ESX includes a firewall between the service console and the network. To ensure the integrity of the service console, VMware has reduced the number of firewall ports that are open by default.

At installation time, the service console firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989, 5988, which are used for basic communication with ESX. This setting enforces a high level of security for the host.


The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.

In trusted environments, you might decide that a lower security level is acceptable. If so, you can set the firewall for either medium or low security.

Medium security

All incoming traffic is blocked, except on the default ports and any ports you specifically open. Outgoing traffic is not blocked.

Low security

There are no blocks on either incoming or outgoing traffic. This setting is equivalent to removing the firewall.

Because the ports open by default are strictly limited, you might be required to open additional ports after installation. For a list of commonly used ports that you might open, see TCP and UDP Ports for Management Access.

As you add the supported services and management agents required to operate ESX effectively, you open other ports in the service console firewall. You add services and management agents through vCenter Server as described in Configuring Firewall Ports for Supported Services and Management Agents.

In addition to the ports you open for these services and agents, you might open other ports when you configure certain devices, services, or agents such as storage devices, backup agents, and management agents. For example, if you are using Veritas NetBackup™ 4.5 as a backup agent, open ports 13720, 13724, 13782, and 13783, which NetBackup uses for client-media transactions, database backups, user backups or restores, and so forth. To determine which ports to open, see vendor specifications for the device, service, or agent.


Do not modify default firewall rules for the service console using any command or utility other than esxcfg-firewall. If you modify the defaults by using a Linux command, your changes will be ignored and overwritten by the defaults specified for that service by the esxcfg-firewall command.