How to create custom firewall rules on ESXi 5.0

While studying for the VCAP5-DCD I was working on Objective 7.2, which covers the built-in firewall for ESXi 5.0. I needed to be comfortable with creating custom rules on the host firewall. At first I figured there must be an ESXCLI command that I could just use to add and remove these rules, much like other tasks. There certainly is an ESXCLI firewall command, but it does not go as far as allowing you to create and remove rules from the firewall. The command is more about turning already defined rules on and off and refreshing the rule set.

The rule list is kept in an XML file located here – /etc/vmware/firewall/service.xml

The first thing you should do is create a backup copy of this file to protect yourself from any mistakes. Then you will need to change the permissions on the file to allow you to edit it. You can do this with chmod, or with WinSCP if that is easier for you.

Once you have changed the permissions, edit the file with a plain text editor; use whatever is available and you are comfortable with. The most common options available to me are usually vi or, again, WinSCP. I tend to lean towards the second one because it's easier for me. Once you open the service.xml file you will see a rule list something like the one listed below. The two services at the end (ids 0050 and 0051) are an example that I put in for my practice.

<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>1020</begin>
        <end>1050</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

  <service id='0050'>
    <id>suhr1</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>2100</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

  <service id='0051'>
    <id>suhr2</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2000</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Simply create your new rule(s) by following the same format shown above or in the file. Once completed, save the file; then you will need to load the new rule set.

To refresh the rules and make them take effect, use the following command. Now is the time for the ESXCLI command-line fun that you have been waiting for.

# esxcli network firewall refresh

Now that you have refreshed the rules, you should have a look and make sure they are showing up. There are a couple of ways to accomplish this.

The first way to check is to fire up the vSphere Client and select the host on which you modified the rules. Go to the Configuration tab and then the Security Profile option under the Software section. You can see from the image below that I created two different rules, one incoming and one outgoing.

The second way to verify that your new rules are showing up is to use the command line and ESXCLI. Use the command listed below to display the rule sets.

# esxcli network firewall ruleset list
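Because a stray curly quote or a mistyped port in service.xml is only discovered when the host tries to load the rule set, it is worth checking the file offline before running the refresh. The script below is an added example, not code from the original post or from VMware: it parses the same ConfigRoot/service/rule layout shown above, reports malformed entries, appends a new one-rule service in the same format, and lists the service names so they can be compared with the ESXCLI output. The sample document is a constructed copy of the template service and the suhr2 service with ASCII quotes, and the validation rules (numeric unique ids, inbound/outbound, tcp/udp, src/dst, ports 1-65535) are this example's own assumptions about what the file should contain.

```python
# Added example: offline sanity check for an ESXi 5.0 /etc/vmware/firewall/service.xml
# before `esxcli network firewall refresh`.  Not VMware code; the checks are assumptions.
import xml.etree.ElementTree as ET

# Constructed sample: the template service and suhr2 from the post, ASCII quotes only.
SAMPLE_SERVICE_XML = """<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port><begin>1020</begin><end>1050</end></port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
  <service id='0051'>
    <id>suhr2</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2000</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
"""

# Accepted values per element (assumed from the layout in the post).
ALLOWED = {"direction": {"inbound", "outbound"}, "protocol": {"tcp", "udp"},
           "porttype": {"src", "dst"}, "enabled": {"true", "false"}, "required": {"true", "false"}}


def _port_ok(port_el):
    """A <port> is one number or a <begin>/<end> range; every value must be 1-65535."""
    lo, hi = port_el.findtext("begin"), port_el.findtext("end")
    try:
        lo, hi = (int(lo), int(hi)) if lo is not None else (int(port_el.text), int(port_el.text))
        return 1 <= lo <= hi <= 65535
    except (TypeError, ValueError):
        return False


def validate(xml_text):
    """Return a list of problems found in a service.xml document (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # curly quotes or a missing close tag land here
        return ["not well-formed XML: %s" % exc]
    problems, seen = [], set()
    for svc in root.findall("service"):
        sid, label = svc.get("id") or "", "service %r" % svc.get("id")
        if not sid.isdigit() or sid in seen:
            problems.append("%s: id attribute must be numeric and unique" % label)
        seen.add(sid)
        if not svc.findtext("id"):
            problems.append("%s: missing <id> name" % label)
        for tag in ("enabled", "required"):
            if svc.findtext(tag) not in ALLOWED[tag]:
                problems.append("%s: <%s> must be true or false" % (label, tag))
        if not svc.findall("rule"):
            problems.append("%s: no <rule> elements" % label)
        for rule in svc.findall("rule"):
            rlabel = "%s rule %r" % (label, rule.get("id"))
            for tag in ("direction", "protocol", "porttype"):
                if rule.findtext(tag) not in ALLOWED[tag]:
                    problems.append("%s: bad <%s>" % (rlabel, tag))
            port = rule.find("port")
            if port is None or not _port_ok(port):
                problems.append("%s: bad <port>" % rlabel)
    return problems


def add_service(xml_text, service_id, name, direction, protocol, porttype, port):
    """Append a one-rule <service> in the post's layout and return the new document text."""
    root = ET.fromstring(xml_text)
    svc = ET.SubElement(root, "service", id=service_id)
    ET.SubElement(svc, "id").text = name
    rule = ET.SubElement(svc, "rule", id="0000")
    for tag, value in (("direction", direction), ("protocol", protocol),
                       ("porttype", porttype), ("port", str(port))):
        ET.SubElement(rule, tag).text = value
    ET.SubElement(svc, "enabled").text = "true"
    ET.SubElement(svc, "required").text = "false"  # same as the post's custom rules
    return ET.tostring(root, encoding="unicode")


def service_names(xml_text):
    """Service names in file order, to compare with `esxcli network firewall ruleset list`."""
    return [s.findtext("id") for s in ET.fromstring(xml_text).findall("service")]
```

Run validate() on the edited file before the refresh; an empty list means every service has a numeric unique id, a name, boolean enabled/required flags and at least one rule with sane direction, protocol, port type and port. After the refresh, the names returned by service_names() should all appear in the output of `esxcli network firewall ruleset list`, and `esxcli network firewall ruleset rule list` shows the individual rules of each rule set so the ports can be compared as well.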

One thing that I came across while researching different ways to add rules was that there was a lot of discussion on how to make the rules persist after a host reboot. If you use this method you should do some testing, but in my home lab, using this method, the rules did persist across host reboots. I used the method listed in the following VMware KB.

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design


My VCAP5-DCD Testing experience

I recently took the VCAP5-DCD exam and wanted to write a brief summary of my experience. In case you are new to the VCAP certification track, it stands for VMware Certified Advanced Professional. There are currently two VCAP options; the DCD, or Datacenter Design exam, is focused specifically on designs around vSphere. I am proud to say that I passed the exam; it's not something that I would have looked forward to taking again anytime soon.

This VCAP is focused on vSphere and vCenter 5, and the exam is made up of 100 questions for which you have 4 hours. I heard a bunch of others state that they needed every minute of the 4 hours and maybe even ran out of time. This is no joke; I remember being about an hour into the exam and I was only on question 10 or so. At this point I was like, damn, I'm never going to finish this at this rate. So I started speeding up my reading, trying to skim things more and answer without fully reading the stories. The questions on the VCAP5-DCD are pretty wordy; most questions have a lot of background information that you need to consider in your answer. It does help to be a fast reader, which is something that I am not that good at. I did end up finishing the exam with about 5 minutes left.

The exam is made up partially of text-based questions much like the VCP, but they are more design focused. Another type of question is the drag-and-drop question that asks you to read about a design and place your answers based on the questions. Then there are several questions that are more of a Visio style, where you have to actually diagram out your answer based on the requirements or question that was presented to you. I've heard many complain about these; I did not mind them and actually thought they were better than the drag-and-drop ones. Either way you will need to budget your time based on the style of questions. I sort of followed the advice others have given about answering all the text questions first, then doing the drag-and-drop questions, and finishing up with the Visio ones with whatever time you have left over. I tried to follow this model but was not exact; I adjusted based on time and frustration.

Something that I hear asked a lot is what you should study to become a VCAP-DCD. I don't believe that there is any book or class that you can take to prepare. Certainly some would help you, but since this is a design-focused exam, you really need to have worked in a design-focused role for some period of time. It's not just about knowing every crazy detail about weird VMware settings; you have to understand how to design and work with customers. This is mostly something that comes with experience. This is not to say that if you work in an engineering or admin role you could not pass the exam; it's just not focused on those roles.

Anyway, I am happy to be done with the exam for this version of vSphere and wish you good luck if you are preparing for a VCAP yourself. There are good resources out there like the Brownbag sessions that are led by a number of smart community members.


The VCAP4-DCA Exam Blueprint is now available to download

The first exam in the new VMware intermediate series has released its Blueprint document. Blueprints are intended to give you a list of the topics covered on the exam, so that if you are well versed in these topics you should do well on your exam. For this type of exam there is no substitute for real-world experience or hundreds of hours of lab time.

The VCAP4-DCA is the VMware Certified Advanced Professional exam focused on Datacenter Administration. This is going to raise the bar for VCPs who want to show that they know their stuff. The exam material is 100% hands-on and lab-based. The VDCA410 exam consists of approximately 40 live lab activities and a short pre-exam survey consisting of 9 questions. Live lab activities consist of multiple tasks, where each task is scored. The total number of activities provided is based on the total number of tasks. Because of this, the actual number of lab activities may vary slightly between exams.

The scoring for the exam is not fully worked out until after the Beta period is over. The scale for scoring this exam will be like other exams and will have a range from 100-500.

For now the exam is available in English, and countries where English is one of the languages will get an additional 15 minutes of time for the exam. The retake policy will require someone to wait 10 business days before they are able to try again. Something different, or at least something I have not noticed before, is that once you achieve a passing score you are not allowed to take the exam again.

Since you cannot yet book this exam the pricing is not yet available. According to earlier estimates from John Hall of VMware this exam should be in the $400 range depending on your location and exam provider.

You can find out all of the details on VCAP and download the blueprint from here.
