STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to VMware vSphere 7.0 ESXi Security Technical Implementation Guide

V-256417

CAT II (Medium)

The ESXi host must configure the firewall to restrict access to services running on the host.

Rule ID

SV-256417r959010_rule

STIG

VMware vSphere 7.0 ESXi Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-000366

Discussion

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

Check Content

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Firewall.

Under the "Allowed IP addresses" column, review the allowed IPs for each service.

Check this for "Incoming" and "Outgoing" sections.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}}

If for an enabled service "Allow connections from any IP address" is selected, this is a finding.

Fix Text

From the vSphere Client, go to Hosts and Clusters. 

Select the ESXi Host >> Configure >> System >> Firewall.

Click "Edit...". For each enabled service, uncheck the check box to "Allow connections from any IP address" and input the site-specific network(s) required.

The following example formats are acceptable:

192.168.0.0/24
192.168.1.2, 2001::1/64
fd3e:29a6:0a81:e478::/64

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
#This disables the allow all rule for the target service. We are targeting the sshServer service in this example.
$arguments = $esxcli.network.firewall.ruleset.set.CreateArgs()
$arguments.rulesetid = "sshServer"
$arguments.allowedall = $false
$esxcli.network.firewall.ruleset.set.Invoke($arguments)

#Next add the allowed IPs for the service. Note doing the "vSphere Web Client" service this way may disable access but may be done through vCenter or through the console.
$arguments = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$arguments.rulesetid = "sshServer"
$arguments.ipaddress = "10.0.0.0/8"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)

This must be done for each enabled service.