# Firewall Ruleset

## Overview

**Evidence:** Firewall Ruleset\
**Description:** ESXi Firewall Ruleset\
**Category:** Network\
**Platform:** esxi\
**Short Name:** fwruleset\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

ESXi's built-in firewall filters inbound and outbound traffic on the host's VMkernel management interfaces. Traffic is governed by named rulesets (for example `sshServer` or `vSphereClient`), each of which groups the ports, protocols and directions for one service and can be enabled or disabled and restricted to a set of allowed source addresses. Because these rulesets decide which management services are reachable and from where, their configuration is critical both for preventing unauthorized remote access and for detecting rule tampering after a compromise.

## Data Collected

This collector gathers structured data about the ESXi firewall ruleset: one record per defined ruleset.

### Firewall Ruleset Data

| Field     | Description | Example       |
| --------- | ----------- | ------------- |
| `Name`    | Ruleset identifier, as listed by `esxcli network firewall ruleset list` | `sshServer` |
| `Enabled` | Whether the ruleset is currently enabled (`true`) or disabled (`false`) | `true` |

## Collection Method

This collector parses the firewall ruleset configuration, extracting for each defined ruleset its name, enabled/disabled status, allowed source IP addresses or networks, port numbers, protocol types, and direction (inbound or outbound). On ESXi the ruleset definitions live under `/etc/vmware/firewall/` (`service.xml` plus any additional `*.xml` files), and the live state is what `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` report.

## Forensic Value

Firewall rule analysis reveals security policy violations, detects unauthorized rule modifications that open remote access (an enabled ruleset that should be disabled, or a new ruleset that is not part of the build), identifies overly permissive rules (enabled inbound rulesets reachable from any source address), and exposes attempts to disable security controls. Comparing the collected rulesets against a known-good baseline for the host turns these into concrete compromise indicators and policy violations.
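The following is an added example, not code from this collector or from VMware: it parses ruleset definitions written in the layout of ESXi's `/etc/vmware/firewall/service.xml`, parses the text output of `esxcli network firewall ruleset allowedip list`, and diffs the result against a baseline in the way the paragraphs above describe. The XML sample, the `esxcli` output and the baseline (`BASELINE`) are constructed for illustration; the `customSvc` ruleset in particular is a made-up entry used to show how an unexpected ruleset is flagged, and the exact element layout of `service.xml` is an assumption based on published ESXi hosts rather than something this page documents.

```python
"""Parse ESXi firewall ruleset definitions and audit them against a baseline."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of /etc/vmware/firewall/service.xml (assumption).
# `customSvc` is a made-up ruleset used to demonstrate detection of an unexpected entry.
SAMPLE_SERVICE_XML = """<ConfigRoot>
  <service id="0000">
    <id>sshServer</id>
    <rule id="0000"><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>22</port></rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
  <service id="0001">
    <id>vSphereClient</id>
    <rule id="0000"><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>902</port></rule>
    <rule id="0001"><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>443</port></rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
  <service id="0002">
    <id>customSvc</id>
    <rule id="0000"><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>4444</port></rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
"""

# Constructed sample of `esxcli network firewall ruleset allowedip list` output.
SAMPLE_ALLOWED_IP = """Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  10.0.0.0/24
customSvc      All
"""

# Constructed baseline: expected enabled state per ruleset for this host.
BASELINE = {"sshServer": False, "vSphereClient": True}


def _port_text(rule):
    """Return a rule's port as '22' or, for a <begin>/<end> range, '5988-5989'."""
    port = rule.find("port")
    if port is None:
        return None
    begin, end = port.findtext("begin"), port.findtext("end")
    if begin is not None and end is not None:
        return f"{begin.strip()}-{end.strip()}"
    return (port.text or "").strip()


def parse_service_xml(text):
    """Return {ruleset_name: {"enabled": bool, "required": bool, "rules": [...]}}."""
    rulesets = {}
    for svc in ET.fromstring(text).findall("service"):
        rules = [{"direction": r.findtext("direction"), "protocol": r.findtext("protocol"),
                  "porttype": r.findtext("porttype"), "port": _port_text(r)}
                 for r in svc.findall("rule")]
        rulesets[svc.findtext("id").strip()] = {
            "enabled": svc.findtext("enabled", "false").strip().lower() == "true",
            "required": svc.findtext("required", "false").strip().lower() == "true",
            "rules": rules,
        }
    return rulesets


def parse_allowed_ip(text):
    """Parse allowedip output into {name: "All"} or {name: [cidr, ...]}."""
    allowed = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[2:]:  # skip the header row and the dashed underline
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        name, addrs = parts
        allowed[name] = "All" if addrs.strip() == "All" else [a.strip() for a in addrs.split(",")]
    return allowed


def audit(rulesets, allowed, baseline):
    """Return (ruleset, finding) pairs for baseline deviations and over-permissive rules."""
    findings = []
    for name in sorted(set(baseline) - set(rulesets)):
        findings.append((name, "ruleset present in baseline but missing from definitions"))
    for name in sorted(rulesets):
        rs = rulesets[name]
        expected = baseline.get(name)
        if expected is None and rs["enabled"]:
            findings.append((name, "enabled ruleset not in baseline"))
        elif expected is True and not rs["enabled"]:
            findings.append((name, "disabled but baseline expects enabled"))
        elif expected is False and rs["enabled"]:
            findings.append((name, "enabled but baseline expects disabled"))
        # ESXi's default for a ruleset with no allowedip entry is "All" sources.
        if rs["enabled"] and allowed.get(name, "All") == "All":
            for rule in rs["rules"]:
                if rule["direction"] == "inbound":
                    findings.append((name, f"inbound {rule['protocol']}/{rule['port']} reachable from any source"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_service_xml(SAMPLE_SERVICE_XML),
                               parse_allowed_ip(SAMPLE_ALLOWED_IP), BASELINE):
        print(f"{name}: {finding}")
```

On a real host you would feed `parse_service_xml` the contents of each `*.xml` file under `/etc/vmware/firewall/` and `parse_allowed_ip` the saved `esxcli` output from the evidence collection; the baseline should come from a clean build of the same ESXi version, since the set of default rulesets changes between releases.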
