This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000374-01
vShield Administration Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
vShield Endpoint 13
Migration of vShield Components 13
VMware Tools 13
Ports Required for vShield Communication 13
2 vShield Manager User Interface Basics 15
Logging in to the vShield Manager User Interface 15
Accessing the Online Help 16
vShield Manager User Interface 16
vShield Manager Inventory Panel 16
vShield Manager Configuration Panel 17
3 Management System Settings 19
Identify Your vCenter Server 19
Register the vShield Manager as a vSphere Client Plug-in 20
Identify DNS Services 20
Set the vShield Manager Date and Time 21
Identify a Proxy Server 21
Download a Technical Support Log from a Component 21
Back Up vShield Manager Data 22
View vShield Manager System Status 22
Add an SSL Certificate to Identify the vShield Manager Web Service 22
4 Zones Firewall Management 25
Using Zones Firewall 25
Default Rules 26
Layer 4 Rules and Layer 2/Layer 3 Rules 26
Hierarchy of Zones Firewall Rules 26
Planning Zones Firewall Rule Enforcement 26
Create a Zones Firewall Rule 27
Create a Layer 2/Layer 3 Zones Firewall Rule 28
Validating Active Sessions against the Current Zones Firewall Rules 29
Revert to a Previous Zones Firewall Configuration 29
Delete a Zones Firewall Rule 30
5 User Management 31
Managing User Rights 31
Managing the Default User Account 32
Add a User 32
Assign a Role and Rights to a User 32
Edit a User Account 32
Delete a User Account 33
6 Updating System Software 35
View the Current System Software 35
Upload an Update 35
Review the Update History 36
7 Backing Up vShield Manager Data 37
Back Up Your vShield Manager Data on Demand 37
Schedule a Backup of vShield Manager Data 38
Restore a Backup 38
8 System Events and Audit Logs 39
View the System Event Report 39
System Event Notifications 40
vShield Manager Virtual Appliance Events 40
vShield App Events 40
Syslog Format 40
View the Audit Log 41
9 Uninstalling vShield Components 43
Uninstall a vShield App or vShield Zones 43
Uninstall a vShield Edge from a Port Group 44
Uninstall Port Group Isolation from an ESX Host 44
Uninstall a vShield Endpoint Module 45
Unregister an SVM from a vShield Endpoint Module 45
Uninstall the vShield Endpoint Module from the vSphere Client 45
vShield Edge and Port Group Isolation
10 vShield Edge Management 49
View the Status of a vShield Edge 49
Specify a Remote Syslog Server 50
Managing the vShield Edge Firewall 50
Create a vShield Edge Firewall Rule 50
Validate Active Sessions Against Current vShield Edge Firewall Rules 51
Manage NAT Rules 51
Manage DHCP Service 52
Manage VPN Service 53
Manage Load Balancer Service 55
Start or Stop vShield Edge Services 56
Upgrade vShield Edge Software 56
vShield App and vShield Endpoint
11 vShield App Management 59
Send vShield App System Events to a Syslog Server 59
Back Up the Running CLI Configuration of a vShield App 60
View the Current System Status of a vShield App 60
Force a vShield App to Synchronize with the vShield Manager 60
Restart a vShield App 61
View Traffic Statistics by vShield App Interface 61
12 Flow Monitoring 63
Using Flow Monitoring 63
View a Specific Application in the Flow Monitoring Charts 64
Change the Date Range of the Flow Monitoring Charts 64
View the Flow Monitoring Report 64
Add an App Firewall Rule from the Flow Monitoring Report 65
Delete All Recorded Flows 66
Editing Port Mappings 66
Add an Application-Port Pair Mapping 66
Delete an Application-Port Pair Mapping 67
Hide the Port Mappings Table 67
13 App Firewall Management 69
Using App Firewall 69
Securing Containers and Designing Security Groups 69
Default Rules 70
Layer 4 Rules and Layer 2/Layer 3 Rules 70
Hierarchy of App Firewall Rules 70
Planning App Firewall Rule Enforcement 70
Create an App Firewall Rule 71
Create a Layer 2/Layer 3 App Firewall Rule 73
Creating and Protecting Security Groups 73
Add a Security Group 73
Assign Resources to a Security Group 74
Validating Active Sessions against the Current App Firewall Rules 74
Revert to a Previous App Firewall Configuration 75
Delete an App Firewall Rule 75
Using SpoofGuard 75
SpoofGuard Screen Options 76
Enable SpoofGuard 76
Approve IP Addresses 76
Edit an IP Address 77
Delete an IP Address 77
14 vShield Endpoint Events and Alarms 79
View vShield Endpoint Status 79
Alarms 80
Host Alarms 80
SVM Alarms 80
VM Alarms 81
Events 81
Audit Messages 84
Appendixes
A Command Line Interface 87
Logging In and Out of the CLI 87
CLI Command Modes 87
CLI Syntax 88
Moving Around in the CLI 88
Getting Help within the CLI 89
Securing CLI User Accounts and the Privileged Mode Password 89
Add a CLI User Account 89
Delete the admin User Account from the CLI 90
Change the CLI Privileged Mode Password 90
Command Reference 91
Administrative Commands 91
CLI Mode Commands 92
Configuration Commands 95
Debug Commands 102
Show Commands 107
Diagnostics and Troubleshooting Commands 123
User Administration Commands 126
Terminal Commands 128
Deprecated Commands 129
B Troubleshooting 131
Troubleshooting vShield Manager Installation 131
vShield OVA File Extracted to a PC Where vSphere Client Is Not Installed 131
vShield OVA File Cannot Be Installed in vSphere Client 131
Cannot Log In to CLI After the vShield Manager Virtual Machine Starts 132
Cannot Log In to the vShield Manager User Interface 132
Troubleshooting Operation Issues 132
vShield Manager Cannot Communicate with a vShield App 132
Cannot Configure a vShield App 132
Firewall Block Rule Not Blocking Matching Traffic 133
No Flow Data Displaying in Flow Monitoring 133
Troubleshooting Port Group Isolation Issues 133
Validate Installation of Port Group Isolation 133
Verify Install or Uninstall Script 134
Validate the Data Path 134
Details of the fence-util Utility 135
Troubleshooting vShield Edge Issues 136
Virtual Machines Are Not Getting IP Addresses from the DHCP Server 136
Load-Balancer Does Not Work 136
Load-Balancer Throws Error 502 Bad Gateway for HTTP Requests 137
VPN Does Not Work 137
Troubleshooting vShield Endpoint Issues 137
Thin Agent Logging 137
Component Version Compatibility 138
Index 139
About This Book
This manual, the vShield Administration Guide, describes how to install, configure, monitor, and maintain the
VMware® vShield™ system by using the vShield Manager user interface, the vSphere Client plug-in, and the
command line interface (CLI). The information includes step-by-step configuration instructions and
suggested best practices.
Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment.
The information in this manual is written for experienced system administrators who are familiar with virtual
machine technology and virtual datacenter operations. This manual assumes familiarity with VMware
Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions
of terms as they are used in VMware technical documentation go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your
feedback to docfeedback@vmware.com.
vShield Documentation
The following documents comprise the vShield documentation set:
vShield Administration Guide, this guide
vShield Quick Start Guide
vShield API Programming Guide
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version
of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and
register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on
priority 1 issues. Go to http://www.vmware.com/support/phone_support.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to
http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials
designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live
online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides
offerings to help you assess, plan, build, and manage your virtual environment. To access information about
education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
vShield Manager and vShield Zones
Chapter 1 Overview of vShield
VMware® vShield is a suite of security virtual appliances built for VMware vCenter™ Server and VMware
ESX™ integration. vShield is a critical security component for protecting virtualized datacenters from attacks
and misuse, helping you achieve your compliance-mandated goals.
This guide assumes you have administrator access to the entire vShield system. The viewable resources in the
vShield Manager user interface can differ based on the assigned role and rights of a user, and licensing. If you
are unable to access a screen or perform a particular task, consult your vShield administrator.
This chapter includes the following topics:
“vShield Components” on page 11
“Migration of vShield Components” on page 13
“VMware Tools” on page 13
“Ports Required for vShield Communication” on page 13
vShield Components
vShield includes components and services essential for protecting virtual machines. vShield can be configured
through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
To run vShield, you need one vShield Manager virtual machine and at least one vShield App or vShield Edge
module.
vShield Manager
The vShield Manager is the centralized network management component of vShield and is installed from OVA
as a virtual machine by using the vSphere Client. Using the vShield Manager user interface, administrators
install, configure, and maintain vShield components. A vShield Manager can run on a different ESX host from
your vShield App and vShield Edge modules.
The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client
inventory panel.
For more on using the vShield Manager user interface, see Chapter 2, “vShield Manager User Interface
Basics,” on page 15.
vShield Zones
vShield Zones, included with the vShield Manager, provides firewall protection for traffic between virtual
machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination
port, and service.
vShield Edge
NOTE You must obtain an evaluation or full license to use vShield Edge.
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port
group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared
(uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud
environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection
for TCP, UDP, and ICMP.
Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP
and UDP port translation.
Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and
search domains.
Advanced vShield Edge Services
Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with
all major firewall vendors.
Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
vShield App
NOTE You must obtain an evaluation or full license to use vShield App.
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of
network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual
machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates
with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS,
vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual
network adapter. The firewall filter operates transparently and does not require network changes or
modification of IP addresses to create security zones. You can write access rules by using vCenter containers,
like datacenters, cluster, resource pools and vApps, or network objects, like Port Groups and VLANs, to
reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™
operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a
vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level.
You can use this information to audit network traffic and troubleshoot operational issues.
vShield Endpoint
NOTE You must obtain an evaluation or full license to use vShield Endpoint.
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to
scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding
resource bottlenecks while optimizing memory use.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus
vendor (VMware partners) on an ESX host.
vShield Endpoint provides the following features:
On-demand file scanning in a service virtual machine.
On-access file scanning in a service virtual machine.
Migration of vShield Components
The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based
on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager
whenever the current ESX host undergoes a reboot or maintenance mode routine.
Each vShield Edge should move with its secured port group to maintain security settings and services.
vShield App and Port Group Isolation services cannot be moved to another ESX host. If the ESX host on which
these services reside requires a manual maintenance mode operation, you must de-select the Move powered off and suspended virtual machines to other hosts in the cluster check box to ensure these virtual appliances
are not migrated. These services restart after the ESX host comes online.
VMware Tools
Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware
Tools included with a vShield virtual appliance.
Ports Required for vShield Communication
The vShield Manager requires the following ports to be open:
REST API: 80/TCP and 443/TCP
Graphical User Interface: 80/TCP to 443/TCP and initiates connections to vSphere vCenter SDK.
SSH access to the CLI (not enabled by default): 22/TCP
Chapter 2 vShield Manager User Interface Basics
The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By
utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel
for a complete view of your vCenter environment.
NOTE You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield
components from within the vSphere Client. For more, see “Register the vShield Manager as a vSphere Client
Plug-in” on page 20.
The chapter includes the following topics:
“Logging in to the vShield Manager User Interface” on page 15
“Accessing the Online Help” on page 16
“vShield Manager User Interface” on page 16
Logging in to the vShield Manager User Interface
You access the vShield Manager management interface by using a Web browser.
To log in to the vShield Manager user interface
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
The vShield Manager user interface opens in an SSL session.
2 Accept the security certificate.
NOTE To use an SSL certificate for authentication, see “Add an SSL Certificate to Identify the vShield
Manager Web Service” on page 22.
The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the username admin and the password default.
You should change the default password as one of your first tasks to prevent unauthorized use. See “Edit
a User Account” on page 32.
4 Click Log In.
Accessing the Online Help
The Online Help can be accessed by clicking the Help icon in the upper right of the vShield Manager user interface.
vShield Manager User Interface
The vShield Manager user interface is divided into two panels: the inventory panel and the configuration
panel. You select a view and a resource from the inventory panel to open the available details and
configuration options in the configuration panel.
When clicked, each inventory object has a specific set of tabs that appear in the configuration panel.
vShield Manager Inventory Panel
The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy. Resources
include the root folder, datacenters, clusters, port groups, ESX hosts, and virtual machines, including your
installed vShield App and vShield Edge modules. As a result, the vShield Manager stays synchronized with
your vCenter Server inventory to present a complete view of your virtual deployment. The vShield Manager
is the only virtual machine that does not appear in the vShield Manager inventory panel. vShield Manager
settings are configured from the Settings & Reports resource atop the inventory panel.
The inventory panel offers multiple views: Hosts & Clusters, Networks, and Secured Port Groups. The Hosts
& Clusters view displays the datacenters, clusters, resource pools, and ESX hosts in your inventory. The
Networks view displays the VLAN networks and port groups in your inventory. The Secured Port Groups
view displays the port groups protected by vShield Edge instances. The Hosts & Clusters and Networks views
are consistent with the same views in the vSphere Client.
There are differences in the icons for virtual machines and vShield components between the vShield Manager
and the vSphere Client inventory panels. Custom icons are used to show the difference between vShield
components and virtual machines, and the difference between protected and unprotected virtual machines.
Table 2-1. vShield Virtual Machine Icons in the vShield Manager Inventory Panel
Icon  Description
(icon)  A powered on vShield App in active protection state.
(icon)  A powered off vShield App.
(icon)  A powered on virtual machine that is protected by a vShield App.
(icon)  A powered on virtual machine that is not protected by a vShield App.
Refreshing the Inventory Panel
To refresh the list of resources in the inventory panel, click the refresh icon. The refresh action requests the latest resource
information from the vCenter Server. By default, the vShield Manager requests resource information from the
vCenter Server every five minutes.
Searching the Inventory Panel
To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager
inventory panel and click the search icon.
vShield Manager Configuration Panel
The vShield Manager configuration panel presents the settings that can be configured based on the selected
inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting
information or configuration forms corresponding to the resource.
Because each resource has a different purpose, some tabs are specific to certain resources. Also, some tabs have
a second level of options.
Chapter 3 Management System Settings
The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP
to provide details on your VMware Infrastructure inventory.
The chapter includes the following topics:
“Identify Your vCenter Server” on page 19
“Register the vShield Manager as a vSphere Client Plug-in” on page 20
“Identify DNS Services” on page 20
“Set the vShield Manager Date and Time” on page 21
“Identify a Proxy Server” on page 21
“Download a Technical Support Log from a Component” on page 21
“View vShield Manager System Status” on page 22
“Add an SSL Certificate to Identify the vShield Manager Web Service” on page 22
Identify Your vCenter Server
After the vShield Manager is installed as a virtual machine, log in to the vShield Manager user interface to
connect to your vCenter Server. This enables the vShield Manager to display your VMware Infrastructure
inventory.
To identify your vCenter Server from the vShield Manager
1 Log in to the vShield Manager.
Upon initial login, the vShield Manager opens to the Configuration > vCenter tab. If you have previously
configured the vCenter tab form, perform the following steps:
a Click Settings & Reports from the vShield Manager inventory panel.
b Click the Configuration tab.
The vCenter screen appears.
2 Under vCenter Server Information, type the IP address of your vCenter Server in the vSphere Server IP
Address/Name field.
3 Type your vSphere Client login user name in the Administrator User Name field.
This user account must have administrator access.
4 Type the password associated with the user name in the Password field.
5 Click Save.
The vShield Manager connects to the vCenter Server, logs on, and utilizes the VMware Infrastructure SDK
to populate the vShield Manager inventory panel. The inventory panel is presented on the left side of the
screen. This resource tree should match your VMware Infrastructure inventory panel. The vShield
Manager does not appear in the vShield Manager inventory panel.
Register the vShield Manager as a vSphere Client Plug-in
The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the
plug-in is registered, you can open the vShield Manager user interface from the vSphere Client.
To register the vShield Manager as a vSphere Client plug-in
1 If you are logged in to the vSphere Client, log out.
2 Log in to the vShield Manager.
3 Click Settings & Reports from the vShield Manager inventory panel.
4 Click the Configuration tab.
The vCenter screen appears.
5 Under vSphere Plug-in, click Register.
Registration might take a few minutes.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that vShield Install appears as a tab.
You can install and configure vShield components from the vSphere Client.
Identify DNS Services
You must specify at least one DNS server during vShield Manager setup. The specified DNS servers appear in
the vShield Manager user interface.
In the vShield Manager user interface, you can specify up to three DNS servers that the vShield Manager can
use for IP address and host name resolution.
To identify a DNS server
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
The vCenter screen appears.
3 Under DNS Servers, type an IP address in Primary DNS IP Address to identify the primary DNS server.
This server is checked first for all resolution requests.
4 (Optional) Type an IP address in the Secondary DNS IP Address field.
5 (Optional) Type an IP address in the Tertiary DNS IP Address field.
6 Click Save.
Set the vShield Manager Date and Time
You can set the date, time, and time zone of the vShield Manager. You can also specify a connection to an NTP
server to establish a common network time. Date and time values are used in the system to stamp events as
they occur.
To set the date and time configuration of the vShield Manager
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Date/Time.
4 In the Date and Clock field, type the date and time in the format YYYY-MM-DD HH:MM:SS.
5 In the NTP Server field, type the IP address of your NTP server.
You can type the hostname of your NTP server if you have set up DNS service.
6 From the Time Zone drop-down menu, select the appropriate time zone.
7 Click Save.
Identify a Proxy Server
If you use a proxy server for network connectivity, you can configure the vShield Manager to use the proxy
server. The vShield Manager supports application-level HTTP/HTTPS proxies such as CacheFlow and
Microsoft ISA Server.
To identify a proxy server
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click HTTP Proxy.
4 From the Use Proxy drop-down menu, select Yes.
5 (Optional) Type the host name of the proxy server in the Proxy Host Name field.
6 Type the IP address of the proxy server in the Proxy IP Address field.
7 Type the connecting port number on your proxy server in the Proxy Port field.
8 Type the User Name required to log in to the proxy server.
9 Type the Password associated with the user name for proxy server login.
10 Click Save.
Download a Technical Support Log from a Component
You can use the Support option to download the system log from a vShield component to your PC. A system
log can be used to troubleshoot operational issues.
To download a vShield component system log
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Support.
4 Under Tech Support Log Download, click Initiate next to the appropriate component.
Once initiated, the log is generated and uploaded to the vShield Manager. This might take several
seconds.
5 After the log is ready, click the Download link to download the log to your PC.
The log is compressed and has the proprietary file extension .blsl. You can open the log using a
decompression utility by browsing for All Files in the directory where you saved the file.
Back Up vShield Manager Data
You can use the Backups option to back up vShield Manager data. See Chapter 7, “Backing Up vShield
Manager Data,” on page 37.
View vShield Manager System Status
The Status tab displays the status of vShield Manager system resource utilization, and includes the software
version details, license status, and serial number. The serial number must be registered with technical support
for update and support purposes.
To view the system status of the vShield Manager
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Status.
4 (Optional) Click Version Status to review the current version of system software running on your vShield
components.
The Update Status tab appears. See “View the Current System Software” on page 35.
Add an SSL Certificate to Identify the vShield Manager Web Service
You can generate or import an SSL certificate into the vShield Manager to authenticate the identity of the
vShield Manager web service and encrypt information sent to the vShield Manager web server. As a security
best practice, you should use the generate certificate option to generate a private key and public key, where
the private key is saved to the vShield Manager.
To generate an SSL certificate
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Generate Certificate Signing Request, enter the following information:
Field  Description
Common Name: Enter the name that matches the site name. For example, if the IP address of the vShield
Manager management interface is 192.168.1.10, enter 192.168.1.10.
Organization Unit: Enter the department in your company that is ordering the certificate.
Organization Name: Enter the full legal name of your company.
City Name: Enter the full name of the city in which your company resides.
State Name: Enter the full name of the state in which your company resides.
Country Code: Enter the two-letter code that represents your country. For example, the United States
is US.
Key Algorithm: Select the cryptographic algorithm to use, either DSA or RSA.
Key Size: Select the number of bits used in the selected algorithm.
5 Click Generate.
To import an SSL certificate
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Import Signed Certificate, click Browse at Certificate File to find the file.
5 Select the type of certificate file from the Certificate File drop-down list.
6 Click Apply.
Chapter 4 Zones Firewall Management
vShield Zones provides firewall protection and access policy enforcement. Traffic details include sources,
destinations, direction of sessions, applications, and ports being used. Traffic details can be used to create
firewall allow or deny rules.
NOTE You can upgrade vShield Zones to vShield App by obtaining a vShield App license. vShield App
enhances vShield Zones protection by offering Flow Monitoring, custom container creation (Security Groups),
and container-based access policy creation and enforcement.
You do not have to uninstall vShield Zones to install vShield App. All vShield Zones instances become vShield
App instances, the Zones Firewall becomes App Firewall, and the additional vShield App features are enabled.
This chapter includes the following topics:
“Using Zones Firewall” on page 25
“Create a Zones Firewall Rule” on page 27
“Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28
“Validating Active Sessions against the Current Zones Firewall Rules” on page 29
“Revert to a Previous Zones Firewall Configuration” on page 29
“Delete a Zones Firewall Rule” on page 30
Using Zones Firewall
Zones Firewall is a centralized, hierarchical firewall for ESX hosts. Zones Firewall enables you to create rules
that allow or deny access to and from your virtual machines. Each installed vShield Zones instance enforces the
Zones Firewall rules.
You can manage Zones Firewall rules at the datacenter, cluster, and port group levels to provide a consistent
set of rules across multiple vShield Zones instances under these containers. As membership in these containers
can change dynamically, Zones Firewall maintains the state of existing sessions without requiring
reconfiguration of firewall rules. In this way, Zones Firewall effectively has a continuous footprint on each ESX
host under the managed containers.
When creating Zones Firewall rules, you create 5-tuple firewall rules based on specific source and destination IP
addresses.
Default Rules
By default, Zones Firewall enforces a set of rules allowing traffic to pass through all vShield Zones instances.
These rules appear in the Default Rules section of the Zones Firewall table. The default rules cannot be deleted
or added to. However, you can change the Action element of each rule from Allow to Deny.
Layer 4 Rules and Layer 2/Layer 3 Rules
Zones Firewall offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers
refer to layers of the Open Systems Interconnection (OSI) Reference Model.
Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules
govern traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3
rules at the datacenter level only. By default, all Layer 4 and Layer 2/Layer 3 traffic is allowed to pass.
Hierarchy of Zones Firewall Rules
Each vShield Zones instance enforces Zones Firewall rules in top-to-bottom ordering. A vShield Zones
instance checks each traffic session against the top rule in the Zones Firewall table before moving down the
subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
Zones Firewall rules are enforced in the following hierarchy:
1. Data Center High Precedence Rules
2. Cluster Level Rules
3. Data Center Low Precedence Rules (shown in the table as “Rules below this level have lower precedence
than cluster level rules” when a datacenter resource is selected)
4. Secure Port Group Rules
5. Default Rules
Zones Firewall offers container-level and custom priority precedence configurations:
Container-level precedence refers to recognizing the datacenter level as being higher in priority than the
cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and
vShield agents therein. A cluster-level rule is only applied to the vShield Zones instances within the
cluster.
Custom priority precedence refers to the option of assigning high or low precedence to rules at the
datacenter level. High precedence rules work as noted in the container-level precedence description. Low
precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules.
This flexibility allows you to recognize multiple layers of applied precedence.
At the cluster level, you configure rules that apply to all vShield Zones instances within the cluster.
Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level
Rules are not in conflict with Data Center High Precedence Rules.
Planning Zones Firewall Rule Enforcement
Using Zones Firewall, you can configure allow and deny rules based on your network policy. The following
examples represent two common firewall policies:
Allow all traffic by default. You keep the default allow-all rules and add deny rules based on manual Zones
Firewall configuration (or on Flow Monitoring data, if you have upgraded to vShield App). In this scenario, if a
session does not match any of the deny rules, the vShield Zones instance allows the traffic to pass.
Deny all traffic by default. You change the Action status of the default rules from Allow to Deny, and
add allow rules explicitly for specific systems and applications. In this scenario, if a session does not
match any of the allow rules, the vShield Zones instance drops the session before it reaches its destination. If
you change all of the default rules to Deny, the vShield Zones instance drops all incoming and outgoing traffic,
so add and commit the explicit allow rules before you change the default rules to Deny.
Create a Zones Firewall Rule
Zones Firewall rules allow or deny traffic based on the following criteria:
Criteria                   Description
Source (A.B.C.D/nn)        IP address with netmask (nn) from which the communication originated.
Source Port                Port or range of ports from which the communication originated. To enter a port
                           range, separate the low and high ends of the range with a colon, for example
                           1000:1100.
Destination (A.B.C.D/nn)   IP address with netmask (nn) that the communication is targeting.
Destination Application    The application on the destination that the source is targeting.
Destination Port           Port or range of ports that the communication is targeting. To enter a port range,
                           separate the low and high ends of the range with a colon, for example 1000:1100.
Protocol                   Transport protocol used for the communication.
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which
require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for
a transmission, the transmission fails.
To create a firewall rule at the datacenter level
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Select a datacenter resource from the resource tree.
3. Click the vShield Zones tab.
4. Click Zones Firewall.
By default, the L4 Rules option is selected.
To create L2/L3 rules, see “Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28.
5. Do one of the following:
Click Add to add a new rule to the Data Center Low Precedence Rules section (labeled “Rules below this
level have lower precedence than cluster level rules”).
Select a row in the Data Center High Precedence Rules section of the table and click Add. A new row
appears below the selected row.
6. Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port
and Destination Port fields.
7. (Optional) Select the new row and click Up to move the row up in priority.
8. (Optional) Select the Log check box to log all sessions matching this rule.
9. Click Commit to save the rule.
To create a firewall rule at the cluster level
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Select a cluster resource from the resource tree.
3. Click the vShield Zones tab.
4. Click Zones Firewall.
By default, the L4 Rules option is selected.
To create L2/L3 rules, see “Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28.
5. Click Add.
A new row appears in the Cluster Level Rules section of the table.
6. Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port
and Destination Port fields.
7. (Optional) Select the new row and click Up to move the row up in priority.
8. (Optional) Select the Log check box to log all sessions matching this rule.
9. Click Commit to save the rule.
To create a firewall rule at the port group level
1. In the vSphere Client, go to Inventory > Networking.
2. Select a port group from the resource tree.
3. Click the vShield Zones tab.
4. Click Zones Firewall.
5. Click Add.
A new row is added at the bottom of the Secure Port Group Rules section.
6. Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port
and Destination Port fields.
7. (Optional) Select the new row and click Up to move the row up in priority.
8. (Optional) Select the Log check box to log all sessions matching this rule.
9. Click Commit to save the rule.
Create a Layer 2/Layer 3 Zones Firewall Rule
The Layer 2/Layer 3 firewall enables configuration of allow or deny rules for common Data Link Layer and
Network Layer requests, such as ICMP pings and traceroutes.
You can change the default Layer 2/Layer 3 rules from Allow to Deny based on your network security policy.
Layer 2/Layer 3 firewall rules allow or deny traffic based on the following criteria:
Criteria                   Description
Source (A.B.C.D/nn)        IP address with netmask (nn) from which the communication originated.
Destination (A.B.C.D/nn)   IP address with netmask (nn) that the communication is targeting.
Protocol                   Layer 2 or Layer 3 protocol used for the communication, such as ICMP or ARP.
To create a Layer 2/Layer 3 firewall rule
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Select a datacenter resource from the resource tree.
3. Click the vShield Zones tab.
4. Click Zones Firewall.
5. Click L2/L3 Rules.
6. Click Add.
A new row is added at the bottom of the DataCenter Rules section of the table.
7. Double-click each cell in the new row to type or select the appropriate information.
You can type IP addresses in the Source and Destination fields.
8. (Optional) Select the Log check box to log all sessions matching this rule.
9. Click Commit.
Validating Active Sessions against the Current Zones Firewall Rules
By default, a vShield Zones instance matches firewall rules against each new session only. After a session has
been established, firewall rule changes do not affect that active session: a session that was allowed under the
previous rule set keeps flowing even if the current rule set would deny it.
The CLI command validate sessions validates the active sessions against the current Zones Firewall rule
set and purges any sessions that violate it. After you update and commit a firewall rule set, validate active
sessions so that existing sessions in violation of the updated policy are purged rather than left running until
they close on their own.
To validate active sessions against the current firewall rules
1. Update and commit the Zones Firewall rule set at the appropriate container level.
2. Open a console session on a vShield Zones instance and issue the validate sessions command.
Because each vShield Zones instance maintains its own session state, issue the command on each instance
under the container whose rules you changed.
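The rule hierarchy, the two planning policies, the rule criteria and the effect of validate sessions described in this chapter can be modeled in a few lines. The following Python is an added example written for this guide's reader; it is not VMware code and does not talk to a vShield Zones instance. It assumes a session is a (source IP, source port, destination IP, destination port, protocol) tuple, models only the L4 rule tiers, and uses constructed subnets, rules and sessions; the field formats (A.B.C.D/nn, lo:hi port ranges, any), the tier order and the first-match, top-to-bottom evaluation follow this chapter.

```python
# Added example, not VMware code: a toy model of how a vShield Zones instance
# walks the Zones Firewall table. Tier order, first-match semantics, the
# A.B.C.D/nn and lo:hi field formats, the allow-all Default Rules and the
# `validate sessions` purge follow the chapter; every subnet, rule and
# session value below is constructed for illustration.
import ipaddress
from dataclasses import dataclass, replace

# Precedence tiers in the order the table is walked, top to bottom.
TIERS = (
    "Data Center High Precedence Rules",
    "Cluster Level Rules",
    "Data Center Low Precedence Rules",
    "Secure Port Group Rules",
    "Default Rules",
)

def parse_ports(spec):
    """'any' -> (0, 65535); '443' -> (443, 443); '1000:1100' -> (1000, 1100)."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition(":")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return (lo_i, hi_i)

def parse_net(spec):
    """'any' or A.B.C.D/nn; a bare address is treated as a /32."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

@dataclass
class Rule:
    tier: str       # one of TIERS
    src: str        # A.B.C.D/nn or "any"
    sport: str      # single port, lo:hi range, or "any"
    dst: str
    dport: str
    proto: str      # "tcp", "udp" or "any"
    action: str     # "Allow" or "Deny"
    log: bool = False

    def matches(self, session):
        src, sport, dst, dport, proto = session  # the session's 5-tuple
        return (ipaddress.ip_address(src) in parse_net(self.src)
                and ipaddress.ip_address(dst) in parse_net(self.dst)
                and parse_ports(self.sport)[0] <= sport <= parse_ports(self.sport)[1]
                and parse_ports(self.dport)[0] <= dport <= parse_ports(self.dport)[1]
                and self.proto in ("any", proto))

def ordered(rules):
    """Sort by tier only; the stable sort keeps the committed order within a tier."""
    return sorted(rules, key=lambda r: TIERS.index(r.tier))

def evaluate(rules, session):
    """First matching rule wins. Returns (action, tier of the matching rule)."""
    for rule in ordered(rules):
        if rule.matches(session):
            return rule.action, rule.tier
    return "Allow", None  # not reached while the any/any Default Rule is present

def default_deny(rules):
    """'Deny all traffic by default': flip the Action of the Default Rules to Deny
    and rely on the explicit Allow rules above them."""
    return [replace(r, action="Deny") if r.tier == "Default Rules" else r for r in rules]

def validate_sessions(rules, active):
    """Model of the `validate sessions` CLI command: re-check every established
    session against the current table and purge the ones it now denies."""
    kept = [s for s in active if evaluate(rules, s)[0] == "Allow"]
    purged = [s for s in active if s not in kept]
    return kept, purged

# Constructed policy, deliberately listed out of tier order to show that
# enforcement order comes from the tier, not from list position.
POLICY = [
    Rule("Data Center Low Precedence Rules", "any", "any", "any", "23", "tcp", "Deny", log=True),
    Rule("Cluster Level Rules", "any", "any", "10.0.2.0/24", "22", "tcp", "Deny", log=True),
    # Datacenter high precedence beats the cluster deny: the jump host keeps SSH.
    Rule("Data Center High Precedence Rules", "10.0.1.10/32", "any", "10.0.2.0/24", "22", "tcp", "Allow"),
    Rule("Default Rules", "any", "any", "any", "any", "any", "Allow"),
]

# Constructed sessions: (src IP, src port, dst IP, dst port, protocol).
JUMP_SSH = ("10.0.1.10", 50000, "10.0.2.5", 22, "tcp")
USER_SSH = ("10.0.1.20", 50001, "10.0.2.5", 22, "tcp")
USER_TELNET = ("10.0.1.20", 50002, "10.0.2.5", 23, "tcp")
USER_HTTPS = ("10.0.1.20", 50003, "10.0.2.5", 443, "tcp")

if __name__ == "__main__":
    for s in (JUMP_SSH, USER_SSH, USER_TELNET, USER_HTTPS):
        print(s, "->", evaluate(POLICY, s))
    # Sessions established under the allow-all defaults keep flowing after
    # POLICY is committed until validate sessions purges the ones now denied.
    print("purged:", validate_sessions(POLICY, [JUMP_SSH, USER_SSH, USER_HTTPS])[1])
    print("default-deny HTTPS:", evaluate(default_deny(POLICY), USER_HTTPS))
```

Running the script shows the jump host's SSH session allowed by the Data Center High Precedence rule even though a Cluster Level rule denies SSH to the same subnet, which is the conflict the hierarchy section warns about. validate_sessions then lists the established sessions an operator would lose after committing the cluster rule; reviewing that list against the intended policy is the check to make before issuing validate sessions on a production instance.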
Revert to a Previous Zones Firewall Configuration
The vShield Manager saves a snapshot of the Zones Firewall settings each time you commit a new rule. Clicking
Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the
new rule. These snapshots are available from the Revert to Snapshot drop-down menu.
To revert to a previous Zones Firewall configuration
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Select a datacenter or cluster resource from the inventory panel.
3. Click the vShield Zones tab.
4. Click Zones Firewall.
5. From the Revert to Snapshot drop-down list, select a snapshot.
Snapshots are presented in timestamp order, with the most recent snapshot listed at the top.
6. View the snapshot configuration details.
7. Do one of the following:
To return to the current configuration without reverting, select the - option from the Revert to Snapshot
drop-down list.
Click Commit to overwrite the current configuration with the snapshot configuration.
Like any other commit, reverting does not affect sessions that are already established; issue the validate
sessions command afterward to purge sessions that the restored rule set denies.
Delete a Zones Firewall Rule
You can delete any Zones Firewall rule you have created. You cannot delete any of the rules in the Default Rules
section of the table.
To delete a Zones Firewall rule
1. Click an existing row in the Zones Firewall table.
2. Click Delete.
3. Click Commit.