«

»

Sep 13 2016

Disable ESXi host firewall ports using PowerCLI

“VMTurbo"
Updated 2017-07-06 to match ESXi 6.5 FW Rule names

One thing i do for the majority of my vSphere implementations, today and previous over the years, has been to disable ESXi firewall ports not being used. There are at least a few, not always the same though, ports that will never be used no matter what environment we are talking about. The ports actually specified with their related services names i disabled during my last vSphere ESXi implementation will be included in this script.

To get all the options you can simply run the PowerCLI command “get-vmhostfirewallexception | select name” and this will be your output.

screen-shot-2016-09-13-at-18-37-47

The script that was tested using the following software versions:

  • VMware vCenter Server 6.0
  • VMware ESXi 6.0
  • VMware PowerCLI 6.3 R1

As usual, change the red marked text to your required/specific values.

#
# PowerCLI to test vMotion functionality
# Version 1.0
# Magnus Andersson – Staff Solution Architect @Nutanix
#
# Specify vCenter Server, vCenter Server username, vCenter Server user password, esxi hosts you want to disable FW rules for.
$vCenter=”vcenter01.npx5.local
$vCenterUser=”magander@npx5.local
$vCenterUserPassword=”not-secret
$esxihosts=”get-vmhost

#
# Specify FW ports to be closed
$fwdisable = (“vSAN Clustering Service“,”vSAN Transport“,”WOL“,”vSphere Web Access“,”DHCP Client“, “HBR“, “vvold“)
#
#
#Connect to vCenter Server
write-host Connecting to vCenter Server vcenter01.npx5.local -foreground green
Connect-viserver $vCenter -user $vCenterUser -password $vCenterUserPassword -WarningAction 0 | out-null
#
write-host ——–
write-host Starting the process of disabling ESXi host firewall ports
write-host ——–
#
# Close FW-ports
foreach ($esxihost in (get-vmhost $esxihosts | ? { $_.ConnectionState -eq “Connected”} |sort)){
Get-vmhostfirewallexception -VMhost $esxihost $fwdisable | Set-VMHostFirewallException -enabled:$false | out-null
}
#
# Disconnect from vCenter Server
write-host “Disconnecting to vCenter Server vcenter01.npx5.local” -foreground green
disconnect-viserver -confirm:$false | out-null

Below is the script output when running in my lab environment.

screen-shot-2016-09-13-at-18-34-21

This is what you’ll see if connecting to an ESXi host using the vSphere Client when the script is running.

screen-shot-2016-09-13-at-18-30-04

Happy PowerCLI scripting:)

1 comment

  1. vikrant

    PowerCLI scripting is always the best tool I have ever used . I always used this powerCLI to manage my vsphere environment. The way you described each and everything about how to disable ESXi host firewall ports using PowerCLI is really is very good. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">