Blocking or Stopping Open Pegasus

  • 1.  Blocking or Stopping Open Pegasus

    Posted Tue August 09, 2016 04:40 PM

    Originally posted by: BobMeyer


    The security folks in our enterprise have started using the Rapid7 Nexpose security vulnerability scanner.  Something we get tagged for is vulnerabilities on the Open Pegasus port on our HMCs.  I had gone around to all our HMCs and removed the firewall rule allowing access to it from everyone on the network.  After upgrading the HMC, that rule is back, and we just got tagged on a new scan.  I really don't want to keep going around to all our HMCs and updating the firewalls using the HMC web interface every time we install a new level of HMC software.  I have a script that runs a bunch of commands on the HMC to bring it to a standard configuration with regard to accounts, time servers, Kerberos settings, etc.  I'd like to add something to it to improve our vulnerability scanning situation.  One possibility would be to be able to control the Open Pegasus firewall rules using commands.  An even better possibility would be to shut the thing down and set a switch somewhere to stop it from starting again on reboot.  Can anyone provide advice on doing one of these things?  Thanks!


    #HMCandCMC
    #Power-Hardware-Management-Console-Programmers


  • 2.  Re: Blocking or Stopping Open Pegasus

    Posted Thu August 11, 2016 07:38 AM

    Originally posted by: sashok


    "After upgrading the HMC..." - What level was the HMC at before upgrade, and what level did you upgrade to?  Was save upgrade data performed before or after the firewall rule was removed?

     

    When you say "removed the firewall rule", do you mean disabling inbound and outbound data for port 5989?  Did you do this for all network interfaces using the GUI?

     

    Starting with V8R8.4, this port is disabled by default.  That being said, a CLI to manage the firewall would be a nice-to-have, and something we'll look into for an upcoming release.


    #HMCandCMC
    #Power-Hardware-Management-Console-Programmers