Q. How Do I Add a Non-Default Firewall Exception to ESX?

Keep looking around the vSphere client for a GUI-based way to open non-default firewall ports. You won’t find one. The vSphere client, whether pointed at a vCenter server or directly at an ESX host, only lets you enable or disable the default, built-in firewall ports. If your needs require a port that isn’t already in the interface, you’ll need to open a hole for it from the Service Console.

You accomplish this with the esxcfg-firewall command. This command requires knowing the protocol (TCP versus UDP), port number, and direction (in versus out) for the traffic you want to allow to pass. You’ll also need a label for the exception.

For example, if your WidgetABC application requires bidirectional port 12345 over both TCP and UDP, you’ll need to run the command four times:

esxcfg-firewall --openPort 12345,tcp,in,WidgetABC
esxcfg-firewall --openPort 12345,tcp,out,WidgetABC
esxcfg-firewall --openPort 12345,udp,in,WidgetABC
esxcfg-firewall --openPort 12345,udp,out,WidgetABC
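As an added example (not from the original article), the following script wraps the four invocations above in a small helper that validates the port, protocol, direction and label before building each command, and lets you open only the protocols and directions an application really needs instead of all four by default. It assumes only the esxcfg-firewall --openPort syntax shown above; with DRY_RUN left at its default the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the
# esxcfg-firewall --openPort commands for a non-default port, validating the
# inputs first. Only the --openPort syntax shown in the article is assumed.
# Commands are printed when DRY_RUN=1 (the default) so they can be reviewed
# before being run on the Service Console with DRY_RUN=0.

# Port must be an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Label must be one token of letters, digits, '_' or '-' (it becomes the
# rule name, so keep it meaningful, e.g. the application name).
valid_label() {
  case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# open_port PORT LABEL [PROTOCOLS] [DIRECTIONS]
# PROTOCOLS defaults to "tcp udp", DIRECTIONS to "in out"; pass narrower
# lists to open only what the application actually needs.
open_port() {
  port=$1; label=$2; protos=${3:-"tcp udp"}; dirs=${4:-"in out"}
  valid_port "$port"   || { echo "invalid port: $port" >&2; return 1; }
  valid_label "$label" || { echo "invalid label: $label" >&2; return 1; }
  for proto in $protos; do
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    for dir in $dirs; do
      case "$dir" in out|in) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
      cmd="esxcfg-firewall --openPort $port,$proto,$dir,$label"
      if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
      else
        $cmd || return 1
      fi
    done
  done
}

# The article's case: WidgetABC needs 12345 both ways over TCP and UDP.
open_port 12345 WidgetABC
# A service that only listens on TCP would instead need just one rule:
open_port 12345 WidgetABC tcp in
```

Run it once in dry-run mode, check that the printed rules are exactly the ones you intend, then rerun with DRY_RUN=0 on the Service Console.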
