Firewall Ruleset
Overview
Evidence: Firewall Ruleset
Description: ESXi Firewall Ruleset
Category: Network
Platform: esxi
Short Name: fwruleset
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
ESXi’s built-in firewall protects management interfaces by controlling inbound and outbound network traffic. Firewall rules define which services are accessible and from where, making rule configuration critical for preventing unauthorized remote access and detecting rule tampering.
Data Collected
This collector gathers structured data about the ESXi firewall ruleset.
Firewall Ruleset Data
| Field | Description | Example |
|---|---|---|
| Name | Name of the firewall ruleset | Example value |
| Enabled | Whether the ruleset is enabled | Example value |
Collection Method
This collector parses firewall ruleset configuration, extracting rule names, enabled/disabled status, allowed IP addresses or networks, port numbers, protocol types, and direction specifications for each defined firewall rule.
Forensic Value
Firewall rule analysis reveals security policy violations, detects unauthorized rule modifications that enable remote access, identifies overly permissive rules, and exposes attempts to disable security controls. Comparing rules against security baselines helps identify compromise indicators and policy violations.
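As an added example (not the collector's own code) covering both the parsing described under Collection Method and the baseline comparison described above: the script parses a constructed ruleset listing in the two-column name/Enabled layout of `esxcli network firewall ruleset list` (an assumed input format, not necessarily what the collector reads) and flags rulesets whose state deviates from a constructed baseline or that the baseline does not list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of `esxcli network firewall ruleset list`
# (ruleset name, then Enabled as true/false). Assumed format for illustration.
SAMPLE_RULESET = """\
Name                  Enabled
--------------------  -------
sshServer             true
sshClient             false
vSphereClient         true
remoteSerialPort      true
webAccess             true
"""

# Constructed baseline: the expected enabled state for each approved ruleset.
# Any ruleset absent from the baseline is reported as unexpected.
BASELINE = {
    "sshServer": False,
    "sshClient": False,
    "vSphereClient": True,
    "webAccess": True,
}

@dataclass(frozen=True)
class Finding:
    ruleset: str
    observed: Optional[bool]   # None when the ruleset is missing from the host
    expected: Optional[bool]   # None when the baseline does not list the ruleset
    reason: str

def parse_ruleset(text: str) -> dict:
    """Return {ruleset: enabled}; header and separator rows do not match and are skipped."""
    rules = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\S+)\s+(true|false)", line.strip())
        if m:
            rules[m.group(1)] = m.group(2) == "true"
    return rules

def compare_to_baseline(rules: dict, baseline: dict) -> list:
    """Flag state mismatches, rulesets unknown to the baseline, and rulesets absent from the host."""
    findings = []
    for name, enabled in sorted(rules.items()):
        if name not in baseline:
            findings.append(Finding(name, enabled, None, "ruleset not in baseline"))
        elif enabled != baseline[name]:
            findings.append(Finding(name, enabled, baseline[name], "state differs from baseline"))
    for name in sorted(set(baseline) - set(rules)):
        findings.append(Finding(name, None, baseline[name], "ruleset missing from host"))
    return findings

if __name__ == "__main__":
    for f in compare_to_baseline(parse_ruleset(SAMPLE_RULESET), BASELINE):
        print(f"{f.ruleset}: observed={f.observed} expected={f.expected} ({f.reason})")
```

In the sample, `sshServer` being enabled against a baseline of disabled is the kind of change that enables remote access, and `remoteSerialPort` is surfaced only because the baseline does not approve it.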