter to be lost. (With vShield 5.0.1 you can exclude the appliance from protection, but I would still avoid it.)
  • Access to default services like DNS, syslog, NTP and other similar services that all your VMs need should be created as Layer 3 low precedence rules at the datacenter level.
  • To provide additional resiliency beyond HA, consider using Fault Tolerance (FT) to protect vShield Manager.

vShield App instances (Appliances)

  • When deploying, use a local datastore on the host if available to prevent accidental vMotion.
  • Consider setting DRS host affinity to make sure the vShield App appliance does not get vMotioned off the host; DRS is disabled by default for the appliance VM.
  • Follow vSphere hardening recommendations for virtual switches.
  • Use Security Groups to group together servers of the same function (domain controllers, web servers, DB servers, etc.).
  • Ensure that the HA restart priority for the vShield App appliance is set to high so that it is the first to restart, making sure that it is running before the VMs it protects are started.

VMware Orchestrator ideas for workflow automation samples

I've been talking to a lot of customers lately about the possibilities of VMware Orchestrator: things like whether they use it now and what they might be able to use it for in their current environment. But most of the discussions are in tandem with a vCloud design. Orchestrator has been a mystery for the last few years, but VMware has been working on changing that since vSphere 5 was released. It is now being talked about more, and 3rd parties are actively developing plug-ins to expand its ability to automate other infrastructure.

I don't plan on teaching you how to use Orchestrator; there is a good book written by Cody Bunch on Orchestrator. What I do want to talk about is some ideas of what you might be able to use Orchestrator for, to get your creativity flowing.

Orchestrator ideas:

Idea 1:

A workflow that clones a VM from a template, nothing exciting, right? Well, what if you could have the workflow do the customization part for you? So what does this mean? Well, the workflow could look at the template you are deploying from and then select a license key for the proper OS that is being used. Then it could place the VM in the Active Directory OU of your choosing. Try doing this type of stuff with standard vCenter customization templates: the licensing would take multiple customization files, and the OU part would require the template to already belong to the OU you want it to end up in. This would add a lot of layers of complexity to your environment doing it the old way. But with an Orchestrator workflow you can accomplish this and make your admins' lives easier.

Idea 2:

The idea here is not that much different from Idea 1, but it involves VCD. So the idea would be that we have several Organizations set up inside of VCD, and the VMs from each Org need to belong to a different OU in Active Directory. Well, you probably say there is no easy way to do that. You are right, but with Orchestrator we can create a blocking task and a workflow with logic in it that will listen to the request coming from VCD, look up which Org is requesting the VM, and match that to logic provided in the workflow that will let it know which OU to use.

Idea 3:

This idea came from one of the local VMware reps that I work with. The idea is to use Infoblox for IP and DNS management for vCloud. To make this work, a blocking task would be created that would step in when a new vApp was created and use the Infoblox plug-in for Orchestrator. To give you an idea of how this would work in simple terms: you would deploy a vApp and select that it grab an IP from a static pool in VCD. This allows the VM to be created, but the IP is only temporary and is taken from a small pool that is used just for this purpose. Then the blocking task will step in and request a permanent IP from Infoblox and register it with DNS. The workflow will then go back into VCD and change the IP address selection method to static-manual, because the address is now being provided by Infoblox.

These are some basic ideas, but ones that I know people might be able to use. The whole point is to get you thinking about what types of automation you might be able to accomplish with Orchestrator by providing some examples.

Update 10/29/2012

I thought it would be good to get others to submit their VCO automation ideas. I would like to find out what others are doing already with VCO, or list ideas that you would like to try to automate with VCO. These should be tasks or things that are required in your environment on a regular basis where automation could be used to save time. You may already do these today with PowerShell or something else. Let's share and help the community benefit.

As an incentive, I have a code for access to the online content from VMworld 2012. This will allow you to download the PDF versions of the slide decks and listen to the recorded sessions; there are also probably some other benefits that I have missed. I will award this to the best idea that seems both possible with VMware tools and beneficial to VMware shops.
