VMware vShield Endpoint 1.0.0 Update 1, VSHIELD APP 1.0.0 UPDATE 1, vShield Manager 4.1.0 Update 1, vShield Zones 4.1.0 Update 1, vShield Edge 1.0.0 Update 1 Admin Manual
Page 1
vShield Administration Guide
vShield Manager 4.1.0 Update 1
vShield Zones 4.1.0 Update 1
vShield Edge 1.0.0 Update 1
vShield App 1.0.0 Update 1
vShield Endpoint 1.0.0 Update 1
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000374-01
Page 2
vShield Administration Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Page 3
Contents
About This Book 7
vShield Manager and vShield Zones
1 Overview of vShield 11
vShield Components 11
vShield Manager 11
vShield Zones 11
vShield Edge 12
vShield App 12
vShield Endpoint 13
Migration of vShield Components 13
VMware Tools 13
Ports Required for vShield Communication 13
2 vShield Manager User Interface Basics 15
Logging in to the vShield Manager User Interface 15
Accessing the Online Help 16
vShield Manager User Interface 16
vShield Manager Inventory Panel 16
vShield Manager Configuration Panel 17
3 Management System Settings 19
Identify Your vCenter Server 19
Register the vShield Manager as a vSphere Client Plug-in 20
Identify DNS Services 20
Set the vShield Manager Date and Time 21
Identify a Proxy Server 21
Download a Technical Support Log from a Component 21
Back Up vShield Manager Data 22
View vShield Manager System Status 22
Add an SSL Certificate to Identify the vShield Manager Web Service 22
4 Zones Firewall Management 25
Using Zones Firewall 25
Default Rules 26
Layer 4 Rules and Layer 2/Layer 3 Rules 26
Hierarchy of Zones Firewall Rules 26
Planning Zones Firewall Rule Enforcement 26
Create a Zones Firewall Rule 27
Create a Layer 2/Layer 3 Zones Firewall Rule 28
Validating Active Sessions against the Current Zones Firewall Rules 29
Revert to a Previous Zones Firewall Configuration 29
Delete a Zones Firewall Rule 30
VMware, Inc. 3
Page 4
vShield Administration Guide
5 User Management 31
Managing User Rights 31
Managing the Default User Account 32
Add a User 32
Assign a Role and Rights to a User 32
Edit a User Account 32
Delete a User Account 33
6 Updating System Software 35
View the Current System Software 35
Upload an Update 35
Review the Update History 36
7 Backing Up vShield Manager Data 37
Back Up Your vShield Manager Data on Demand 37
Schedule a Backup of vShield Manager Data 38
Restore a Backup 38
8 System Events and Audit Logs 39
View the System Event Report 39
System Event Notifications 40
vShield Manager Virtual Appliance Events 40
vShield App Events 40
Syslog Format 40
View the Audit Log 41
9 Uninstalling vShield Components 43
Uninstall a vShield App or vShield Zones 43
Uninstall a vShield Edge from a Port Group 44
Uninstall Port Group Isolation from an ESX Host 44
Uninstall a vShield Endpoint Module 45
Unregister an SVM from a vShield Endpoint Module 45
Uninstall the vShield Endpoint Module from the vSphere Client 45
vShield Edge and Port Group Isolation
10 vShield Edge Management 49
View the Status of a vShield Edge 49
Specify a Remote Syslog Server 50
Managing the vShield Edge Firewall 50
Create a vShield Edge Firewall Rule 50
Validate Active Sessions Against Current vShield Edge Firewall Rules 51
Manage NAT Rules 51
Manage DHCP Service 52
Manage VPN Service 53
Manage Load Balancer Service 55
Start or Stop vShield Edge Services 56
Upgrade vShield Edge Software 56
4 VMware, Inc.
Page 5
vShield App and vShield Endpoint
11 vShield App Management 59
Send vShield App System Events to a Syslog Server 59
Back Up the Running CLI Configuration of a vShield App 60
View the Current System Status of a vShield App 60
Force a vShield App to Synchronize with the vShield Manager 60
Restart a vShield App 61
View Traffic Statistics by vShield App Interface 61
12 Flow Monitoring 63
Using Flow Monitoring 63
View a Specific Application in the Flow Monitoring Charts 64
Change the Date Range of the Flow Monitoring Charts 64
View the Flow Monitoring Report 64
Add an App Firewall Rule from the Flow Monitoring Report 65
Delete All Recorded Flows 66
Editing Port Mappings 66
Add an Application-Port Pair Mapping 66
Delete an Application-Port Pair Mapping 67
Hide the Port Mappings Table 67
13 App Firewall Management 69
Using App Firewall 69
Securing Containers and Designing Security Groups 69
Default Rules 70
Layer 4 Rules and Layer 2/Layer 3 Rules 70
Hierarchy of App Firewall Rules 70
Planning App Firewall Rule Enforcement 70
Create an App Firewall Rule 71
Create a Layer 2/Layer 3 App Firewall Rule 73
Creating and Protecting Security Groups 73
Add a Security Group 73
Assign Resources to a Security Group 74
Validating Active Sessions against the Current App Firewall Rules 74
Revert to a Previous App Firewall Configuration 75
Delete an App Firewall Rule 75
Using SpoofGuard 75
SpoofGuard Screen Options 76
Enable SpoofGuard 76
Approve IP Addresses 76
Edit an IP Address 77
Delete an IP Address 77
14 vShield Endpoint Events and Alarms 79
View vShield Endpoint Status 79
Alarms 80
Host Alarms 80
SVM Alarms 80
VM Alarms 81
Events 81
Audit Messages 84
VMware, Inc. 5
Page 6
Appendixes
A Command Line Interface 87
Logging In and Out of the CLI 87
CLI Command Modes 87
CLI Syntax 88
Moving Around in the CLI 88
Getting Help within the CLI 89
Securing CLI User Accounts and the Privileged Mode Password 89
Add a CLI User Account 89
Delete the admin User Account from the CLI 90
Change the CLI Privileged Mode Password 90
Command Reference 91
Administrative Commands 91
CLI Mode Commands 92
Configuration Commands 95
Debug Commands 102
Show Commands 107
Diagnostics and Troubleshooting Commands 123
User Administration Commands 126
Terminal Commands 128
Deprecated Commands 129
B Troubleshooting 131
Troubleshooting vShield Manager Installation 131
vShield OVA File Extracted to a PC Where vSphere Client Is Not Installed 131
vShield OVA File Cannot Be Installed in vSphere Client 131
Cannot Log In to CLI After the vShield Manager Virtual Machine Starts 132
Cannot Log In to the vShield Manager User Interface 132
Troubleshooting Operation Issues 132
vShield Manager Cannot Communicate with a vShield App 132
Cannot Configure a vShield App 132
Firewall Block Rule Not Blocking Matching Traffic 133
No Flow Data Displaying in Flow Monitoring 133
Troubleshooting Port Group Isolation Issues 133
Validate Installation of Port Group Isolation 133
Verify Install or Uninstall Script 134
Validate the Data Path 134
Details of the fence-util Utility 135
Troubleshooting vShield Edge Issues 136
Virtual Machines Are Not Getting IP Addresses from the DHCP Server 136
Load-Balancer Does Not Work 136
Load-Balancer Throws Error 502 Bad Gateway for HTTP Requests 137
VPN Does Not Work 137
Troubleshooting vShield Endpoint Issues 137
Thin Agent Logging 137
Component Version Compatibility 138
Index 139
VMware, Inc. 6
Page 7
About This Book
This manual, the vShield Administration Guide, describes how to install, configure, monitor, and maintain the
VMware
command line interface (CLI). The information includes step-by-step configuration instructions, and
suggested best practices.
®
vShield™ system by using the vShield Manager user interface, the vSphere Client plug-in, and
Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment.
The information in this manual is written for experienced system administrators who are familiar with virtual
machine technology and virtual datacenter operations. This manual assumes familiarity with VMware
Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions
of terms as they are used in VMware technical documentation go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your
feedback to docfeedback@vmware.com.
vShield Documentation
The following documents comprise the vShield documentation set:
vShield Administration Guide, this guide
vShield Quick Start Guide
vShield API Programming Guide
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version
of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and
register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on
priority 1 issues. Go to http://www.vmware.com/support/phone_support.
VMware, Inc. 7
Page 8
vShield Administration Guide
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to
http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials
designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live
online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides
offerings to help you assess, plan, build, and manage your virtual environment. To access information about
education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
8 VMware, Inc.
Page 9
vShield Manager and vShield Zones
VMware, Inc. 9
Page 10
vShield Administration Guide
10 VMware, Inc.
Page 11
1
Overview of vShield
VMware® vShield is a suite of security virtual appliances built for VMware vCenter™ Server and Vmware
ESX™ integration. vShield is a critical security component for protecting virtualized datacenters from attacks
and misuse helping you achieve your compliance-mandated goals.
This guide assumes you have administrator access to the entire vShield system. The viewable resources in the
vShield Manager user interface can differ based on the assigned role and rights of a user, and licensing. If you
are unable to access a screen or perform a particular task, consult your vShield administrator.
This chapter includes the following topics:
“vShield Components” on page 11
“Migration of vShield Components” on page 13
“VMware Tools” on page 13
“Ports Required for vShield Communication” on page 13
vShield Components
vShield includes components and services essential for protecting virtual machines. vShield can be configured
through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
1
To run vShield, you need one vShield Manager virtual machine and at least one vShield App or vShield Edge
module.
vShield Manager
The vShield Manager is the centralized network management component of vShield and is installed from OVA
as a virtual machine by using the vSphere Client. Using the vShield Manager user interface, administrators
install, configure, and maintain vShield components. A vShield Manager can run on a different ESX host from
your vShield App and vShield Edge modules.
The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client
inventory panel.
For more on the using the vShield Manager user interface, see Chapter 2, “vShield Manager User Interface
Basics,” on page 15.
vShield Zones
vShield Zones, included with the vShield Manager, provides firewall protection for traffic between virtual
machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination
port, and service.
VMware, Inc. 11
Page 12
vShield Administration Guide
vShield Edge
N
OTE You must obtain an evaluation or full license to use vShield Edge.
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port
group, vDS port group, or Cisco
®
Nexus 1000V. The vShield Edge connects isolated, stub networks to shared
(uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud
environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection
for TCP, UDP, and ICMP.
Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP
and UDP port translation.
Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and
search domains.
Advanced vShield Edge Services
Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with
all major firewall vendors.
Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
vShield App
NOTE You must obtain an evaluation or full license to use vShield App.
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of
network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual
machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates
with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS,
vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual
network adapter. The firewall filter operates transparently and does not require network changes or
modification of IP addresses to create security zones. You can write access rules by using vCenter containers,
like datacenters, cluster, resource pools and vApps, or network objects, like Port Groups and VLANs, to
reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™
operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a
vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level.
You can use this information to audit network traffic and troubleshoot operational.
12 VMware, Inc.
Page 13
vShield Endpoint
N
OTE You must obtain an evaluation or full license to use vShield Endpoint.
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to
scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding
resource bottlenecks while optimizing memory use.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus
vendor (VMware partners) on an ESX host.
vShield Endpoint provides the following features:
On-demand file scanning in a service virtual machine.
On-access file scanning in a service virtual machine.
Migration of vShield Components
The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based
on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager
whenever the current ESX host undergoes a reboot or maintenance mode routine.
Each vShield Edge should move with its secured port group to maintain security settings and services.
Chapter 1 Overview of vShield
vShield App and Port Group Isolation services cannot be moved to another ESX host. If the ESX host on which
these services reside requires a manual maintenance mode operation, you must de-select the Move powered
off and suspended virtual machines to other hosts in the cluster check box to ensure these virtual appliances
are not migrated. These services restart after the ESX host comes online.
VMware Tools
Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware
Tools included with a vShield virtual appliance.
Ports Required for vShield Communication
The vShield Manager requires the following ports to be open:
REST API: 80/TCP and 443/TCP
Graphical User Interface: 80/TCP to 443/TCP and initiates connections to vSphere vCenter SDK.
SSH access to the CLI (not enabled by default): 22/TCP
VMware, Inc. 13
Page 14
vShield Administration Guide
14 VMware, Inc.
Page 15
2
vShield Manager User Interface
Basics
The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By
utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel
for a complete view of your vCenter environment.
NOTE You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield
components from within the vSphere Client. For more, see “Register the vShield Manager as a vSphere Client
Plug-in” on page 20.
The chapter includes the following topics:
“Logging in to the vShield Manager User Interface” on page 15
“Accessing the Online Help” on page 16
“vShield Manager User Interface” on page 16
Logging in to the vShield Manager User Interface
You access the vShield Manager management interface by using a Web browser.
To log in to the vShield Manager user interface
2
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
The vShield Manager user interface opens in an SSH session.
2 Accept the security certificate.
NOTE To use an SSL certificate for authentication, see “Add an SSL Certificate to Identify the vShield
Manager Web Service” on page 22.
The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the username admin and the password default.
You should change the default password as one of your first tasks to prevent unauthorized use. See “Edit
a User Account” on page 32.
4Click Log In.
VMware, Inc. 15
Page 16
vShield Administration Guide
Accessing the Online Help
The Online Help can be accessed by clicking in the upper right of the vShield Manager user interface.
vShield Manager User Interface
The vShield Manager user interface is divided into two panels: the inventory panel and the configuration
panel. You select a view and a resource from the inventory panel to open the available details and
configuration options in the configuration panel.
When clicked, each inventory object has a specific set of tabs that appear in the configuration panel.
vShield Manager Inventory Panel
The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy. Resources
include the root folder, datacenters, clusters, port groups, ESX hosts, and virtual machines, including your
installed vShield App and vShield Edge modules. As a result, the vShield Manager maintains solidarity with
your vCenter Server inventory to present a complete view of your virtual deployment. The vShield Manager
is the only virtual machine that does not appear in the vShield Manager inventory panel. vShield Manager
settings are configured from the Settings & Reports resource atop the inventory panel.
The inventory panel offers multiple views: Hosts & Clusters, Networks, and Secured Port Groups. The Hosts
& Clusters view displays the datacenters, clusters, resource pools, and ESX hosts in your inventory. The
Networks view displays the VLAN networks and port groups in your inventory. The Secured Port Groups
view displays the port groups protected by vShield Edge instances. The Hosts & Clusters and Networks views
are consistent with the same views in the vSphere Client.
There are differences in the icons for virtual machines and vShield components between the vShield Manager
and the vSphere Client inventory panels. Custom icons are used to show the difference between vShield
components and virtual machines, and the difference between protected and unprotected virtual machines.
Tabl e 2- 1 . vShield Virtual Machine Icons in the vShield Manager Inventory Panel
Icon Description
A powered on vShield App in active protection state.
A powered off vShield App.
A powered on virtual machine that is protected by a vShield App.
A powered on virtual machine that is not protected by a vShield App.
Refreshing the Inventory Panel
To refresh the list of resources in the inventory panel, click . The refresh action requests the latest resource
information from the vCenter Server. By default, the vShield Manager requests resource information from the
vCenter Server every five minutes.
Searching the Inventory Panel
To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager
inventory panel and click .
16 VMware, Inc.
Page 17
Chapter 2 vShield Manager User Interface Basics
vShield Manager Configuration Panel
The vShield Manager configuration panel presents the settings that can be configured based on the selected
inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting
information or configuration forms corresponding to the resource.
Because each resource has a different purpose, some tabs are specific to certain resources. Also, some tabs have
a second level of options.
VMware, Inc. 17
Page 18
vShield Administration Guide
18 VMware, Inc.
Page 19
3
Management System Settings
The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP
to provide details on your VMware Infrastructure inventory.
The chapter includes the following topics:
“Identify Your vCenter Server” on page 19
“Register the vShield Manager as a vSphere Client Plug-in” on page 20
“Identify DNS Services” on page 20
“Set the vShield Manager Date and Time” on page 21
“Identify a Proxy Server” on page 21
“Download a Technical Support Log from a Component” on page 21
“View vShield Manager System Status” on page 22
“Add an SSL Certificate to Identify the vShield Manager Web Service” on page 22
Identify Your vCenter Server
After the vShield Manager is installed as a virtual machine, log in to the vShield Manager user interface to
connect to your vCenter Server. This enables the vShield Manager to display your VMware Infrastructure
inventory.
3
To identify your vCenter Server from the vShield Manager
1 Log in to the vShield Manager.
Upon initial login, the vShield Manager opens to the Configuration > vCenter tab. If you have previously
configured the vCenter tab form, perform the following steps:
aClick the Settings & Reports from the vShield Manager inventory panel.
bClick the Configuration tab.
The vCenter screen appears.
2 Under vCenter Server Information, type the IP address of your vCenter Server in the vSphere Server IP
Address/Name field.
3 Type your vSphere Client login user name in the Administrator User Name field.
This user account must have administrator access.
VMware, Inc. 19
Page 20
vShield Administration Guide
4 Type the password associated with the user name in the Password field.
5Click Save.
The vShield Manager connects to the vCenter Server, logs on, and utilizes the VMware Infrastructure SDK
to populate the vShield Manager inventory panel. The inventory panel is presented on the left side of the
screen. This resource tree should match your VMware Infrastructure inventory panel. The vShield
Manager does not appear in the vShield Manager inventory panel.
Register the vShield Manager as a vSphere Client Plug-in
The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the
plug-in is registered, you can open the vShield Manager user interface from the vSphere Client.
To register the vShield Manager as a vSphere Client plug-in
1 If you are logged in to the vSphere Client, log out.
2 Log in to the vShield Manager.
3Click Settings & Reports from the vShield Manager inventory panel.
4Click the Configuration tab.
The vCenter screen appears.
5Under vSphere Plug-in, click Register.
Registration might take a few minutes.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that vShield Install appears as a tab.
You can install and configure vShield components from the vSphere Client.
Identify DNS Services
You must specify at least one DNS server during vShield Manager setup. The specified DNS servers appear in
the vShield Manager user interface.
In the vShield Manager user interface, you can specify up to three DNS servers that the vShield Manager can
use for IP address and host name resolution.
To identify a DNS server
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
The vCenter screen appears.
3Under DNS Servers, type an IP address in Primary DNS IP Address to identify the primary DNS server.
This server is checked first for all resolution requests.
4 (Optional) Type an IP address in the Secondary DNS IP Address field.
5 (Optional) Type an IP address in the Tertiary DNS IP Address field.
6Click Save.
20 VMware, Inc.
Page 21
Set the vShield Manager Date and Time
You can set the date, time, and time zone of the vShield Manager. You can also specify a connection to an NTP
server to establish a common network time. Date and time values are used in the system to stamp events as
they occur.
To set the date and time configuration of the vShield Manager
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click Date/Time.
4In the Date and Clock field, type the date and time in the format YYYY-MM-DD HH:MM:SS.
5In the NTP Server field, type the IP address of your NTP server.
You can type the hostname of your NTP server if you have set up DNS service.
6From the Time Zone drop-down menu, select the appropriate time zone.
7Click Save.
Identify a Proxy Server
If you use a proxy server for network connectivity, you can configure the vShield Manager to use the proxy
server. The vShield Manager supports application-level HTTP/HTTPS proxies such as CacheFlow and
Microsoft ISA Server.
Chapter 3 Management System Settings
To identify a proxy server
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click HTTP Proxy.
4From the Use Proxy drop-down menu, select Yes.
5 (Optional) Type the host name of the proxy server in the Proxy Host Name field.
6 Type the IP address of the proxy server in the Proxy IP Address field.
7 Type the connecting port number on your proxy server in the Proxy Port field.
8Type the User Name required to log in to the proxy server.
9Type the Password associated with the user name for proxy server login.
10 Click Save.
Download a Technical Support Log from a Component
You can use the Support option to download the system log from a vShield component to your PC. A system
log can be used to troubleshoot operational issues.
To download a vShield component system log
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click Support.
VMware, Inc. 21
Page 22
vShield Administration Guide
4Under Tech Support Log Download, click Initiate next to the appropriate component.
Once initiated, the log is generated and uploaded to the vShield Manager. This might take several
seconds.
5 After the log is ready, click the Download link to download the log to your PC.
The log is compressed and has the proprietary file extension .blsl. You can open the log using a
decompression utility by browsing for All Files in the directory where you saved the file.
Back Up vShield Manager Data
You can use the Backups option to back up vShield Manager data. See Chapter 7, “Backing Up vShield
Manager Data,” on page 37.
View vShield Manager System Status
The Status tab displays the status of vShield Manager system resource utilization, and includes the software
version details, license status, and serial number. The serial number must be registered with technical support
for update and support purposes.
To view the system status of the vShield Manager
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click Status.
4(Optional) Click Version Status to review the current version of system software running on your vShield
components.
The Update Status tab appears. See “View the Current System Software” on page 35.
Add an SSL Certificate to Identify the vShield Manager Web Service
You can generate or import an SSL certificate into the vShield Manager to authenticate the identity of the
vShield Manager web service and encrypt information sent to the vShield Manager web server. As a security
best practice, you should use the generate certificate option to generate a private key and public key, where
the private key is saved to the vShield Manager.
To generate an SSL certificate
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click SSL Certificate.
4 Under Generate Certificate Signing Request, enter the following information:
Field Description
Common Name Enter the name that matches the site name. For example, if the IP address of vShield
Manager management interface is 192.168.1.10, enter 192.168.1.10.
Organization Unit Enter the department in your company that is ordering the certificate.
Organization Name Enter the full legal name of your company.
City Name Enter the full name of the city in which your company resides.
State Name Enter the full name of the state in which your company resides.
Country Code Enter the two-digit code that represents your country. For example, the United States
is US.
22 VMware, Inc.
Page 23
Chapter 3 Management System Settings
Field Description
Key Algorithm Select the cryptographic algorithm to use from either DSA or RSA.
Key Size Select the number of bits used in the selected algorithm.
5Click Generate.
To import an SSL certificate
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click SSL Certificate.
4 Under Import Signed Certificate, click Browse at Certificate File to find the file.
5 Select the type of certificate file from the Certificate File drop-down list.
6Click Apply.
VMware, Inc. 23
Page 24
vShield Administration Guide
24 VMware, Inc.
Page 25
4
Zones Firewall Management
vShield Zones provides firewall protection access policy enforcement. Traffic details include sources,
destinations, direction of sessions, applications, and ports being used. Traffic details can be used to create
firewall allow or deny rules.
NOTE You can upgrade vShield Zones to vShield App by obtaining a vShield App license. vShield App
enhances vShield Zones protection by offering Flow Monitoring, custom container creation (Security Groups),
and container-based access policy creation and enforcement.
You do not have to uninstall vShield Zones to install vShield App. All vShield Zones instances become vShield
App instances, the Zones Firewall becomes App Firewall, and the additional vShield App features are enabled.
This chapter includes the following topics:
“Using Zones Firewall” on page 25
“Create a Zones Firewall Rule” on page 27
“Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28
“Validating Active Sessions against the Current Zones Firewall Rules” on page 29
“Revert to a Previous Zones Firewall Configuration” on page 29
4
“Delete a Zones Firewall Rule” on page 30
Using Zones Firewall
Zones Firewall is a centralized, hierarchical firewall for ESX hosts. Zones Firewall enables you to create rules
that allow or deny access to and from your virtual machines. Each installed vShield Zones enforces the App
Zones rules.
You can manage Zones Firewall rules at the datacenter, cluster, and port group levels to provide a consistent
set of rules across multiple vShield Zones instances under these containers. As membership in these containers
can change dynamically, Zones Firewall maintains the state of existing sessions without requiring
reconfiguration of firewall rules. In this way, Zones Firewall effectively has a continuous footprint on each ESX
host under the managed containers.
When creating Zones Firewall rules, you create 5-tuple firewall rules based on specific source and destination IP
addresses.
VMware, Inc. 25
Page 26
vShield Administration Guide
Default Rules
By default, Zones Firewall enforces a set of rules allowing traffic to pass through all vShield Zones instances.
These rules appear in the Default Rules section of the Zones Firewall table. The default rules cannot be deleted
or added to. However, you can change the Action element of each rule from Allow to Deny.
Layer 4 Rules and Layer 2/Layer 3 Rules
Zones Firewall offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers
refer to layers of the Open Systems Interconnection (OSI) Reference Model.
Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules
monitor traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3
rules at the datacenter level only. By default, all Layer4 and Layer 2/Layer 3 traffic is allowed to pass.
Hierarchy of Zones Firewall Rules
Each vShield Zones instance enforces Zones Firewall rules in top-to-bottom ordering. A vShield Zones
instance checks each traffic session against the top rule in the Zones Firewall table before moving down the
subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
Zones Firewall rules are enforced in the following hierarchy:
1 Data Center High Precedence Rules
2 Cluster Level Rules
3 Data Center Low Precedence Rules (seen as Rules below this level have lower precedence than cluster
level rules when a datacenter resource is selected)
4 Secure Port Group Rules
5 Default Rules
Zones Firewall offers container-level and custom priority precedence configurations:
Container-level precedence refers to recognizing the datacenter level as being higher in priority than the
cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and
vShield agents therein. A cluster-level rule is only applied to the vShield Zones instances within the
cluster.
Custom priority precedence refers to the option of assigning high or low precedence to rules at the
datacenter level. High precedence rules work as noted in the container-level precedence description. Low
precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules.
This flexibility allows you to recognize multiple layers of applied precedence.
At the cluster level, you configure rules that apply to all vShield Zones instances within the cluster.
Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level
Rules are not in conflict with Data Center High Precedence Rules.
Planning Zones Firewall Rule Enforcement
Using Zones Firewall, you can configure allow and deny rules based on your network policy. The following
examples represent two common firewall policies:
Allow all traffic by default. You keep the default allow all rules and add deny rules based on Flow
Monitoring data or manual App Firewall configuration. In this scenario, if a session does not match any
of the deny rules, the vShield App allows the traffic to pass.
Deny all traffic by default.You can change the Action status of the default rules from Allow to Deny, and
add allow rules explicitly for specific systems and applications. In this scenario, if a session does not
match any of the allow rules, the vShield App drops the session before it reaches its destination. If you
change all of the default rules to deny any traffic, the vShield App drops all incoming and outgoing traffic.
26 VMware, Inc.
Page 27
Create a Zones Firewall Rule
Zones Firewall rules allow or deny traffic based on the following criteria:
Criteria Description
Source (A.B.C.D/nn) IP address with netmask (nn) from which the communication originated
Source Port Port or range of ports from which the communication originated. To enter a port
range, separate the low and high end of the range with a colon. For example,
1000:1100.
Destination (A.B.C.D/nn) IP address with netmask (nn) which the communication is targeting
Destination Application The application on the destination the source is targeting
Destination Port Port or range of ports which the communication is targeting. To enter a port range,
separate the low and high end of the range with a colon. For example, 1000:1100.
Protocol Transport protocol used for communication
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which
require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for
a transmission, the transmission fails.
To create a firewall rule at the datacenter level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
Chapter 4 Zones Firewall Management
2 Select a datacenter resource from the resource tree.
3Click the vShield Zones tab.
4Click Zones Firewall.
By default, the L4 Rules option is selected.
To create L2/L3 rules, see “Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28.
5 Do one of the following:
Click Add to add a new rule to the Data Center Low Precedence Rules (Rules below this level have
lower precedence...).
Select a row in the Data Center High Precedence Rules section of the table and click Add. A new
appears below the selected row.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port
and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit to save the rule.
To create a firewall rule at the cluster level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a cluster resource from the resource tree.
3Click the vShield Zones tab.
4Click Zones Firewall.
By default, the L4 Rules option is selected.
To create L2/L3 rules, see “Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28.
VMware, Inc. 27
Page 28
vShield Administration Guide
5Click Add.
A new row appears in the Cluster Level Rules section of the table.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port
and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit to save the rule.
To create a firewall rule at the port group level
1 In the vSphere Client, go to Inventory > Networking.
2 Select a port group from the resource tree.
3Click the vShield Zones tab.
4Click Zones Firewall.
5Click Add.
A new row is added at the bottom of the Secure Port Group Rules section.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port
and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit to save the rule.
Create a Layer 2/Layer 3 Zones Firewall Rule
The Layer 2/Layer 3 firewall enables configuration of allow or deny rules for common Data Link Layer and
Network Layer requests, such as ICMP pings and traceroutes.
You can change the default Layer 2/Layer 3 rules from allow to deny based on your network security policy.
Layer 4 firewall rules allow or deny traffic based on the following criteria:
Criteria Description
Source (A.B.C.D/nn) IP address with netmask (nn) from which the communication originated
Destination (A.B.C.D/nn) IP address with netmask (nn) which the communication is targeting
Protocol Transport protocol used for communication
To create a Layer 2/Layer 3 firewall rule
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3Click the vShield Zones tab.
4Click Zones Firewall.
5Click L2/L3 Rules.
6Click Add.
A new row is added at the bottom of the DataCenter Rules section of the table.
28 VMware, Inc.
Page 29
Chapter 4 Zones Firewall Management
7 Double-click each cell in the new row to type or select the appropriate information.
You can type IP addresses in the Source and Destination fields
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit.
Validating Active Sessions against the Current Zones Firewall Rules
By default, a vShield Zones instance matches firewall rules against each new session. After a session has been
established, any firewall rule changes do not affect active sessions.
The CLI command validate sessions enables you to validate active sessions against the current Zones
Firewall rule set to purge any sessions that are in violation of the current rule set. After a firewall rule set
update, you should validate active sessions to purge any existing sessions that are in violation of the updated
policy.
After the Zones Firewall update is complete, issue the validate sessions command from the CLI of a
vShield Zones instance to purge sessions that are in violation of current policy.
To validate active sessions against the current firewall rules
1 Update and commit the Zones Firewall rule set at the appropriate container level.
2 Open a console session on a vShield Zones instance issue the validate sessions command.
vShieldZones> enable
Password:
vShieldZones# validate sessions
Revert to a Previous Zones Firewall Configuration
The vShield Manager saves a snapshot of App Firewall settings each time you commit a new rule. Clicking
Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the
new rule. These snapshots are available from the Revert to Snapshot drop-down menu.
To revert to a previous App Firewall configuration
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the inventory panel.
3Click the vShield Zones tab.
4Click Zones Firewall.
5From the Revert to Snapshot drop-down list, select a snapshot.
Snapshots are presented in the order of timestamps, with the most recent snapshot listed at the top.
6 View snapshot configuration details.
7 Do one of the following:
To return to the current configuration, select the - option from the Revert to Snapshot drop-down list.
Click Commit to overwrite the current configuration with the snapshot configuration.
VMware, Inc. 29
Page 30
vShield Administration Guide
Delete a Zones Firewall Rule
You can delete any App Firewall rule you have created. You cannot delete the any rules in the Default Rules
section of the table.
To delete an App Firewall rule
1 Click an existing row in the Zones Firewall table.
2Click Delete.
3Click Commit.
30 VMware, Inc.
Page 31
5
User Management
Security operations are often managed by multiple individuals. Management of the overall system is
delegated to different personnel according to some logical categorization. However, permission to carry out
tasks is limited only to users with appropriate rights to specific resources. From the Users section, you can
delegate such resource management to users by granting applicable rights.
User management in the vShield Manager user interface is separate from user management in the CLI of any
vShield component.
This chapter includes the following topics:
“Managing User Rights” on page 31
“Add a User” on page 32
“Assign a Role and Rights to a User” on page 32
“Edit a User Account” on page 32
“Delete a User Account” on page 33
Managing User Rights
Within the vShield Manager user interface, a user’s rights define the actions the user is allowed to perform on
a given resource. Rights determine the user’s authorized activities on the given resource, ensuring that a user
has access only to the functions necessary to complete applicable operations. This allows domain control over
specific resources, or system-wide control if your right encompasses the System resource.
5
The following rules are enforced:
A user can only have one right to one resource.
A user cannot add to or remove assigned rights and resources.
Tabl e 5- 1 . vShield Manager User Rights
Right Description
R Read only
CRUD Read and Write
Tabl e 5- 2 . vShield Manager User Resources
Resource Description
System Access to entire vShield system
Datacenter Access to a specified datacenter resource
Cluster Access to a specified cluster resource
None Access to no resources
VMware, Inc. 31
Page 32
vShield Administration Guide
Managing the Default User Account
The vShield Manager user interface includes one default user account, user name admin, which has rights to
all resources. You cannot edit the rights of or delete this user. The default password for admin is default.
Change the password for this account upon initial login to the vShield Manager. See “Edit a User Account” on
page 32.
Add a User
Basic user account creation requires assigning the user a login name and password.
To create a new user account
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Users tab.
3Click Create User.
The New User screen opens.
4Type a User Name.
This is used for login to the vShield Manager user interface. This user name and associated password
cannot be used to access the vShield App or vShield Manager CLIs.
5 (Optional) Type the user’s Full Name for identification purposes.
6 (Optional) Type an Email Address.
7Type a Password for login.
8 Re-type the password in the Retype Password field.
9Click OK.
After account creation, you configure right and resource assignment separately.
Assign a Role and Rights to a User
After creating a user account, you can assign the user a role and rights to system resources. The role defines
the resource, and the right defines the user’s access to that resource.
To assign a role and right to a user
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Users tab.
3 Double-click the Resource cell for the user.
4 From the drop-down menu that opens, select an available resource.
5 Double-click the Access Right cell for the user.
6 From the drop-down menu that opens, select an available access right.
Edit a User Account
You can edit a user account to change the password.
To edit an existing user account
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Users tab.
3 Click a cell in the table row that identifies the user account.
32 VMware, Inc.
Page 33
4Click Update User.
5 Make changes as necessary.
If you are changing the password, confirm the password by typing it a second time in the Retype
Password field.
6Click OK to save your changes.
Delete a User Account
You can delete any created user account. You cannot delete the admin account. Audit records for deleted users
are maintained in the database and can be referenced in an Audit Log report.
To delete a user account
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Users tab.
3 Click a cell in the table row that identifies the user account.
4Click Delete User.
Chapter 5 User Management
VMware, Inc. 33
Page 34
vShield Administration Guide
34 VMware, Inc.
Page 35
6
Updating System Software
vShield software requires periodic updates to maintain system performance. Using the Updates tab options,
you can install and track system updates.
This chapter includes the following topics:
“View the Current System Software” on page 35
“Upload an Update” on page 35
“Review the Update History” on page 36
View the Current System Software
The current versions of vShield component software display under the Update Status tab.
To view the current system software
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Updates tab.
3Click Update Status.
6
Upload an Update
vShield updates are available as offline updates. When an update is made available, you can download the
update to your PC, and then upload the update by using the vShield Manager user interface.
When the update is uploaded, the vShield Manager is updated first, after which, each vShield App is updated.
If a reboot of either the vShield Manager or a vShield App is required, the Update Status screen prompts you
to reboot the component. In the event that both the vShield Manager and all vShield App instances must be
rebooted, you must reboot the vShield Manager first, and then reboot each vShield App.
To upload an update
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Updates tab.
3Click Upload Settings.
4Click Browse to locate the update.
5 After locating the file, click Upload File.
VMware, Inc. 35
Page 36
vShield Administration Guide
6Click Confirm Install to confirm update installation.
There are two tables on this screen. During installation, you can view the top table for the description, start
time, success state, and process state of the current update. View the bottom table for the update status of
each vShield App. All vShield App instances have been upgraded when the status of the last vShield App
is displayed as Finished.
7 After the vShield Manager reboots, click the Update Status tab.
8Click Reboot Manager if prompted.
9Click Finish Install to complete the system update.
10 Click Confirm.
Review the Update History
The Update History tab lists the updates that have already been installed, including the installation date and
a brief description of each update.
To view a history of installed updates
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Updates tab.
3Click Update History.
36 VMware, Inc.
Page 37
7
Backing Up vShield Manager Data
You can back up and restore your vShield Manager data, which can include system configuration, events, and
audit log tables. Configuration tables are included in every backup. You can, however, exclude system and
audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager.
Backups can be executed according to a schedule or on demand.
This chapter includes the following topics:
“Back Up Your vShield Manager Data on Demand” on page 37
“Schedule a Backup of vShield Manager Data” on page 38
“Restore a Backup” on page 38
Back Up Your vShield Manager Data on Demand
You can back up vShield Manager data at any time by performing an on-demand backup.
To back up the vShield Manager database
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
7
3Click Backups.
4 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
5 (Optional) Select the Exclude Audit Logs check box if you do not want to back up audit log tables.
6Type the Host IP Address of the system where the backup will be saved.
7 (Optional) Type the Host Name of the backup system.
8Type the User Name required to log in to the backup system.
9Type the Password associated with the user name for the backup system.
10 In the Backup Directory field, type the absolute path where backups are to be stored.
11 Type a text string in Filename Prefix.
This text is prepended to the backup filename for easy recognition on the backup system. For example, if
you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
12 From the Transfer Protocol drop-down menu, select either SFTP or FTP.
13 Click Backup.
Once complete, the backup appears in a table below this form.
14 Click Save Settings to save the configuration.
VMware, Inc. 37
Page 38
vShield Zones Administration Guide
Schedule a Backup of vShield Manager Data
You can only schedule the parameters for one type of backup at any given time. You cannot schedule a
configuration-only backup and a complete data backup to run simultaneously.
To schedule periodic backups of your vShield Manager data
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click Backups.
4From the Scheduled Backups drop-down menu, select On.
5From the Backup Frequency drop-down menu, select Hourly, Daily, or Weekly.
The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected
frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is
not applicable to a daily frequency.
6 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
7 (Optional) Select the Exclude Audit Log check box if you do not want to back up audit log tables.
8Type the Host IP Address of the system where the backup will be saved.
9 (Optional) Type the Host Name of the backup system.
10 Type the User Name required to login to the backup system.
11 Type the Password associated with the user name for the backup system.
12 In the Backup Directory field, type the absolute path where backups will be stored.
13 Type a text string in Filename Prefix.
This text is prepended to each backup filename for easy recognition on the backup system. For example,
if you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
14 From the Transfer Protocol drop-down menu, select either SFTP or FTP, based on what the destination
supports.
15 Click Save Settings.
Restore a Backup
To restore an available backup, the Host IP Address, User Name, Password, and Backup Directory fields in
the Backups screen must have values that identify the location of the backup to be restored. When you restore
a backup, the current configuration is overridden. If the backup file contains system event and audit log data,
that data is also restored.
I
MPORTANT Back up your current data before restoring a backup file.
To restore an available vShield Manager backup
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Configuration tab.
3Click Backups.
4Click View Backups to view all available backups saved to the backup server.
5 Select the check box for the backup to restore.
6Click Restore.
7Click OK to confirm.
38 VMware, Inc.
Page 39
8
System Events and Audit Logs
System events are events that are related to vShield operation. They are raised to detail every operational
event, such as a vShield App reboot or a break in communication between a vShield App and the vShield
Manager. Events might relate to basic operation (Informational) or to a critical error (Critical).
This chapter includes the following topics:
“View the System Event Report” on page 39
“System Event Notifications” on page 40
“Syslog Format” on page 40
“View the Audit Log” on page 41
View the System Event Report
The vShield Manager aggregates system events into a report that can be filtered by vShield App and event
severity.
To view the System Event report
1Click Settings & Reports from the vShield Manager inventory panel.
8
2Click the System Events tab.
3 (Optional) Select one or more vShield App instances from the vShield field.
All vShield App instances are selected by default.
4From the and Severity drop-down menu, select a severity by which to filter results.
All severities are included by default. You can select one or more severities at a time.
5Click View Report.
6 In the report output, click an Event Time link to view details about a specific event.
VMware, Inc. 39
Page 40
vShield Administration Guide
System Event Notifications
vShield Manager Virtual Appliance Events
Power Off Power On Interface Down Interface Up
Local CLI Run show log follow
command.
GUI NA NA NA NA
CPU Memory Storage
Local CLI Run show process monitor
GUI See “View vShield Manager
command.
System Status” on page 22.
vShield App Events
Power Off Power On Interface Down Interface Up
Local CLI Run show log
follow command.
Syslog NA See “Syslog
GUI “Heartbeat failure”
event in System
Event log.
“View the System
Event Report” on
page 39
See
.
Run show log follow
command.
Run show system memory
command.
See “View vShield Manager
System Status” on page 22.
Run show log
follow
command.
Format” on
page 40.
See “View the
Current System
Status of a vShield
App” on page 60
Run show log follow
command.
Run show log follow
command.
e1000: mgmt:
e1000_watchdog_task:
NIC Link is Up/Down 100
Mbps Full Duplex. For
scripting on the syslog server,
search for NIC Link is.
See “View the Current System
Status of a vShield App” on
page 60
.
.
Run show log follow
command.
Run show filesystem
command.
See “View vShield Manager
System Status” on page 22.
Run show log follow
command.
e1000: mgmt:
e1000_watchdog_task: NIC
Link is Up/Down 100 Mbps
Full Duplex. For scripting
on the syslog server, search
for NIC Link is.
See “View the Current System
Status of a vShield App” on
page 60
.
Session reset due to DoS,
CPU Memory Storage
Local CLI Run show process
Syslog NA NA NA See “Syslog Format” on
GUI
monitor command.
See “View the Current
System Status of a
vShield App” on
page 60
.
Run show system
memory command.
See “View the Current
System Status of a
vShield App” on
page 60
.
Run show
filesystem
command.
See “View the Current
System Status of a
vShield App” on
page 60
.
inactivity, or data timeouts
Run show log follow
command.
page 40.
Refer to the System Event Log.
See “View the System Event
Report” on page 39
.
Syslog Format
The system event message logged in the syslog has the following structure:
syslog header (timestamp + hostname + sysmgr/)
Timestamp (from the service)
Name/value pairs
Name and value separated by delimiter '::' (double colons)
Each name/value pair separated by delimiter ';;' (double semi-colons)
40 VMware, Inc.
Page 41
The fields and types of the system event are:
Event ID :: 32 bit unsigned integer
Timestamp :: 32 bit unsigned integer
Application Name :: string
Application Submodule :: string
Application Profile :: string
Event Code :: integer (possible values: 10007 10016 10043 20019)
Severity :: string (possible values: INFORMATION LOW MEDIUM HIGH CRITICAL)
Message ::
View the Audit Log
The Audit Logs tab provides a view into the actions performed by all vShield Manager users. The vShield
Manager retains audit log data for one year, after which time the data is discarded.
To view the Audit Log
1Click Settings & Reports from the vShield Manager inventory panel.
2Click the Audit Logs tab.
3 Narrow the output by clicking one or more of the following column filters:
Column Description
User Name Select the login name of a user who performed the action.
Module Select the vShield resource on which the action was performed.
Operation Select the type of action performed.
Status Select the result of action as either Success or Failure.
Operation Span Select the vShield component on which the action was performed. Local
Chapter 8 System Events and Audit Logs
refers to the vShield Manager.
VMware, Inc. 41
Page 42
vShield Administration Guide
42 VMware, Inc.
Page 43
9
Uninstalling vShield Components
This chapter details the steps required to uninstall vShield components from your vCenter inventory.
This chapter includes the following topics:
“Uninstall a vShield App or vShield Zones” on page 43
“Uninstall a vShield Edge from a Port Group” on page 44
“Uninstall Port Group Isolation from an ESX Host” on page 44
“Uninstall a vShield Endpoint Module” on page 45
NOTE The vShield Quick Start Guide details installation of vShield components.
Uninstall a vShield App or vShield Zones
Uninstalling a vShield App or vShield Zones removes the agent from the network.
CAUTION Uninstalling a vShield App or vShield Zones places the ESX host in maintenance mode. After
uninstallation is complete, the ESX host reboots. If any of the virtual machines that are running on the target
ESX host cannot be migrated to another ESX host, these virtual machines must be powered off or migrated
manually before the uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield
Manager must be migrated prior to uninstalling the vShield App or vShield Zones.
9
To uninstall a vShield App or vShield Zones instance
1 Log in to the vSphere Client.
2 Select the ESX host from the inventory tree.
3Click the vShield tab.
4Click Uninstall for the vShield App or vShield Zones service.
The instance is uninstalled.
VMware, Inc. 43
Page 44
vShield Administration Guide
Uninstall a vShield Edge from a Port Group
You can uninstall a vShield Edge from a port group by using the vSphere Client.
CAUTION If you have enabled Port Group Isolation, you must migrate or power off the virtual machines on
the ESX host from which you want to uninstall a vShield Edge. Uninstalling Port Group Isolation places the
ESX host in maintenance mode. After uninstallation is complete, the ESX host reboots. If any of the virtual
machines that are running on the target ESX host cannot be migrated to another ESX host, these virtual
machines must be powered off or migrated manually before the uninstallation can continue. If the vShield
Manager is on the same ESX host, the vShield Manager must be migrated prior to uninstalling Port Group
Isolation.
If you did not install and enable Port Group Isolation on an ESX host, you do not have to migrate virtual
machines to uninstall a vShield Edge.
To uninstall a vShield Edge
1 Log in to the vSphere Client.
2Go to View > Inventory > Networking.
3Click the Edge tab.
4Click Uninstall.
Uninstall Port Group Isolation from an ESX Host
Uninstalling Port Group Isolation requires multiple steps that must be performed in the following order.
CAUTION Uninstalling Port Group Isolation places the ESX host in maintenance mode. After uninstallation is
complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot
be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the
uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be
migrated prior to uninstalling Port Group Isolation.
To uninstall Port Group Isolation
1 Migrate all vShield Edge instances and their secured port groups off the ESX host from which Port Group
Isoaltion is being uninstalled.
2Go to View > Inventory > Networking.
3 Right-click the vDS from which Port Group Isolation will be uninstalled.
4 Select vShield > Disable Isolation.
5Go to View > Inventory > Hosts and Clusters.
6 Click the ESX host from the vSphere Client inventory panel on which Port Group Isolation is installed.
7Click the vShield tab.
8Click Uninstall for to the vShield Edge Port Group Isolation service.
44 VMware, Inc.
Page 45
Uninstall a vShield Endpoint Module
Before you uninstall the a vShield Endpoint module from the vShield Manager, you must unregister the SVM
from the vShield Endpoint module.
CAUTION Uninstalling vShield Endpoint places the ESX host in maintenance mode. After uninstallation is
complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot
be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the
uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be
migrated prior to uninstalling vShield Endpoint.
Unregister an SVM from a vShield Endpoint Module
You must specify the virtual machine ID of the SVM to unregister the SVM from the vShield Endpoint module.
Example 9-1. Unregistering an SVM
Request:
DELETE <vshieldmanager-uri>/endpointsecurity/svm/<vmId>
Example:
DELETE /api/1.0/endpointsecurity/svm/vm-1234 HTTP/1.1
host: 10.112.199.123:80
Authorization: Basic YWRtaW46ZGVmYXVsdA==
Response:
Chapter 9 Uninstalling vShield Components
HTTP 204 No Content: The Endpoint Security VM is successfully unregistered.
HTTP 401 Unauthorized: The username or password sent in Authorized header is wrong.
HTTP 405 Method Not Allowed: If the vmId is missed in the URI.
HTTP 400 Bad Request: Internal error codes. Please refer the Error Schema for more details.
40002=Acquiring data from VC failed for <>
40007=SVM with moid: <> not registered
40015=vmId is malformatted or of incorrect length : <>
Uninstall the vShield Endpoint Module from the vSphere Client
Uninstalling an vShield Endpoint module puts the ESX host into maintenance mode and reboots it.
CAUTION Migrate your vShield Manager and any other virtual machines to another ESX host to avoid
shutting down these virtual machines during reboot.
To uninstall an vShield Endpoint module from an ESX host
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3Click the vShield tab.
4Click Uninstall for to the vShield Endpoint service.
Uninstallation removes port group epsec-vmk-1 and vSwitch epsec-vswitch-2.
VMware, Inc. 45
Page 46
vShield Administration Guide
46 VMware, Inc.
Page 47
vShield Edge and Port Group Isolation
VMware, Inc. 47
Page 48
vShield Administration Guide
48 VMware, Inc.
Page 49
10
vShield Edge Management
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port
group, vDS port group, or Cisco
(uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud
environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
This chapter includes the following topics:
“View the Status of a vShield Edge” on page 49
“Specify a Remote Syslog Server” on page 50
“Managing the vShield Edge Firewall” on page 50
“Manage NAT Rules” on page 51
“Manage DHCP Service” on page 52
“Manage VPN Service” on page 53
“Manage Load Balancer Service” on page 55
“Start or Stop vShield Edge Services” on page 56
®
Nexus 1000V. The vShield Edge connects isolated, stub networks to shared
10
“Upgrade vShield Edge Software” on page 56
View the Status of a vShield Edge
The Status option presents the network configuration and status of services of a vShield Edge module. Details
include interface addressing and network ID. You can use the network ID to send REST API commands to a
vShield Edge module.
To view the status of a vShield App
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the Edge tab.
4Click the Status link.
VMware, Inc. 49
Page 50
vShield Administration Guide
Specify a Remote Syslog Server
You can send vShield Edge events, such as violated firewall rules, to a syslog server.
To specify a remote syslog server
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the Status link.
5 Under Remote Syslog Servers, place the cursor in the top text box and type the IP address of a remote
syslog server.
6Click Commit to save the configuration.
Managing the vShield Edge Firewall
The vShield Edge provides firewall protection for incoming and outgoing sessions. The default firewall policy
allows all traffic to pass. In addition to the default firewall policy, you can configure a set of rules to allow or
deny traffic sessions to and from specific sources and destinations. You manage the default firewall policy and
firewall rule set separately for each vShield Edge agent.
You can change the Default Policy from Allow to Deny on a vShield Edge to deny any sessions that do not
match any of the current firewall rules.
Create a vShield Edge Firewall Rule
vShield Edge firewall rules police traffic based on the following criteria:
Criteria Description
Source IP IP address from which the communication originated.
Source Port Port or range of ports from which the communication originated. To enter a port
range, separate the low and high end of the range with a colon. For example,
1000:1100.
Destination IP IP address which the communication is targeting.
Destination Port Port or range of ports which the communication is targeting. To enter a port range,
separate the low and high end of the range with a colon. For example, 1000:1100.
Protocol Transport protocol used for communication.
Direction Direction of transmission. Options are IN, OUT, or BOTH.
Action Action to enforce on transmission. Options are ALLOW or DENY. The default action
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which
require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for
a transmission, the transmission is blocked.
on all traffic is ALLOW.
To create a vShield Edge firewall rule
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the Firewall link.
50 VMware, Inc.
Page 51
Chapter 10 vShield Edge Management
5Click Add.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
You must type IP addresses in the Source and Destination fields.
7(Optional) Click Log to send log events to a specified syslog server when the firewall rule is violated.
8 (Optional) Select the new row and click Move Up to move the rule up in priority.
9Click Commit to save the rule.
Validate Active Sessions Against Current vShield Edge Firewall Rules
By default, a vShield Edge matches firewall rules against each new session. After a session has been
established, any firewall rule changes do not affect active sessions.
The CLI command validate sessions enables you to validate active sessions against the current vShield
Edge firewall rule set to purge any sessions that are in violation of the current rule set. After a firewall rule set
update, you should validate active sessions to purge any existing sessions that are in violation of the updated
policy.
After a vShield Edge firewall update is complete, issue the validate sessions command from the CLI of a
vShield Edge instance to purge sessions that are in violation of current policy.
To validate active sessions against the current firewall rules
1 Update and commit the vShield Edge firewall rule set.
2 Open a console session on a vShield Edge instance to issue the validate sessions command.
vShieldEdge> validate sessions
Manage NAT Rules
The vShield Edge provides network address translation (NAT) service to protect the IP addresses of internal,
private networks from the public network. You must configure NAT rules to provide access to services
running on privately addressed virtual machines.
The NAT service configuration is separated into SNAT and DNAT rules. An S N AT rule translates a private
internal IP address into a public IP address for outbound traffic. A DNAT rule maps a public IP address to a
private internal IP address.
To configure an SNAT rule for a vShield Edge
1 In to the vSphere Client, go to Inventory > Networking.
2 Select an Internal port group where a vShield Edge has been installed.
3Click the vShield Edge tab.
4Click the NAT link.
5 Under Direction OUT (SNAT), click Add.
A new row appears in the table.
6 Double-click each cell in the row to enter the appropriate information.
7Click Commit to save the rule.
VMware, Inc. 51
Page 52
vShield Administration Guide
To configure a DNAT rule for a vShield Edge
1 In to the vSphere Client, go to Inventory > Networking.
2 Select an Internal port group where a vShield Edge has been installed.
3Click the vShield Edge tab.
4Click the NAT link.
5 Under Direction In (DNAT), click Add.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
7Click Commit to save the rule.
Manage DHCP Service
vShield Edge supports IP address pooling and one-to-one static IP address allocation. Static IP address
binding is based on the vCenter managed object ID and interface ID of the requesting client.
vShield Edge DHCP service adheres to the following rules:
Listens on the vShield Edge internal interface for DHCP discovery.
Uses the IP address of the internal interface on the vShield Edge as the default gateway address for all
clients, and the broadcast and subnet mask values of the internal interface for the container network.
To add a DHCP IP pool
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the DHCP link.
5Under IP Pools, click Add Pool.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP
address of a DNS server for hostname-to-IP address resolution.
7Click Commit to save the rule.
8 If DHCP service has not been enabled, enable DHCP service.
See “Start or Stop vShield Edge Services” on page 56.
To add a DHCP static binding
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the DHCP link.
52 VMware, Inc.
Page 53
5 Under Static Bindings, click Add Bindings.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP
address of a DNS server for hostname-to-IP address resolution.
7Click Commit to save the rule.
8 If DHCP service has not been enabled, enable DHCP service.
See “Start or Stop vShield Edge Services” on page 56.
Manage VPN Service
vShield Edge modules support site-to-site IPSec VPN between a vShield Edge and remote sites.
Figure 10-1. vShield Edge Providing VPN Access from a Remote Site to a Secured Port Group
Chapter 10 vShield Edge Management
At this time, vShield Edge supports pre-shared key mode, IP unicast traffic, and no dynamic routing protocol
between the vShield Edge and remote VPN routers. Behind each remote VPN router, you can configure
multiple subnets to connect to the internal network behind a vShield Edge through IPSec tunnels. These
subnets and the internal network behind a vShield Edge must have non-overlapping address ranges.
You can deploy a vShield Edge agent behind a NAT device. In this deployment, the NAT device translates the
VPN address of a vShield Edge into a publicly accessible address facing the Internet. Remote VPN routers use
this public address to access the vShield Edge.
Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native
address and the NAT public address to set up the tunnel.
On both ends, static one-to-one NAT is required for the VPN address.
VMware, Inc. 53
Page 54
vShield Administration Guide
To configure VPN on a vShield Edge
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the VPN link.
5Type an External IP Address for the VPN service on the vShield Edge.
6Type the NATed Public IP that represents the External IP Address to the external network.
7 Select the Log check box to log VPN activity.
8Click Apply.
Next, identify a peer site.
To identify a VPN peer site
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the VPN link.
5 Under Peer Site Configuration, click Create Site.
6 Type a name to identify the site in Site Name.
7 Type the IP address of the site in Remote EndPoint.
8Type the Shared Secret.
9Type an MTU threshold.
10 Click Add.
Next, add a tunnel to connect to the site.
To identify a VPN peer site
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the VPN link.
5 Under Peer Site Configuration, select the appropriate peer from the Select or create a site drop-down list.
6Click Add Tunnel.
7 Double-click the Tunnel Name cell and type a name to identify the tunnel.
8 Double-click the Remote Site Subnet cell and enter the IP address in CIDR format (A.B.C.D/M).
9 Double-click the Encryption cell and select the appropriate encryption type.
10 Click Commit.
11 Enable VPN service. See “Start or Stop vShield Edge Services” on page 56.
54 VMware, Inc.
Page 55
Manage Load Balancer Service
The vShield Edge provides load balancing for HTTP traffic. Load balancing (up to Layer 7) enables Web
application auto-scaling.
Figure 10-2. vShield Edge Providing Load Balancing Service for Protected Virtual Machines
Chapter 10 vShield Edge Management
You map an external (or public) IP address to a set of internal servers for load balancing. The load balancer
accepts HTTP requests on the external IP address and decides which internal server to use. Port 80 is the
default listening port for load balancer service.
To configure load balancer service
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the Load Balancer link.
5Click Add Rule above the External IP Addresses table.
A new row appears in the table.
6 Double-click the External IP Addresses column cell to enter the external IP address.
7 Double-click the Algorithm column cell to select the routing algorithm.
8 (Optional) Select the Logging check box to send a syslog event for each request to the external IP address.
9Press ENTER.
10 Click Add Rule above the Load Balanced Servers IP Addresses table.
11 Double-click the cell to enter the IP address of the first web server.
12 Press ENTER.
13 Click Add Rule above the Load Balanced Servers IP Addresses table.
14 Double-click the new cell to enter the IP address of the second web server.
VMware, Inc. 55
Page 56
vShield Administration Guide
15 Press ENTER.
You can add additional web servers in the same manner.
16 Click Commit.
17 If load balancer service has not been enabled, enable the service.
See “Start or Stop vShield Edge Services” on page 56.
Start or Stop vShield Edge Services
You can start and stop the VPN, DHCP, and load balancing services of a vShield Edge from the vSphere Client.
By default, all services are stopped, or in Not Configured state.
N
OTE You should configure a service before starting it.
To manage services on a vShield Edge
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the Status link.
5 Under Edge Services, select a service and click Start to start the service.
Select a service and click Stop to stop a running service.
6 If a service has been started but is not responding, click Refresh Status to send a synchronization request
from the vShield Manager. to the vShield Edge.
Upgrade vShield Edge Software
You upgrade the vShield Edge software on a per vShield Edge basis. vShield Edge upgrades must be
performed separately from vShield Manager-based upgrades.
To upgrade vShield Edge software
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3Click the vShield Edge tab.
4Click the Status link.
5 To the right of the Configuration heading, determine if there is a new version to the right of the Upgrade
to link.
6Click Upgrade to to locate and install the upgrade file.
56 VMware, Inc.
Page 57
vShield App and vShield Endpoint
VMware, Inc. 57
Page 58
vShield Administration Guide
58 VMware, Inc.
Page 59
11
vShield App Management
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of
network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual
machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates
with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS,
vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual
network adapter. The firewall filter operates transparently and does not require network changes or
modification of IP addresses to create security zones. You can write access rules by using vCenter containers,
like datacenters, cluster, resource pools and vApps, or network objects, like Port Groups and VLANs, to
reduce the number of firewall rules and make the rules easier to track.
You can monitor the health of vShield App instances by using the vShield Manager user interface and by
sending vShield App system events to a syslog server.
This chapter includes the following topics:
“Send vShield App System Events to a Syslog Server” on page 59
“Back Up the Running CLI Configuration of a vShield App” on page 60
11
“View the Current System Status of a vShield App” on page 60
Send vShield App System Events to a Syslog Server
You can send vShield App system events to a syslog server.
To send vShield App system events to a syslog server
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3Click the Configuration tab.
4Click Syslog Servers.
5 Type the IP address of the syslog server.
6From the Log Level drop-down menu, select the event level at and above which to send vShield App
events to the syslog server.
For example, if you select Emergency, then only emergency-level events are sent to the syslog server. If
you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.
7Click Add to save new settings. You send vShield App events to up to five syslog instances.
VMware, Inc. 59
Page 60
vShield Administration Guide
Back Up the Running CLI Configuration of a vShield App
The CLI Configuration option displays the running configuration of the vShield App. You can back up the
running configuration to the vShield Manager to preserve the configuration.
To back up the running CLI configuration of a vShield App
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3Click the Configuration tab.
4Click CLI Configuration.
5Click Backup Configuration.
The configuration is populated in the Backup Configuration field. You can cut and paste this text into the
vShield App CLI at the Configuration mode prompt.
View the Current System Status of a vShield App
The System Status option lets you view and influence the health of a vShield App. Details include system
statistics, status of interfaces, software version, and environmental variables.
To view the health of a vShield App
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3Click the Configuration tab.
4Click System Status.
From the System Status screen, you can perform the following actions:
“Force a vShield App to Synchronize with the vShield Manager” on page 60
“Restart a vShield App” on page 61
“View Traffic Statistics by vShield App Interface” on page 61
Force a vShield App to Synchronize with the vShield Manager
The Force Sync option forces a vShield App to re-synchronize with the vShield Manager. This might be
necessary after a software upgrade.
To force a vShield App to re-synchronize with the vShield Manager
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3Click the Configuration tab.
4Click System Status.
5Click Force Sync.
60 VMware, Inc.
Page 61
Restart a vShield App
You can restart a vShield App to troubleshoot an operational issue.
To restart a vShield App
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3Click the Configuration tab.
4Click System Status.
5Click Restart.
6Click OK in the pop-up window to confirm reboot.
View Traffic Statistics by vShield App Interface
You can view the traffic statistics for each vShield interface.
To view traffic statistics by vShield port
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
Chapter 11 vShield App Management
3Click the Configuration tab.
4Click System Status.
5 Click an interface under the Port column to view traffic statistics.
For example, to view the traffic statistics for the vShield App management interface, click mgmt.
VMware, Inc. 61
Page 62
vShield Administration Guide
62 VMware, Inc.
Page 63
12
Flow Monitoring
Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network
that passed through a vShield App. The Flow Monitoring output defines which machines are exchanging data
and over which application. This data includes the number of sessions, packets, and bytes transmitted per
session. Session details include sources, destinations, direction of sessions, applications, and ports being used.
Session details can be used to create App Firewall allow or deny rules.
You can use Flow Monitoring as a forensic tool to detect rogue services and examine outbound sessions.
This chapter includes the following topics:
“Using Flow Monitoring” on page 63
“View a Specific Application in the Flow Monitoring Charts” on page 64
“Change the Date Range of the Flow Monitoring Charts” on page 64
“View the Flow Monitoring Report” on page 64
“Add an App Firewall Rule from the Flow Monitoring Report” on page 65
“Editing Port Mappings” on page 66
Using Flow Monitoring
12
The Flow Monitoring tab displays throughput statistics as returned by a vShield App. Flow Monitoring
displays traffic statistics in three charts:
Sessions/hr: Total number of sessions per hour
Server KBytes/hr: Number of outgoing kilobytes per hour
Client/hr: Number of incoming kilobytes per hour
Flow Monitoring organizes statistics by the application protocols used in client-server communications, with
each color in a chart representing a different application protocol. This charting method enables you to track
your server resources per application.
Traffic statistics display all inspected sessions within the time span specified. The last seven days of data are
displayed by default.
VMware, Inc. 63
Page 64
vShield Administration Guide
View a Specific Application in the Flow Monitoring Charts
You can select a specific application to view in the charts by clicking the Application drop-down menu.
To view the data for a specific application in the Flow Monitoring charts
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the resource tree.
3Click the vShield App tab.
4Click Flow Monitoring.
5From the Application drop-down menu, select the application to view.
The Flow Monitoring charts are refreshed to show data corresponding to the selected application.
Change the Date Range of the Flow Monitoring Charts
You can change the date range of the Flow Monitoring charts for an historical view of traffic data.
To change the date range of the Flow Monitoring chart
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the resource tree.
3Click the vShield App tab.
4Click Flow Monitoring.
The charts are updated to display the most current information for the last seven days. This might take
several seconds.
5In the Start Date field, type a new date.
This date represents the date furthest in the past on which to start the query.
6 Type a new date in the End Date field.
This represents the most recent date on which to stop the query.
7Click Update Chart.
View the Flow Monitoring Report
The Flow Monitoring report presents the traffic statistics in tabular format. The report supports drilling down
into traffic statistics based on the following hierarchy:
1 Select the firewall action: Allowed or Blocked.
2 Select an L4 or L2/L3 protocol.
L4: TCP or UDP
L2/L3: ICMP, Other-IPv4, or ARP
3 If an L2/L3 protocol was selected, select an L2/L3 protocol or message type.
4 Select the traffic direction: Incoming, Outgoing, or Intra (between virtual machines).
5 Select the port type: Categorized (standardized ports) or Uncategorized (non-standardized ports).
6 Select an application protocol or port.
64 VMware, Inc.
Page 65
Chapter 12 Flow Monitoring
7 Select a destination IP address.
8 Select a source IP address.
At the source IP address level, you can create an App Firewall rule based on the specific source and
destination IP addresses.
To view the Flow Monitoring report
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the resource tree.
3Click the vShield App tab.
4Click Flow Monitoring.
The charts update to display the most current information for the last seven days. This might take several
seconds.
5Click Show Report.
6 Drill down into the report.
7Click Show Latest to update the report statistics.
Add an App Firewall Rule from the Flow Monitoring Report
By drilling down into the traffic data, you can evaluate the use of your resources and send session information
to App Firewall to create a new Layer 4 allow or deny rule. App Firewall rule creation from Flow Monitoring
data is available at the datacenter and cluster levels only.
To add an App Firewall rule from the Flow Monitoring report
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3Click the vShield App tab.
4Click Flow Monitoring.
The charts update to display the most current information for the last seven days. This might take several
seconds.
5Click Show Report.
6Expand the firewall action list.
7 Expand the Layer 4 protocol list.
8 Expand the traffic direction list.
9 Expand the port type list.
10 Expand the application or port list.
11 Expand the destination IP address list.
12 Review the source IP addresses.
13 Select the Zones Firewall column radio button for a source IP address to create an App Firewall rule.
A pop-up window opens. Click Ok to proceed.
The App Firewall table appears. A new table row is displayed at the bottom of the Data Center Low
Precedence Rules or Cluster Level Rules section with the session information completed.
VMware, Inc. 65
Page 66
vShield Administration Guide
14 (Optional) Double-click the Action column cell to change the value to Allow or Deny.
15 (Optional) With the new row selected, click Up to move the rule up in priority.
16 (Optional) Select the Log check box to log all sessions matching this rule.
17 Click Commit to save the rule.
Delete All Recorded Flows
At the datacenter level, you can delete the data for all recorded traffic sessions within the datacenter. This
clears the data from charts, the re por t, an d th e da tab ase . Typi cal ly, thi s is onl y us ed w hen mov ing your vSh iel d
Zones deployment from a lab environment to a production environment. If you must maintain a history of
traffic sessions, do not use this feature.
To delete traffic statistics for a datacenter
1 Select a datacenter resource from the inventory panel.
2Click the Flow Monitoring tab.
3Click Delete All Flows.
4Click Ok in the pop-up window to confirm deletion.
CAUTION You cannot recover traffic data after you click Delete All Flows.
Editing Port Mappings
When you click Edit Port Mappings, a table appears, listing well-known applications and protocols, their
respective ports, and a description. vShield recognizes common protocol and port mappings, such as HTTP
over port 80. Your organization might employ an application or protocol that uses a non-standard port. In this
case, you can use Edit Port Mappings to identify a custom protocol-port pair. Your custom mapping appears
in the Flow Monitoring report output.
The Edit Port Mappings table offers complete management capabilities, and provides a model for you to
follow. You cannot edit or delete the default entries.
Add an Application-Port Pair Mapping
You can add a custom application-port mapping to the port mappings table.
To add an application port-pair mapping
1Go to Inventory > Networking in the vSphere Client.
2 Select a port group from the inventory panel.
3Click the Flow Monitoring tab.
4Click Edit Port Mappings.
5 Click a row in the table.
6Click Add.
A new row is inserted above the selected row.
7 Double-click the Application cell and type the application name.
8 Double-click the Port Number cell and type the port number.
9 Double-click the Protocol cell to select the transport protocol.
66 VMware, Inc.
Page 67
Chapter 12 Flow Monitoring
10 Double-click the Resource cell to select the container in which to enforce the new mapping.
The ANY value adds the port mapping to all containers.
11 Double-click the Description cell and type a brief description.
12 Click Hide Port Mappings.
Delete an Application-Port Pair Mapping
You can delete any application-port pair mapping from the table. When you delete a mapping, any traffic to
the application-port pair is listed as Uncategorized in the Flow Monitoring statistics.
To delete an application-port pair mapping
1Go to Inventory > Networking in the vSphere Client.
2 Select a port group from the inventory panel.
3Click the Flow Monitoring tab.
4Click Edit Port Mappings.
5 Click a row in the table.
6Click Delete to delete it from the table.
Hide the Port Mappings Table
When you click Edit Port Mappings, the label changes from Edit Port Mappings to Hide Port Mappings. Click
Hide Port Mappings.
VMware, Inc. 67
Page 68
vShield Administration Guide
68 VMware, Inc.
Page 69
13
App Firewall Management
vShield App provides firewall protection through access policy enforcement. The App Firewall tab represents
the vShield App firewall access control list.
NOTE App Firewall rules apply to vShield App instances, but not vShield Edge or vShield Endpoint instances.
The Zones Firewall tab becomes the App Firewall tab when the vShield App license is activated.
This chapter includes the following topics:
“Using App Firewall” on page 69
“Create an App Firewall Rule” on page 71
“Create a Layer 2/Layer 3 App Firewall Rule” on page 73
“Creating and Protecting Security Groups” on page 73
“Validating Active Sessions against the Current App Firewall Rules” on page 74
“Revert to a Previous App Firewall Configuration” on page 75
“Delete an App Firewall Rule” on page 75
“Using SpoofGuard” on page 75
13
Using App Firewall
The App Firewall service is a centralized, hierarchical firewall for ESX hosts. App Firewall enables you to
create rules that allow or deny access to and from your virtual machines. Each installed vShield App enforces
the App Firewall rules.
You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set
of rules across multiple vShield App instances under these containers. As membership in these containers can
change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration
of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the
managed containers.
Securing Containers and Designing Security Groups
When creating App Firewall rules, you can create rules based on traffic to or from a specific container that
encompasses all of the resources within that container. For example, you can create a rule to deny any traffic
from inside of a cluster that targets a specific destination outside of the cluster. You can create a rule to deny
any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or
destination, all IP addresses within that container are included in the rule.
VMware, Inc. 69
Page 70
vShield Administration Guide
A security group is a trust zone that you create and assign resources to for App Firewall protection. Security
groups are containers, like a vApp or a cluster. Security groups enables you to create a container by assigning
resources arbitrarily, such as virtual machines and network adapters. After the security group is defined, you
add the group as a container in the source or destination field of an App Firewall rule. See “Creating and
Protecting Security Groups” on page 73.
Default Rules
By default, the App Firewall enforces a set of rules allowing traffic to pass through all vShield App instances.
These rules appear in the Default Rules section of the App Firewall table. The default rules cannot be deleted
or added to. However, you can change the Action element of each rule from Allow to Deny.
Layer 4 Rules and Layer 2/Layer 3 Rules
The App Firewall tab offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules.
Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model.
Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules
monitor traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3
rules at the datacenter level only. By default, all Layer4 and Layer 2/Layer 3 traffic is allowed to pass.
Hierarchy of App Firewall Rules
Each vShield App enforces App Firewall rules in top-to-bottom ordering. A vShield App checks each traffic
session against the top rule in the App Firewall table before moving down the subsequent rules in the table.
The first rule in the table that matches the traffic parameters is enforced.
The rules are enforced in the following hierarchy:
1 Data Center High Precedence Rules
2 Cluster Level Rules
3 Data Center Low Precedence Rules (seen as Rules below this level have lower precedence than cluster
level rules when a datacenter resource is selected)
4 Secure Port Group Rules
5 Default Rules
App Firewall offers container-level and custom priority precedence configurations:
Container-level precedence refers to recognizing the datacenter level as being higher in priority than the
cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and
vShield agents therein. A cluster-level rule is only applied to the vShield App within the cluster.
Custom priority precedence refers to the option of assigning high or low precedence to rules at the
datacenter level. High precedence rules work as noted in the container-level precedence description. Low
precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules.
This flexibility allows you to recognize multiple layers of applied precedence.
At the cluster level, you configure rules that apply to all vShield App instances within the cluster. Because
Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level Rules are
not in conflict with Data Center High Precedence Rules.
Planning App Firewall Rule Enforcement
Using App Firewall, you can configure allow and deny rules based on your network policy. The following
examples represent two common firewall policies:
Allow all traffic by default. You keep the default allow all rules and add deny rules based on Flow
Monitoring data or manual App Firewall rule configuration. In this scenario, if a session does not match
any of the deny rules, the vShield App allows the traffic to pass.
70 VMware, Inc.
Page 71
Deny all traffic by default.You can change the Action status of the default rules from Allow to Deny, and
add allow rules explicitly for specific systems and applications. In this scenario, if a session does not
match any of the allow rules, the vShield App drops the session before it reaches its destination. If you
change all of the default rules to deny any traffic, the vShield App drops all incoming and outgoing traffic.
Create an App Firewall Rule
App Firewall rules allow or deny traffic based on the following criteria:
Criteria Description
Source (A.B.C.D/nn) Container, direction in relation to container, or IP address with netmask (nn) from
which the communication originated.
Source Port Port or range of ports from which the communication originated. To enter a port
range, separate the low and high end of the range with a colon. For example,
1000:1100.
Destination (A.B.C.D/nn) Container, direction in relation to container, or IP address with netmask (nn) which
the communication is targeting.
Destination Application The application on the destination the source is targeting. If you select a protocol
from the drop-down list, the well-known port for the selected protocol appears in
the Destination Port field.
Destination Port Port or range of ports which the communication is targeting. To enter a port range,
separate the low and high end of the range with a colon. For example, 1000:1100.
Protocol Transport protocol used for communication.
Chapter 13 App Firewall Management
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which
require multiple ports to complete a transmission.
To create a firewall rule at the datacenter level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3Click the vShield App tab.
4Click App Firewall.
By default, the L4 Rules option is selected.
To create L2/L3 rules, see “Create a Layer 2/Layer 3 App Firewall Rule” on page 73.
5 Do one of the following:
Click Add to add a new rule to the Data Center Low Precedence Rules (Rules below this level have
lower precedence...).
Select a row in the Data Center High Precedence Rules section of the table and click Add. A new
appears below the selected row.
6 Double-click each cell in the new row to select the appropriate information.
You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and
Destination Port fields.
7 (Optional) Select the new row and click Up to move the rule up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit to save the rule.
NOTE Layer 4 firewall rules can also be created from the Flow Monitoring report. See “Add an App Firewall
Rule from the Flow Monitoring Report” on page 65.
VMware, Inc. 71
Page 72
vShield Administration Guide
To create a firewall rule at the cluster level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a cluster resource from the resource tree.
3Click the vShield App tab.
4Click App Firewall.
By default, the L4 Rules option is selected.
To create L2/L3 rules, see “Create a Layer 2/Layer 3 App Firewall Rule” on page 73.
5Click Add.
A new row appears in the Cluster Level Rules section of the table.
6 Double-click each cell in the new row to select the appropriate information.
You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and
Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit to save the rule.
NOTE Layer 4 firewall rules can also be created from the Flow Monitoring report. See “Add an App Firewall
Rule from the Flow Monitoring Report” on page 65.
To create a firewall rule at the port group level
1 In the vSphere Client, go to Inventory > Networking.
2 Select a port group from the resource tree.
3Click the vShield App tab.
4Click App Firewall.
5Click Add.
A new row is added at the bottom of the Secure Port Group Rules section.
6 Double-click each cell in the new row to select the appropriate information.
You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and
Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit to save the rule.
OTE Layer 4 firewall rules can also be created from the Flow Monitoring report. See “Add an App Firewall
N
Rule from the Flow Monitoring Report” on page 65.
72 VMware, Inc.
Page 73
Create a Layer 2/Layer 3 App Firewall Rule
The Layer 2/Layer 3 firewall enables configuration of allow or deny rules for common Data Link Layer and
Network Layer requests, such as ICMP pings and traceroutes. You can change the default Layer 2/Layer 3 rules
from allow to deny based on your network security policy.
Layer 2/Layer 3 firewall rules allow or deny traffic based on the following criteria:
Criteria Description
Source (A.B.C.D/nn) Container, direction in relation to container, or IP address with netmask (nn) from
which the communication originated
Destination (A.B.C.D/nn) Container, direction in relation to container, or IP address with netmask (nn) which
the communication is targeting
Protocol Transport protocol used for communication
To create a Layer 2/Layer 3 firewall rule
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3Click the vShield App tab.
4Click App Firewall.
Chapter 13 App Firewall Management
5Click L2/L3 Rules.
6Click Add.
A new row is added at the bottom of the DataCenter Rules section of the table.
7 Double-click each cell in the new row to type or select the appropriate information.
You can type IP addresses in the Source and Destination fields
8 (Optional) Select the Log check box to log all sessions matching this rule.
9Click Commit.
NOTE Layer 2/Layer 3 firewall rules can also be created from the Flow Monitoring report. See “Add an App
Firewall Rule from the Flow Monitoring Report” on page 65.
Creating and Protecting Security Groups
The Security Groups feature enables you to create custom containers to which you can assign resources, such
as virtual machines and network adapters, for App Firewall protection. After a security group is defined, you
add the security group to a firewall rule for protection.
Add a Security Group
In the vSphere Client, you can add a security group at the datacenter resource level.
To add a security group by using the vSphere Client
1 Click a datacenter resource from the vSphere Client.
2Click the vShield App tab.
3Click Security Groups.
4Click Add Group.
VMware, Inc. 73
Page 74
vShield Administration Guide
5 Double-click the row and type a name for the group.
6Click Add.
After security group creation is complete, assign resources to the group.
Assign Resources to a Security Group
You can assign virtual machines and network adapters to a security group. These resources have associated IP
addresses that define the source or destination parameters for which an App Firewall rule enforces an access
policy.
To assign resources to a security group
1 Click a datacenter resource from the vSphere Client.
2Click the vShield App tab.
3Click Security Groups.
4 Click the arrow next to the name of a security group to expand the details of the group.
5 Select a vNIC from the drop-down list and click Add.
The selected vNIC appears under vNIC Membership.
Repeat these steps for each vNIC you want to place in this security group.
6Click Commit.
After assigning resources, add the security group to a firewall rule as a container. See “Create an App
Firewall Rule” on page 71.
Validating Active Sessions against the Current App Firewall Rules
By default, a vShield Edge matches firewall rules against each new session. After a session has been
established, any firewall rule changes do not affect active sessions.
The CLI command validate sessions enables you to validate active sessions that are in violation of the
current rule set. You would use this procedure for the following scenarios:
You updated the firewall rule set. After a firewall rule set update, you should validate active sessions to
purge any existing sessions that are in violation of the updated policy.
You vie wed ses sio ns i n Fl ow M oni tor ing and d ete rmi ned tha t an exi sti ng o r hi sto ric al f low req uir es a new
access rule. After creating a firewall rule that matches the offending session, you should validate active
sessions to purge any existing sessions that are in violation of the updated policy.
After the App Firewall update is complete, issue the validate sessions command from the CLI of a vShield
App to purge sessions that are in violation of current policy.
To validate active sessions against the current firewall rules
1 Update and commit the App Firewall rule set at the appropriate container level.
2 Open a console session on a vShield App issue the validate sessions command.
vShieldApp> enable
Password:
vShieldApp# validate sessions
74 VMware, Inc.
Page 75
Revert to a Previous App Firewall Configuration
The vShield Manager saves a snapshot of App Firewall settings each time you commit a new rule. Clicking
Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the
new rule. These snapshots are available from the Revert to Snapshot drop-down list.
To revert to a previous App Firewall configuration
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the inventory panel.
3Click the vShield App tab.
4Click App Firewall.
5From the Revert to Snapshot drop-down list, select a snapshot.
Snapshots are presented in the order of timestamps, with the most recent snapshot listed at the top.
6 View snapshot configuration details.
7 Do one of the following:
To return to the current configuration, select the - option from the Revert to Snapshot drop-down list.
Click Commit to overwrite the current configuration with the snapshot configuration.
Chapter 13 App Firewall Management
Delete an App Firewall Rule
You can delete any App Firewall rule you have created. You cannot delete the any rules in the Default Rules
section of the table.
To delete an App Firewall rule
1 Click an existing row in the App Firewall table.
2Click Delete.
3Click Commit.
Using SpoofGuard
After synchronizing with the vCenter Server, the vShield Manager collects the IP addresses of all vCenter
guest virtual machines from VMware Tools on each virtual machine. Up to vShield 4.1, vShield trusted the IP
address provided by VMware Tools on a virtual machine. However, if a virtual machine has been
compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies.
SpoofGuard allows you to authorize the IP addresses reported by VMware Tools, and alter them if necessary
to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the
VMX files and vSphere SDK. Operating separately from the App Firewall rules, you can use SpoofGuard to
block traffic determined to be spoofed.
When enabled, you can use SpoofGuard to monitor and manage the IP addresses reported by your virtual
machines in one of the following modes.
Automatically Trust IP Assignments On Their First Use: This mode allows all traffic from your virtual
machines to pass while building a table of MAC-to-IP address assignments. You can review this table at
your convenience and make IP address changes.
Manually Inspect and Approve All IP Assignments Before Use: This mode blocks all traffic until you
approve each MAC-to-IP address assignment.
NOTE SpoofGuard inherently allows DHCP requests regardless of enabled mode. However, if in manual
inspection mode, traffic does not pass until the DHCP-assigned IP address has been approved.
VMware, Inc. 75
Page 76
vShield Administration Guide
SpoofGuard Screen Options
The SpoofGuard screen displays the following options.
Table 13-1. SpoofGuard Screen Options
Option Description
Global Status Status of SpoofGuard as either enabled or disabled
Inactive List of IP addresses where the current IP address does not match the published
Active Since Last Published List of IP addresses that have been validated since the policy was last updated
Unpublished IP assignment changes List of virtual machines for which you have edited the IP address assignment
Require Approval IP address changes that require approval before traffic can flow to or from these
Duplicate IP assignments IP addresses that are duplicates of an existing assigned IP address within the
Enable SpoofGuard
You must enable SpoofGuard per datacenter to manage IP address assignments.
IP address.
but have not yet published
virtual machines
selected datacenter
IMPORTANT You must upgrade all vShield App instances to vShield App 1.0.0 Update 1 or later before you
enable SpoofGuard.
To enable SpoofGuard
1 In the vShield Manager user interface, go to the Hosts and Clusters view.
2 Select a datacenter resource from the resource tree.
3Click the SpoofGuard tab.
4Click Edit to the right side of the Global Status heading.
5For IP Assignment Tracking, click Enabled.
6For Operation Mode, select one of the following:
Automatically Trust IP Assignments on Their First Use: Select this option to trust all IP assignments
upon initial registration with the vShield Manager.
Manually Inspect and Approve All IP Assignments Before Use: Select this option to require manual
approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.
7Click Ok.
Approve IP Addresses
If you set SpoofGuard to require manual approval of all IP address assignments, you must approve IP address
assignments to allow traffic from those virtual machines to pass.
To approve an IP address
1 In the vShield Manager user interface, go to the Hosts and Clusters view.
2 Select a datacenter resource from the resource tree.
3Click the SpoofGuard tab.
4Click the Require Approval or Duplicate IP assignments link.
76 VMware, Inc.
Page 77
Chapter 13 App Firewall Management
5 Do one of the following:
Select the top check box in the left side check box column to select all assignments on the screen.
Select the check box for each assignment you are ready to approve.
6Click Approve Selected.
7Click Publish Changes.
Edit an IP Address
You can edit the IP address assigned to a MAC address to correct the assigned IP address.
N
OTE SpoofGuard accepts a unique IP address from more than virtual machine. However, you can assign an
IP address only once. An approved IP address is unique across the vShield system. Duplicate approved IP
addresses are not allowed.
To edit an IP address
1 In the vShield Manager user interface, go to the Hosts and Clusters view.
2 Select a datacenter resource from the resource tree.
3Click the SpoofGuard tab.
4 Click one of the option links.
5 In the Approved IP column, click Edit.
6 Type an IP address in the Approved IP Address pop-up window.
7Click Apply.
8Click Publish Changes.
Delete an IP Address
You can delete a MAC-to-IP address assignment from the SpoofGuard table to clean the table of a virtual
machine that is no longer active. Any deleted instance can reappear in the SpoofGuard table based on viewed
traffic and the current enabled state of SpoofGuard.
To delete an IP address
1 In the vShield Manager user interface, go to the Hosts and Clusters view.
2 Select a datacenter resource from the resource tree.
3Click the SpoofGuard tab.
4 Click one of the option links.
5 In the Approved IP column, click Delete.
6Click Publish Changes.
VMware, Inc. 77
Page 78
vShield Administration Guide
78 VMware, Inc.
Page 79
14
vShield Endpoint Events and Alarms
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to
scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding
resource bottlenecks while optimizing memory use.
vShield Endpoint health status is conveyed by using alarms that show in red and yellow on the vCenter Server
console. In addition, more status information can be gathered by looking at the event logs.
IMPORTANT Your vCenter Server must be correctly configured for vShield Endpoint security:
Not all guest operating systems are supported by vShield Endpoint. Virtual machines with non-supported
operating systems are not protected by the security solution.
All virtual machines (with supported operating systems) that reside on a vShield Endpoint-protected ESX
host must be protected by a vShield Endpoint module.
Not all ESX hosts in a vCenter Server must be protected by the security solution, but each protected ESX
must have an SVM installed on it.
CAUTION vMotion migration of a protected virtual machine are blocked if the target ESX is not enabled for
vShield Endpoint. Make sure that the resource pool for vMotion of protected virtual machines contains only
security enabled ESX hosts.
14
This chapter includes the following topics:
“View vShield Endpoint Status” on page 79
“A l a r m s ” on page 80
“Events” on page 81
“Audit Messages” on page 84
View vShield Endpoint Status
Monitoring a vShield Endpoint instance involves checking for status coming from the vShield Endpoint
components: the security virtual machine (SVM), the ESX host-resident vShield Endpoint module, and the
protected virtual machine-resident thin agent.
To view vShield Endpoint status
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter, cluster, or ESX host resource from the resource tree.
3Click the vShield App tab (or vShield tab on ESX hosts).
4Click Endpoint Status.
VMware, Inc. 79
Page 80
vShield Administration Guide
Alarms
Alarms signal the vCenter Server administrator about vShield Endpoint events that require attention. Alarms
are automatically cancelled in case the alarm state is no longer present.
vCenter Server alarms can be displayed without a custom vSphere plug-in. See the vCenter Server
Administration Guide on events and alarms.
Upon registering as a vCenter Server extension, the vShield Manager defines the rules that create and remove
alarms, based on events coming from the three vShield Endpoint components: SVM, vShield Endpoint
module, and thin agent. Rules can be customized. For instructions on how to customize rules for alarms, see
the vCenter Server documentation. In some cases, there are multiple possible causes for the alarm. The tables
that follow list the possible causes and the corresponding actions you might want to take for remediation.
vShield Endpoint defines three sets of alarms:
“Host Alarms” on page 80
“SVM Alarms” on page 80
“VM Alarms” on page 81
Host Alarms
Host alarms are generated by events affecting the health status of the vShield Endpoint module.
Table 14-1. Warnings (Marked Yellow)
Possible Cause Action
SVM is registered, but vShield Endpoint
module does not see any virtual machines to
protect. No requests for protection are coming
from any virtual machines. No virtual machines
are currently protected.
Usually a transient state occurring while existing virtual
machines are being moved with vMotion, or are just coming up.
No action required.
The ESX host has no virtual machines yet, or only virtual
machines with non-supported operating systems. No action
required.
Check the vShield Manager console for the status of the virtual
machines that should be protected on that host. If one or more
have an error status, the Endpoint thin agents in those machines
may be malfunctioning.
Table 14-2. Errors (Marked Red)
Possible Cause Action
The SVM version is not compatible with the
vShield Endpoint module version.
Install compatible components. Look in the vShield Endpoint
Installation Guide for compatible versions for vShield Endpoint
module and SVM.
SVM Alarms
SVM alarms are generated by events affecting the health status of the vShield Endpoint module.
Table 14-3. Red SVM Alarms
Problem Action
The vShield Monitor is not receiving status from
the SVM.
The SVM failed to initialize Contact your security provider for help with SVM errors.
Either there are network issues between the vShield Monitor and the
SVM, or the SVM is not operating properly.
80 VMware, Inc.
Page 81
Appendix 14 vShield Endpoint Events and Alarms
VM Alarms
VM alarms are generated by events affecting the health status of the vShield Endpoint module.
Table 14-4. Warnings
Possible Cause Action
The SVM is overloaded. The virtual machines
will not be protected while the alarm persists.
The thin agent in one or more virtual machines is
initialized but not reporting events. Those virtual
machines are not protected while this warning
persists.
Table 14-5. Errors
Possible Cause Action
The thin agent version is not compatible with the
vShield Endpoint module
The thin agent is not reporting vShield Endpoint
events. The virtual machine is not protected.
The virtual machine is still powered on, but the
thin agent is disabled. The virtual machine is not
protected.
Check resources allocation for the SVM and allocate more resources,
if necessary. Check the vCenter Server event log for the ESX the SVM
is attached to. An event code of 1002 can indicate an overloaded
SVM.
This is usually a transient alarm that does not require attention. If it
persists or turns to red, look at the vCenter Server event log for the
protected VM. An event code of 1000 indicates a non-functioning
thin agent.
Install compatible components. Look in the vShield Endpoint
Installation Guide for compatible versions for vShield Endpoint
module and SVM.
The thin agent is malfunctioning, or not initialized. Look at the event
log to see if the thin agent was initialized successfully.
If the error persists, this thin agent is malfunctioning. (A virtual
machine that is shutting down or in the process of a vMotion move
does not generate a red alarm.)
Events
Events are used for logging and auditing conditions inside the vShield Endpoint-based security system.
Events can be displayed without a custom vSphere plug-in. See the vCenter Server Administration Guide on
events and alarms.
Events are the basis for alarms that are generated. Upon registering as a vCenter Server extension, the vShield
Manager defines the rules that create and remove alarms.
Default base arguments for an event are the reported time and the vShield Manager event_id.
Table 14-6 lists vShield Endpoint events reported by the SVM and the vShield Manager (VSM) in order by code
number. The table shows the even code, name, the VC arguments, the event category, and a description. In the
Event Category column, events that generate error alarms are colored red. Events that generate warning
alarms are colored yellow.
Table 14-6. vShield Endpoint Events
Code Name
0001 VSM_FSFD_EVENT_VERSION_MISMATCH timestamp,
0003 VSM_FSFD_EVENT_DISK_FULL timestamp warning The vShield Endpoint Thin Agent
0004 VSM_FSFD_EVENT_TIMEOUT timestamp warning A timeout occurred in the
VC
Arguments
SVM version
of FSFD
protocol,
FSFD version
of FSFD
protocol
Event
Category Description
error vShield Endpoint: The SVM was
contacted by a non-compatible version
of the vShield Endpoint Thin Agent.
encountered a "disk full" error while
attempting to write to the local disk.
communication between the SVM and
the Thin Agent.
VMware, Inc. 81
Page 82
vShield Administration Guide
Table 14-6. vShield Endpoint Events (Continued)
Code Name
0005 VSM_FSFD_EVENT_UNKNOWN_STATE timestamp warning N/A
0006 VSM_FSFD_EVENT_MISSING_TIMER timestamp error Lost communication with Thin Agent.
0007 VSM_FSFD_EVENT_TIMER_RESTORED timestamp,
1000 VSM_VM_EVENT_CONNECTED timestamp info VM has connected with the SVM.
1001 VSM_VM_EVENT_DISCONNECTED timestamp info VM has disconnected from the SVM
1002 VSM_VM_EVENT_UNKNOWN_STATE timestamp warning Thin Agent Health Status Information
N/A VM_POWERED_OFF timestamp info Detected VM power off.
2000 VSM_SVM_EVENT_ENABLED timestamp,
2001 VSM_SVM_EVENT_INIT_FAILURE timestamp error SVM initialization failed.
2003 VSM_SVM_EVENT_FSFD_FLOOD_DETECTED timestamp warning SVM detected high volume of vShield
2005 VSM_SVM_EVENT_DROPPED_EVENTS timestamp warning Health Status information has been
2006 VSM_SVM_EVENT_MISSING_REPORT timestamp error vShield Manager lost communication
2007 VSM_SVM_EVENT_REPORT_RESTORED timestamp info vShield Manager communication with
3000 VSM_HOST_EVENT_VERSION_MISMATCH timestamp,
3002 VSM_HOST_EVENT_UNKNOWN_STATE timestamp warning vShield Endpoint Module Status
3003 VSM_HOST_EVENT_SVM_REGISTERED timestamp info SVM is registered with the vShield
3004 VSM_HOST_EVENT_SVM_UNREGISTERED timestamp info SVM is unregistered with the vShield
3005 VSM_HOST_EVENT_VMS_CONNECTED timestamp,
3006 VSM_HOST_EVENT_VMS_DISCONNECTED timestamp info vShield Endpoint module has
VC
Arguments
FSFD version
of FSFD
protocol
SVM version
of LKM
protocol,
SVM version
of FSFD
protocol, port
SVM is
listening on.
SVM version
of LKM
protocol, Host
version of
LKM protocol
Host version
of vShield
Endpoint
module
protocol
Event
Category Description
info Established communication with Thin
Agent.
has been lost.
info SVM enabled.
Endpoint events.
lost.
with SVM.
SVM have been restored.
error vShield Endpoint: The SVM was
contacted by a non-compatible version
of the vShield Endpoint module.
Information has been lost.
Manager.
Manager.
info vShield Endpoint module has
connected with SVM.
disconnected from the SVM
82 VMware, Inc.
Page 83
Appendix 14 vShield Endpoint Events and Alarms
Possible causes for events are listed in Table 14-7:
Table 14-7. Possible Causes for Events
Code Event Possible Cause
0001 VSM_FSFD_EVENT_VERSION_MISMATCH Compatible versions of the vShield Endpoint modules must be used. Please
refer to the vShield Endpoint Installation guide for a compatibility list.
0003 VSM_FSFD_EVENT_DISK_FULL The vShield Endpoint Thin Agent may need to write to a file on the local
disk for file remediation purposes, as well as for temporary storage. The file
location for the temporary files is: %SYSTEMROOT%\temp\vmware\eps010\
For remediation purposes, the needed storage is comparable to the size of
the file being remediated. It is recommended that local disks are at 95% or
less capacity. Running out of disk space may prevent vShield Endpoint from
functioning properly and from effectively protecting the affected VM.
0004 VSM_FSFD_EVENT_TIMEOUT VM is slow to respond to SVM requests. This may happen when the VM is
temporarily running low on CPU resources.
0005 VSM_FSFD_EVENT_UNKNOWN_STATE N/A
0006 VSM_FSFD_EVENT_MISSING_TIMER Thin agent is not operating properly.
0007 VSM_FSFD_EVENT_TIMER_RESTORED N/A
1000 VSM_VM_EVENT_CONNECTED VM configured for vShield Endpoint protection will generate this event
1001 VSM_VM_EVENT_DISCONNECTED VM configured for vShield Endpoint protection will generate this event
1002 VSM_VM_EVENT_UNKNOWN_STATE Heavy load of event reporting on the SVM, or a communication problem
N/A VM_POWERED_OFF N/A
2000 VSM_SVM_EVENT_ENABLED N/A
2001 VSM_SVM_EVENT_INIT_FAILURE vShield Endpoint SVM component failed to initialize. Please consult partner
2003 VSM_SVM_EVENT_FSFD_FLOOD_DETECTED The SVM is overloaded. The number of events exceeds the maximum
2005 VSM_SVM_EVENT_DROPPED_EVENTS Heavy load of event reporting on the SVM, or communication problem
2006 VSM_SVM_EVENT_MISSING_REPORT 1Check SVM status.
2007 VSM_SVM_EVENT_REPORT_RESTORED N/A
3000 VSM_HOST_EVENT_VERSION_MISMATCH Compatible versions of the vShield Endpoint modules must be used. Please
3002 VSM_HOST_EVENT_UNKNOWN_STATE Heavy load of event reporting on the SVM, or communication problem
3003 VSM_HOST_EVENT_SVM_REGISTERED N/A
3004 VSM_HOST_EVENT_SVM_UNREGISTERED N/A
3005 VSM_HOST_EVENT_VMS_CONNECTED N/A
3006 VSM_HOST_EVENT_VMS_DISCONNECTED N/A
when loaded on the corresponding ESX host, for example, during power-up
or incoming vMotion.
when loaded on the corresponding ESX host, for example, during shutdown
or outgoing vMotion.
between the SVM and the vShield Manager.
SVM installation documentation for causes.
concurrent events threshold.
between the SVM and the vShield Manager.
2 Check network connection between vShield Manager and SVM.
refer to the vShield Endpoint Installation guide for a compatibility list.
between the SVM and the vShield Manager.
VMware, Inc. 83
Page 84
vShield Administration Guide
Audit Messages
Audit messages include fatal errors and other important audit messages and are logged to vmware.log. The
following conditions are logged as AUDIT messages:
Thin agent initialization success (and version number.)
Thin agent initialization failure.
Successfully found SCSI device to communicate with the security virtual machine (SVM).
Failure to create filter device object, or failure to attach to device stack.
Established first time communication with SVM.
Failure to establish communication with SVM (when first such failure occurs).
Generated log messages have the following substrings near the beginning of each log message: vf-AUDIT,
vf-ERROR, vf-WARN, vf-INFO, vf-DEBUG.
84 VMware, Inc.
Page 85
Appendixes
VMware, Inc. 85
Page 86
vShield Administration Guide
86 VMware, Inc.
Page 87
A
Command Line Interface
Each vShield virtual machine contains a command line interface (CLI). This appendix details CLI usage and
commands.
User account management in the CLI is separate from user account management in the vShield Manager user
interface.
This appendix includes the following topics:
“Logging In and Out of the CLI” on page 87
“CLI Command Modes” on page 87
“CLI Syntax” on page 88
“Moving Around in the CLI” on page 88
“Getting Help within the CLI” on page 89
“Securing CLI User Accounts and the Privileged Mode Password” on page 89
“Command Reference” on page 91
Logging In and Out of the CLI
A
Before you can run CLI commands, you must initiate a console session to a vShield virtual machine. To open
a console session within the vSphere Client, select the vShield virtual machine from the inventory panel and
click the Console tab. You can log in to the CLI by using the default user name admin and password default.
You can also use SSH to access the CLI. By default, SSH access is disabled. Use the ssh command to enable
and disable the SSH service on a vShield virtual appliance. See “ssh” on page 100.
To log out, type exit from either Basic or Privileged mode.
CLI Command Modes
The commands available to you at any given time depend on the mode you are currently in.
NOTE vShield Edge virtual machines have Basic mode only.
Basic: Basic mode is a read-only mode. To have access to all commands, you must enter Privileged mode.
Privileged: Privileged mode commands allow support-level options such as debugging and system
diagnostics. Privileged mode configurations are not saved upon reboot. You must run the write memory
command to save Privileged mode configurations.
VMware, Inc. 87
Page 88
vShield Administration Guide
Configuration: Configuration mode commands allow you to change the current configuration of utilities
on a vShield virtual machine. You can access Configuration mode from Privileged mode. From
Configuration mode, you can enter Interface configuration mode.
Interface Configuration: Interface Configuration mode commands allow you to change the configuration
of virtual machine interfaces. For example, you can change the IP address and IP route for the
management port of the vShield Manager.
CLI Syntax
Run commands at the prompt as shown. Do not type the ( ), < >, or [ ] symbols.
command A.B.C.D (option1 | option2) <0-512> [WORD]
Required numerical ranges are enclosed in angle brackets.
Required text is presented in all capital letters.
Multiple, required keywords or options are enclosed in parentheses and separated by a pipe character.
An optional keyword or value is enclosed in square brackets.
Moving Around in the CLI
The following commands move the pointer around on the command line.
Keystrokes Description
CTRL+A Moves the pointer to beginning of the line.
CTRL+B or
the left arrow key
CTRL+C Ends any operation that continues to propagate, such as a ping.
CTRL+D Deletes the character at the pointer.
CTRL+E Moves the pointer to end of the line.
CTRL+F or
the right arrow key
CTRL+K Deletes all characters from the pointer to the end of the line.
CTRL+N or
the down arrow key
CTRL+P or
the up arrow key
CTRL+U Deletes all characters from the pointer to beginning of the line.
CTRL+W Deletes the word to the left of pointer.
ENTER Scrolls down one line.
ESC+B Moves the pointer back one word.
ESC+D Deletes all characters from the pointer to the end of the word.
ESC+F Moves the pointer forward one word.
SPACE Scrolls down one screen.
Moves the pointer back one character.
Moves the pointer forward one character.
Displays more recent commands in the history buffer after recalling commands
with CTRL+P (or the up arrow key). Repeat to recall other recently run
commands.
Recalls commands in the history, starting with the most recent completed
command. Repeat to recall successively older commands.
88 VMware, Inc.
Page 89
Appendix A Command Line Interface
Getting Help within the CLI
The CLI contains the following commands for assisting your use.
Command Description
? Moves the pointer to the beginning of the line.
sho? Displays a list of commands that begin with a particular character string.
exp+TAB Completes a partial command name.
show ? Lists the associated keywords of a command.
show log ? Lists the associated arguments of a keyword.
list Displays the verbose options of all commands for the current mode.
Securing CLI User Accounts and the Privileged Mode Password
You must manage CLI user accounts separately on each vShield virtual machine. By default, you use the
admin user account to log in to the CLI of each vShield virtual machine. The CLI admin account and password
are separate from the vShield Manager user interface admin account and password.
You should create a new CLI user account and remove the admin account to secure access to the CLI on each
vShield virtual machine.
User account management in the CLI conforms to the following rules.
You can create CLI user accounts. Each created user account has administrator-level access to the CLI.
You cannot change the password for any CLI user account on a vShield Manager or vShield App virtual
machine. If you need to change a CLI user account password, you must delete the user account, and then
re-add it with a new password. You can change the password of any non-admin account on the
vShield Edge.
The CLI admin account password and the Privileged mode password are managed separately. The default
Privileged mode password is the same for each CLI user account. You should change the Privileged mode
password to secure access to the CLI configuration options.
IMPORTANT Each vShield virtual machine has two built-in CLI user accounts for system use: nobody and
vs_comm. Do not delete or modify these accounts. If these accounts are deleted or modified, the virtual
machine will not work.
Add a CLI User Account
You can add a user account with a strong password to secure CLI access to each vShield virtual machine. After
adding a user account, you should delete the admin user account.
To add a CLI user account
1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3Click the Console tab to open a CLI session.
4 Log in by using the admin account.
manager login: admin
password:
manager>
5 Switch to Privileged mode.
manager> enable
password:
manager#
VMware, Inc. 89
Page 90
vShield Administration Guide
6 Switch to Configuration mode.
manager# configure terminal
7 Add a user account.
manager(config)# user root password plaintext
abcd1234
8 Save the configuration.
manager(config)# write memory
Building Configuration...
Configuration saved.
[OK]
9Exit the CLI.
manager(config)# exit
manager# exit
Delete the admin User Account from the CLI
After adding a CLI user account, you can delete the admin user account to secure access to the CLI.
IMPORTANT Do not delete the admin user account until you add a user account to replace the admin account.
This prevents you from being locked out of the CLI.
To delete the admin user account
1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3Click the Console tab to open a CLI session.
4 Log in by using a user account other than admin.
5 Switch to Privileged mode.
6 Switch to Configuration mode.
7 Delete the admin user account.
manager(config)# no user admin
8 Save the configuration.
9Run the exit command twice to log out of the CLI.
Change the CLI Privileged Mode Password
You can change the Privileged mode password to secure access to the configuration options of the CLI.
To change the Privileged mode password
1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3Click the Console tab to open a CLI session.
4 Log in to the CLI.
5 Switch to Privileged mode.
6 Switch to Configuration mode.
7 Change the Privileged mode password.
manager(config)# enable password
90 VMware, Inc.
abcd1234
Page 91
8 Save the configuration.
9 Run the exit command twice to log out of the CLI.
10 Log in to the CLI.
11 Switch to Privileged mode by using the new password.
Command Reference
The command reference details each CLI command, including syntax, usage, and related commands.
“Administrative Commands” on page 91
“CLI Mode Commands” on page 92
“Configuration Commands” on page 95
“Debug Commands” on page 102
“Show Commands” on page 107
“Diagnostics and Troubleshooting Commands” on page 123
“User Administration Commands” on page 126
“Terminal Commands” on page 128
Appendix A Command Line Interface
“Deprecated Commands” on page 129
Administrative Commands
list
Lists all in-mode commands.
Syntax
list
CLI Mode
Basic, Privileged, Configuration, Interface Configuration
Example
vShieldMgr> list
enable
exit
list
ping WORD
quit
show interface
show ip route
ssh WORD
telnet WORD
telnet WORD PORT
traceroute WORD
...
reboot
Reboots a vShield virtual machine. You can also reboot a vShield App from the vShield Manager user
interface. See “Restart a vShield App” on page 61.
Syntax
reboot
VMware, Inc. 91
Page 92
vShield Administration Guide
CLI Mode
Privileged
Example
vShield# reboot
Related Commands
shutdown
shutdown
In Privileged mode, the shutdown command powers off the virtual machine. In Interface Configuration mode, the
shutdown command disables the interface.
To enable a disabled interface, use no before the command.
Syntax
[no] shutdown
CLI Mode
Privileged, Interface Configuration
Example
vShield# shutdown
or
vShield(config)# interface mgmt
vShield(config-if)# shutdown
vShield(config-if)# no shutdown
Related Commands
reboot
CLI Mode Commands
configure terminal
Switches to Configuration mode from Privileged mode.
Syntax
configure terminal
CLI Mode
Privileged
Example
vShield# configure terminal
vShield(config)#
Related Commands
interface
disable
Switches to Basic mode from Privileged mode.
Syntax
disable
92 VMware, Inc.
Page 93
CLI Mode
Basic
Example
vShield# disable
vShield>
Related Commands
enable
enable
Switches to Privileged mode from Basic mode.
Syntax
enable
CLI Mode
Basic
Example
vShield> enable
password:
vShield#
Appendix A Command Line Interface
Related Commands
disable
end
Ends the current CLI mode and switches to the previous mode.
Syntax
end
CLI Mode
Basic, Privileged, Configuration, and Interface Configuration
Example
vShield# end
vShield>
Related Commands
exit
quit
exit
Exits from the current mode and switches to the previous mode, or exits the CLI session if run from Privileged
or Basic mode.
Syntax
exit
CLI Mode
Basic, Privileged, Configuration, and Interface Configuration
VMware, Inc. 93
Page 94
vShield Administration Guide
Example
vShield(config-if)# exit
vShield(config)# exit
vShield#
Related Commands
end
quit
interface
Switches to Interface Configuration mode for the specified interface.
To delete the configuration of an interface, use no before the command.
Syntax
[no] interface (mgmt | p0 | u0)
Option Description
mgmt The management port on a vShield virtual machine.
p0 vShield App p0 interface.
u0 vShield App u0 interface.
CLI Mode
Configuration
Example
vShield# configure terminal
vShield(config)# interface mgmt
vShield(config-if)#
or
vShield(config)# no interface mgmt
Related Commands
show interface
quit
Quits Interface Configuration mode and switches to Configuration mode, or quits the CLI session if run from
Privileged or Basic mode.
Syntax
quit
CLI Mode
Basic, Privileged, and Interface Configuration
Example
vShield(config-if)# quit
vShield(config)#
Related Commands
end
exit
94 VMware, Inc.
Page 95
Appendix A Command Line Interface
Configuration Commands
clear vmwall rules
Resets the firewall rule set on a vShield App to the default rule set. This is a temporary condition that can be
used to troubleshoot firewall issues. You can restore the firewall rule set by performing a force sync operation
for the vShield App from the vShield Manager. Fore more information on forcing synchronization, see “Force
a vShield App to Synchronize with the vShield Manager” on page 60.
Syntax
clear vmwall rules
CLI Mode
Privileged
Usage Guidelines
vShield App CLI
Example
manager# clear vmwall rules
Related Commands
show vmwall log
show vmwall rules
cli ssh allow
Enable or disable access to the CLI via SSH session.
Syntax
[no] cli ssh allow
CLI Mode
Configuration
Usage Guidelines
Use this command with the ssh command to allow or disallow CLI access via SSH.
Example
manager(config)# ssh start
manager(config)# cli ssh allow
Related Commands
ssh
copy running-config startup-config
Copies the current system configuration to the startup configuration. You can also copy and save the running
CLI configuration of a vShield App from the vShield Manager user interface. See “Back Up the Running CLI
Configuration of a vShield App” on page 60.
Syntax
copy running-config startup-config
CLI Mode
Privileged
VMware, Inc. 95
Page 96
vShield Administration Guide
Example
manager# copy running-config startup-config
Building Configuration...
Configuration saved.
[OK]
Related Commands
show running-config
show startup-config
database erase
Erases the vShield Manager database, resetting the database to factory defaults. This command clears all
configuration data from the vShield Manager user interface, including vShield App configurations, event data,
and so forth. The vShield Manager CLI configuration is not affected by this command.
Syntax
database erase
CLI Mode
Privileged
Usage Guidelines
vShield Manager CLI
Example
manager# database erase
enable password
Changes the Privileged mode password. You should change the Privileged mode password for each vShield
virtual machine. CLI user passwords and the Privileged mode password are managed separately. The
Privileged mode password is the same for each CLI user account.
Syntax
enable password PASSWORD
Option Description
PASSWORD Password to use. The default password is default.
CLI Mode
Configuration
Example
vShield# configure terminal
vShield(config)# enable password plaintext abcd123
Related Commands
enable
show running-config
96 VMware, Inc.
Page 97
Appendix A Command Line Interface
hostname
Changes the name of the CLI prompt. The default prompt name for the vShield Manager is manager, and
the default prompt name for the vShield App is vShield.
Syntax
hostname WORD
Option Description
WORD Prompt name to use.
CLI Mode
Configuration
Example
vShield(config)# hostname vs123
vs123(config)#
ip address
Assigns an IP address to an interface. On the vShield virtual machines, you can assign an IP addresses to the
mgmt interface only.
To remove an IP address from an interface, use no before the command.
Syntax
[no] ip address A.B.C.D/M
Option Description
A.B.C.D IP address to use.
M Subnet mask to use.
CLI Mode
Interface Configuration
Example
vShield(config)# interface mgmt
vShield(config-if)# ip address 192.168.110.200/24
or
vShield(config)# interface mgmt
vShield(config-if)# no ip address 192.168.110.200/24
Related Commands
show interface
ip name server
Identifies a DNS server to provide address resolution service. You can also identify one or more DNS servers
by using the vShield Manager user interface. See “Identify DNS Services” on page 20.
To remove a DNS server, use no before the command.
VMware, Inc. 97
Page 98
vShield Administration Guide
Syntax
[no] ip name server A.B.C.D
Option Description
A.B.C.D IP address to use.
CLI Mode
Configuration
Example
vShield(config)# ip name server 192.168.1.3
or
vShield(config)# no ip name server 192.168.1.3
ip route
Adds a static route.
To delete an IP route, use no before the command.
Syntax
[no] ip route A.B.C.D/M W.X.Y.Z
Option Description
A.B.C.D IP address to use.
M Subnet mask to use.
W.X.Y.Z IP address of network gateway.
CLI Mode
Configuration
Example
vShield# configure terminal
vShield(config)# ip route 0.0.0.0/0 192.168.1.1
or
vShield(config)# no ip route 0.0.0.0/0 192.168.1.1
Related Commands
show ip route
manager key
Sets a shared key for authenticating communication between a vShield App and the vShield Manager. You can
set a shared key on any vShield App. This key must be entered during vShield App installation. If the shared
key between a vShield App and the vShield Manager is not identical, the service cannot install and is
inoperable.
Syntax
manager key KEY
Option Description
KEY The key that the vShield App and vShield Manager must match.
98 VMware, Inc.
Page 99
Appendix A Command Line Interface
CLI Mode
Privileged
Usage Guidelines
vShield App CLI
Example
vShield# manager key abc123
Related Commands
setup
ntp server
Identifies a Network Time Protocol (NTP) server for time synchronization service. Initial NTP server
synchronization might take up to 15 minutes. From the vShield Manager user interface, you can connect to an
NTP server for time synchronization. See “Set the vShield Manager Date and Time” on page 21.
All vShield App instances use the NTP server configuration of the vShield Manager. You can use this
command to connect a vShield App to an NTP server not used by the vShield Manager.
To remove the NTP server, use no before the command.
Syntax
[no] ntp server (HOSTNAME | A.B.C.D)
Option Description
HOSTNAME Hostname of the NTP server.
A.B.C.D IP address of NTP server.
CLI Mode
Configuration
Usage Guidelines
vShield App CLI
Example
vShield# configure terminal
vShield(config)# ntp server 10.1.1.113
or
vShield# configure terminal
vShield(config)# no ntp server
Related Commands
show ntp
set clock
Sets the date and time. From the vShield Manager user interface, you can connect to an NTP server for time
synchronization. All vShield App instances use the NTP server configuration of the vShield Manager. You
should use this command if you meet one of the following conditions.
You cannot connect to an NTP server.
You frequently power off and power on a vShield App, such as in a lab environment. A vShield App can
become out of sync with the vShield Manager when it is frequently power on and off.
VMware, Inc. 99
Page 100
vShield Administration Guide
Syntax
set clock HH:MM:SS MM DD YYYY
Option Description
HH:MM:SS Hours:minutes:seconds
MM Month
DD Day
YYYY Yea r
CLI Mode
Privileged
Example
vShield(config)# set clock 00:00:00 08 28 2009
Related Commands
ntp server
show clock
show ntp
setup
Opens the CLI initialization wizard for vShield virtual machine installation. You configure multiple settings
by using this command. You run the setup command during vShield Manager installation and manual
installation of vShield App instances. Press ENTER to accept a default value.
Syntax
setup
CLI Mode
Basic
Usage Guidelines
The Manager key option is applicable to vShield App setup only.
Example
manager(config)# setup
Default settings are in square brackets '[]'.
Hostname [manager]:
IP Address (A.B.C.D or A.B.C.D/MASK): 192.168.0.253
Default gateway (A.B.C.D): 192.168.0.1
Old configuration will be lost, and system needs to be rebooted
Do you want to save new configuration (y/[n]): y
Please log out and log back in again.
manager>
ssh
Starts or stops the SSH service on a vShield virtual appliance.
Syntax
ssh (start | stop)
100 VMware, Inc.
Loading...