How to Edit Firewall Settings of vCenter Server Appliance

After you deploy a vCenter Server Appliance, you can edit vCenter firewall settings to accept or reject connections and secure the vSphere environment.


By Delia / Updated on January 30, 2023

Share this: instagram reddit

What is vCenter Server Appliance firewall

It is critical to secure the entire vSphere environment by restricting and monitoring access to the vCenter Server Appliance (VCSA).

Generally, if you access an ESXi host via vCenter Server, a firewall is used to protect the vCenter Server. This VCSA Firewall is configured per IP or Network (USING CIDR Notation) to Accept or Reject all connections. And customers can create firewall rules that allow or block access to the VCSA from specific servers, hosts, or virtual machines.

In this article, I will introduce how to edit vCenter firewall settings, as well as some other security tips.

vCenter Server Appliance firewall settings

Do you need to edit vCenter Appliance firewall settings

After you deploy a vCenter Server Appliance, you can edit vCenter firewall settings and create firewall rules using the vSphere Web Client. But do you need to do that necessarily?

In fact, as the best practice suggested by VMware, the access to the VCSA should only be allowed from trusted hosts or virtual machines, and access to the remaining devices should be blocked. *Also note that some 3rd party VMware backup products or vROPs, SRM etc. should be considered when blocking access to the VCSA.

For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool at

vCenter Server Appliance

How to edit the settings of vCenter Appliance firewall

Before you edit vCenter Appliance firewall settings, you need to verify that the user who logs in to the vCenter Server instance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.

Since vCenter 7.0, you can directly click Firewall in vCenter Server Management Interface to edit firewall settings.

edit firewall settings

If you are using older versions, the path will take a little detour:

vCenter 6.7 firewall settings:

Home > Administration > System Configuration > Nodes > Manage > Firewall

vCenter 6.5 firewall settings:

Home > System Configuration > Nodes > Manage > Firewall

Then, you can start the vCenter firewall configuration.

Add a VCSA firewall rule

1. First, you can click Add to create a firewall rule,

2. Select a network interface of the virtual machine, and enter the IP address (could be IPv4 or IPv6 address) of the network to apply this rule to.

3. Enter a subnet prefix length.

4. From the Action drop-down menu, choose AcceptIgnoreReject, or Return the connection between vCenter Server and the specified network.

vcsa firewall rule actions

 5. Click Save to apply the vCenter firewall configuration.

👉To configure an existing VCSA firewall rule: Click Edit to change the settings, and click Save to confirm it.

👉To delete a VCSA firewall rule: Select the rule, click Delete. Then click Delete again at the prompt.

Reorder VCSA firewall rules

The vCenter Appliance firewall rules are applied in the order they appear in the rule table. You can move a custom rule up or down in the table to change the order or application.

Note that the default rule at the bottom of the table cannot be moved.

1. Select a rule and click Reorder.

reorder firewall rules

2. Then, select the rule to move. Click Move Up or Move Down.

3. Click Save to confirm the changes.

Configure firewall settings without vCenter Server

If your environment does not include vCenter Server, yet you want to use a firewall to protect your ESXi layer, you can directly connect to the ESXi network via the following ways:

  • VMware Host Client
  • ESXCLI interface
  • vSphere Web Services SDK or vSphere Automation SDKs

The firewall requirements for standalone ESXi hosts are similar to the ones for vCenter Server.

Monitor vCenter Server Appliance firewall

VCSA does not log firewall (iptables related activity) by default. If you want to monitor VCSA firewall activities, you need to execute these commands at the shell of VCSA.

# iptables -N LOGGER
# iptables -A LOGGER -j LOG –log-prefix ‘iptable log: ’ ‘ --log-level 7
# iptables -A OUTPUT -j LOGGER
# iptables -I OUTPUT -j LOGGER
# iptables -I INPUT -j LOGGER

After this, you can monitor firewall logs by this command:

# journalctl -k |grep “iptable”

Addition: other security tips for vCenter Server

VMware vCenter Server is the primary control center for your vSphere environment. Whether you install it on a Windows or Linux operating system it is important to keep it in a secure state. Besides editing vCenter Appliance firewall settings, here are some best practices you can try:

Uses a static IP address and hostname for your vCenter Server system. Each IP address must have a valid internal DNS registration, including reverse name resolution.

The password of vpxuser account expires after 30 days. You can change it to comply with your security policy.

Ensure the security patches for the operating system up to date, and install an anti-virus solution.

Do not allow users to log on directly to the vCenter Server host. Thus a user can only log in with permissions assigned directly on that host.

Adopt a reliable backup solution for vCenter Server. VCSA contains a file-based backup function to recover your environment after any failure, you can use it before you perform some major operations on the VCSA.

vcsa file-based backup

✍Note that this file-based backup function does not protect the virtual machines managed by vCenter. If you want to back up your VMs on a regular basis to avoid data-loss and restore the VMs to a usable state (or even to another place) quickly, you can use a dedicated VMware backup solution.

Backup virtual machines managed by vCenter easily and flexibly

Here I will recommend a reliable VMware VM backup software - AOMEI Cyber Backup. It works for VMware ESXi 6.0 and above versions (free ESXi is also supported), offering you the following benefits with the easiest operation:

Backup in batch: Add a standalone ESXi host or vCenter Server to back up virtual machines managed by it.
Hot backup: Simply backup VMware virtual machines while running. No need to suspend running operations and ongoing access during the process.
Automation: Create VMware backup schedule to automate VM protection, and enable retention policy to auto delete old backup files.
Restore to new location: Besides in-place recovery, you can restore a VM to new location in the same or another datastore/host/vCenter.

Click the button below to enjoy a fully-functional free trial:

Download Free TrialVMware ESXi & Hyper-V
Secure Download

*You can choose to install this VM backup software on either Windows or Linux system.

Select virtual machines vCenter


This article introduces how to edit and manage vCenter Appliance firewall settings. In addition to this, you can take some more measures to ensure network security.

If your virtual machines are loaded with some critical business or data, it’s also important to back them up in case of any accidents. To minimize the possible loss, it’s best to adopt an efficient VMware backup solution beforehand to enhance risk resistance.

Delia · Editor
Delia owns extensive experience in writing technology-related blog posts, and has been a part of AOMEI since 2020 to provide expertise in data security and disaster recovery. She works with Windows operating systems, SQL databases, and virtualization platforms such as VMware and Hyper-V, specializing in troubleshooting and advising on data protection and migration.