Operational Defect Database
BugZero found this defect 2539 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Veeam | kb2299
Manual Firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing
Last update date:
9/1/2021
Affected products:
Veeam Backup & Replication
Affected releases:
10
Fixed releases:
No fixed releases provided.
Description:
Challenge
This article describes making manual firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing. For details on how to perform these firewall changes using a predefined VMware ESXi extension please review KB2298.
Solution
To achieve the optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing, it is needed to change the ESXi host firewall. See more background information here.One of the methods to change the ESXi host firewall is by manual creation of an ESXi host firewall rule. This configuration is reset by an ESXi host reboot and can be used for test environments.To open ports on ESX(i) hosts for Cisco HX < 2.5, add the following firewall rule to the services.xml file on an ESX(i) host. <!--Cisco Firewall configuration information --> <ConfigRoot> <service id='9230'> <id>VeeamCiscoFirewall</id> <rule id='0000'> <direction>inbound</direction> <protocol>tcp</protocol> <porttype>dst</porttype> <port> <begin>0</begin> <end>65535</end> </port> </rule> </service> </ConfigRoot> To open ports on ESX(i) hosts for Cisco HX >= 2.5, add the following firewall rule to the services.xml file on an ESX(i) host. <!--Cisco Firewall configuration information --> <ConfigRoot> <service id='9230'> <id>VeeamCiscoHXFirewall</id> <rule id='0000'> <direction>inbound</direction> <protocol>tcp</protocol> <porttype>dst</porttype> <port>111</port> </rule> <rule id='0001'> <direction>inbound</direction> <protocol>tcp</protocol> <porttype>dst</porttype> <port>2049</port> </rule> <rule id='0002'> <direction>inbound</direction> <protocol>tcp</protocol> <porttype>dst</porttype> <port>2449</port> </rule> <enabled>true</enabled> <required>false</required> </service></ConfigRoot>The following example shows all steps required to open the firewall at an ESXi host SSH connection:1. Back up the current services.xml file by running the command: cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak 2. Modify the access permissions of the service.xml file to allow writes by running the chmod command: chmod 644 /etc/vmware/firewall/service.xml chmod +t /etc/vmware/firewall/service.xml 3. Open the service.xml file in a text editor: vi /etc/vmware/firewall/service.xml 4. Add the rule to the service.xml file (see example above)5. Revert the access permissions of the service.xml file to the read-only default by running the command: chmod 444 /etc/vmware/firewall/service.xml 6. Refresh the firewall rules for the changes to take effect by running the command: esxcli network firewall refresh 7. Enable the new firewall rule: esxcli network firewall ruleset set -r "VeeamCiscoFirewall" -e true -a false 8. Bind the firewall rule to all Veeam proxy server data network IPs. This is the IP on the HyperFlex “Storage Controller Data Network”. Repeat the command for each proxy server: esxcli network firewall ruleset allowedip add -r "VeeamCiscoFirewall" -i "<yourVeeamProxyIP>" 9. Check the IP binding esxcli network firewall ruleset allowedip list | grep -v "All" 10. Check if the firewall rule is enabled esxcli network firewall ruleset list
More Information
For more information about custom firewall rule creation, click here.
