This article describes making manual firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.
For details on how to perform these firewall changes using a predefined VMware ESXi extension, please review KB2298.
Please follow the KB below only if you are running a HyperFlex version below 3.0.
Starting with Cisco HyperFlex 3.0, the needed firewall changes have been implemented in the OS image. Please review KB3075.
For new customers, we recommend installing the HyperFlex cluster with the latest HX version, and for existing customers, we recommend upgrading to HX 3.0 or higher to benefit from the new firewall changes.
1. Back up the service.xml file:
cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak

2. Change the permissions on the service.xml file so that it can be edited:
chmod 644 /etc/vmware/firewall/service.xml
chmod +t /etc/vmware/firewall/service.xml

3. Open the service.xml file in a text editor:
vi /etc/vmware/firewall/service.xml

4. Add the rule to the service.xml file (see example above)

5. Set the permissions on the service.xml file back to read-only:
chmod 444 /etc/vmware/firewall/service.xml

6. Refresh the firewall rules for the changes to take effect by running the command:
esxcli network firewall refresh

7. Enable the new firewall rule:
esxcli network firewall ruleset set -r "VeeamCiscoFirewall" -e true -a false

8. Bind the firewall rule to all Veeam proxy server data network IPs. This is the IP on the HyperFlex “Storage Controller Data Network”. Repeat the command for each proxy server:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoFirewall" -i "<yourVeeamProxyIP>"

9. Check the IP binding:
esxcli network firewall ruleset allowedip list | grep -v "All"

10. Check if the firewall rule is enabled:
esxcli network firewall ruleset list
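
The checks in steps 9 and 10 can be scripted so that a ruleset left open to all source IPs, or bound to the wrong addresses, is reported instead of being read off by eye. The script below is an added example, not part of the original KB; the function name audit_ruleset, the sample listings and the 192.0.2.x proxy addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the KB: audit the outcome of steps 7-10.
RULESET="VeeamCiscoFirewall"

# audit_ruleset RULESET_LIST ALLOWEDIP_LIST EXPECTED_IP...
# The first two arguments are the text output of the commands in steps 10
# and 9. Prints one finding per line; returns 0 only when there are none.
audit_ruleset() {
    rules=$1; allowed=$2; shift 2
    bad=0
    # Step 10: the ruleset must be listed as enabled.
    enabled=$(printf '%s\n' "$rules" | awk -v r="$RULESET" '$1 == r { print $2 }')
    if [ "$enabled" != "true" ]; then
        echo "ruleset is not enabled"; bad=1
    fi
    # Step 9: everything after the ruleset name is the allowed-IP column.
    ips=$(printf '%s\n' "$allowed" |
          awk -v r="$RULESET" '$1 == r { $1 = ""; gsub(/[ ,]+/, " "); print }')
    # "All" means the -a false setting from step 7 is not in effect.
    case " $ips " in
        *" All "*) echo "all source IPs are allowed"; bad=1 ;;
    esac
    # Every expected proxy IP must be bound (step 8) ...
    for want in "$@"; do
        case " $ips " in
            *" $want "*) ;;
            *) echo "proxy IP not bound: $want"; bad=1 ;;
        esac
    done
    # ... and nothing else may be bound ("All" is reported above).
    for have in $ips; do
        case " All $* " in
            *" $have "*) ;;
            *) echo "unexpected allowed IP: $have"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample listings (placeholder IPs), laid out like the output of
# "esxcli network firewall ruleset list" and "... ruleset allowedip list".
SAMPLE_RULES='Name                Enabled
------------------  -------
sshServer              true
VeeamCiscoFirewall     true'
SAMPLE_ALLOWED='Ruleset             Allowed IP Addresses
------------------  --------------------
sshServer           All
VeeamCiscoFirewall  192.0.2.11, 192.0.2.12'

audit_ruleset "$SAMPLE_RULES" "$SAMPLE_ALLOWED" 192.0.2.11 192.0.2.12 && echo "ruleset OK"
```

On a host, pass the output of the two list commands from steps 10 and 9 as the first two arguments, followed by the data network IP of each Veeam proxy.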