Manual Firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

KB ID: 2299
Product: Veeam Backup & Replication
Version:
Published:
Last Modified: 2017-10-14

Challenge

This article describes making manual firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

Solution

To achieve the optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing, it is needed to change the ESXi host firewall. See more background information here.

One of the methods to change the ESXi host firewall is by manual creation of an ESXi host firewall rule. This configuration is reset by an ESXi host reboot and can be used for test environments.
To open ports on ESX(i) hosts, add the following firewall rule to the services.xml file on an ESX(i) host. 
<!--Cisco Firewall configuration information -->
 <ConfigRoot>
   <service id='9230'>
     <id>VeeamCiscoFirewall</id>
     <rule id='0000'>
       <direction>inbound</direction>
       <protocol>tcp</protocol>
       <porttype>dst</porttype>
       <port>
         <begin>0</begin>
         <end>65535</end>
       </port>
     </rule>           
  </service> 
</ConfigRoot>

The following example shows all steps required to open the firewall at an ESXi host SSH connection:
1. Back up the current services.xml file by running the command:

cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak

2. Modify the access permissions of the service.xml file to allow writes by running the chmod command:
chmod 644 /etc/vmware/firewall/service.xml
chmod +t /etc/vmware/firewall/service.xml
3. Open the service.xml file in a text editor:
vi /etc/vmware/firewall/service.xml
4. Add the rule to the service.xml file (see example above)
5. Revert the access permissions of the service.xml file to the read-only default by running the command:
chmod 444 /etc/vmware/firewall/service.xml
6. Refresh the firewall rules for the changes to take effect by running the command:
esxcli network firewall refresh
7. Enable the new firewall rule:
esxcli network firewall ruleset set -r "VeeamCiscoFirewall" -e true -a false 
8. Bind the firewall rule to all Veeam proxy server data network IPs. This is the IP on the HyperFlex “Storage Controller Data Network”. Repeat the command for each proxy server:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoFirewall" -i "<yourVeeamProxyIP>"
9. Check the IP binding
esxcli network firewall ruleset allowedip list | grep -v "All"
10. Check if the firewall rule is enabled
esxcli network firewall ruleset list


 

More Information

For more information about custom firewall rule creation, click here.
0 / 5 (0 votes cast)

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Request new content

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system