VMware vShield - 5.0 Administrator’s Guide

vShield Administration Guide
vShield Manager 5.0
vShield App 5.0
vShield Edge 5.0
vShield Endpoint 5.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000694-01
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010, 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

About This Book 7
1 Overview of vShield 9
    About vShield Components 9
    Migration of vShield Components 11
    About VMware Tools on vShield Components 11
    Ports Required for vShield Communication 11
2 vShield Manager User Interface Basics 13
    Log in to the vShield Manager User Interface 13
    About the vShield Manager User Interface 14
3 Management System Settings 17
    Connect to Your vCenter Server 17
    Register the vShield Manager as a vSphere Client Plug-In 18
    Identify DNS Services 18
    Set the vShield Manager Date and Time 19
    Download a Technical Support Log from a Component 19
    View vShield Manager Status 19
    Add an SSL Certificate to Identify the vShield Manager Web Service 20
4 User Management 21
    Managing User Accounts 21
    Managing the Default User Account 22
    Add a User Account 22
    Edit a User Account 23
    Change a User Role 23
    Disable or Enable a User Account 24
    Delete a User Account 24
5 Updating System Software 25
    View the Current System Software 25
    Upload an Update 25
6 Backing Up vShield Manager Data 27
    Back Up Your vShield Manager Data on Demand 27
    Schedule a Backup of vShield Manager Data 28
    Restore a Backup 29
7 System Events and Audit Logs 31
    View the System Event Report 31
    vShield Manager Virtual Appliance Events 31
    vShield App Events 32
    About the Syslog Format 33
    View the Audit Log 33
8 vShield Edge Management 35
    View the Status of a vShield Edge 35
    Specify a Remote Syslog Server 36
    Managing the vShield Edge Firewall 36
    Managing NAT Rules 40
    Managing DHCP Service 41
    Managing VPN Service 42
    Add a Static Route 45
    Manage Load Balancer Service 45
    Start or Stop vShield Edge Services 46
    Upgrade vShield Edge Software 46
    Re-deploy vShield Edge 47
9 vShield App Management 49
    Send vShield App System Events to a Syslog Server 49
    View the Current System Status of a vShield App 50
10 vShield App Flow Monitoring 51
    Understanding the Flow Monitoring Display 51
    Change the Date Range of the Flow Monitoring Charts 52
    View a Specific Application in the Flow Monitoring Charts 52
    View the Flow Monitoring Report 53
    Delete All Recorded Flows 54
11 vShield App Firewall Management 55
    Using App Firewall 55
    Working with Applications 57
    Grouping Objects 58
    Working with Application Firewall Rules 59
    Using SpoofGuard 61
12 vShield Endpoint Events and Alarms 65
    View vShield Endpoint Status 65
    vShield Endpoint Alarms 66
    vShield Endpoint Events 66
    vShield Endpoint Audit Messages 67
13 vShield Data Security Management 69
    vShield Data Security User Roles 69
    Defining a Data Security Policy 70
    Editing a Data Security Policy 72
    Running a Data Security Scan 72
    Analyzing Results 73
    Creating Regular Expressions 74
    Available Regulations 75
    Available Content Blades 90
    Supported File Formats 109
14 Troubleshooting 115
    Troubleshoot vShield Manager Installation 115
    Troubleshooting Operational Issues 116
    Troubleshooting vShield Edge Issues 117
    Troubleshoot vShield Endpoint Issues 119
    Troubleshooting vShield Data Security Issues 120
Index 123

About This Book

This manual, the vShield Administration Guide, describes how to install, configure, monitor, and maintain the VMware® vShield™ system by using the vShield Manager user interface, the vSphere Client plug-in, and the command line interface (CLI). The information includes step-by-step configuration instructions and suggested best practices.
Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with VMware Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
Technical Support and Education Resources
The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

1 Overview of vShield

VMware® vShield is a suite of security virtual appliances built for VMware vCenter Server and VMware ESX integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.
This guide assumes you have administrator access to the entire vShield system. The viewable resources in the vShield Manager user interface can differ based on the assigned role and rights of a user, and licensing. If you are unable to access a screen or perform a particular task, consult your vShield administrator.
- About vShield Components on page 9
  vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
- Migration of vShield Components on page 11
  The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager whenever the current ESX host undergoes a reboot or maintenance mode routine.
- About VMware Tools on vShield Components on page 11
  Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.
- Ports Required for vShield Communication on page 11

About vShield Components

vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
To run vShield, you need one vShield Manager virtual machine and at least one vShield App or vShield Edge module.
vShield Manager
The vShield Manager is the centralized network management component of vShield and is installed from OVA as a virtual machine by using the vSphere Client. Using the vShield Manager user interface, administrators install, configure, and maintain vShield components. A vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.
The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel.
For more on using the vShield Manager user interface, see Chapter 2, “vShield Manager User Interface Basics,” on page 13.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
NOTE You must obtain an evaluation or full license to use vShield Edge.
Standard vShield Edge Services (Including Cloud Director)
- Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
- Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
- Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
Advanced vShield Edge Services
- Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
- Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
vShield App
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, such as datacenters, clusters, resource pools, and vApps, or network objects, such as Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™ operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.
NOTE You must obtain an evaluation or full license to use vShield App.
vShield Endpoint
vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.
NOTE You must obtain an evaluation or full license to use vShield Endpoint.
vShield Data Security
vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

Migration of vShield Components

The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager whenever the current ESX host undergoes a reboot or maintenance mode routine.
Each vShield Edge should move with its secured port group to maintain security settings and services.
vShield App, vShield Endpoint, or vShield Data Security cannot be moved to another ESX host. If the ESX host on which these components reside requires a manual maintenance mode operation, you must de-select the Move powered off and suspended virtual machines to other hosts in the cluster check box to ensure these virtual appliances are not migrated. These services restart after the ESX host comes online.

About VMware Tools on vShield Components

Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

Ports Required for vShield Communication

The vShield Manager requires the following ports to be open:
- Access to ESX hosts: 902/TCP and 903/TCP
- REST API: 80/TCP and 443/TCP
- Graphical User Interface: 80/TCP to 443/TCP and initiates connections to vSphere vCenter SDK.
- SSH access to the CLI (not enabled by default): 22/TCP
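As an added example (not code from VMware or this guide), the following Python script turns the port list above into a connectivity audit an administrator can run from a management host: it confirms the required ports answer and flags 22/TCP if it answers although SSH was never enabled. The hostnames are constructed placeholders, and the probe is injectable so the logic can be tested offline.

```python
"""Audit the vShield Manager port requirements listed in this section."""
import socket
from typing import Callable, Dict, List, Tuple

# Port requirements as listed under "Ports Required for vShield Communication".
# Hostnames are constructed placeholders for this example; replace with yours.
REQUIRED: Dict[str, Tuple[str, List[int]]] = {
    "Access to ESX hosts": ("esx01.example.internal", [902, 903]),
    "REST API": ("vshield-manager.example.internal", [80, 443]),
    "Graphical User Interface": ("vshield-manager.example.internal", [80, 443]),
}
# SSH to the CLI is not enabled by default, so a reachable 22/TCP is only
# acceptable when the administrator deliberately turned it on.
SSH_CLI: Tuple[str, int] = ("vshield-manager.example.internal", 22)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def audit_ports(ssh_enabled: bool = False,
                probe: Callable[[str, int], bool] = tcp_port_open
                ) -> List[Tuple[str, int, str]]:
    """Probe every listed port and classify the result.

    Returns (label, port, status) tuples, where status is 'ok',
    'BLOCKED' (a required port is unreachable), 'closed' (SSH off, as
    expected) or 'UNEXPECTED' (SSH reachable although not enabled).
    """
    findings: List[Tuple[str, int, str]] = []
    for label, (host, ports) in REQUIRED.items():
        for port in ports:
            status = "ok" if probe(host, port) else "BLOCKED"
            findings.append((label, port, status))
    host, port = SSH_CLI
    if probe(host, port):
        status = "ok" if ssh_enabled else "UNEXPECTED"
    else:
        status = "closed"
    findings.append(("SSH access to the CLI", port, status))
    return findings


def problems(findings: List[Tuple[str, int, str]]) -> List[Tuple[str, int, str]]:
    """Keep only findings that need an administrator's attention."""
    return [f for f in findings if f[2] in ("BLOCKED", "UNEXPECTED")]


if __name__ == "__main__":
    for label, port, status in audit_ports(ssh_enabled=False):
        print(f"{status:10s} {port:5d}/TCP  {label}")
```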

2 vShield Manager User Interface Basics

The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel for a complete view of your vCenter environment.
NOTE You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield components from within the vSphere Client. For more, see “Register the vShield Manager as a vSphere Client Plug-In,” on page 18.
- Log in to the vShield Manager User Interface on page 13
  You access the vShield Manager management interface by using a Web browser.
- About the vShield Manager User Interface on page 14
  The vShield Manager user interface is divided into two panels: the inventory panel and the configuration panel. You select a view and a resource from the inventory panel to open the available details and configuration options in the configuration panel.

Log in to the vShield Manager User Interface

You access the vShield Manager management interface by using a Web browser.
Procedure
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
The vShield Manager user interface opens in an SSL session.
2 Accept the security certificate.
NOTE To use an SSL certificate for authentication, see “Add an SSL Certificate to Identify the vShield Manager Web Service,” on page 20.
The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the username admin and the password default.
You should change the default password as one of your first tasks to prevent unauthorized use. See “Edit a User Account,” on page 23.
4 Click Log In.

About the vShield Manager User Interface

The vShield Manager user interface is divided into two panels: the inventory panel and the configuration panel. You select a view and a resource from the inventory panel to open the available details and configuration options in the configuration panel.
When clicked, each inventory object has a specific set of tabs that appear in the configuration panel.
- vShield Manager Inventory Panel on page 14
  The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy.
- vShield Manager Configuration Panel on page 15
  The vShield Manager configuration panel presents the settings that can be configured based on the selected inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting information or configuration forms corresponding to the resource.

vShield Manager Inventory Panel

The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy.
Resources include the root folder, datacenters, clusters, port groups, ESX hosts, and virtual machines, including your installed vShield App and vShield Edge modules. As a result, the vShield Manager stays in step with your vCenter Server inventory to present a complete view of your virtual deployment. The vShield Manager is the only virtual machine that does not appear in the vShield Manager inventory panel. vShield Manager settings are configured from the Settings & Reports resource atop the inventory panel.
The inventory panel offers multiple views: Hosts & Clusters, Networks, and Secured Port Groups. The Hosts & Clusters view displays the datacenters, clusters, resource pools, and ESX hosts in your inventory. The Networks view displays the VLAN networks and port groups in your inventory. The Secured Port Groups view displays the port groups protected by vShield Edge instances. The Hosts & Clusters and Networks views are consistent with the same views in the vSphere Client.
There are differences in the icons for virtual machines and vShield components between the vShield Manager and the vSphere Client inventory panels. Custom icons are used to show the difference between vShield components and virtual machines, and the difference between protected and unprotected virtual machines.
Table 2-1. vShield Virtual Machine Icons in the vShield Manager Inventory Panel
Icon Description
Protected virtual machine icon: A powered on virtual machine that is protected by a vShield App.
Unprotected virtual machine icon: A powered on virtual machine that is not protected by a vShield App.
- Refreshing the Inventory Panel on page 15
  To refresh the list of resources in the inventory panel, click the refresh icon. The refresh action requests the latest resource information from the vCenter Server. By default, the vShield Manager requests resource information from the vCenter Server every five minutes.
- Searching the Inventory Panel on page 15
  To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager inventory panel and click the search icon.
Refreshing the Inventory Panel
To refresh the list of resources in the inventory panel, click the refresh icon. The refresh action requests the latest resource information from the vCenter Server. By default, the vShield Manager requests resource information from the vCenter Server every five minutes.
Searching the Inventory Panel
To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager inventory panel and click the search icon.

vShield Manager Configuration Panel

The vShield Manager configuration panel presents the settings that can be configured based on the selected inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting information or configuration forms corresponding to the resource.
Because each resource has a different purpose, some tabs are specific to certain resources. Also, some tabs have a second level of options.

3 Management System Settings

The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP to provide details on your VMware Infrastructure inventory.
This chapter includes the following topics:
- “Connect to Your vCenter Server,” on page 17
- “Register the vShield Manager as a vSphere Client Plug-In,” on page 18
- “Identify DNS Services,” on page 18
- “Set the vShield Manager Date and Time,” on page 19
- “Download a Technical Support Log from a Component,” on page 19
- “View vShield Manager Status,” on page 19
- “Add an SSL Certificate to Identify the vShield Manager Web Service,” on page 20

Connect to Your vCenter Server

Connecting to your vCenter Server enables the vShield Manager to display your VMware Infrastructure inventory.
Procedure
1 Log in to the vShield Manager.
Upon initial login, the vShield Manager opens to the Configuration > vCenter tab. If you have previously configured the vCenter tab form, perform the following steps:
a Click Settings & Reports from the vShield Manager inventory panel.
b Click the Configuration tab.
The vCenter screen appears.
2 Under vCenter Server Information, type the IP address of your vCenter Server in the Server IP Address/Name field.
3 Type your vSphere Client login user name in the Administrator User Name field.
This user account must have administrator access.
4 Type the password associated with the user name in the Password field.
5 Click Save.
The vShield Manager connects to the vCenter Server, logs on, and utilizes the VMware Infrastructure SDK to populate the vShield Manager inventory panel. The inventory panel is presented on the left side of the screen. This resource tree should match your VMware Infrastructure inventory panel. The vShield Manager does not appear in the vShield Manager inventory panel.

Register the vShield Manager as a vSphere Client Plug-In

The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the plug-in is registered, you can open the vShield Manager user interface from the vSphere Client.
Procedure
1 If you are logged in to the vSphere Client, log out.
2 Log in to the vShield Manager.
3 Click Settings & Reports from the vShield Manager inventory panel.
4 Click the Configuration tab.
The vCenter screen appears.
5 Under vSphere Plug-in, click Register.
Registration might take a few minutes.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that vShield Install appears as a tab.
What to do next
You can install and configure vShield components from the vSphere Client.

Identify DNS Services

You must specify at least one DNS server during vShield Manager setup. The specified DNS servers appear in the vShield Manager user interface.
In the vShield Manager user interface, you can specify up to three DNS servers that the vShield Manager can use for IP address and host name resolution.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
The vCenter screen appears.
3 Under DNS Servers, type an IP address in Primary DNS IP Address to identify the primary DNS server.
This server is checked first for all resolution requests.
4 (Optional) Type an IP address in the Secondary DNS IP Address field.
5 (Optional) Type an IP address in the Tertiary DNS IP Address field.
6 Click Save.

Set the vShield Manager Date and Time

You can set the date, time, and time zone of the vShield Manager to timestamp events and data. You can also specify a connection to an NTP server to establish a common network time.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Date/Time.
4 In the Date and Clock field, type the date and time in the format YYYY-MM-DD HH:MM:SS.
5 In the NTP Server field, type the IP address of your NTP server.
You can type the hostname of your NTP server if you have set up DNS service.
6 From the Time Zone drop-down menu, select the appropriate time zone.
7 Click Save.

Download a Technical Support Log from a Component

You can download the system log from a vShield component to your PC. A system log can be used to troubleshoot operational issues.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Support.
4 Under Tech Support Log Download, click Initiate next to the appropriate component.
Once initiated, the log is generated and uploaded to the vShield Manager. This might take several seconds.
5 After the log is ready, click the Download link to download the log to your PC.
The log is compressed and has the proprietary file extension .blsl.
What to do next
You can open the log using a decompression utility by browsing for All Files in the directory where you saved the file.

View vShield Manager Status

vShield Manager shows system resource utilization.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Status.
What to do next
See “View the Current System Software,” on page 25.

Add an SSL Certificate to Identify the vShield Manager Web Service

You can generate or import an SSL certificate into the vShield Manager to authenticate the identity of the vShield Manager web service and encrypt information sent to the vShield Manager web server. As a security best practice, you should use the generate certificate option to generate a private key and public key, where the private key is saved to the vShield Manager.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Generate Certificate Signing Request, complete the form by filling in the following fields:
Option Action
Common Name: Enter the name that matches the site name. For example, if the IP address of the vShield Manager management interface is 192.168.1.10, enter 192.168.1.10.
Organization Unit: Enter the department in your company that is ordering the certificate.
Organization Name: Enter the full legal name of your company.
City Name: Enter the full name of the city in which your company resides.
State Name: Enter the full name of the state in which your company resides.
Country Code: Enter the two-digit code that represents your country. For example, the United States is US.
Key Algorithm: Select the cryptographic algorithm to use from either DSA or RSA.
Key Size: Select the number of bits used in the selected algorithm.
5 Click Generate.

Import an SSL certificate

You can import a pre-existing SSL certificate for use by the vShield Manager.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Import Signed Certificate, click Browse at Certificate File to find the file.
5 Select the type of certificate file from the Certificate Type drop-down list.
6 Click Apply.
The certificate is stored in the vShield Manager.

4 User Management

Security operations are often managed by multiple individuals. Management of the overall system is delegated to different personnel according to some logical categorization. However, permission to carry out tasks is limited only to users with appropriate rights to specific resources. From the Users section, you can delegate such resource management to users by granting applicable rights.
User management in the vShield Manager user interface is separate from user management in the CLI of any vShield component.
This chapter includes the following topics:
- “Managing User Accounts,” on page 21
- “Managing the Default User Account,” on page 22
- “Add a User Account,” on page 22
- “Edit a User Account,” on page 23
- “Change a User Role,” on page 23
- “Disable or Enable a User Account,” on page 24
- “Delete a User Account,” on page 24

Managing User Accounts

Within the vShield Manager user interface, a user’s role defines the actions the user is allowed to perform on a given resource. The role determines the user’s authorized activities on the given resource, ensuring that a user has access only to the functions necessary to complete applicable operations. This allows domain control over specific resources, or system-wide control if your role has no restrictions.
The following rules are enforced:
- A user can only have one role.
- You cannot add a role to a user, or remove an assigned role from a user. You can, however, change the assigned role for a user.
Table 4-1. vShield Manager User Roles
Right Permissions
Enterprise Administrator: vShield operations and security.
vShield Administrator: vShield operations only: for example, install virtual appliances, configure port groups.
Security Administrator: vShield security only: for example, define data security policies, create port groups, create reports for vShield modules.
Auditor: Read only.
The scope of a role determines what resources a particular user can view. The following scopes are available for vShield users.
Table 4-2. vShield Manager User Scope
Scope Description
No restriction: Access to entire vShield system
Limit access scope to the selected port groups below: Access to a specified datacenter or port group
The Enterprise Administrator and vShield Administrator roles can only be assigned to vCenter users, and their access scope is global (no restrictions).
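As an added example (not code from VMware or this guide), the following Python model encodes the role, scope and assignment rules of Tables 4-1 and 4-2 as an authorization check: one role per user, roles swapped rather than stacked, scope limiting which port groups a role applies to, and the two administrator roles restricted to vCenter users with global scope. The action names, logins and port group names are constructed for illustration.

```python
"""Role, scope and assignment rules from Tables 4-1 and 4-2 as a checker."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import FrozenSet, Optional


class Role(Enum):
    ENTERPRISE_ADMIN = "Enterprise Administrator"
    VSHIELD_ADMIN = "vShield Administrator"
    SECURITY_ADMIN = "Security Administrator"
    AUDITOR = "Auditor"


# Permission classes per Table 4-1: operations, security, or read only.
ROLE_PERMISSIONS = {
    Role.ENTERPRISE_ADMIN: frozenset({"operations", "security", "read"}),
    Role.VSHIELD_ADMIN: frozenset({"operations", "read"}),
    Role.SECURITY_ADMIN: frozenset({"security", "read"}),
    Role.AUDITOR: frozenset({"read"}),
}

# Actions named in Table 4-1 mapped to their permission class
# ("view report" is a constructed read-only action for illustration).
ACTION_CLASS = {
    "install virtual appliance": "operations",
    "configure port group": "operations",
    "define data security policy": "security",
    "create report": "security",
    "view report": "read",
}

# Per the note under Table 4-2: only vCenter users, always with global scope.
VCENTER_ONLY_GLOBAL_ROLES = frozenset({Role.ENTERPRISE_ADMIN, Role.VSHIELD_ADMIN})


@dataclass(frozen=True)
class User:
    login: str
    role: Role                              # exactly one role per user
    vcenter_user: bool                      # assigned from vCenter (True) or local (False)
    scope: Optional[FrozenSet[str]] = None  # None = "No restriction"; else port groups


def assignment_error(user: User) -> Optional[str]:
    """Return why this role/scope assignment is invalid, or None if it is allowed."""
    if user.role in VCENTER_ONLY_GLOBAL_ROLES:
        if not user.vcenter_user:
            return f"{user.role.value} can only be assigned to a vCenter user"
        if user.scope is not None:
            return f"{user.role.value} always has global scope (no restrictions)"
    return None


def is_allowed(user: User, action: str, port_group: str) -> bool:
    """Grant only if the role carries the permission class and the scope covers the resource."""
    if assignment_error(user) is not None:
        return False  # an invalid assignment never grants anything
    if ACTION_CLASS[action] not in ROLE_PERMISSIONS[user.role]:
        return False
    return user.scope is None or port_group in user.scope


def change_role(user: User, new_role: Role) -> User:
    """Roles are swapped, never stacked: a user always has exactly one role."""
    candidate = replace(user, role=new_role)
    err = assignment_error(candidate)
    if err:
        raise ValueError(err)
    return candidate


if __name__ == "__main__":
    sec = User("sec1", Role.SECURITY_ADMIN, vcenter_user=False, scope=frozenset({"pg-dmz"}))
    print(is_allowed(sec, "define data security policy", "pg-dmz"))       # True
    print(is_allowed(sec, "define data security policy", "pg-internal"))  # False
```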

Managing the Default User Account

The vShield Manager user interface includes a local user account, which has access rights to all resources. You cannot edit the rights of or delete this user. The default user name is admin and the default password is default.
Change the password for this account upon initial login to the vShield Manager. See “Edit a User Account,” on page 23.

Add a User Account

You can either create a new user local to vShield, or assign a role to a vCenter user.
Create a New Local User
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click Add.
The Assign Role window opens.
4 Click Create a new user local to vShield.
5 Type an Email address.
6 Type a Login ID.
This is used for login to the vShield Manager user interface. This user name and associated password cannot be used to access the vShield App or vShield Manager CLIs.
7 Type the user’s Full Name for identification purposes.
8 Type a Password for login.
9 Re-type the password in the Retype Password field.
10 Click Next.
11 Select the role for the user and click Next. For more information on the available roles, see “Managing User Accounts,” on page 21.
12 Select the scope for the user and click Finish.
The user account appears in the Users table.
Assign a Role to a vCenter User
When you assign a role to a vCenter user, vCenter authenticates the role with the Active Directory.
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click Add.
The Assign Role window opens.
4 Click Select vCenter user.
5 Type the vCenter User name for the user.
NOTE If the vCenter user is from a domain, you must enter a fully qualified Windows domain path. This user name is for login to the vShield Manager user interface and cannot be used to access the vShield App or vShield Manager CLIs.
6 Click Next.
7 Select the role for the user and click Next. For more information on the available roles, see “Managing User Accounts,” on page 21.
8 Select the scope for the user and click Finish.
The user account appears in the Users table.

Edit a User Account

You can edit a user account to change the password, role, and scope. You cannot edit the admin account.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Select the user you want to edit.
4 Click Edit.
5 Make changes as necessary.
If you are changing the password, confirm the password by typing it a second time in the Retype Password field.
6 Click Finish to save your changes.

Change a User Role

You can change the role assignment for all users, except for the admin user.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Select the user whose role you want to change.
4 Click Change Role.
5 Make changes as necessary.
6 Click Finish to save your changes.

Disable or Enable a User Account

You can disable a user account to prevent that user from logging in to the vShield Manager. You cannot disable the admin user.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Select a user account.
4 Do one of the following.
• Click Actions > Disable selected user(s) to disable a user account.
• Click Actions > Enable selected user(s) to enable a user account.

Delete a User Account

You can delete any created user account. You cannot delete the admin account. Audit records for deleted users are maintained in the database and can be referenced in an Audit Log report.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Select the user you want to delete.
4 Click Delete.
5 Click OK to confirm deletion.
If you delete a vCenter user account, only the role assignment for vShield Manager is deleted. The user account on vCenter is not deleted.

5 Updating System Software

vShield software requires periodic updates to maintain system performance. Using the Updates tab options, you can install and track system updates.
• View the Current System Software on page 25
You can view the current installed versions of vShield component software or verify if an update is in progress.
• Upload an Update on page 25
vShield updates are available as offline updates. When an update is made available, you can download the update to your PC, and then upload the update by using the vShield Manager user interface.

View the Current System Software

You can view the current installed versions of vShield component software or verify if an update is in progress.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Update Status.

Upload an Update

vShield updates are available as offline updates. When an update is made available, you can download the update to your PC, and then upload the update by using the vShield Manager user interface.
When the update is uploaded, the vShield Manager is updated first, after which, each vShield Zones or vShield App instance is updated. If a reboot of either the vShield Manager or a vShield Zones or App is required, the Update Status screen prompts you to reboot the component. In the event that both the vShield Manager and all vShield Zones or App instances must be rebooted, you must reboot the vShield Manager first, and then reboot each vShield Zones or App.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Upload Settings.
4 Click Browse to locate the update.
5 After locating the file, click Upload File.
6 Click Update Status and then click Install.
7 Click Confirm Install to confirm update installation.
There are two tables on this screen. During installation, you can view the top table for the description, start time, success state, and process state of the current update. View the bottom table for the update status of each vShield App. All vShield App instances have been upgraded when the status of the last vShield App is displayed as Finished.
8 After the vShield Manager reboots, click the Update Status tab.
9 Click Reboot Manager if prompted.
10 Click Finish Install to complete the system update.
11 Click Confirm.

6 Backing Up vShield Manager Data

You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. You can, however, exclude system and audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager.
Backups can be executed according to a schedule or on demand.
• Back Up Your vShield Manager Data on Demand on page 27
You can back up vShield Manager data at any time by performing an on-demand backup.
• Schedule a Backup of vShield Manager Data on page 28
You can only schedule the parameters for one type of backup at any given time. You cannot schedule a configuration-only backup and a complete data backup to run simultaneously.
• Restore a Backup on page 29
To restore an available backup, the Host IP Address, User Name, Password, and Backup Directory fields in the Backups screen must have values that identify the location of the backup to be restored. When you restore a backup, the current configuration is overridden. If the backup file contains system event and audit log data, that data is also restored.

Back Up Your vShield Manager Data on Demand

You can back up vShield Manager data at any time by performing an on-demand backup.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
5 (Optional) Select the Exclude Audit Logs check box if you do not want to back up audit log tables.
6 Type the Host IP Address of the system where the backup will be saved.
7 (Optional) Type the Host Name of the backup system.
8 Type the User Name required to log in to the backup system.
9 Type the Password associated with the user name for the backup system.
10 In the Backup Directory field, type the absolute path where backups are to be stored.
11 Type a text string in Filename Prefix.
This text is prepended to the backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
12 Enter a Pass Phrase to secure the backup file.
13 From the Transfer Protocol drop-down menu, select either SFTP or FTP.
14 Click Backup.
Once complete, the backup appears in a table below this form.
15 Click Save Settings to save the configuration.

Schedule a Backup of vShield Manager Data

You can only schedule the parameters for one type of backup at any given time. You cannot schedule a configuration-only backup and a complete data backup to run simultaneously.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 From the Scheduled Backups drop-down menu, select On.
5 From the Backup Frequency drop-down menu, select Hourly, Daily, or Weekly.
The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency.
6 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
7 (Optional) Select the Exclude Audit Log check box if you do not want to back up audit log tables.
8 Type the Host IP Address of the system where the backup will be saved.
9 (Optional) Type the Host Name of the backup system.
10 Type the User Name required to log in to the backup system.
11 Type the Password associated with the user name for the backup system.
12 In the Backup Directory field, type the absolute path where backups will be stored.
13 Type a text string in Filename Prefix.
This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
14 From the Transfer Protocol drop-down menu, select either SFTP or FTP, based on what the destination supports.
15 Click Save Settings.
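Both the on-demand and the scheduled procedures above name each backup file Filename Prefix + HH_MM_SS_DayDDMonYYYY, and a scheduled backup is only useful if someone notices when it stops arriving. The following is an added example, not code from the guide or from VMware: a small Python check that parses a listing of the Backup Directory, keeps only files carrying the configured prefix, rejects names whose weekday does not agree with the date (a cheap integrity check), and reports whether the newest backup is within the selected Backup Frequency plus a grace period. It assumes the timestamp fields render as two-digit hour, minute and second and three-letter English weekday and month abbreviations, and that the directory listing has already been fetched from the backup host (for example over SFTP); the listing below is constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Weekday and month abbreviations assumed for the DayDDMonYYYY part of the name.
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# <prefix>HH_MM_SS_DayDDMonYYYY, the naming scheme described in the guide.
_NAME_RE = re.compile(
    r"^(?P<prefix>.*?)(?P<hh>\d{2})_(?P<mm>\d{2})_(?P<ss>\d{2})_"
    r"(?P<dow>[A-Z][a-z]{2})(?P<dd>\d{1,2})(?P<mon>[A-Z][a-z]{2})(?P<yyyy>\d{4})$"
)

# Backup Frequency values from the Backups screen mapped to the expected interval.
FREQUENCY = {
    "Hourly": timedelta(hours=1),
    "Daily": timedelta(days=1),
    "Weekly": timedelta(weeks=1),
}


def parse_backup_name(name, prefix):
    """Return the timestamp encoded in a backup filename, or None.

    None means the entry is not one of our backups: wrong prefix, wrong
    layout, impossible date, or a weekday that disagrees with the date
    (which points at a renamed or mangled file).
    """
    m = _NAME_RE.match(name)
    if m is None or m.group("prefix") != prefix or m.group("mon") not in MONTHS:
        return None
    try:
        ts = datetime(int(m.group("yyyy")), MONTHS[m.group("mon")], int(m.group("dd")),
                      int(m.group("hh")), int(m.group("mm")), int(m.group("ss")))
    except ValueError:  # e.g. day 31 in February, or hour 25
        return None
    if WEEKDAYS[ts.weekday()] != m.group("dow"):
        return None
    return ts


def latest_backup(listing, prefix):
    """Newest backup timestamp among the directory entries, or None."""
    stamps = [ts for ts in (parse_backup_name(n, prefix) for n in listing) if ts]
    return max(stamps) if stamps else None


def check_backup_freshness(listing, prefix, frequency, now, grace=timedelta(minutes=30)):
    """Return (ok, latest_timestamp).

    ok is True when the newest backup is no older than the scheduled
    interval plus a grace period that allows for transfer time.
    """
    latest = latest_backup(listing, prefix)
    if latest is None:
        return False, None
    return (now - latest) <= FREQUENCY[frequency] + grace, latest


# Constructed directory listing (not real vShield output), as an SFTP
# listing of the Backup Directory might look with Filename Prefix "ppdb".
SAMPLE_LISTING = [
    "ppdb02_00_00_Sun14Aug2011",
    "ppdb02_00_00_Mon15Aug2011",
    "ppdb02_00_00_Tue16Aug2011",
    "ppdb13_15_30_Tue16Aug2011",   # an on-demand backup taken later that day
    "ppdb02_00_00_Wed16Aug2011",   # weekday does not match the date: rejected
    "other02_00_00_Tue16Aug2011",  # a different Filename Prefix: ignored
    "README.txt",
]
# Constructed "current time" used when running this example stand-alone.
SAMPLE_NOW = datetime(2011, 8, 17, 3, 0, 0)

if __name__ == "__main__":
    for freq in FREQUENCY:
        ok, latest = check_backup_freshness(SAMPLE_LISTING, "ppdb", freq, SAMPLE_NOW)
        print(f"{freq:7s} latest={latest} ok={ok}")
```

Run against the constructed listing at the constructed time, the check passes for a Daily or Weekly schedule and fails for Hourly, because the newest accepted file is from 13:15:30 the previous day; the file dated "Wed16Aug2011" is dropped because 16 Aug 2011 was a Tuesday. Wire the listing into whatever fetches it from your backup host and alert on a False result.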

Restore a Backup

To restore an available backup, the Host IP Address, User Name, Password, and Backup Directory fields in the Backups screen must have values that identify the location of the backup to be restored. When you restore a backup, the current configuration is overridden. If the backup file contains system event and audit log data, that data is also restored.
IMPORTANT Back up your current data before restoring a backup file.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 Click View Backups to view all available backups saved to the backup server.
5 Select the check box for the backup to restore.
6 Click Restore.
7 Click OK to confirm.