
Manual Firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

KB ID: 2299
Product: Veeam Backup & Replication 11, Veeam Backup & Replication 10a, Veeam Backup & Replication 9.5
Published: 2017-06-07
Last Modified: 2021-09-01

Challenge

This article describes making manual firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.

For details on how to perform these firewall changes using a predefined VMware ESXi extension, please review KB2298.

HyperFlex Version Specific Article

Please follow the KB below only if you are running a HyperFlex version below 3.0.

Starting with Cisco HyperFlex 3.0, the needed Firewall changes have been implemented in the OS image. Please review KB3075.

For new customers, we recommend installing the HyperFlex cluster with the latest HX version. For existing customers, we recommend upgrading to HX 3.0 or higher to benefit from the new firewall changes.

Solution

To achieve optimal balancing within the Cisco HyperFlex data network during Backup from Storage Snapshot processing, the ESXi host firewall must be changed. See more background information here.

One of the methods to change the ESXi host firewall is by manual creation of an ESXi host firewall rule. This configuration is reset by an ESXi host reboot and can be used for test environments.

To open ports on ESX(i) hosts for Cisco HX < 2.5, add the following firewall rule to the service.xml file on an ESX(i) host.
<!-- Cisco Firewall configuration information -->
<ConfigRoot>
  <service id='9230'>
    <id>VeeamCiscoFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
  </service>
</ConfigRoot>

 
To open ports on ESX(i) hosts for Cisco HX >= 2.5, add the following firewall rule to the service.xml file on an ESX(i) host.
<!-- Cisco Firewall configuration information -->
<ConfigRoot>
  <service id='9230'>
    <id>VeeamCiscoHXFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>111</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2049</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2449</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>


The following example shows all steps required to open the firewall over an SSH connection to an ESXi host:
1. Back up the current service.xml file by running the command:
cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak

2. Modify the access permissions of the service.xml file to allow writes by running the chmod command:
chmod 644 /etc/vmware/firewall/service.xml
chmod +t /etc/vmware/firewall/service.xml
3. Open the service.xml file in a text editor:
vi /etc/vmware/firewall/service.xml
4. Add the rule to the service.xml file (see example above)
5. Revert the access permissions of the service.xml file to the read-only default by running the command:
chmod 444 /etc/vmware/firewall/service.xml
6. Refresh the firewall rules for the changes to take effect by running the command:
esxcli network firewall refresh
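7. Enable the new firewall rule. The ruleset name in this and the following commands is the <id> value of the rule you added, so use "VeeamCiscoHXFirewall" if you added the Cisco HX >= 2.5 rule:
esxcli network firewall ruleset set -r "VeeamCiscoFirewall" -e true -a false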
8. Bind the firewall rule to all Veeam proxy server data network IPs. This is the IP on the HyperFlex “Storage Controller Data Network”. Repeat the command for each proxy server:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoFirewall" -i "<yourVeeamProxyIP>"
9. Check the IP binding:
esxcli network firewall ruleset allowedip list | grep -v "All"
10. Check if the firewall rule is enabled:
esxcli network firewall ruleset list
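
A scripted form of the checks in steps 9 and 10, added here as an example and not part of the original Veeam article. Because the HX < 2.5 rule opens every inbound TCP port, the allowed-IP binding from step 8 is the only restriction on who can reach them, so the function fails unless the ruleset is enabled and bound to exactly the expected proxy IPs. The sample listings and 192.0.2.x addresses are constructed; the column layout of the esxcli output and the availability of awk in the ESXi shell are assumptions.

```shell
#!/bin/sh
# Added example. On a host, capture the real listings instead of the samples:
#   rulesets=$(esxcli network firewall ruleset list)
#   allowed=$(esxcli network firewall ruleset allowedip list)

# Constructed sample listings (not captured from a real host).
SAMPLE_RULESETS='Name                Enabled
------------------  -------
sshServer              true
VeeamCiscoFirewall     true'
SAMPLE_ALLOWEDIP='Ruleset             Allowed IP Addresses
------------------  --------------------
sshServer           All
VeeamCiscoFirewall  192.0.2.31, 192.0.2.32'

# check_ruleset NAME RULESET_LISTING ALLOWEDIP_LISTING PROXY_IP...
# Returns 0 only if NAME is enabled and bound to exactly the given proxy IPs.
check_ruleset() {
    name=$1; rulesets=$2; allowed=$3; shift 3
    rc=0
    enabled=$(printf '%s\n' "$rulesets" | awk -v n="$name" '$1 == n { print $2 }')
    if [ "$enabled" != "true" ]; then
        echo "FAIL: $name is missing or not enabled"; rc=1
    fi
    # Everything after the ruleset name, with commas and padding collapsed.
    bound=$(printf '%s\n' "$allowed" |
        awk -v n="$name" '$1 == n { $1 = ""; gsub(/[ ,]+/, " "); print }')
    for ip in $bound; do
        case " $* " in
            *" $ip "*) ;;                       # expected proxy IP
            *) if [ "$ip" = "All" ]; then
                   echo "FAIL: $name accepts every source IP"
               else
                   echo "FAIL: unexpected allowed IP $ip"
               fi
               rc=1 ;;
        esac
    done
    for ip in "$@"; do
        case " $bound " in
            *" $ip "*) ;;
            *) echo "FAIL: proxy $ip is not bound to $name"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $name enabled, bound only to: $*"; fi
    return "$rc"
}

check_ruleset VeeamCiscoFirewall "$SAMPLE_RULESETS" "$SAMPLE_ALLOWEDIP" \
    192.0.2.31 192.0.2.32
```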


 

More information

For more information about custom firewall rule creation, click here.