[vSphere][7.0][ESXI-70-000056] ESXi Firewall Rules Need to be configured for ALL enabled services.

[ben219brown]

Is your feature request related to a problem? Please describe.

Issue with the ESXi firewall rules. Hosts would disconnect.

Describe the solution you'd like

When running the ESXi firewall rules remediation, if all services are not restricted, this is a finding. Trying to remediate anything over 443,902 would disconnect the hosts.

Solution was to set the firewall to default to pass traffic instead of block while the rules are being modifed, and then set the default back to block. Also added in some If statements to account for IP addresses already being in the allowed list, allowed all already being configured. This allows for repeated runs of the remediation without seeing errors. Please review my proposed solution.

Part 1: Remove

Describe alternatives you've considered

Part 1: Move "allowed_ip:" from within "esxi_hosts:" in \var\main.yml . I think this is the simpler approach, as to not have to configure this line item for each individual host

allowed_ip: | '192.168.1.2','192.168.1.3','192.168.1.4','10.49.200.65','172.26.48.1','9.163.72.15','10.0.0.0/24','10.0.0.57','1.1.1.1/1','10.0.0.1'

esxi_hosts: esxi_one: hostname: esxi1.bens.lab # ESXi Hostname (switch to IP if hostname is not supported/setup) username: root # Needed for ansible module call password: "{{ vault_esxi_password }}" # Needed for ansible module call

---

Part 2:

Modify powershell script in \tasks\esxi.yml with the following:

• name: ESXI-70-000056 - The ESXi host must configure the firewall to restrict access to services running on the host ansible.builtin.shell: cmd: |

  
    Connect-VIServer -Server {{ vcenter_hostname }} -User {{ vcenter_username }} -Password {{ vcenter_password }};
    $allowedips = {{ allowed_ip }}
    $fwservices = Get-VMHost -Name {{ item.value.hostname }} | Get-VMHostFirewallException | Where-Object {$_.Enabled -eq $True};
    $esxcli = Get-EsxCli -VMHost {{ item.value.hostname }} -V2;
    $fwargs = $esxcli.network.firewall.set.CreateArgs()
    $fwargs.defaultaction = $true
    $esxcli.network.firewall.set.Invoke($fwargs)
    $esxcli.network.firewall.refresh.Invoke()
    ForEach($fwservice in $fwservices){
     $fwsvcname = $fwservice.extensiondata.key;
     $fwargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs();
     $fwargs.rulesetid = $fwsvcname;       
     $checkAllowAll = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($fwargs)
     If($CheckAllowAll."AllowedIpAddresses" -eq 'All'){
      $fwargs = $esxcli.network.firewall.ruleset.set.CreateArgs();
      $fwargs.allowedall = $false;
      $fwargs.rulesetid = $fwsvcname;
      $fwargs.enabled = $true;
      $esxcli.network.firewall.ruleset.set.Invoke($fwargs);
     }
     ForEach($allowedip in $allowedips){
     $fwsvcname = $fwservice.extensiondata.key;
     $fwargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs();
     $fwargs.rulesetid = $fwsvcname;
     $checkAllowIp = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($fwargs);
     If(!$checkAllowIp."AllowedIpAddresses"){
     $fwargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs();
     $fwargs.ipaddress = $allowedip;
     $fwargs.rulesetid = $fwsvcname;
     $esxcli.network.firewall.ruleset.allowedip.add.Invoke($fwargs)
     }
    }
    ForEach($allowedip in $allowedips){ 
     If($checkAllowIp."AllowedIpAddresses".Contains($allowedip)){
     }else{
     $fwargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs();
     $fwargs.ipaddress = $allowedip;
     $fwargs.rulesetid = $fwsvcname;
     $esxcli.network.firewall.ruleset.allowedip.add.Invoke($fwargs)
     } 
     }     
    }
    $fwargs = $esxcli.network.firewall.set.CreateArgs()
    $fwargs.defaultaction = $false
    $esxcli.network.firewall.set.Invoke($fwargs)
    $esxcli.network.firewall.refresh.Invoke()
  args:
  executable: /usr/bin/pwsh
  with_dict:
  - "{{ esxi_hosts }}"
  when:
  - esxi_70_000056 | bool
  tags:
  - ESXI-70-000056
  register: ps

• debug: var=ps.stdout_lines

This will stop the host from disconnecting prior completing the firewall rules configuration.

Additional context

The only other issue I noticed, was that with DHCP configured on my hosts, they would lose their IP addresses. I do not notice the issue with statically IP'd hosts.

[rlakey]

@HerbBoy In the PowerCLI remediation script we specifically exclude some services because of the way PowerCLI does this operation. It first removes the All IP configuration, then adds the IP range but when done for some services this causes hosts to be disconnected because the operation isn't completed.

See https://github.com/vmware/dod-compliance-and-automation/blob/master/vsphere/7.0/vsphere/powercli/VMware_vSphere_7.0_STIG_ESXi_Remediation.ps1#L1657

[rlakey]

Closing since the contributor of these two particular playbooks hasn't been maintaining them. I put a note in the readme of both that VMware does not maintain them.