vCenter Server 9.0 (Broadcom/VMware vSphere)

Rationale

This rule allows vSphere administrators (compliant devices, restricted vCenter SSO groups) and automation tools (PowerCLI, Terraform vSphere, Ansible VMware) to reach the VCSA over HTTPS port 443 (vSphere Client HTML5 and REST API/SDK). Since the VCSA is a controlled internal server, ssl_inbound_inspection decrypts inbound traffic to detect exploits targeting vCenter Server (T1190 — many historical critical CVEs: CVE-2021-21985, CVE-2021-22005, CVE-2023-34048, etc.) and malicious uploaded files. Identity is restricted by vCenter SSO group (least privilege). Risk is critical (risk 5): compromising the VCSA enables pivoting to all ESXi hosts via vpxd↔vpxa (T1210). This rule also covers the redirect from HTTP port 80 (see rule 3).

Security profiles

Rationale

The VAMI (vCenter Appliance Management Interface, port 5480) is the only way to manage the VCSA system settings: backup, network configuration, NTP, TLS certificates, appliance OS updates, and SSH enable/disable. It is structurally mandatory (without it, the VCSA cannot be managed outside the vSphere Client) and distinct from the vSphere management interface on port 443. Access is restricted to system administrators only (a narrower directory group than rule 1). ssl_inbound_inspection covers exploits (T1190, T1078). Risk is critical (risk 5): VAMI access allows full reconfiguration of the VCSA, including SSH activation and SSO certificate modification.

Security profiles

Rationale

The VCSA automatically redirects port 80 to HTTPS 443 (vSphere Client). No application data is transmitted in clear text: the session is immediately redirected. IPS in block mode (high severity) detects exploitation attempts targeting the HTTP redirect layer. Decryption is not applicable: the HTTP flow is not encrypted and the redirect occurs before any data exchange.

Security profiles

Rationale

The VCSA drives ESXi hosts via the bidirectional vpxd↔vpxa channel. TCP port 902 (ESXi management port) carries data transfer, configuration, and VM console (MKS — Mouse/Keyboard/Screen via vSphere Client). TCP port 443 is used by vpxd for vpxa agent management APIs on the ESXi side. The UDP 902 availability heartbeat is covered by rule 4b. Decryption is disabled (cert_pinned_app exclusion): ESXi hosts present vSphere device certificates and a MITM proxy would break the mutual authentication channel vpxd↔vpxa. IPS detects exploits targeting ESXi management services (T1210). Risk is critical (risk 5): this channel is the main pivot vector from the VCSA to ESXi hosts.

Security profiles

Rationale

The UDP 902 availability heartbeat between the VCSA (vpxd) and ESXi hosts (vpxa) enables rapid detection of unavailable hosts in vSphere. This flow is fundamental for vSphere HA high-availability management and ESXi host health monitoring in vCenter. IPS in default mode detects protocol anomalies on this UDP flow without blocking legitimate vpxd probes.

Security profiles

Rationale

DNS resolution is structurally mandatory for the VCSA: installation fails if A/PTR records for its FQDN cannot be resolved. In operation, DNS is required to reach managed ESXi hosts, Active Directory controllers (vCenter SSO integration), and the dl.broadcom.com service (vLCM updates). The flow is restricted to a controlled internal resolver (no direct Internet resolution). The dns_security profile with sinkhole mitigates DNS tunneling from the VCSA if it were compromised. TCP/53 (DNSSEC or >512-byte responses) is handled by the same rule if the firewall supports multi-protocol; otherwise duplicate for tcp/53.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if direct NTP synchronisation is configured on the VCSA (via VAMI or vcsa-util). The VCSA can synchronise its clock via the ESXi host hypervisor (VMware Tools mode), but direct NTP synchronisation is strongly recommended in production. NTP is critical for vSphere TLS certificate validity, vCenter SSO/Kerberos authentication, event log consistency, and vSphere HA operation (master election). IPS in default mode detects NTP protocol anomalies (amplification, non-standard mode).

Security profiles

Rationale

CONDITIONAL — Enable ONLY if the VCSA SSH service has been explicitly activated via the VAMI for a maintenance operation. SSH is disabled by default on the VCSA in vSphere 9.0 (Broadcom security best practice) and must be re-disabled after the operation. This rule should be activated with a time-limited policy (maintenance window). The ssh_proxy decryption mode allows inspection of commands executed over the SSH tunnel (detection of exfiltration or suspicious commands on the VCSA root shell). Access is restricted to compliant management hosts and the narrowest administration group (T1133). log_start is enabled to trace every SSH session opening.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if vCenter Auto Deploy is in place for stateless ESXi host automated deployment. Auto Deploy distributes ESXi images, configuration profiles, and vSphere assignment rules to hosts being provisioned: hosts connect to the VCSA on TCP ports 6501 (Auto Deploy HTTP service) and 6502 (Auto Deploy HTTPS service) to receive their system image. Antivirus and IPS inspect inbound flows. Decryption is disabled (cert_pinned_app) as ESXi hosts network-booting use vSphere device certificates that a proxy cannot impersonate. If provisioning uses UEFI HTTPS Boot (modern ESXi 7+ boot), it goes through TCP 443 (rule 1) and this rule can remain disabled.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if vCenter Auto Deploy uses legacy PXE boot (BIOS or classic iPXE). TFTP (UDP 69) enables download of the iPXE boot file when an ESXi host being provisioned PXE-boots. This rule is unnecessary if UEFI HTTPS Boot (new default from ESXi 7+) is configured, as it operates entirely over HTTPS (rule 1 or rule 8). TFTP is an unencrypted protocol: restrict its use to the segmented management network and consider migrating to UEFI HTTPS boot to eliminate this flow.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if vSphere Lifecycle Manager (vLCM) is activated to drive updates and check compliance of managed ESXi hosts. vLCM exposes an HTTPS patch/ESXi image repository from the VCSA to hosts. If this flow is blocked, vLCM compliance checks and remediations fail silently. HTTPS port 9087: the primary flow since vSphere 7/vLCM (replaces legacy HTTP port 9084). ssl_inbound_inspection enables antivirus and sandboxing inspection of distributed content (supply-chain vector if the VCSA is compromised).

Security profiles

Rationale

CONDITIONAL — Enable ONLY if vLCM still uses the legacy HTTP port (9084) for compatibility-mode ESXi hosts, or the host configuration store access port (8083). In vSphere 7+/current vLCM, the main flow goes through HTTPS 9087 (rule 10); these ports are legacy residues. Note: since 9084 is unencrypted HTTP, consider migrating to 9087/HTTPS to eliminate this unencrypted flow and close this rule.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if vSphere Replication is deployed (VR Appliance). This SOAP flow (TCP 8043) allows the VCSA to control the vSphere Replication Appliance: replication policy configuration, monitoring, failover orchestration. It is distinct from inter-ESXi replication data traffic (NBD/NFC), which belongs to a dedicated ESXi host profile. ssl_inbound_inspection inspects inbound HTTPS SOAP flows to the VCSA.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if the VCSA's SNMP agent is activated and a network management system (NMS) performs polling. SNMPv3 with authentication and encryption is strongly recommended for a vSphere infrastructure (vCenter MIBs expose sensitive infrastructure information). Access must be restricted to the NMS IP address. IPS in default mode monitors SNMP protocol anomalies (unauthorised walk attempts).

Security profiles

Rationale

CONDITIONAL — Enable ONLY if SNMP trap sending is configured on the VCSA toward a trap receiver (NMS). The VCSA emits SNMP UDP traps to the NMS to report vSphere infrastructure events. Prefer SNMPv3 with authentication. IPS in default mode monitors anomalies.

Security profiles

Rationale

CONDITIONAL — Enable ONLY if unencrypted syslog collection is configured on the VCSA AND the current version is vCenter Server 9.x (supported). VERSION WARNING: unencrypted syslog on UDP/TCP 514 is supported in vCenter Server 9.x but is blocked and unsupported from vCenter Server 9.1 onward. If an upgrade to 9.1+ is planned, migrate to syslog TLS (rule 16, port 1514) BEFORE upgrading the VCSA. Unencrypted syslog exposes vCenter logs to interception and tampering on the management network — prefer rule 16 in all circumstances. IPS monitors flow anomalies.

Security profiles

Rationale

CONDITIONAL — Enable if encrypted TLS syslog log collection is configured on the VCSA. Recommended in vCenter Server 9.x, and mandatory from vCenter Server 9.1 onward (unencrypted syslog on 514 is blocked from that version). Recommended migration path from rule 15. Decryption is disabled (cert_pinned_app) as the TLS syslog collector uses a vSphere device certificate for mutual authentication.

Security profiles

Rationale

The VCSA and vLCM download vCenter Server updates and ESXi patches/images from dl.broadcom.com, Broadcom's authenticated repository (per-support-account token, KB 431697). This is the only outbound Internet flow and a critical supply-chain vector (T1195.002): ssl_forward_proxy is mandatory to allow antivirus and sandboxing to inspect downloaded packages. url_filtering blocks risky categories and uncategorised sites. DEPLOYMENT ALLOW-LIST: authorise only dl.broadcom.com (active repository since April 2025). DO NOT authorise the retired legacy VMware domains (depot.vmware.com, hostupdate.vmware.com, vapp-updates.vmware.com — HTTP 403 since 23 April 2025, KB 390098). Deployment note: dl.broadcom.com uses a per-support-account authentication token; configure the SSL inspection exclusion for this specific domain at the proxy level (KB 431697), not a general decryption exclusion in this rule. High risk (risk 4): supply-chain vector with wide blast radius on the VCSA and all managed ESXi hosts.

Security profiles

Rationale

Hardening: clear-text (HTTP) communication attempts toward ESXi host management interfaces are silently dropped. Modern ESXi hosts (vSphere 7+) expose their management interfaces only over HTTPS (port 443, rule 4 — vpxd↔vpxa channel); an HTTP flow toward an ESXi host is either a legacy configuration residue or an attempt to bypass encryption (T1557 — in-flight interception, vCenter/ESXi credential theft). High-priority logging flags every attempt for investigation. Note: this rule targets internal VCSA <-> ESXi host flows; the HTTP 80 to HTTPS redirect for administrator clients (vSphere Client) is covered by rule 3 (inbound direction).