VMware vShield - 5.1 Administrator’s Guide

vShield Administration Guide
vShield Manager 5.1
vShield App 5.1
vShield Edge 5.1
vShield Endpoint 5.1
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000867-01
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010 – 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

vShield Administration Guide 7
1 Overview of vShield 9
  About vShield Components 9
  Migration of vShield Components 11
  About VMware Tools on vShield Components 11
  Ports Required for vShield Communication 11
2 vShield Manager User Interface Basics 13
  Log in to the vShield Manager User Interface 13
  About the vShield Manager User Interface 14
3 Management System Settings 17
  Edit DNS Servers 17
  Edit the vShield Manager Date and Time 18
  Edit Lookup Service Details 18
  Edit vCenter Server 18
  Specify Syslog Server 19
  Download Technical Support Logs for vShield 19
  Add an SSL Certificate to Identify the vShield Manager Web Service 20
  Add a Cisco Switch to vShield Manager 21
  Working with Services and Service Groups 21
  Grouping Objects 24
4 User Management 31
  Configure Single Sign On 31
  Managing User Rights 32
  Managing the Default User Account 33
  Add a User Account 33
  Edit a User Account 35
  Change a User Role 35
  Disable or Enable a User Account 36
  Delete a User Account 36
5 Updating System Software 37
  View the Current System Software 37
  Upload an Update 37
6 Backing Up vShield Manager Data 39
  Back Up Your vShield Manager Data on Demand 39
  Schedule a Backup of vShield Manager Data 40
  Restore a Backup 40
7 System Events and Audit Logs 43
  View the System Event Report 43
  vShield Manager Virtual Appliance Events 43
  vShield App Events 44
  About the Syslog Format 45
  View the Audit Log 45
8 VXLAN Virtual Wires Management 47
  Preparing your Network for VXLAN Virtual Wires 48
  Create a VXLAN Virtual Wire 49
  Connect Virtual Machines to a VXLAN Virtual Wire 51
  Test VXLAN Virtual Wire Connectivity 52
  Viewing Flow Monitoring Data for a VXLAN Virtual Wire 53
  Working with Firewall Rules for VXLAN Virtual Wires 53
  Prevent Spoofing on a VXLAN Virtual Wire 54
  Editing Network Scopes 54
  Edit a VXLAN Virtual Wire 55
  Sample Scenario for Creating VXLAN Virtual Wires 56
9 vShield Edge Management 61
  View the Status of a vShield Edge 62
  Configure vShield Edge Settings 62
  Managing Appliances 62
  Working with Interfaces 64
  Working with Certificates 67
  Managing the vShield Edge Firewall 70
  Managing NAT Rules 75
  Working with Static Routes 77
  Managing DHCP Service 78
  Managing VPN Services 80
  Managing Load Balancer Service 135
  About High Availability 140
  Configure DNS Servers 141
  Configure Remote Syslog Servers 142
  Change CLI Credentials 142
  Upgrade vShield Edge to Large or X-Large 142
  Download Tech Support Logs for vShield Edge 143
  Synchronize vShield Edge with vShield Manager 143
  Redeploy vShield Edge 144
10 Service Insertion Management 145
  Inserting a Network Service 145
  Change Service Precedence 148
  Edit a Service Manager 148
  Delete a Service Manager 149
  Edit a Service 149
  Delete a Service 149
  Edit a Service Profile 149
  Delete a Service Profile 150
11 vShield App Management 151
  Sending vShield App System Events to a Syslog Server 151
  Viewing the Current System Status of a vShield App 152
  Restart a vShield App 152
  Forcing a vShield App to Synchronize with the vShield Manager 152
  Viewing Traffic Statistics by vShield App Interface 153
  Download Technical Support Logs for vShield App 153
  Configuring Fail Safe Mode for vShield App Firewall 153
  Excluding Virtual Machines from vShield App Protection 153
12 vShield App Flow Monitoring 155
  Viewing the Flow Monitoring Data 155
  Add or Edit App Firewall Rule from the Flow Monitoring Report 158
  Change the Date Range of the Flow Monitoring Charts 159
13 vShield App Firewall Management 161
  Using App Firewall 161
  Working with Firewall Rules 163
  Using SpoofGuard 168
14 vShield Endpoint Events and Alarms 173
  View vShield Endpoint Status 173
  vShield Endpoint Alarms 174
  vShield Endpoint Events 174
  vShield Endpoint Audit Messages 175
15 vShield Data Security Management 177
  vShield Data Security User Roles 177
  Defining a Data Security Policy 178
  Editing a Data Security Policy 180
  Running a Data Security Scan 180
  Viewing and Downloading Reports 181
  Creating Regular Expressions 182
  Available Regulations 182
  Available Content Blades 197
  Supported File Formats 216
16 Troubleshooting 221
  Troubleshoot vShield Manager Installation 221
  Troubleshooting Operational Issues 222
  Troubleshooting vShield Edge Issues 223
  Troubleshoot vShield Endpoint Issues 225
  Troubleshooting vShield Data Security Issues 226
Index 229

vShield Administration Guide

The vShield Administration Guide describes how to install, configure, monitor, and maintain the VMware vShield™ system by using the vShield Manager user interface, and the vSphere Client plug-in. The information includes step-by-step configuration instructions, and suggested best practices.
Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with VMware Infrastructure 5.x, including VMware ESX, vCenter Server, and the vSphere Client.

Chapter 1 Overview of vShield

VMware® vShield is a suite of security virtual appliances built for VMware vCenter Server and VMware ESX integration. vShield is a critical security component for protecting virtualized datacenters from attacks and helping you achieve your compliance-mandated goals.
This guide assumes you have administrator access to the entire vShield system. The viewable resources in the vShield Manager user interface can differ based on the assigned role and rights of a user, and licensing. If you are unable to access a screen or perform a particular task, consult your vShield administrator.
• About vShield Components on page 9
  vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
• Migration of vShield Components on page 11
  The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager whenever the current ESX host undergoes a reboot or maintenance mode routine.
• About VMware Tools on vShield Components on page 11
  Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.
• Ports Required for vShield Communication on page 11

About vShield Components

vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
To run vShield, you need one vShield Manager virtual machine and at least one vShield App or vShield Edge module.
vShield Manager
The vShield Manager is the centralized network management component of vShield and is installed from OVA as a virtual machine by using the vSphere Client. Using the vShield Manager user interface, administrators install, configure, and maintain vShield components. A vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.
The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel.
For more on using the vShield Manager user interface, see Chapter 2, “vShield Manager User Interface Basics,” on page 13.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
NOTE You must obtain an evaluation or full license to use vShield Edge.
Standard vShield Edge Services (Including vCloud Director)
• Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
• Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
• Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
• DNS relay and syslog: Configuration of DNS servers to which name resolution requests from clients are relayed, and of syslog servers.
• Static routing: Static routes for data packets to follow.
Advanced vShield Edge Services
• Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
• Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
• High Availability: Ensures that a vShield Edge appliance is always available on your virtualized network.
• SSL VPN-Plus: Allows remote users to connect securely to private networks behind a vShield Edge gateway.
vShield Edge supports syslog export for all services to remote servers.
vShield App
vShield App is an interior, vNIC-level Layer 2 firewall that allows you to create access control policies regardless of network topology and to achieve network isolation within the same VLAN. A vShield App monitors all traffic in and out of an ESX host, including traffic between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation. Containers can be dynamic or static, and can be vCenter constructs such as datacenters or objects defined in vShield Manager such as a security group, IPset, or MACset. vShield App supports multi-tenancy.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. Rules can include multiple sources, destinations, and applications. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, cluster, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™ operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.
NOTE You must obtain an evaluation or full license to use vShield App.
vShield Endpoint
vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Because the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures and so give uninterrupted protection to the virtual machines on the host. New virtual machines, and existing virtual machines that were offline, are protected with the most current antivirus signatures as soon as they come online.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.
NOTE You must obtain an evaluation or full license to use vShield Endpoint.
vShield Data Security
vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

Migration of vShield Components

The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager whenever the current ESX host undergoes a reboot or maintenance mode routine.
Each vShield Edge should move with its datacenter to maintain security settings and services.
vShield App, vShield Endpoint partner appliance, or vShield Data Security cannot be moved to another ESX host. If the ESX host on which these components reside requires a manual maintenance mode operation, you must de-select the Move powered off and suspended virtual machines to other hosts in the cluster check box to ensure these virtual appliances are not migrated. These services restart after the ESX host comes online.

About VMware Tools on vShield Components

Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

Ports Required for vShield Communication

vShield requires the following ports to be open:
• 443/TCP to the vShield Manager from the ESX hosts, the vCenter Server, and the vShield appliances to be deployed
• 123/UDP between the vShield Manager and vShield App for time synchronization
• 902/TCP and 903/TCP to and from the vSphere Client and ESX hosts
• 443/TCP from the REST client to the vShield Manager for REST API calls
• 80/TCP and 443/TCP for using the vShield Manager user interface and initiating the connection to the vSphere SDK
• 22/TCP for troubleshooting through the CLI
All of these ports carry management traffic. Expose them only on the management network, and do not forward them from untrusted networks.

Chapter 2 vShield Manager User Interface Basics

The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel for a complete view of your vCenter environment.
NOTE You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield components from within the vSphere Client. See Set up vShield Manager in the vShield Installation and Upgrade Guide.
• Log in to the vShield Manager User Interface on page 13
  You access the vShield Manager management interface by using a Web browser.
• About the vShield Manager User Interface on page 14
  The vShield Manager user interface is divided into two panels: the inventory panel and the configuration panel. You select a view and a resource from the inventory panel to open the available details and configuration options in the configuration panel.

Log in to the vShield Manager User Interface

You access the vShield Manager management interface by using a Web browser.
Procedure
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
The vShield Manager user interface opens in an HTTPS session.
2 Accept the security certificate.
NOTE Until you install a CA-signed certificate, the browser cannot verify the identity of the vShield Manager and warns about the self-signed certificate. Accept it only when you connect over a trusted management network, and install a CA-signed certificate as one of your first tasks. See “Add an SSL Certificate to Identify the vShield Manager Web Service,” on page 20.
The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the username admin and the password default.
You should change the default password as one of your first tasks to prevent unauthorized use. See “Edit a User Account,” on page 35.
4 Click Log In.

About the vShield Manager User Interface

The vShield Manager user interface is divided into two panels: the inventory panel and the configuration panel. You select a view and a resource from the inventory panel to open the available details and configuration options in the configuration panel.
When clicked, each inventory object has a specific set of tabs that appear in the configuration panel.
• vShield Manager Inventory Panel on page 14
  The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy.
• vShield Manager Configuration Panel on page 15
  The vShield Manager configuration panel presents the settings that can be configured based on the selected inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting information or configuration forms corresponding to the resource.

vShield Manager Inventory Panel

The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy.
Resources include the root folder, datacenters, clusters, port groups, ESX hosts, and virtual machines. The vShield Manager stays synchronized with your vCenter Server inventory to present a complete view of your virtual deployment. The vShield Manager and vShield App virtual machines do not appear in the vShield Manager inventory panel. vShield Manager settings are configured from the Settings & Reports resource atop the inventory panel.
The inventory panel offers multiple views: Hosts & Clusters, Networks, and Edges. The Hosts & Clusters view displays the datacenters, clusters, resource pools, and ESX hosts in your inventory. The Networks view displays the VLAN networks and port groups in your inventory. The Edges view displays the port groups protected by vShield Edge instances. The Hosts & Clusters and Networks views are consistent with the same views in the vSphere Client.
There are differences in the icons for virtual machines and vShield components between the vShield Manager and the vSphere Client inventory panels. Custom icons are used to show the difference between vShield components and virtual machines, and the difference between protected and unprotected virtual machines.
Table 2-1. vShield Virtual Machine Icons in the vShield Manager Inventory Panel
A distinct icon identifies each of the following:
• A powered on virtual machine that is protected by a vShield App.
• A powered on virtual machine that is not protected by a vShield App.
• A powered off virtual machine.
• A protected virtual machine that is disconnected.
Refreshing the Inventory Panel
To refresh the list of resources in the inventory panel, click the Refresh icon. The refresh action requests the latest resource information from the vCenter Server. By default, the vShield Manager requests resource information from the vCenter Server every five minutes.
Searching the Inventory Panel
To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager inventory panel and click the Search icon.

vShield Manager Configuration Panel

The vShield Manager configuration panel presents the settings that can be configured based on the selected inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting information or configuration forms corresponding to the resource.
Because each resource has a different purpose, some tabs are specific to certain resources. Also, some tabs have a second level of options.

Chapter 3 Management System Settings

You can edit the vCenter Server, the DNS and NTP servers, and the Lookup Service that you specified during initial login. The vShield Manager must communicate with your vCenter Server, and with services such as DNS and NTP, to provide details on your VMware Infrastructure inventory.
This chapter includes the following topics:
• “Edit DNS Servers,” on page 17
• “Edit the vShield Manager Date and Time,” on page 18
• “Edit Lookup Service Details,” on page 18
• “Edit vCenter Server,” on page 18
• “Specify Syslog Server,” on page 19
• “Download Technical Support Logs for vShield,” on page 19
• “Add an SSL Certificate to Identify the vShield Manager Web Service,” on page 20
• “Add a Cisco Switch to vShield Manager,” on page 21
• “Working with Services and Service Groups,” on page 21
• “Grouping Objects,” on page 24

Edit DNS Servers

You can change the DNS servers specified during initial login. The primary DNS server appears in the vShield Manager user interface.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to DNS Servers.
5 Make the appropriate changes.
6 Click OK.

Edit the vShield Manager Date and Time

You can change the NTP server specified during initial login.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to NTP Server.
5 Make the appropriate changes.
6 Click OK.
7 Reboot the vShield Manager.

Edit Lookup Service Details

You can change the Lookup Service details specified during initial login.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to Lookup Service.
5 Make the appropriate changes.
6 Click OK.

Edit vCenter Server

You can change the vCenter Server with which you registered vShield Manager upon initial login. You should do this only if you change the IP address of your current vCenter Server.
Procedure
1 If you are logged in to the vSphere Client, log out.
2 Log in to the vShield Manager.
3 Click Settings & Reports from the vShield Manager inventory panel.
4 Click the Configuration tab.
5 Ensure that you are in the General tab.
6 Click Edit next to vCenter Server.
7 Make the appropriate changes.
8 Click OK.
9 Log in to the vSphere Client.
10 Select an ESX host.
11 Verify that vShield appears as a tab.
What to do next
You can install and configure vShield components from the vSphere Client.

Specify Syslog Server

If you specify a syslog server, vShield Manager sends all audit logs and system events from vShield Manager to the syslog server.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to Syslog Server.
5 Type the IP address of the syslog server.
6 (Optional) Type the port for the syslog server.
If you do not specify a port, the default UDP syslog port (514) is used. Syslog over UDP is neither authenticated nor encrypted, so place the syslog server on the management network rather than sending these logs across untrusted networks.
7 Click OK.

Download Technical Support Logs for vShield

You can download vShield Manager audit logs and system events for a vShield component to your PC.
Audit logs record configuration changes (such as a firewall configuration change), while system events record what happens in the background while the vShield Manager is running. For example, if the vShield Manager loses connectivity to one of the vShield App or vShield Edge appliances, a system event is logged.
Both audit logs and system events are sent to the syslog server at the Info level. System events, however, carry an internal severity, which is added to the syslog message sent for that event; a syslog filter or alert rule therefore has to key on that severity field rather than on the syslog priority.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Support.
4 Under Tech Support Log Download, click Initiate next to the appropriate component.
Once initiated, the log is generated and uploaded to the vShield Manager. This might take several seconds.
5 After the log is ready, click the Download link to download the log to your PC.
The log is compressed and has the file extension .gz.
What to do next
You can open the log using a decompression utility by browsing for All Files in the directory where you saved the file.

Add an SSL Certificate to Identify the vShield Manager Web Service

You can generate a certificate signing request (CSR), have it signed by a CA, and import the signed SSL certificate into the vShield Manager. The certificate authenticates the identity of the vShield Manager web service to clients and protects the information sent to the vShield Manager web server. As a security best practice, generate the CSR on the vShield Manager: the generate option creates the key pair on the appliance, and the private key stays stored there and never has to be exported.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Generate Certificate Signing Request, complete the form by filling in the following fields:
Common Name: Type the IP address or fully qualified domain name (FQDN) of the vShield Manager. VMware recommends that you enter the FQDN.
Organization Unit: Enter the department in your company that is ordering the certificate.
Organization Name: Enter the full legal name of your company.
City Name: Enter the full name of the city in which your company resides.
State Name: Enter the full name of the state in which your company resides.
Country Code: Enter the two-letter code that represents your country. For example, the United States is US.
Key Algorithm: Select the cryptographic algorithm to use, either DSA or RSA. VMware recommends RSA for backward compatibility.
Key Size: Select the number of bits used in the selected algorithm. Use at least 2048 bits for RSA.
5 Click Generate.

Import an SSL Certificate

You can import a pre-existing or CA signed SSL certificate for use by the vShield Manager.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Import Signed Certificate, click Browse at Certificate File to find the file.
5 Select the type of certificate file from the Certificate Type drop-down list.
If applicable, import root and intermediate certificates before importing the CA signed certificate. If there are multiple intermediate certificates, combine them into a single file and then import the file.
6 Click Apply.
A yellow bar containing the message Successfully imported certificate is displayed at the top of the screen.
7 Click Apply Certificate.
vShield Manager is restarted to apply the certificate.
The certificate is stored in the vShield Manager.
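The procedure above (generate a CSR, have it signed, import root and intermediates ahead of the signed certificate) exercised end to end with openssl, as an added example; this is not code from the guide or from VMware. The host name vsm.example.com, the subject fields, and the two-tier test CA are assumptions that stand in for your own values and your organization's CA. In production the key pair and CSR are generated on the vShield Manager so the private key never leaves the appliance; the script generates one locally only so that the signed certificate and the intermediate bundle can be verified before you import them. Because browsers match the host name against the subjectAltName extension rather than the Common Name, the test CA adds the FQDN as a DNS SAN; ask your CA to do the same.

```shell
#!/bin/sh
# Added example, not part of the vShield guide: CSR -> CA signing -> intermediate
# bundle -> verification, with openssl. The FQDN, subject fields and the two-tier
# test CA are assumptions; in production the CSR comes from the vShield Manager
# and the CA is your own, so only build_chain and verify_chain apply unchanged.
set -eu

WORK=$(mktemp -d)
FQDN="vsm.example.com"
SUBJECT="/C=US/ST=California/L=Palo Alto/O=Example Corp/OU=Infrastructure Security/CN=$FQDN"

# What the "Generate Certificate Signing Request" form produces: an RSA 2048-bit
# key (which stays on the appliance) and a CSR carrying the subject fields.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/vsm.key" -out "$WORK/vsm.csr" -subj "$SUBJECT" 2>/dev/null
    # Check the CSR before sending it to the CA: self-signature valid, CN is the FQDN.
    openssl req -in "$WORK/vsm.csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$WORK/vsm.csr" -noout -subject | grep -q "CN *= *$FQDN"
}

# A throwaway root CA and issuing (intermediate) CA that stand in for a real CA.
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/O=Example Corp/CN=Example Test Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/O=Example Corp/CN=Example Test Issuing CA" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/inter.ext" \
        -out "$WORK/inter.crt" 2>/dev/null
}

# The CA signs the vShield Manager CSR. The SAN is set here because browsers
# match the host name against subjectAltName, not against the Common Name.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$FQDN" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/vsm.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/vsm.crt" 2>/dev/null
}

# The guide imports root and intermediates before the signed certificate and
# wants several intermediates combined into one file. With more tiers, append
# each intermediate in issuing order (the one that signed the leaf first).
build_chain() {
    cat "$WORK/inter.crt" > "$WORK/intermediates.pem"
}

# What a client will check: the leaf chains to the trusted root through the
# intermediate bundle, and the certificate belongs to the private key.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediates.pem" \
        "$WORK/vsm.crt" >/dev/null
    crt_mod=$(openssl x509 -in "$WORK/vsm.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORK/vsm.key" -noout -modulus 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

gen_csr
make_test_ca
sign_csr
build_chain
verify_chain
echo "chain verified; files are in $WORK"
```

Run it with sh. It leaves the key, the CSR, the signed certificate and intermediates.pem in a temporary directory whose path it prints; the final step fails if an intermediate is missing from the bundle, which is the error you would otherwise only discover in the browser after clicking Apply Certificate. Delete the test private keys when you are done.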

Add a Cisco Switch to vShield Manager

You can add a Cisco switch to vShield Manager and manage its implementation.
Prerequisites
The N1K switch must have been installed on vCenter Server.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Ensure that you are in the Configuration tab.
3 Click the Networking tab.
4 Click Add Switch Provider.
5 Type a name for the switch.
6 Type the API interface with which the switch can communicate in the following format: https://IP_of_VSM/n1k/services/NSM
7 Type your N1K user name and password.
8 Click OK.
The switch is added to the switch provider table.

Working with Services and Service Groups

A service is a protocol-port combination, and a service group is a group of services.

Create a Service

You can create a service and then define rules for that service.
Procedure
1 Do one of the following.
To create a service at the global scope:
a Log in to the vShield Manager user interface.
b Click Settings & Reports.
c Click Object Library.
To create a service at the datacenter scope:
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter from the inventory panel.
c Click the vShield tab.
To create a service at the port group scope:
a In the vSphere Client, go to Inventory > Networking.
b Select a network from the inventory panel.
c Click the vShield tab.
To create a service at the vShield Edge scope:
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter resource from the inventory panel.
c Click the Network Virtualization tab.
d Click the Edges tab.
e Double-click a vShield Edge instance.
f Click the Configure tab.
2 Click the Services tab.
3 Select Add > Service.
4 Type a Name to identify the service.
5 Type a Description for the service.
6 Select a Protocol to which you want to add a non-standard port.
7 Type the port number(s) in Ports.
8 (Optional) When creating a service at the global or datacenter scope, select Enable inheritance to make this service visible and available to underlying scopes.
9 Click OK.
The service appears in the Services table.

Create a Service Group

You can create a service group at the global, datacenter, port group, or vShield Edge scope and then define rules for that service group.
Procedure
1 Do one of the following.
To create a service group at the global scope:
a Log in to the vShield Manager user interface.
b Click Settings & Reports.
c Click Object Library.
To create a service group at the datacenter scope:
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter resource from the inventory panel.
c Click the vShield tab.
To create a service group at the port group scope:
a In the vSphere Client, go to Inventory > Networking.
b Select a network from the inventory panel.
c Click the vShield tab.
To create a service group at the vShield Edge scope:
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter resource from the inventory panel.
c Click the Network Virtualization tab.
d Click the Edges tab.
e Double-click a vShield Edge instance.
f Click the Configure tab.
2 Click the Services tab.
3 Select Add > Service Group.
4 Type a Name to identify the service group.
5 Type a Description for the service group.
6 In Members, select the services or service groups that you want to add to the group.
7 (Optional) When creating a service group at the global or datacenter scope, select Enable inheritance to make this service group visible and available to underlying scopes.
8 Click OK.
The custom service group appears in the Services table.

Edit a Service or Service Group

You can edit services and service groups.
A service or service group can be edited only at the scope at which it was defined. For example, a service defined at the global scope cannot be edited at the vShield Edge scope.
Procedure
1 Do one of the following.
To edit a service at the global scope:
a Log in to the vShield Manager user interface.
b Click Settings & Reports.
c Click Object Library.
To edit a service at the datacenter scope:
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter resource from the inventory panel.
c Click the vShield tab.
To edit a service at the port group scope:
a In the vSphere Client, go to Inventory > Networking.
b Select a network from the inventory panel.
c Click the vShield tab.
To edit a service at the vShield Edge scope:
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter resource from the inventory panel.
c Click the Network Virtualization tab.
d Click the Edges tab.
e Double-click a vShield Edge instance.
f Click the Configure tab.
2 Click the Services tab.
3 Select a custom service or service group and click the Edit icon.
4 Make the appropriate changes.
5 Click OK.

Delete a Service or Service Group

You can delete services or service groups.
A service or service group can be deleted only at the scope at which it was defined. For example, if a service was defined at the global scope, it cannot be deleted at the vShield Edge scope.
Procedure
1 Do one of the following.
   To delete a service at the global scope:
     a Log in to the vShield Manager user interface.
     b Click Settings & Reports.
     c Click Object Library.
   To delete a service at the datacenter scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
   To delete a service at the port group scope:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
   To delete a service at the vShield Edge scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the Network Virtualization tab.
     d Click the Edges tab.
     e Double-click a vShield Edge instance.
     f Click the Configure tab.
2 Click the Services tab.
3 Select a custom service or service group and click the Delete icon.
4 Click Yes.
The service or service group is deleted.

Grouping Objects

The Grouping feature enables you to create custom containers to which you can assign resources, such as virtual machines and network adapters, for App Firewall protection. After a group is defined, you can add the group as the source or destination of a firewall rule for protection.

Working with IP Address Groups

Create an IP Address Group
You can create an IP address group at the global, datacenter, or vShield Edge scope and then add this group as the source or destination in a firewall rule. Such a rule can help protect physical machines from virtual machines or vice versa.
Procedure
1 Do one of the following.
   To create an IP address group at the global scope:
     a In the vShield Manager user interface, click Object Library from the vShield Manager inventory panel.
     b Ensure that you are in the Grouping tab.
   To create an IP address group at the datacenter scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d From the General tab, select the Grouping tab.
   To create an IP address group at the port group scope:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
   To create an IP address group at the vShield Edge scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the Network Virtualization tab.
     d Click the Edges tab.
     e Double-click a vShield Edge instance.
     f Click the Configure tab.
2 Click the Grouping Objects tab.
3 Click the Add icon and select IP Addresses.
The Add IP Addresses window opens.
4 Type a name for the address group.
5 (Optional) Type a description for the address group.
6 Type the IP addresses to be included in the group.
7 (Optional) When creating an IP address group at the global or datacenter scope, select Enable inheritance to allow visibility at underlying scopes to make this IP address group available to underlying scopes.
8 Click OK.
Edit an IP Address Group
An IP address group can be edited only at the scope at which it was defined. For example, if an IP address group was defined at the global scope, it cannot be edited at the vShield Edge scope.
Procedure
1 Do one of the following.
   To edit an IP address group at the global scope:
     a In the vShield Manager user interface, click Object Library from the vShield Manager inventory panel.
     b Ensure that you are in the Grouping tab.
   To edit an IP address group at the datacenter scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d From the General tab, select the Grouping tab.
   To edit an IP address group at the port group scope:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
   To edit an IP address group at the vShield Edge scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the Network Virtualization tab.
     d Click the Edges tab.
     e Double-click a vShield Edge instance.
     f Click the Configure tab.
2 Click the Grouping Objects tab.
3 Select the group that you want to edit and click the Edit icon.
4 In the Edit IP Addresses dialog box, make the appropriate changes.
5 Click OK.
Delete an IP Address Group
An IP address group can be deleted only at the scope at which it was defined. For example, if an IP address group was defined at the global scope, it cannot be deleted at the vShield Edge scope.
Procedure
1 Do one of the following.
   To delete an IP address group at the global scope:
     a In the vShield Manager user interface, click Object Library from the vShield Manager inventory panel.
     b Ensure that you are in the Grouping tab.
   To delete an IP address group at the datacenter scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d From the General tab, select the Grouping tab.
   To delete an IP address group at the port group scope:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
   To delete an IP address group at the vShield Edge scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the Network Virtualization tab.
     d Click the Edges tab.
     e Double-click a vShield Edge instance.
     f Click the Configure tab.
2 Click the Grouping Objects tab.
3 Select the group that you want to delete and click the Delete icon.

Working with MAC Address Groups

Create a MAC Address Group
You can create a MAC address group consisting of a range of MAC addresses and then add this group as the source or destination in a vShield App firewall rule. Such a rule can help protect physical machines from virtual machines or vice versa.
Procedure
1 Do one of the following.
   To create a MAC address group at the global level:
     a In the vShield Manager user interface, click Object Library from the vShield Manager inventory panel.
     b Ensure that you are in the Grouping tab.
   To create a MAC address group at the datacenter level:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d From the General tab, select the Grouping tab.
   To create a MAC address group at the port group level:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
2 Click the Add icon and select MAC Addresses.
The Add MAC Addresses window opens.
3 Type a name for the address group.
4 (Optional) Type a description for the address group.
5 Type the MAC addresses to be included in the group.
6 Select Enable inheritance to allow visibility at underlying scopes if you want the MAC address group to propagate down to objects in the selected datacenter.
7 Click OK.
Edit a MAC Address Group
A MAC address group can be edited only at the scope at which it was defined. For example, if a MAC address group was defined at the global scope, it cannot be edited at the vShield Edge scope.
Procedure
1 Do one of the following.
   To edit a MAC address group at the global scope:
     a In the vShield Manager user interface, click Object Library from the vShield Manager inventory panel.
     b Ensure that you are in the Grouping tab.
   To edit a MAC address group at the datacenter scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d From the General tab, select the Grouping tab.
   To edit a MAC address group at the port group scope:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
   To edit a MAC address group at the vShield Edge scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the Network Virtualization tab.
     d Click the Edges tab.
     e Double-click a vShield Edge instance.
     f Click the Configure tab.
2 Click the Grouping Objects tab.
3 Select the group that you want to edit and click the Edit icon.
4 In the Edit MAC Addresses dialog box, make the appropriate changes.
5 Click OK.
Delete a MAC Address Group
A MAC address group can be deleted only at the scope at which it was defined. For example, if a MAC address group was defined at the global scope, it cannot be deleted at the vShield Edge scope.
Procedure
1 Do one of the following.
   To delete a MAC address group at the global scope:
     a In the vShield Manager user interface, click Object Library from the vShield Manager inventory panel.
     b Ensure that you are in the Grouping tab.
   To delete a MAC address group at the datacenter scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d From the General tab, select the Grouping tab.
   To delete a MAC address group at the port group scope:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
   To delete a MAC address group at the vShield Edge scope:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the Network Virtualization tab.
     d Click the Edges tab.
     e Double-click a vShield Edge instance.
     f Click the Configure tab.
2 Click the Grouping Objects tab.
3 Select the group that you want to delete and click the Delete icon.

Working with Security Groups

Create a Security Group
In the vSphere Client, you can add a security group at the datacenter or port group level.
The security group scope is limited to the resource level at which it is created. For example, if you create a security group at the datacenter level, the security group can be added as a source or destination only when you create a firewall rule at the datacenter level. If you create a rule for a port group within that datacenter, the security group is not available.
Procedure
1 Do one of the following.
   To create a security group at the datacenter level:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d In the General tab, select the Grouping tab.
   To create a security group at the port group level:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
     d Select the Grouping tab.
2 Click Add and select Security Group.
The Add Security Group window opens with the selected datacenter displayed as the Scope.
3 Type a name and description for the security group.
4 Click in the field next to the Add button and select the resource type you want to include in the security group.
5 In Members, select one or more resources to add to the security group.
When you add a resource to a security group, all associated resources are automatically added. For example, when you select a virtual machine, the associated vNIC is automatically added to the security group.
6 Click OK.
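The scoping rules this chapter states for services, IP and MAC address groups, and security groups (an object is available only at the scope where it was created, or at underlying scopes when Enable inheritance was selected at the global or datacenter scope; security groups never inherit; edit and delete are permitted only at the defining scope) are the kind of thing that silently produces a rule with a missing source or destination. The following Python model is an added example written for this guide and is not VMware code or the vShield API; the Scope and GroupingObject classes, the scope-kind strings, and all sample names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Added example (not VMware code): a small model of how vShield grouping
# objects are scoped, following the rules stated in the guide.
# Scope hierarchy: global -> datacenter -> port group / vShield Edge.


@dataclass(frozen=True)
class Scope:
    """A point in the scope hierarchy. `kind` values are constructed labels."""
    kind: str                       # "global", "datacenter", "portgroup" or "edge"
    name: str
    parent: Optional["Scope"] = None

    def ancestors(self) -> Iterator["Scope"]:
        s = self.parent
        while s is not None:
            yield s
            s = s.parent


@dataclass(frozen=True)
class GroupingObject:
    """A service, IP address group, MAC address group or security group."""
    name: str
    kind: str                       # "service", "ipset", "macset" or "securitygroup"
    scope: Scope                    # the scope at which the object was created
    inherit: bool = False           # "Enable inheritance to allow visibility at underlying scopes"

    def inherits(self) -> bool:
        # The guide offers the inheritance option only when creating at the
        # global or datacenter scope, and a security group's scope is always
        # limited to the level at which it is created.
        if self.kind == "securitygroup":
            return False
        return self.inherit and self.scope.kind in ("global", "datacenter")


def is_visible_at(obj: GroupingObject, scope: Scope) -> bool:
    """True if obj can be chosen as source/destination in a rule created at `scope`."""
    if obj.scope == scope:
        return True
    return obj.inherits() and obj.scope in scope.ancestors()


def can_modify_at(obj: GroupingObject, scope: Scope) -> bool:
    """Edit and delete are permitted only at the scope where the object was defined."""
    return obj.scope == scope


def unavailable_members(rule_scope: Scope, members: List[GroupingObject]) -> List[str]:
    """Names of intended rule members that would not be offered at rule_scope.

    A pre-check before building a rule: a member that is simply absent from
    the picker is a policy gap that no error message will point out."""
    return [m.name for m in members if not is_visible_at(m, rule_scope)]


if __name__ == "__main__":
    # Constructed sample hierarchy and objects.
    glob = Scope("global", "global")
    dc = Scope("datacenter", "DC1", glob)
    pg = Scope("portgroup", "PG-web", dc)
    edge = Scope("edge", "edge-1", dc)

    https = GroupingObject("HTTPS", "service", glob, inherit=True)
    mgmt_ips = GroupingObject("MGMT-IPs", "ipset", glob, inherit=False)
    web_tier = GroupingObject("WebTier", "securitygroup", dc)

    for obj in (https, mgmt_ips, web_tier):
        for s in (glob, dc, pg, edge):
            print(f"{obj.name:9s} at {s.name:7s}: visible={is_visible_at(obj, s)!s:5s} "
                  f"editable={can_modify_at(obj, s)}")
    print("missing from a rule at PG-web:", unavailable_members(pg, [https, mgmt_ips, web_tier]))
```

Running the block prints a visibility/editability matrix for the three sample objects and reports that a port-group rule at PG-web could not reference MGMT-IPs (created at global scope without inheritance) or WebTier (a datacenter-level security group), which is exactly the situation the security group scope paragraph above describes.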
Edit a Security Group
A security group can be edited only at the scope at which it was defined. For example, if a security group was defined at the datacenter scope, it cannot be edited at the port group scope.
Procedure
1 Do one of the following.
   To edit a security group at the datacenter level:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d In the General tab, select the Grouping tab.
   To edit a security group at the port group level:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
     d Select the Grouping tab.
2 Select the group that you want to edit and click the Edit icon.
3 In the Edit Security Group dialog box, make the appropriate changes.
4 Click OK.
Delete a Security Group
A security group can be deleted only at the scope at which it was defined. For example, if a security group was defined at the datacenter scope, it cannot be deleted at the port group scope.
Procedure
1 Do one of the following.
   To delete a security group at the datacenter level:
     a In the vSphere Client, go to Inventory > Hosts & Clusters.
     b Select a datacenter resource from the inventory panel.
     c Click the vShield tab.
     d In the General tab, select the Grouping tab.
   To delete a security group at the port group level:
     a In the vSphere Client, go to Inventory > Networking.
     b Select a network from the inventory panel.
     c Click the vShield tab.
     d Select the Grouping tab.
2 Select the group that you want to delete and click the Delete icon.