
vShield Administration Guide

vShield Manager 4.1 vShield Edge 1.0 vShield App 1.0 vShield Endpoint Security 1.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000374-00


You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com


Contents

About This Book

vShield Manager and vShield Zones

1 Overview of vShield 13
  vShield Components 13
    vShield Manager 13
    vShield Zones 13
    vShield Edge 14
      Standard vShield Edge services (including Cloud Director) 14
      Advanced vShield Edge services 14
    vShield App 14
    vShield Endpoint 15
  Migration of vShield Components 15
  VMware Tools 15
  Ports Required for vShield Communication 15

2 vShield Manager User Interface Basics 17
  Logging in to the vShield Manager User Interface 17
  Accessing the Online Help 18
  vShield Manager User Interface 18
    vShield Manager Inventory Panel 18
      Refreshing the Inventory Panel 18
      Searching the Inventory Panel 18
    vShield Manager Configuration Panel 19

3 Management System Settings 21
  Identify Your vCenter Server 21
  Register the vShield Manager as a vSphere Client Plug-in 22
  Identify DNS Services 22
  Set the vShield Manager Date and Time 23
  Identify a Proxy Server 23
  Download a Technical Support Log from a Component 23
  Back Up vShield Manager Data 24
  View vShield Manager System Status 24
  Add an SSL Certificate to Identify the vShield Manager Web Service 24

4 Zones Firewall Management 27
  Using Zones Firewall 27
    Default Rules 28
    Layer 4 Rules and Layer 2/Layer 3 Rules 28
    Hierarchy of Zones Firewall Rules 28
    Planning Zones Firewall Rule Enforcement 28
  Create a Zones Firewall Rule 29
  Create a Layer 2/Layer 3 Zones Firewall Rule 30
  Validating Active Sessions against the Current Zones Firewall Rules 31
  Revert to a Previous Zones Firewall Configuration 31
  Delete a Zones Firewall Rule 32

5 User Management 33
  Managing User Rights 33
  Managing the Default User Account 34
  Add a User 34
    Assign a Role and Rights to a User 34
  Edit a User Account 34
  Delete a User Account 35

6 Updating System Software 37
  View the Current System Software 37
  Upload an Update 37
  Review the Update History 38

7 Backing Up vShield Manager Data 39
  Back Up Your vShield Manager Data on Demand 39
  Schedule a Backup of vShield Manager Data 40
  Restore a Backup 40

8 System Events and Audit Logs 41
  View the System Event Report 41
    System Event Notifications 42
    vShield Manager Virtual Appliance Events 42
    vShield App Events 42
    Syslog Format 42
  View the Audit Log 43

9 Uninstalling vShield Components 45
  Uninstall a vShield App or vShield Zones 45
  Uninstall a vShield Edge from a Port Group 46
  Uninstall Port Group Isolation from an ESX Host 46
  Uninstall a vShield Endpoint Module 47
    Unregister an SVM from a vShield Endpoint Module 47
    Uninstall the vShield Endpoint Module from the vSphere Client 47

vShield Edge and Port Group Isolation

10 vShield Edge Management 51
  View the Status of a vShield Edge 51
  Specify a Remote Syslog Server 52
  Managing the vShield Edge Firewall 52
    Create a vShield Edge Firewall Rule 52
    Validate Active Sessions Against Current vShield Edge Firewall Rules 53
  Manage NAT Rules 53
  Manage DHCP Service 54
  Manage VPN Service 56
  Manage Load Balancer Service 58
  Start or Stop vShield Edge Services 59

vShield App and vShield Endpoint

11 vShield App Management 63
  Send vShield App System Events to a Syslog Server 63
  Back Up the Running CLI Configuration of a vShield App 64
  View the Current System Status of a vShield App 64
  Force a vShield App to Synchronize with the vShield Manager 64
  Restart a vShield App 65
  View Traffic Statistics by vShield App Interface 65
  Download the Firewall Logs of a vShield App 65

12 Flow Monitoring 67
  Using Flow Monitoring 67
  View a Specific Application in the Flow Monitoring Charts 68
  Change the Date Range of the Flow Monitoring Charts 68
  View the Flow Monitoring Report 68
    Add an App Firewall Rule from the Flow Monitoring Report 69
    Delete All Recorded Flows 70
  Editing Port Mappings 70
    Add an Application-Port Pair Mapping 70
    Delete an Application-Port Pair Mapping 71
    Hide the Port Mappings Table 71

13 App Firewall Management 73
  Using App Firewall 73
    Securing Containers and Designing Security Groups 73
    Default Rules 74
    Layer 4 Rules and Layer 2/Layer 3 Rules 74
    Hierarchy of App Firewall Rules 74
    Planning App Firewall Rule Enforcement 74
  Create an App Firewall Rule 75
  Create a Layer 2/Layer 3 App Firewall Rule 77
  Creating and Protecting Security Groups 77
    Add a Security Group 77
    Assign Resources to a Security Group 78
  Validating Active Sessions against the Current App Firewall Rules 78
  Revert to a Previous App Firewall Configuration 79
  Delete an App Firewall Rule 79

14 vShield Endpoint Events and Alarms 81
  View vShield Endpoint Status 81
  Alarms 82
    Host Alarms 82
    SVM Alarms 82
    VM Alarms 83
  Events 83
  Audit Messages 86

Appendixes

A Command Line Interface 89
  Logging In and Out of the CLI 89
  CLI Command Modes 89
  CLI Syntax 90
  Moving Around in the CLI 90
  Getting Help within the CLI 91
  Securing CLI User Accounts and the Privileged Mode Password 91
    Add a CLI User Account 91
    Delete the admin User Account from the CLI 92
    Change the CLI Privileged Mode Password 92
  Command Reference 93
    Administrative Commands 93
      list 93
      reboot 93
      shutdown 94
    CLI Mode Commands 94
      configure terminal 94
      disable 94
      enable 95
      end 95
      exit 95
      interface 96
      quit 96
    Configuration Commands 97
      clear vmwall rules 97
      cli ssh allow 97
      copy running-config startup-config 97
      database erase 98
      enable password 98
      hostname 99
      ip address 99
      ip name server 99
      ip route 100
      manager key 100
      ntp server 101
      set clock 101
      setup 102
      ssh 102
      syslog 103
      write 103
      write erase 104
      write memory 104
    Debug Commands 104
      debug copy 104
      debug packet capture 105
      debug packet display interface 105
      debug remove 106
      debug service 107
      debug service flow src 107
      debug show files 108
    Show Commands 108
      show alerts 108
      show arp 109
      show clock 109
      show configuration 109
      show debug 110
      show ethernet 110
      show filesystem 111
      show gateway rules 111
      show hardware 112
      show hostname 112
      show interface 112
      show ip addr 113
      show ip route 113
      show iptables 113
      show kernel message 114
      show kernel message last 114
      show log 115
      show log alerts 115
      show log events 115
      show log last 116
      show manager log 116
      show manager log last 117
      show ntp 117
      show process 118
      show route 118
      show running-config 118
      show service 119
      show service statistics 119
      show services 119
      show session-manager counters 120
      show session-manager sessions 120
      show slots 121
      show stacktrace 121
      show startup-config 121
      show syslog 122
      show system events 122
      show system load 122
      show system memory 123
      show system network_connections 123
      show system storage 123
      show system uptime 124
      show version 124
      show vmwall log 124
      show vmwall rules 124
    Diagnostics and Troubleshooting Commands 125
      export tech-support scp 125
      link-detect 125
      ping 125
      ping interface addr 126
      show tech-support 126
      ssh 126
      telnet 127
      traceroute 127
      validate sessions 128
    User Administration Commands 128
      default web-manager password 128
      user 128
      web-manager 129
    Terminal Commands 129
      clear vty 129
      reset 130
      terminal length 130
      terminal no length 130
    Deprecated Commands 131

B Troubleshooting 133
  Troubleshooting vShield Manager Installation 133
    vShield OVA File Extracted to a PC Where vSphere Client Is Not Installed 133
      Problem 133
      Solution 133
    vShield OVA File Cannot Be Installed in vSphere Client 133
      Problem 133
      Solution 133
    Cannot Log In to CLI After the vShield Manager Virtual Machine Starts 134
      Problem 134
      Solution 134
    Cannot Log In to the vShield Manager User Interface 134
      Problem 134
      Solution 134
  Troubleshooting Operation Issues 134
    vShield Manager Cannot Communicate with a vShield App 134
      Problem 134
      Solution 134
    Cannot Configure a vShield App 134
      Problem 134
      Solution 134
    Firewall Block Rule Not Blocking Matching Traffic 135
      Problem 135
      Solution 135
    No Flow Data Displaying in Flow Monitoring 135
  Troubleshooting Port Group Isolation Issues 135
    Validate Installation of Port Group Isolation 135
      To validate installation of Port Group Isolation 135
    Verify Install or Uninstall Script 136
    Validate the Data Path 136
    Details of the fenceutil Utility 137
  Troubleshooting vShield Edge Issues 138
    Virtual Machines Are Not Getting IP Addresses from the DHCP Server 138
    Load Balancer Does Not Work 138
    Load Balancer Throws Error 502 Bad Gateway for HTTP Requests 139
    VPN Does Not Work 139
  Troubleshooting vShield Endpoint Issues 139
    Thin Agent Logging 139
    Component Version Compatibility 140

Index 141

About This Book

This manual, the vShield Administration Guide, describes how to install, configure, monitor, and maintain the VMware vShield system by using the vShield Manager user interface, the vSphere Client plug-in, and command line interface (CLI). The information includes step-by-step configuration instructions, and suggested best practices.

Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with VMware Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.

VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

vShield Documentation
The following documents comprise the vShield documentation set:
- vShield Administration Guide, this guide
- vShield Quick Start Guide
- vShield API Programming Guide

Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.

Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.


vShield Manager and vShield Zones


Overview of vShield

VMware vShield is a suite of security virtual appliances built for VMware vCenter Server and VMware ESX integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.

This guide assumes you have administrator access to the entire vShield system. The viewable resources in the vShield Manager user interface can differ based on the assigned role and rights of a user, and licensing. If you are unable to access a screen or perform a particular task, consult your vShield administrator.

This chapter includes the following topics:
- vShield Components on page 13
- Migration of vShield Components on page 15
- VMware Tools on page 15
- Ports Required for vShield Communication on page 15

vShield Components
vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API. To run vShield, you need one vShield Manager virtual machine and at least one vShield App or vShield Edge module.

vShield Manager
The vShield Manager is the centralized network management component of vShield and is installed from OVA as a virtual machine by using the vSphere Client. Using the vShield Manager user interface, administrators install, configure, and maintain vShield components. A vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.

The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel.

For more on using the vShield Manager user interface, see Chapter 2, vShield Manager User Interface Basics, on page 17.

vShield Zones
vShield Zones, included with the vShield Manager, provides firewall protection for traffic between virtual machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination port, and service.


vShield Edge
NOTE You must obtain an evaluation or full license to use vShield Edge.

vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

Standard vShield Edge services (including Cloud Director)
- Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
- Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
- Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.

Advanced vShield Edge services
- Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
- Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.

vShield Edge supports syslog export for all services to remote servers.

vShield App
NOTE You must obtain an evaluation or full license to use vShield App.

vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.

vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.

You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.

The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.


vShield Endpoint
NOTE You must obtain an evaluation or full license to use vShield Endpoint.

vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.

vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.

vShield Endpoint provides the following features:
- On-demand file scanning in a service virtual machine.
- On-access file scanning in a service virtual machine.

Migration of vShield Components

The vShield Manager and vShield Edge virtual appliances can be automatically or manually migrated based on DRS and HA policies. The vShield Manager must always be up, so you must migrate the vShield Manager whenever the current ESX host undergoes a reboot or maintenance mode routine.

Each vShield Edge should move with its secured port group to maintain security settings and services.

vShield App and Port Group Isolation services cannot be moved to another ESX host. If the ESX host on which these services reside requires a manual maintenance mode operation, you must deselect the "Move powered off and suspended virtual machines to other hosts in the cluster" check box to ensure these virtual appliances are not migrated. These services restart after the ESX host comes online.

VMware Tools
Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

Ports Required for vShield Communication

The vShield Manager requires the following ports to be open:
- REST API: 80/TCP and 443/TCP
- Graphical User Interface: 80/TCP to 443/TCP, and initiates connections to the vSphere vCenter SDK.
- SSH access to the CLI (not enabled by default): 22/TCP


vShield Manager User Interface Basics

The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel for a complete view of your vCenter environment.

NOTE You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield components from within the vSphere Client. For more, see Register the vShield Manager as a vSphere Client Plug-in on page 22.

The chapter includes the following topics:
- Logging in to the vShield Manager User Interface on page 17
- Accessing the Online Help on page 18
- vShield Manager User Interface on page 18

Logging in to the vShield Manager User Interface

You access the vShield Manager management interface by using a Web browser.

To log in to the vShield Manager user interface
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
  The vShield Manager user interface opens in an SSL session.
2 Accept the security certificate.
  NOTE To use an SSL certificate for authentication, see Add an SSL Certificate to Identify the vShield Manager Web Service on page 24.
  The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the user name admin and the password default.
  You should change the default password as one of your first tasks to prevent unauthorized use. See Edit a User Account on page 34.
4 Click Log In.


Accessing the Online Help

The Online Help can be accessed by clicking the Help icon in the upper right of the vShield Manager user interface.

vShield Manager User Interface

The vShield Manager user interface is divided into two panels: the inventory panel and the configuration panel. You select a view and a resource from the inventory panel to open the available details and configuration options in the configuration panel.

When clicked, each inventory object has a specific set of tabs that appear in the configuration panel.

vShield Manager Inventory Panel

The vShield Manager inventory panel hierarchy mimics the vSphere Client inventory hierarchy. Resources include the root folder, datacenters, clusters, port groups, ESX hosts, and virtual machines, including your installed vShield App and vShield Edge modules. As a result, the vShield Manager maintains solidarity with your vCenter Server inventory to present a complete view of your virtual deployment. The vShield Manager is the only virtual machine that does not appear in the vShield Manager inventory panel. vShield Manager settings are configured from the Settings & Reports resource atop the inventory panel.

The inventory panel offers multiple views: Hosts & Clusters, Networks, and Secured Port Groups. The Hosts & Clusters view displays the datacenters, clusters, resource pools, and ESX hosts in your inventory. The Networks view displays the VLAN networks and port groups in your inventory. The Secured Port Groups view displays the port groups protected by vShield Edge instances. The Hosts & Clusters and Networks views are consistent with the same views in the vSphere Client.

There are differences in the icons for virtual machines and vShield components between the vShield Manager and the vSphere Client inventory panels. Custom icons are used to show the difference between vShield components and virtual machines, and the difference between protected and unprotected virtual machines.

Table 2-1. vShield Virtual Machine Icons in the vShield Manager Inventory Panel
Icon (not reproduced here)   Description
(icon)                       A powered-on vShield App in active protection state.
(icon)                       A powered-off vShield App.
(icon)                       A powered-on virtual machine that is protected by a vShield App.
(icon)                       A powered-on virtual machine that is not protected by a vShield App.

Refreshing the Inventory Panel

To refresh the list of resources in the inventory panel, click the Refresh icon. The refresh action requests the latest resource information from the vCenter Server. By default, the vShield Manager requests resource information from the vCenter Server every five minutes.

Searching the Inventory Panel

To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager inventory panel and click the Search icon.


vShield Manager Configuration Panel

The vShield Manager configuration panel presents the settings that can be configured based on the selected inventory resource and the output of vShield operation. Each resource offers multiple tabs, each tab presenting information or configuration forms corresponding to the resource.

Because each resource has a different purpose, some tabs are specific to certain resources. Also, some tabs have a second level of options.


Management System Settings

The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP to provide details on your VMware Infrastructure inventory.

The chapter includes the following topics:
- Identify Your vCenter Server on page 21
- Register the vShield Manager as a vSphere Client Plug-in on page 22
- Identify DNS Services on page 22
- Set the vShield Manager Date and Time on page 23
- Identify a Proxy Server on page 23
- Download a Technical Support Log from a Component on page 23
- View vShield Manager System Status on page 24
- Add an SSL Certificate to Identify the vShield Manager Web Service on page 24

Identify Your vCenter Server

After the vShield Manager is installed as a virtual machine, log in to the vShield Manager user interface to connect to your vCenter Server. This enables the vShield Manager to display your VMware Infrastructure inventory.

To identify your vCenter Server from the vShield Manager
1 Log in to the vShield Manager.
  Upon initial login, the vShield Manager opens to the Configuration > vCenter tab. If you have previously configured the vCenter tab form, perform the following steps:
  a Click Settings & Reports from the vShield Manager inventory panel.
  b Click the Configuration tab.
  The vCenter screen appears.
2 Under vCenter Server Information, type the IP address of your vCenter Server in the vSphere Server IP Address/Name field.
3 Type your vSphere Client login user name in the Administrator User Name field.
  This user account must have administrator access.
4 Type the password associated with the user name in the Password field.
5 Click Save.
  The vShield Manager connects to the vCenter Server, logs on, and utilizes the VMware Infrastructure SDK to populate the vShield Manager inventory panel. The inventory panel is presented on the left side of the screen. This resource tree should match your VMware Infrastructure inventory panel. The vShield Manager does not appear in the vShield Manager inventory panel.

Register the vShield Manager as a vSphere Client Plug-in

The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the plug-in is registered, you can open the vShield Manager user interface from the vSphere Client.

To register the vShield Manager as a vSphere Client plug-in
1 If you are logged in to the vSphere Client, log out.
2 Log in to the vShield Manager.
3 Click Settings & Reports from the vShield Manager inventory panel.
4 Click the Configuration tab.
  The vCenter screen appears.
5 Under vSphere Plug-in, click Register.
  Registration might take a few minutes.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that vShield Install appears as a tab.
  You can install and configure vShield components from the vSphere Client.

Identify DNS Services

You must specify at least one DNS server during vShield Manager setup. The specified DNS servers appear in the vShield Manager user interface.

In the vShield Manager user interface, you can specify up to three DNS servers that the vShield Manager can use for IP address and host name resolution.

To identify a DNS server
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
  The vCenter screen appears.
3 Under DNS Servers, type an IP address in Primary DNS IP Address to identify the primary DNS server.
  This server is checked first for all resolution requests.
4 (Optional) Type an IP address in the Secondary DNS IP Address field.
5 (Optional) Type an IP address in the Tertiary DNS IP Address field.
6 Click Save.


Set the vShield Manager Date and Time

You can set the date, time, and time zone of the vShield Manager. You can also specify a connection to an NTP server to establish a common network time. Date and time values are used in the system to stamp events as they occur.

To set the date and time configuration of the vShield Manager
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Date/Time.
4 In the Date and Clock field, type the date and time in the format YYYY-MM-DD HH:MM:SS.
5 In the NTP Server field, type the IP address of your NTP server.
  You can type the host name of your NTP server if you have set up DNS service.
6 From the Time Zone drop-down menu, select the appropriate time zone.
7 Click Save.

Identify a Proxy Server

If you use a proxy server for network connectivity, you can configure the vShield Manager to use the proxy server. The vShield Manager supports application-level HTTP/HTTPS proxies such as CacheFlow and Microsoft ISA Server.

To identify a proxy server
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click HTTP Proxy.
4 From the Use Proxy drop-down menu, select Yes.
5 (Optional) Type the host name of the proxy server in the Proxy Host Name field.
6 Type the IP address of the proxy server in the Proxy IP Address field.
7 Type the connecting port number on your proxy server in the Proxy Port field.
8 Type the User Name required to log in to the proxy server.
9 Type the Password associated with the user name for proxy server login.
10 Click Save.

Download a Technical Support Log from a Component

You can use the Support option to download the system log from a vShield component to your PC. A system log can be used to troubleshoot operational issues.

To download a vShield component system log
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Support.
4 Under Tech Support Log Download, click Initiate next to the appropriate component.
  Once initiated, the log is generated and uploaded to the vShield Manager. This might take several seconds.
5 After the log is ready, click the Download link to download the log to your PC.
  The log is compressed and has the proprietary file extension .blsl. You can open the log using a decompression utility by browsing for All Files in the directory where you saved the file.

Back Up vShield Manager Data

You can use the Backups option to back up vShield Manager data. See Chapter 7, Backing Up vShield Manager Data, on page 39.

View vShield Manager System Status

The Status tab displays the status of vShield Manager system resource utilization, and includes the software version details, license status, and serial number. The serial number must be registered with technical support for update and support purposes.

To view the system status of the vShield Manager
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Status.
4 (Optional) Click Version Status to review the current version of system software running on your vShield components.
  The Update Status tab appears. See View the Current System Software on page 37.

Add an SSL Certificate to Identify the vShield Manager Web Service

You can generate or import an SSL certificate into the vShield Manager to authenticate the identity of the vShield Manager web service and encrypt information sent to the vShield Manager web server. As a security best practice, you should use the generate certificate option to generate a private key and public key, where the private key is saved to the vShield Manager.

To generate an SSL certificate
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Generate Certificate Signing Request, enter the following information:

  Field               Description
  Common Name         Enter the name that matches the site name. For example, if the IP address of the vShield Manager management interface is 192.168.1.10, enter 192.168.1.10.
  Organization Unit   Enter the department in your company that is ordering the certificate.
  Organization Name   Enter the full legal name of your company.
  City Name           Enter the full name of the city in which your company resides.
  State Name          Enter the full name of the state in which your company resides.
  Country Code        Enter the two-digit code that represents your country. For example, the United States is US.
  Key Algorithm       Select the cryptographic algorithm to use from either DSA or RSA.
  Key Size            Select the number of bits used in the selected algorithm.

5 Click Generate.

To import an SSL certificate
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click SSL Certificate.
4 Under Import Signed Certificate, click Browse at Certificate File to find the file.
5 Select the type of certificate file from the Certificate File drop-down list.
6 Click Apply.


Zones Firewall Management

vShield Zones provides firewall protection and access policy enforcement. Traffic details include sources, destinations, direction of sessions, applications, and ports being used. Traffic details can be used to create firewall allow or deny rules.

NOTE You can upgrade vShield Zones to vShield App by obtaining a vShield App license. vShield App enhances vShield Zones protection by offering Flow Monitoring, custom container creation (Security Groups), and container-based access policy creation and enforcement.

You do not have to uninstall vShield Zones to install vShield App. All vShield Zones instances become vShield App instances, the Zones Firewall becomes App Firewall, and the additional vShield App features are enabled.

This chapter includes the following topics:
- Using Zones Firewall on page 27
- Create a Zones Firewall Rule on page 29
- Create a Layer 2/Layer 3 Zones Firewall Rule on page 30
- Validating Active Sessions against the Current Zones Firewall Rules on page 31
- Revert to a Previous Zones Firewall Configuration on page 31
- Delete a Zones Firewall Rule on page 32

Using Zones Firewall

Zones Firewall is a centralized, hierarchical firewall for ESX hosts. Zones Firewall enables you to create rules that allow or deny access to and from your virtual machines. Each installed vShield Zones instance enforces the Zones Firewall rules.

You can manage Zones Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set of rules across multiple vShield Zones instances under these containers. As membership in these containers can change dynamically, Zones Firewall maintains the state of existing sessions without requiring reconfiguration of firewall rules. In this way, Zones Firewall effectively has a continuous footprint on each ESX host under the managed containers.

When creating Zones Firewall rules, you create 5-tuple firewall rules based on specific source and destination IP addresses.


Default Rules
Bydefault,ZonesFirewallenforcesasetofrulesallowingtraffictopassthroughallvShieldZonesinstances. TheserulesappearintheDefaultRulessectionoftheZonesFirewalltable.Thedefaultrulescannotbedeleted oraddedto.However,youcanchangetheActionelementofeachrulefromAllowtoDeny.

Layer 4 Rules and Layer 2/Layer 3 Rules


ZonesFirewallofferstwosetsofconfigurablerules:L4(Layer4)rulesandL2/L3(Layer2/Layer3)rules.Layers refertolayersoftheOpenSystemsInterconnection(OSI)ReferenceModel. Layer4rulesgovernTCPandUDPtransportofLayer7,orapplicationspecific,traffic.Layer2/Layer3rules monitortrafficfromICMP,ARP,andotherLayer2andLayer3protocols.YoucanconfigureLayer2/Layer 3 rulesatthedatacenterlevelonly.Bydefault,allLayer4andLayer2/Layer3trafficisallowedtopass.

Hierarchy of Zones Firewall Rules


EachvShieldZonesinstanceenforcesZonesFirewallrulesintoptobottomordering.AvShieldZones instancecheckseachtrafficsessionagainstthetopruleintheZonesFirewalltablebeforemovingdownthe subsequentrulesinthetable.Thefirstruleinthetablethatmatchesthetrafficparametersisenforced. ZonesFirewallrulesareenforcedinthefollowinghierarchy: 1 2 3 4 5 DataCenterHighPrecedenceRules ClusterLevelRules DataCenterLowPrecedenceRules(seenasRulesbelowthislevelhavelowerprecedencethancluster levelruleswhenadatacenterresourceisselected) SecurePortGroupRules DefaultRules

Zones Firewall offers container level and custom priority precedence configurations:

Container level precedence refers to recognizing the datacenter level as being higher in priority than the cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and vShield agents therein. A cluster level rule is only applied to the vShield Zones instances within the cluster.

Custom priority precedence refers to the option of assigning high or low precedence to rules at the datacenter level. High precedence rules work as noted in the container level precedence description. Low precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules. This flexibility allows you to recognize multiple layers of applied precedence.

At the cluster level, you configure rules that apply to all vShield Zones instances within the cluster. Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level Rules are not in conflict with Data Center High Precedence Rules.

Planning Zones Firewall Rule Enforcement


Using Zones Firewall, you can configure allow and deny rules based on your network policy. The following examples represent two common firewall policies:

Allow all traffic by default. You keep the default allow-all rules and add deny rules based on Flow Monitoring data or manual Zones Firewall configuration. In this scenario, if a session does not match any of the deny rules, the vShield Zones instance allows the traffic to pass.

Deny all traffic by default. You can change the Action status of the default rules from Allow to Deny, and add allow rules explicitly for specific systems and applications. In this scenario, if a session does not match any of the allow rules, the vShield Zones instance drops the session before it reaches its destination. If you change all of the default rules to deny any traffic, the vShield Zones instance drops all incoming and outgoing traffic.
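The precedence hierarchy and the two default policies described above, as an added example that is not part of the original guide: a small Python model of a Zones Firewall table that orders rules by tier, evaluates a 5-tuple session top to bottom, flags cluster rules that a Data Center High Precedence rule overrides, and shows the effect of switching the Default Rules from Allow to Deny. The tier names, sample rules, addresses and sessions are constructed for illustration.

```python
"""Model of Zones Firewall first-match evaluation across precedence tiers.
Added example, not VMware code. Rule fields follow the guide (A.B.C.D/nn
addresses, single ports or low:high ranges, protocol, Allow/Deny); sample
rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Highest precedence first: the hierarchy a vShield Zones instance enforces.
TIERS = ("DC_HIGH", "CLUSTER", "DC_LOW", "PORT_GROUP", "DEFAULT")
ANY = "any"

def port_range(spec):
    """'any', '23' or '1000:1100' (colon-separated, as in the guide) -> (low, high)."""
    if spec == ANY:
        return 0, 65535
    low, _, high = spec.partition(":")
    return int(low), int(high or low)

def net_covers(outer, inner):
    """True when every address in `inner` (a /nn prefix or a host IP) lies in `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))

@dataclass
class Rule:
    tier: str
    src: str
    sport: str
    dst: str
    dport: str
    proto: str   # "TCP", "UDP" or "any"
    action: str  # "Allow" or "Deny"

    def covers(self, other):
        """True when every session matching `other` also matches this rule."""
        if self.proto != ANY and self.proto != other.proto:
            return False
        if not (net_covers(self.src, other.src) and net_covers(self.dst, other.dst)):
            return False
        for mine, theirs in ((self.sport, other.sport), (self.dport, other.dport)):
            (lo, hi), (olo, ohi) = port_range(mine), port_range(theirs)
            if not (lo <= olo and ohi <= hi):
                return False
        return True

def session(proto, src, sport, dst, dport):
    """A 5-tuple as the instance sees it, written as a fully specific Rule."""
    return Rule("SESSION", src, str(sport), dst, str(dport), proto, "")

def ordered(rules):
    """Table order the instance walks: tiers by precedence, then order within a tier."""
    return [r for tier in TIERS for r in rules if r.tier == tier]

def evaluate(rules, sess):
    """First matching rule wins; returns (action, matching rule)."""
    for rule in ordered(rules):
        if rule.covers(sess):
            return rule.action, rule
    raise ValueError("no rule matched; the Default Rules should be a catch-all")

def conflicting_cluster_rules(rules):
    """Cluster rules that never take effect because a Data Center High Precedence
    rule above them covers the same traffic with the opposite action."""
    high = [r for r in rules if r.tier == "DC_HIGH"]
    return [(c, h) for c in rules if c.tier == "CLUSTER"
            for h in high if h.action != c.action and h.covers(c)]

def set_default_action(rules, action):
    """Switch between the allow-all and deny-all policies via the Default Rules."""
    return [Rule(**{**vars(r), "action": action}) if r.tier == "DEFAULT" else r
            for r in rules]

# Constructed rule set: telnet denied at high precedence, an FTP passive range
# opened at cluster level, other TCP to 10.0.20.0/24 denied, allow-all default.
RULES = [
    Rule("DC_HIGH", ANY, ANY, ANY, "23", "TCP", "Deny"),
    Rule("CLUSTER", "192.168.10.0/24", ANY, "10.0.20.0/24", "23", "TCP", "Allow"),
    Rule("CLUSTER", ANY, ANY, "10.0.20.0/24", "1000:1100", "TCP", "Allow"),
    Rule("DC_LOW", ANY, ANY, "10.0.20.0/24", ANY, "TCP", "Deny"),
    Rule("DEFAULT", ANY, ANY, ANY, ANY, ANY, "Allow"),
]
# Constructed sessions.
TELNET = session("TCP", "192.168.10.4", 40000, "10.0.20.7", 23)
FTP_DATA = session("TCP", "192.168.10.4", 40001, "10.0.20.7", 1050)
HTTP = session("TCP", "192.168.10.4", 40002, "10.0.20.7", 80)
DNS = session("UDP", "192.168.10.4", 5000, "10.0.30.2", 53)

if __name__ == "__main__":
    for name, s in (("telnet", TELNET), ("ftp-data", FTP_DATA), ("http", HTTP), ("dns", DNS)):
        action, rule = evaluate(RULES, s)
        print(f"{name:9}-> {action:5} ({rule.tier} rule)")
    for c, h in conflicting_cluster_rules(RULES):
        print(f"cluster Allow to port {c.dport} is overridden by a DC_HIGH {h.action} rule")
    print("dns with Default Rules set to Deny ->", evaluate(set_default_action(RULES, "Deny"), DNS)[0])
```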


Chapter 4 Zones Firewall Management

Create a Zones Firewall Rule


Zones Firewall rules allow or deny traffic based on the following criteria:

Source (A.B.C.D/nn): IP address with netmask (nn) from which the communication originated.
Source Port: Port or range of ports from which the communication originated. To enter a port range, separate the low and high end of the range with a colon. For example, 1000:1100.
Destination (A.B.C.D/nn): IP address with netmask (nn) which the communication is targeting.
Destination Application: The application on the destination the source is targeting.
Destination Port: Port or range of ports which the communication is targeting. To enter a port range, separate the low and high end of the range with a colon. For example, 1000:1100.
Protocol: Transport protocol used for communication.

You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for a transmission, the transmission fails.

To create a firewall rule at the datacenter level

1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
By default, the L4 Rules option is selected. To create L2/L3 rules, see "Create a Layer 2/Layer 3 Zones Firewall Rule" on page 30.
5 Do one of the following:
Click Add to add a new rule to the Data Center Low Precedence Rules (Rules below this level have lower precedence...).
Select a row in the Data Center High Precedence Rules section of the table and click Add. A new row appears below the selected row.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.

To create a firewall rule at the cluster level

1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a cluster resource from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
By default, the L4 Rules option is selected. To create L2/L3 rules, see "Create a Layer 2/Layer 3 Zones Firewall Rule" on page 30.


5 Click Add.
A new row appears in the Cluster Level Rules section of the table.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.

To create a firewall rule at the port group level

1 In the vSphere Client, go to Inventory > Networking.
2 Select a port group from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
5 Click Add.
A new row is added at the bottom of the Secure Port Group Rules section.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.

Create a Layer 2/Layer 3 Zones Firewall Rule


The Layer 2/Layer 3 firewall enables configuration of allow or deny rules for common Data Link Layer and Network Layer requests, such as ICMP pings and traceroutes.

You can change the default Layer 2/Layer 3 rules from allow to deny based on your network security policy.

Layer 2/Layer 3 firewall rules allow or deny traffic based on the following criteria:

Source (A.B.C.D/nn): IP address with netmask (nn) from which the communication originated.
Destination (A.B.C.D/nn): IP address with netmask (nn) which the communication is targeting.
Protocol: Transport protocol used for communication.

To create a Layer 2/Layer 3 firewall rule

1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
5 Click L2/L3 Rules.
6 Click Add.
A new row is added at the bottom of the Data Center Rules section of the table.

7 Double-click each cell in the new row to type or select the appropriate information.
You can type IP addresses in the Source and Destination fields.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit.

Validating Active Sessions against the Current Zones Firewall Rules


By default, a vShield Zones instance matches firewall rules against each new session. After a session has been established, any firewall rule changes do not affect active sessions.

The CLI command validate sessions enables you to validate active sessions against the current Zones Firewall rule set to purge any sessions that are in violation of the current rule set. After a firewall rule set update, you should validate active sessions to purge any existing sessions that are in violation of the updated policy.

After the Zones Firewall update is complete, issue the validate sessions command from the CLI of a vShield Zones instance to purge sessions that are in violation of current policy.

To validate active sessions against the current firewall rules

1 Update and commit the Zones Firewall rule set at the appropriate container level.
2 Open a console session on a vShield Zones instance and issue the validate sessions command.

vShieldZones> enable
Password:
vShieldZones# validate sessions

Revert to a Previous Zones Firewall Configuration


The vShield Manager saves a snapshot of Zones Firewall settings each time you commit a new rule. Clicking Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the new rule. These snapshots are available from the Revert to Snapshot drop-down menu.

To revert to a previous Zones Firewall configuration

1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the inventory panel.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
5 From the Revert to Snapshot drop-down list, select a snapshot.
Snapshots are presented in the order of timestamps, with the most recent snapshot listed at the top.
6 View snapshot configuration details.
7 Do one of the following:
To return to the current configuration, select the option from the Revert to Snapshot drop-down list.
Click Commit to overwrite the current configuration with the snapshot configuration.


Delete a Zones Firewall Rule


You can delete any Zones Firewall rule you have created. You cannot delete any rules in the Default Rules section of the table.

To delete a Zones Firewall rule

1 Click an existing row in the Zones Firewall table.
2 Click Delete.
3 Click Commit.


User Management

Security operations are often managed by multiple individuals. Management of the overall system is delegated to different personnel according to some logical categorization. However, permission to carry out tasks is limited only to users with appropriate rights to specific resources. From the Users section, you can delegate such resource management to users by granting applicable rights.

User management in the vShield Manager user interface is separate from user management in the CLI of any vShield component.

This chapter includes the following topics:


"Managing User Rights" on page 33
"Add a User" on page 34
"Assign a Role and Rights to a User" on page 34
"Edit a User Account" on page 34
"Delete a User Account" on page 35

Managing User Rights


Within the vShield Manager user interface, a user's rights define the actions the user is allowed to perform on a given resource. Rights determine the user's authorized activities on the given resource, ensuring that a user has access only to the functions necessary to complete applicable operations. This allows domain control over specific resources, or system-wide control if your right encompasses the System resource.

The following rules are enforced:

A user can only have one right to one resource.
A user cannot add to or remove assigned rights and resources.

Table 5-1. vShield Manager User Rights

R: Read only
CRUD: Read and Write

Table 5-2. vShield Manager User Resources

System: Access to entire vShield system
Datacenter: Access to a specified datacenter resource
Cluster: Access to a specified cluster resource
None: Access to no resources


Managing the Default User Account


The vShield Manager user interface includes one default user account, user name admin, which has rights to all resources. You cannot edit the rights of or delete this user. The default password for admin is default. Change the password for this account upon initial login to the vShield Manager. See "Edit a User Account" on page 34.

Add a User
Basic user account creation requires assigning the user a login name and password.

To create a new user account

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click Create User.
The New User screen opens.
4 Type a User Name.
This is used for login to the vShield Manager user interface. This user name and associated password cannot be used to access the vShield App or vShield Manager CLIs.
5 (Optional) Type the user's Full Name for identification purposes.
6 (Optional) Type an Email Address.
7 Type a Password for login.
8 Retype the password in the Retype Password field.
9 Click OK.
After account creation, you configure right and resource assignment separately.

Assign a Role and Rights to a User


After creating a user account, you can assign the user a role and rights to system resources. The role defines the resource, and the right defines the user's access to that resource.

To assign a role and right to a user

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Double-click the Resource cell for the user.
4 From the drop-down menu that opens, select an available resource.
5 Double-click the Access Right cell for the user.
6 From the drop-down menu that opens, select an available access right.

Edit a User Account


You can edit a user account to change the password.

To edit an existing user account

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click a cell in the table row that identifies the user account.
4 Click Update User.
5 Make changes as necessary.
If you are changing the password, confirm the password by typing it a second time in the Retype Password field.
6 Click OK to save your changes.

Delete a User Account


You can delete any created user account. You cannot delete the admin account. Audit records for deleted users are maintained in the database and can be referenced in an Audit Log report.

To delete a user account

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click a cell in the table row that identifies the user account.
4 Click Delete User.


Updating System Software

vShield software requires periodic updates to maintain system performance. Using the Updates tab options, you can install and track system updates.

This chapter includes the following topics:


"View the Current System Software" on page 37
"Upload an Update" on page 37
"Review the Update History" on page 38

View the Current System Software


The current versions of vShield component software display under the Update Status tab.

To view the current system software

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Update Status.

Upload an Update
vShield updates are available as offline updates. When an update is made available, you can download the update to your PC, and then upload the update by using the vShield Manager user interface.

When the update is uploaded, the vShield Manager is updated first, after which each vShield App is updated. If a reboot of either the vShield Manager or a vShield App is required, the Update Status screen prompts you to reboot the component. In the event that both the vShield Manager and all vShield App instances must be rebooted, you must reboot the vShield Manager first, and then reboot each vShield App.

To upload an update

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Upload Settings.
4 Click Browse to locate the update.
5 After locating the file, click Upload File.


6 Click Confirm Install to confirm update installation.
There are two tables on this screen. During installation, you can view the top table for the description, start time, success state, and process state of the current update. View the bottom table for the update status of each vShield App. All vShield App instances have been upgraded when the status of the last vShield App is displayed as Finished.
7 After the vShield Manager reboots, click the Update Status tab.
8 Click Reboot Manager if prompted.
9 Click Finish Install to complete the system update.
10 Click Confirm.

Review the Update History


The Update History tab lists the updates that have already been installed, including the installation date and a brief description of each update.

To view a history of installed updates

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Update History.


Backing Up vShield Manager Data

You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. You can, however, exclude system and audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager.

Backups can be executed according to a schedule or on demand.

This chapter includes the following topics:


"Back Up Your vShield Manager Data on Demand" on page 39
"Schedule a Backup of vShield Manager Data" on page 40
"Restore a Backup" on page 40

Back Up Your vShield Manager Data on Demand


You can back up vShield Manager data at any time by performing an on-demand backup.

To back up the vShield Manager database

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
5 (Optional) Select the Exclude Audit Logs check box if you do not want to back up audit log tables.
6 Type the Host IP Address of the system where the backup will be saved.
7 (Optional) Type the Host Name of the backup system.
8 Type the User Name required to log in to the backup system.
9 Type the Password associated with the user name for the backup system.
10 In the Backup Directory field, type the absolute path where backups are to be stored.
11 Type a text string in Filename Prefix.
This text is prepended to the backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
12 From the Transfer Protocol drop-down menu, select either SFTP or FTP.
13 Click Backup.
Once complete, the backup appears in a table below this form.
14 Click Save Settings to save the configuration.


Schedule a Backup of vShield Manager Data


You can only schedule the parameters for one type of backup at any given time. You cannot schedule a configuration-only backup and a complete data backup to run simultaneously.

To schedule periodic backups of your vShield Manager data

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 From the Scheduled Backups drop-down menu, select On.
5 From the Backup Frequency drop-down menu, select Hourly, Daily, or Weekly.
The Day of Week, Hour of Day, and Minute drop-down menus are disabled based on the selected frequency. For example, if you select Daily, the Day of Week drop-down menu is disabled as this field is not applicable to a daily frequency.
6 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
7 (Optional) Select the Exclude Audit Log check box if you do not want to back up audit log tables.
8 Type the Host IP Address of the system where the backup will be saved.
9 (Optional) Type the Host Name of the backup system.
10 Type the User Name required to log in to the backup system.
11 Type the Password associated with the user name for the backup system.
12 In the Backup Directory field, type the absolute path where backups will be stored.
13 Type a text string in Filename Prefix.
This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
14 From the Transfer Protocol drop-down menu, select either SFTP or FTP, based on what the destination supports.
15 Click Save Settings.

Restore a Backup
To restore an available backup, the Host IP Address, User Name, Password, and Backup Directory fields in the Backups screen must have values that identify the location of the backup to be restored. When you restore a backup, the current configuration is overridden. If the backup file contains system event and audit log data, that data is also restored.

IMPORTANT Back up your current data before restoring a backup file.

To restore an available vShield Manager backup

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 Click View Backups to view all available backups saved to the backup server.
5 Select the check box for the backup to restore.
6 Click Restore.
7 Click OK to confirm.


System Events and Audit Logs

System events are events that are related to vShield operation. They are raised to detail every operational event, such as a vShield App reboot or a break in communication between a vShield App and the vShield Manager. Events might relate to basic operation (Informational) or to a critical error (Critical).

This chapter includes the following topics:


"View the System Event Report" on page 41
"System Event Notifications" on page 42
"Syslog Format" on page 42
"View the Audit Log" on page 43

View the System Event Report


The vShield Manager aggregates system events into a report that can be filtered by vShield App and event severity.

To view the System Event report

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the System Events tab.
3 (Optional) Select one or more vShield App instances from the vShield field.
All vShield App instances are selected by default.
4 From the and Severity drop-down menu, select a severity by which to filter results.
All severities are included by default. You can select one or more severities at a time.
5 Click View Report.
6 In the report output, click an Event Time link to view details about a specific event.


System Event Notifications


vShield Manager Virtual Appliance Events

Event: Power Off. Local CLI: Run show log follow command. GUI: NA.
Event: Power On. Local CLI: Run show log follow command. GUI: NA.
Event: Interface Down. Local CLI: Run show log follow command. GUI: NA.
Event: Interface Up. Local CLI: Run show log follow command. GUI: NA.
Event: CPU. Local CLI: Run show process monitor command. GUI: See "View vShield Manager System Status" on page 24.
Event: Memory. Local CLI: Run show system memory command. GUI: See "View vShield Manager System Status" on page 24.
Event: Storage. Local CLI: Run show filesystem command. GUI: See "View vShield Manager System Status" on page 24.

vShield App Events

Event: Power Off. Local CLI: Run show log follow command. Syslog: NA. GUI: Heartbeat failure event in System Event log. See "View the System Event Report" on page 41.
Event: Power On. Local CLI: Run show log follow command. Syslog: See "Syslog Format" on page 42. GUI: See "View the Current System Status of a vShield App" on page 64.
Event: Interface Down. Local CLI: Run show log follow command. Syslog: e1000: mgmt: e1000_watchdog_task: NIC Link is Up/Down 100 Mbps Full Duplex. For scripting on the syslog server, search for "NIC Link is". GUI: See "View the Current System Status of a vShield App" on page 64.
Event: Interface Up. Local CLI: Run show log follow command. Syslog: e1000: mgmt: e1000_watchdog_task: NIC Link is Up/Down 100 Mbps Full Duplex. For scripting on the syslog server, search for "NIC Link is". GUI: See "View the Current System Status of a vShield App" on page 64.
Event: CPU. Local CLI: Run show process monitor command. Syslog: NA. GUI: See "View the Current System Status of a vShield App" on page 64.
Event: Memory. Local CLI: Run show system memory command. Syslog: NA. GUI: See "View the Current System Status of a vShield App" on page 64.
Event: Storage. Local CLI: Run show filesystem command. Syslog: NA. GUI: See "View the Current System Status of a vShield App" on page 64.
Event: Session reset due to DoS, inactivity, or data timeouts. Local CLI: Run show log follow command. Syslog: See "Syslog Format" on page 42. GUI: Refer to the System Event Log. See "View the System Event Report" on page 41.

Syslog Format
The system event message logged in the syslog has the following structure:

syslog header (timestamp + hostname + sysmgr/)
Timestamp (from the service)
Name/value pairs
    Name and value separated by delimiter '::' (double colons)
    Each name/value pair separated by delimiter ';;' (double semi-colons)

Chapter 8 System Events and Audit Logs

The fields and types of the system event are:

Event ID :: 32 bit unsigned integer
Timestamp :: 32 bit unsigned integer
Application Name :: string
Application Submodule :: string
Application Profile :: string
Event Code :: integer (possible values: 10007 10016 10043 20019)
Severity :: string (possible values: INFORMATION LOW MEDIUM HIGH CRITICAL)
Message ::

View the Audit Log


The Audit Logs tab provides a view into the actions performed by all vShield Manager users. The vShield Manager retains audit log data for one year, after which time the data is discarded.

To view the Audit Log

1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Audit Logs tab.
3 Narrow the output by clicking one or more of the following column filters:

User Name: Select the login name of a user who performed the action.
Module: Select the vShield resource on which the action was performed.
Operation: Select the type of action performed.
Status: Select the result of the action as either Success or Failure.
Operation Span: Select the vShield component on which the action was performed. Local refers to the vShield Manager.


Uninstalling vShield Components

This chapter details the steps required to uninstall vShield components from your vCenter inventory.

This chapter includes the following topics:

"Uninstall a vShield App or vShield Zones" on page 45
"Uninstall a vShield Edge from a Port Group" on page 46
"Uninstall Port Group Isolation from an ESX Host" on page 46
"Uninstall a vShield Endpoint Module" on page 47

NOTE The vShield Quick Start Guide details installation of vShield components.

Uninstall a vShield App or vShield Zones


Uninstalling a vShield App or vShield Zones removes the agent from the network.

CAUTION Uninstalling a vShield App or vShield Zones places the ESX host in maintenance mode. After uninstallation is complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be migrated prior to uninstalling the vShield App or vShield Zones.

To uninstall a vShield App or vShield Zones instance

1 Log in to the vSphere Client.
2 Select the ESX host from the inventory tree.
3 Click the vShield tab.
4 Click Uninstall for the vShield App or vShield Zones service.
The instance is uninstalled.


Uninstall a vShield Edge from a Port Group


You can uninstall a vShield Edge from a port group by using the vSphere Client.

CAUTION If you have enabled Port Group Isolation, you must migrate or power off the virtual machines on the ESX host from which you want to uninstall a vShield Edge. Uninstalling Port Group Isolation places the ESX host in maintenance mode. After uninstallation is complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be migrated prior to uninstalling Port Group Isolation.

If you did not install and enable Port Group Isolation on an ESX host, you do not have to migrate virtual machines to uninstall a vShield Edge.

To uninstall a vShield Edge

1 Log in to the vSphere Client.
2 Go to View > Inventory > Networking.
3 Click the Edge tab.
4 Click Uninstall.

Uninstall Port Group Isolation from an ESX Host


Uninstalling Port Group Isolation requires multiple steps that must be performed in the following order.

CAUTION Uninstalling Port Group Isolation places the ESX host in maintenance mode. After uninstallation is complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be migrated prior to uninstalling Port Group Isolation.

To uninstall Port Group Isolation

1 Migrate all vShield Edge instances and their secured port groups off the ESX host from which Port Group Isolation is being uninstalled.
2 Go to View > Inventory > Networking.
3 Right-click the vDS from which Port Group Isolation will be uninstalled.
4 Select vShield > Disable Isolation.
5 Go to View > Inventory > Hosts and Clusters.
6 Click the ESX host from the vSphere Client inventory panel on which Port Group Isolation is installed.
7 Click the vShield tab.
8 Click Uninstall for the vShield Edge Port Group Isolation service.


Chapter 9 Uninstalling vShield Components

Uninstall a vShield Endpoint Module


Before you uninstall a vShield Endpoint module from the vShield Manager, you must unregister the SVM from the vShield Endpoint module.

CAUTION Uninstalling vShield Endpoint places the ESX host in maintenance mode. After uninstallation is complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be migrated prior to uninstalling vShield Endpoint.

Unregister an SVM from a vShield Endpoint Module


You must specify the virtual machine ID of the SVM to unregister the SVM from the vShield Endpoint module.

Example 9-1. Unregistering an SVM

Request:
DELETE <vshieldmanager-uri>/endpointsecurity/svm/<vmId>

Example:
DELETE /api/1.0/endpointsecurity/svm/vm-1234 HTTP/1.1
host: 10.112.199.123:80
Authorization: Basic YWRtaW46ZGVmYXVsdA==

Response:
HTTP 204 No Content: The Endpoint Security VM is successfully unregistered.
HTTP 401 Unauthorized: The username or password sent in the Authorization header is wrong.
HTTP 405 Method Not Allowed: The vmId is missing from the URI.
HTTP 400 Bad Request: Internal error codes. Refer to the Error Schema for more details.
40002=Acquiring data from VC failed for <>
40007=SVM with moid: <> not registered
40015=vmId is malformatted or of incorrect length : <>

Uninstall the vShield Endpoint Module from the vSphere Client


Uninstalling a vShield Endpoint module puts the ESX host into maintenance mode and reboots it.

CAUTION Migrate your vShield Manager and any other virtual machines to another ESX host to avoid shutting down these virtual machines during reboot.

To uninstall a vShield Endpoint module from an ESX host

1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Click Uninstall for the vShield Endpoint service.
Uninstallation removes port group epsec-vmk-1 and vSwitch epsec-vswitch-2.


vShield Edge and Port Group Isolation


10

vShield Edge Management


vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

This chapter includes the following topics:


"View the Status of a vShield Edge" on page 51
"Specify a Remote Syslog Server" on page 52
"Managing the vShield Edge Firewall" on page 52
"Manage NAT Rules" on page 53
"Manage DHCP Service" on page 54
"Manage VPN Service" on page 56
"Manage Load Balancer Service" on page 58
"Start or Stop vShield Edge Services" on page 59

View the Status of a vShield Edge


The Status option presents the network configuration and status of services of a vShield Edge module. Details include interface addressing and network ID. You can use the network ID to send REST API commands to a vShield Edge module.

To view the status of a vShield Edge

1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the Edge tab.
4 Click the Status link.


Specify a Remote Syslog Server


You can send vShield Edge events, such as violated firewall rules, to a syslog server.

To specify a remote syslog server

1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the Status link.
5 Under Remote Syslog Servers, place the cursor in the top text box and type the IP address of a remote syslog server.
6 Click Commit to save the configuration.

Managing the vShield Edge Firewall


The vShield Edge provides firewall protection for incoming and outgoing sessions. The default firewall policy allows all traffic to pass. In addition to the default firewall policy, you can configure a set of rules to allow or deny traffic sessions to and from specific sources and destinations. You manage the default firewall policy and firewall rule set separately for each vShield Edge agent.

You can change the Default Policy from Allow to Deny on a vShield Edge to deny any sessions that do not match any of the current firewall rules.

Create a vShield Edge Firewall Rule


vShield Edge firewall rules police traffic based on the following criteria:

Source IP: IP address from which the communication originated. To enter an IP address range, use a hyphen. For example, 192.168.10.1-192.168.10.5.
Source Port: Port or range of ports from which the communication originated. To enter a port range, use a hyphen. For example, 1000-1100.
Destination IP: IP address which the communication is targeting. To enter an IP address range, use a hyphen. For example, 192.168.10.1-192.168.10.5.
Destination Port: Port or range of ports which the communication is targeting. To enter a port range, use a hyphen. For example, 1000-1100.
Protocol: Transport protocol used for communication.
Direction: Direction of transmission. Options are IN, OUT, or BOTH.
Action: Action to enforce on transmission. Options are ALLOW or DENY. The default action on all traffic is ALLOW.

You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for a transmission, the transmission is blocked.

To create a vShield Edge firewall rule

1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the Firewall link.


5 Click Add.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
You must type IP addresses in the Source and Destination fields.
7 (Optional) Click Log to send log events to a specified syslog server when the firewall rule is violated.
8 (Optional) Select the new row and click Move Up to move the rule up in priority.
9 Click Commit to save the rule.

Validate Active Sessions Against Current vShield Edge Firewall Rules


Bydefault,avShieldEdgematchesfirewallrulesagainsteachnewsession.Afterasessionhasbeen established,anyfirewallrulechangesdonotaffectactivesessions. TheCLIcommandvalidate sessionsenablesyoutovalidateactivesessionsagainstthecurrentvShield Edgefirewallrulesettopurgeanysessionsthatareinviolationofthecurrentruleset.Afterafirewallruleset update,youshouldvalidateactivesessionstopurgeanyexistingsessionsthatareinviolationoftheupdated policy. AfteravShieldEdgefirewallupdateiscomplete,issuethevalidate sessionscommandfromtheCLIofa vShieldEdgeinstancetopurgesessionsthatareinviolationofcurrentpolicy. To validate active sessions against the current firewall rules 1 2 UpdateandcommitthevShieldEdgefirewallruleset. OpenaconsolesessiononavShieldEdgeinstancetoissuethevalidate sessionscommand.
vShieldEdge> validate sessions
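The rule matching and the session purge described above, as an added illustration in Python (not VMware code, and not the appliance's own matching engine): rules are checked in table order with ALLOW as the default action, and validate_sessions re-checks sessions that were established before a rule-set commit. The "any" wildcard, the addresses and the sessions are assumptions of the example.

```python
"""Model of vShield Edge firewall rule matching and of the 'validate sessions'
purge described above. Added illustration, not VMware code or the appliance's
own matching engine; the rules, addresses and sessions below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

def parse_ip_range(text):
    """'192.168.10.1-192.168.10.5' -> (first, last); one address is a one-host range."""
    first, _, last = text.partition("-")
    return ip_address(first), ip_address(last or first)

def parse_port_range(text):
    """'1000-1100' -> (1000, 1100); one port is a one-port range."""
    first, _, last = text.partition("-")
    return int(first), int(last or first)

def in_ip_range(spec, ip):
    if spec == "any":            # wildcard: an assumption of this model
        return True
    low, high = parse_ip_range(spec)
    return low <= ip_address(ip) <= high

def in_port_range(spec, port):
    if spec == "any":            # wildcard: an assumption of this model
        return True
    low, high = parse_port_range(spec)
    return low <= port <= high

@dataclass(frozen=True)
class EdgeRule:
    """One row of the vShield Edge firewall table (see the criteria above)."""
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    protocol: str     # transport protocol, e.g. TCP or UDP
    direction: str    # IN, OUT or BOTH
    action: str       # ALLOW or DENY

    def matches(self, s):
        return (in_ip_range(self.src_ip, s.src_ip)
                and in_port_range(self.src_port, s.src_port)
                and in_ip_range(self.dst_ip, s.dst_ip)
                and in_port_range(self.dst_port, s.dst_port)
                and self.protocol.upper() == s.protocol.upper()
                and self.direction in ("BOTH", s.direction))

@dataclass(frozen=True)
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    direction: str    # IN or OUT, as seen by the vShield Edge

DEFAULT_ACTION = "ALLOW"   # per the criteria table, the default action on all traffic is ALLOW

def decide(rules, session):
    """Rules are checked in table order (Move Up raises a rule's priority);
    the first matching rule decides, otherwise the default action applies."""
    for rule in rules:
        if rule.matches(session):
            return rule.action
    return DEFAULT_ACTION

def validate_sessions(rules, active):
    """What 'validate sessions' does after a rule-set commit: re-check every
    established session against the current rules and purge the violators.
    Returns (kept, purged)."""
    kept = [s for s in active if decide(rules, s) == "ALLOW"]
    purged = [s for s in active if decide(rules, s) == "DENY"]
    return kept, purged

# Constructed scenario: sessions established while the rule set was still allow-all.
ACTIVE = [
    Session("192.168.10.3", 51000, "10.0.0.5", 22, "TCP", "IN"),   # SSH from inside the range
    Session("192.168.10.9", 51001, "10.0.0.5", 22, "TCP", "IN"),   # SSH from outside the range
    Session("192.168.10.3", 51002, "10.0.0.5", 80, "TCP", "IN"),   # HTTP from inside the range
]

# Rule set committed afterwards: deny inbound SSH from 192.168.10.1-192.168.10.5.
NEW_RULES = [
    EdgeRule("192.168.10.1-192.168.10.5", "any", "10.0.0.5", "22", "TCP", "IN", "DENY"),
]

if __name__ == "__main__":
    kept, purged = validate_sessions(NEW_RULES, ACTIVE)
    print("kept %d session(s), purged %d" % (len(kept), len(purged)))
```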

Manage NAT Rules


The vShield Edge provides network address translation (NAT) service to protect the IP addresses of internal, private networks from the public network. You must configure NAT rules to provide access to services running on privately addressed virtual machines.

The NAT service configuration is separated into SNAT and DNAT rules. An SNAT rule translates a private internal IP address into a public IP address for outbound traffic. A DNAT rule maps a public IP address to a private internal IP address.

NAT rules adhere to the following criteria:

Criteria                                                   Description
Original (Internal) Source IP/Range                        SNAT only. Internal IP address or IP address range of protected virtual machines. To enter an IP address range, use a hyphen. For example, 192.168.10.1-192.168.10.5.
Translated (External) Source IP/Range                      SNAT only. External IP address or IP address range used to masquerade internal addressing of protected virtual machines. To enter an IP address range, use a hyphen. For example, 192.168.10.1-192.168.10.5.
Translated (Internal) Destination IP/Range and Port/Range  DNAT only. Internal IP address or IP address range of protected virtual machines. To enter an IP address range, use a hyphen. For example, 192.168.10.1-192.168.10.5.
Original (External) Destination IP/Range and Port/Range    DNAT only. External IP address or IP address range used to masquerade internal addressing of protected virtual machines. To enter an IP address range, use a hyphen. For example, 192.168.10.1-192.168.10.5.
Protocol                                                   DNAT only. Transport protocol used for communication.
Log                                                        Select the check box to send NAT events to a configured syslog server.


To configure an SNAT rule for a vShield Edge
1  In the vSphere Client, go to Inventory > Networking.
2  Select an Internal port group where a vShield Edge has been installed.
3  Click the vShield Edge tab.
4  Click the NAT link.
5  Under Direction OUT (SNAT), click Add Rule.
   A new row appears in the table.
6  Double-click each cell in the row to enter the appropriate information.
7  Click Commit to save the rule.

To configure a DNAT rule for a vShield Edge
1  In the vSphere Client, go to Inventory > Networking.
2  Select an Internal port group where a vShield Edge has been installed.
3  Click the vShield Edge tab.
4  Click the NAT link.
5  Under Direction In (DNAT), click Add Rule.
   A new row appears in the table.
6  Double-click each cell in the row to enter or select the appropriate information.
7  Click Commit to save the rule.

Manage DHCP Service


vShield Edge supports IP address pooling and one-to-one static IP address allocation. Static IP address binding is based on the vCenter managed object ID and interface ID of the requesting client.

vShield Edge DHCP service adheres to the following rules:

- Listens on the vShield Edge internal interface for DHCP discovery.
- Uses the IP address of the internal interface on the vShield Edge as the default gateway address for all clients, and the broadcast and subnet mask values of the internal interface for the container network.

To add a DHCP IP pool
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the DHCP link.
5  Under IP Pools, click Add Pool.
   A new row appears in the table.
6  Double-click each cell in the row to enter or select the appropriate information.
   The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP address of a DNS server for hostname-to-IP address resolution.
   The Domain Name and Lease Time fields are optional. The default lease time is one day.


7  Click Commit to save the rule.
8  If DHCP service has not been enabled, enable DHCP service.
   See Start or Stop vShield Edge Services on page 59.

To add a DHCP static binding
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the DHCP link.
5  Under Static Bindings, click Add Bindings.
   A new row appears in the table.
6  Double-click each cell in the row to enter or select the appropriate information.
   The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP address of a DNS server for hostname-to-IP address resolution.
   The Domain Name and Lease Time fields are optional. The default lease time is one day.
7  Click Commit to save the rule.
8  If DHCP service has not been enabled, enable DHCP service.
   See Start or Stop vShield Edge Services on page 59.


Manage VPN Service


vShield Edge modules support site-to-site IPSec VPN between a vShield Edge and remote sites.

Figure 10-1. vShield Edge Providing VPN Access from a Remote Site to a Secured Port Group

At this time, vShield Edge supports pre-shared key mode, IP unicast traffic, and no dynamic routing protocol between the vShield Edge and remote VPN routers. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind a vShield Edge through IPSec tunnels. These subnets and the internal network behind a vShield Edge must have non-overlapping address ranges.

You can deploy a vShield Edge agent behind a NAT device. In this deployment, the NAT device translates the VPN address of a vShield Edge into a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the vShield Edge.

Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native address and the NAT public address to set up the tunnel.

On both ends, static one-to-one NAT is required for the VPN address.

To configure VPN on a vShield Edge
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the VPN link.
5  Type an External IP Address for the VPN service on the vShield Edge.
6  Type the NATed Public IP that represents the External IP Address to the external network.
7  Select the Log check box to log VPN activity.
8  Click Apply.
   Next, identify a peer site.


To identify a VPN peer site
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the VPN link.
5  Under Peer Site Configuration, click Create Site.
6  Type a name to identify the site in Site Name.
7  Type the IP address of the site in Remote End Point.
8  Type the Shared Secret.
9  Type an MTU threshold.
10 Click Add.
   Next, add a tunnel to connect to the site.

To identify a VPN peer tunnel
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the VPN link.
5  Under Peer Site Configuration, select the appropriate peer from the Select or create a site drop-down list.
6  Click Add Tunnel.
7  Double-click the Tunnel Name cell and type a name to identify the tunnel.
8  Double-click the Remote Site Subnet cell and enter the IP address in CIDR format (A.B.C.D/M).
9  Double-click the Encryption cell and select the appropriate encryption type.
10 Click Commit.
11 Enable VPN service. See Start or Stop vShield Edge Services on page 59.


Manage Load Balancer Service


The vShield Edge provides load balancing for HTTP traffic. Load balancing (up to Layer 7) enables Web application auto-scaling.

Figure 10-2. vShield Edge Providing Load Balancing Service for Protected Virtual Machines

You map an external (or public) IP address to a set of internal servers for load balancing. The load balancer accepts HTTP requests on the external IP address and decides which internal server to use. Port 80 is the default listening port for load balancer service.

To configure load balancer service
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the Load Balancer link.
5  Click Add Configuration above the External IP Addresses table.
   A new row appears in the table.
6  Enter the External IP Address for the service.
7  Select the routing algorithm from the Algorithm drop-down list.
8  (Optional) Select the Log check box to send a syslog event for each request to the external IP address.
9  Click Add.
10 Enter the IP address of the first web server and click Add.
   You can add additional web servers in the same manner.
11 Click Commit.
12 If load balancer service has not been enabled, enable the service.
   See Start or Stop vShield Edge Services on page 59.


Start or Stop vShield Edge Services


You can start and stop the VPN, DHCP, and load balancing services of a vShield Edge from the vSphere Client. By default, all services are stopped, or in Not Configured state.

NOTE  You should configure a service before starting it.

To manage services on a vShield Edge
1  In the vSphere Client, go to Inventory > Networking.
2  Select an internal port group that is protected by a vShield Edge.
3  Click the vShield Edge tab.
4  Click the Status link.
5  Under Edge Services, select a service and click Start to start the service.
   Select a service and click Stop to stop a running service.
6  If a service has been started but is not responding, click Refresh Status to send a synchronization request from the vShield Manager to the vShield Edge.


vShield App and vShield Endpoint


11 vShield App Management

vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.

vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.

You can monitor the health of vShield App instances by using the vShield Manager user interface and by sending vShield App system events to a syslog server.

This chapter includes the following topics:

- Send vShield App System Events to a Syslog Server on page 63
- Back Up the Running CLI Configuration of a vShield App on page 64
- View the Current System Status of a vShield App on page 64

Send vShield App System Events to a Syslog Server


You can send vShield App system events to a syslog server.

To send vShield App system events to a syslog server
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click Syslog Servers.
5  Type the IP Address of the syslog server.
6  From the Log Level drop-down menu, select the event level at and above which to send vShield App events to the syslog server.
   For example, if you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.
7  Click Add to save new settings. You can send vShield App events to up to five syslog instances.


Back Up the Running CLI Configuration of a vShield App


The CLI Configuration option displays the running configuration of the vShield App. You can back up the running configuration to the vShield Manager to preserve the configuration.

To back up the running CLI configuration of a vShield App
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click CLI Configuration.
5  Click Backup Configuration.
   The configuration is populated in the Backup Configuration field. You can cut and paste this text into the vShield App CLI at the Configuration mode prompt.

View the Current System Status of a vShield App


The System Status option lets you view and influence the health of a vShield App. Details include system statistics, status of interfaces, software version, and environmental variables.

To view the health of a vShield App
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click System Status.
   From the System Status screen, you can perform the following actions:

- Force a vShield App to Synchronize with the vShield Manager on page 64
- Restart a vShield App on page 65
- View Traffic Statistics by vShield App Interface on page 65
- Download the Firewall Logs of a vShield App on page 65

Force a vShield App to Synchronize with the vShield Manager


The Force Sync option forces a vShield App to re-synchronize with the vShield Manager. This might be necessary after a software upgrade.

To force a vShield App to re-synchronize with the vShield Manager
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click System Status.
5  Click Force Sync.


Restart a vShield App


You can restart a vShield App to troubleshoot an operational issue.

To restart a vShield App
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click System Status.
5  Click Restart.
6  Click OK in the pop-up window to confirm reboot.

View Traffic Statistics by vShield App Interface


You can view the traffic statistics for each vShield interface.

To view traffic statistics by vShield port
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click System Status.
5  Click an interface under the Port column to view traffic statistics.
   For example, to view the traffic statistics for the vShield App management interface, click mgmt.

Download the Firewall Logs of a vShield App


You can download a log of the firewall activity from a vShield App. The firewall log details the results of the firewall operation based on matching firewall rules against traffic.

To download and view the firewall log for a vShield App
1  Log in to the vShield Manager user interface.
2  Select a vShield App from the inventory panel.
3  Click the Configuration tab.
4  Click System Status.
5  Under App Firewall, click Show Logs.
   The vShield App uploads the log to the vShield Manager.
6  To download the log from the vShield Manager to your PC, click Download App Firewall Logs.


12 Flow Monitoring

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network that passed through a vShield App. The Flow Monitoring output defines which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports being used. Session details can be used to create App Firewall allow or deny rules.

You can use Flow Monitoring as a forensic tool to detect rogue services and examine outbound sessions.

This chapter includes the following topics:

- Using Flow Monitoring on page 67
- View a Specific Application in the Flow Monitoring Charts on page 68
- Change the Date Range of the Flow Monitoring Charts on page 68
- View the Flow Monitoring Report on page 68
- Add an App Firewall Rule from the Flow Monitoring Report on page 69
- Editing Port Mappings on page 70

Using Flow Monitoring


The Flow Monitoring tab displays throughput statistics as returned by a vShield App. Flow Monitoring displays traffic statistics in three charts:

- Sessions/hr: Total number of sessions per hour
- Server KBytes/hr: Number of outgoing kilobytes per hour
- Client/hr: Number of incoming kilobytes per hour

Flow Monitoring organizes statistics by the application protocols used in client-server communications, with each color in a chart representing a different application protocol. This charting method enables you to track your server resources per application.

Traffic statistics display all inspected sessions within the time span specified. The last seven days of data are displayed by default.


View a Specific Application in the Flow Monitoring Charts


You can select a specific application to view in the charts by clicking the Application drop-down menu.

To view the data for a specific application in the Flow Monitoring charts
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a datacenter or cluster resource from the resource tree.
3  Click the vShield App tab.
4  Click Flow Monitoring.
5  From the Application drop-down menu, select the application to view.
   The Flow Monitoring charts are refreshed to show data corresponding to the selected application.

Change the Date Range of the Flow Monitoring Charts


You can change the date range of the Flow Monitoring charts for a historical view of traffic data.

To change the date range of the Flow Monitoring chart
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a datacenter or cluster resource from the resource tree.
3  Click the vShield App tab.
4  Click Flow Monitoring.
   The charts are updated to display the most current information for the last seven days. This might take several seconds.
5  In the Start Date field, type a new date.
   This date represents the date furthest in the past on which to start the query.
6  Type a new date in the End Date field.
   This represents the most recent date on which to stop the query.
7  Click Update Chart.

View the Flow Monitoring Report


The Flow Monitoring report presents the traffic statistics in tabular format. The report supports drilling down into traffic statistics based on the following hierarchy:
1  Select the firewall action: Allowed or Blocked.
2  Select an L4 or L2/L3 protocol.
   - L4: TCP or UDP
   - L2/L3: ICMP, Other IPv4, or ARP
3  If an L2/L3 protocol was selected, select an L2/L3 protocol or message type.
4  Select the traffic direction: Incoming, Outgoing, or Intra (between virtual machines).
5  Select the port type: Categorized (standardized ports) or Uncategorized (non-standardized ports).
6  Select an application protocol or port.


7  Select a destination IP address.
8  Select a source IP address.
   At the source IP address level, you can create an App Firewall rule based on the specific source and destination IP addresses.
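The drill-down hierarchy above, together with the port mappings table the report uses to label ports as Categorized or Uncategorized, as an added Python illustration (not VMware code): the flow records and port mappings are constructed sample data, and rule_from_flow shows the fields the report hands to App Firewall at the source IP level.

```python
"""Model of the Flow Monitoring report drill-down and of the port mappings table
described above. Added illustration, not VMware code; the flow records and
port mappings below are constructed sample data."""

# Constructed subset of the default application/port mappings (HTTP over port 80
# is the example the guide gives); a key is (transport protocol, port).
DEFAULT_PORT_MAPPINGS = {
    ("TCP", 80): "HTTP",
    ("TCP", 443): "HTTPS",
    ("UDP", 53): "DNS",
}

# Constructed flow summaries as a vShield App might report them.
SAMPLE_FLOWS = [
    {"action": "Allowed", "protocol": "TCP", "direction": "Incoming", "dst_port": 443,
     "dst_ip": "10.1.1.10", "src_ip": "203.0.113.7",
     "sessions": 12, "packets": 480, "bytes": 61440},
    {"action": "Allowed", "protocol": "TCP", "direction": "Intra", "dst_port": 8443,
     "dst_ip": "10.1.1.20", "src_ip": "10.1.1.10",
     "sessions": 3, "packets": 90, "bytes": 12000},
    {"action": "Blocked", "protocol": "TCP", "direction": "Outgoing", "dst_port": 6667,
     "dst_ip": "198.51.100.9", "src_ip": "10.1.1.20",
     "sessions": 40, "packets": 40, "bytes": 2400},
    {"action": "Allowed", "protocol": "ICMP", "direction": "Incoming",
     "message": "echo-request", "dst_ip": "10.1.1.10", "src_ip": "203.0.113.7",
     "sessions": 5, "packets": 5, "bytes": 420},
]

def drill_path(flow, mappings):
    """Report keys for one flow in drill-down order: firewall action, layer,
    protocol (plus message type for L2/L3), direction, port type, application
    or port, destination IP, source IP. The port type and application levels
    are modelled for L4 flows only."""
    if flow["protocol"] in ("TCP", "UDP"):
        app = mappings.get((flow["protocol"], flow["dst_port"]))
        port_type = "Categorized" if app else "Uncategorized"
        return (flow["action"], "L4", flow["protocol"], flow["direction"], port_type,
                app or "port %d" % flow["dst_port"], flow["dst_ip"], flow["src_ip"])
    return (flow["action"], "L2/L3", flow["protocol"], flow["message"],
            flow["direction"], flow["dst_ip"], flow["src_ip"])

def build_report(flows, mappings):
    """Nest the flows into a tree keyed by drill_path; each source-IP leaf holds
    the summed sessions, packets and bytes under '_totals'."""
    report = {}
    for flow in flows:
        node = report
        for key in drill_path(flow, mappings):
            node = node.setdefault(key, {})
        totals = node.setdefault("_totals", {"sessions": 0, "packets": 0, "bytes": 0})
        for metric in totals:
            totals[metric] += flow[metric]
    return report

def lookup(report, path):
    """Totals at the end of a drill-down path, or None if nothing was recorded there."""
    node = report
    for key in path:
        node = node.get(key)
        if node is None:
            return None
    return node.get("_totals")

def uncategorized(flows, mappings):
    """Flows that no port mapping describes: candidates for a custom mapping, and
    the first place to look when checking for services on non-standard ports."""
    return [f for f in flows if "Uncategorized" in drill_path(f, mappings)]

def rule_from_flow(flow, action):
    """The Layer 4 App Firewall rule fields offered at the source IP level of the
    report, using the A.B.C.D/nn source and destination form of the rule table."""
    if flow["protocol"] not in ("TCP", "UDP"):
        raise ValueError("only Layer 4 flows become Layer 4 rules")
    return {"Source": flow["src_ip"] + "/32", "Destination": flow["dst_ip"] + "/32",
            "Protocol": flow["protocol"], "Destination Port": str(flow["dst_port"]),
            "Action": action}
```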

To view the Flow Monitoring report
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a datacenter or cluster resource from the resource tree.
3  Click the vShield App tab.
4  Click Flow Monitoring.
   The charts update to display the most current information for the last seven days. This might take several seconds.
5  Click Show Report.
6  Drill down into the report.
7  Click Show Latest to update the report statistics.

Add an App Firewall Rule from the Flow Monitoring Report


By drilling down into the traffic data, you can evaluate the use of your resources and send session information to App Firewall to create a new Layer 4 allow or deny rule. App Firewall rule creation from Flow Monitoring data is available at the datacenter and cluster levels only.

To add an App Firewall rule from the Flow Monitoring report
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a datacenter resource from the resource tree.
3  Click the vShield App tab.
4  Click Flow Monitoring.
   The charts update to display the most current information for the last seven days. This might take several seconds.
5  Click Show Report.
6  Expand the firewall action list.
7  Expand the Layer 4 protocol list.
8  Expand the traffic direction list.
9  Expand the port type list.
10 Expand the application or port list.
11 Expand the destination IP address list.
12 Review the source IP addresses.
13 Select the Zones Firewall column radio button for a source IP address to create an App Firewall rule.
   A pop-up window opens. Click Ok to proceed.
   The App Firewall table appears. A new table row is displayed at the bottom of the Data Center Low Precedence Rules or Cluster Level Rules section with the session information completed.


14 (Optional) Double-click the Action column cell to change the value to Allow or Deny.
15 (Optional) With the new row selected, click Up to move the rule up in priority.
16 (Optional) Select the Log check box to log all sessions matching this rule.
17 Click Commit to save the rule.

Delete All Recorded Flows


At the datacenter level, you can delete the data for all recorded traffic sessions within the datacenter. This clears the data from charts, the report, and the database. Typically, this is only used when moving your vShield Zones deployment from a lab environment to a production environment. If you must maintain a history of traffic sessions, do not use this feature.

To delete traffic statistics for a datacenter
1  Select a datacenter resource from the inventory panel.
2  Click the Flow Monitoring tab.
3  Click Delete All Flows.
4  Click Ok in the pop-up window to confirm deletion.

CAUTION  You cannot recover traffic data after you click Delete All Flows.

Editing Port Mappings


When you click Edit Port Mappings, a table appears, listing well-known applications and protocols, their respective ports, and a description. vShield recognizes common protocol and port mappings, such as HTTP over port 80. Your organization might employ an application or protocol that uses a non-standard port. In this case, you can use Edit Port Mappings to identify a custom protocol-port pair. Your custom mapping appears in the Flow Monitoring report output.

The Edit Port Mappings table offers complete management capabilities, and provides a model for you to follow. You cannot edit or delete the default entries.

Add an Application-Port Pair Mapping


You can add a custom application-port mapping to the port mappings table.

To add an application port-pair mapping
1  Go to Inventory > Networking in the vSphere Client.
2  Select a port group from the inventory panel.
3  Click the Flow Monitoring tab.
4  Click Edit Port Mappings.
5  Click a row in the table.
6  Click Add.
   A new row is inserted above the selected row.
7  Double-click the Application cell and type the application name.
8  Double-click the Port Number cell and type the port number.
9  Double-click the Protocol cell to select the transport protocol.


10 Double-click the Resource cell to select the container in which to enforce the new mapping.
   The ANY value adds the port mapping to all containers.
11 Double-click the Description cell and type a brief description.
12 Click Hide Port Mappings.

Delete an Application-Port Pair Mapping


You can delete any application-port pair mapping from the table. When you delete a mapping, any traffic to the application-port pair is listed as Uncategorized in the Flow Monitoring statistics.

To delete an application-port pair mapping
1  Go to Inventory > Networking in the vSphere Client.
2  Select a port group from the inventory panel.
3  Click the Flow Monitoring tab.
4  Click Edit Port Mappings.
5  Click a row in the table.
6  Click Delete to delete it from the table.

Hide the Port Mappings Table


When you click Edit Port Mappings, the label changes from Edit Port Mappings to Hide Port Mappings. Click Hide Port Mappings.


13 App Firewall Management

vShield App provides firewall protection through access policy enforcement. The App Firewall tab represents the vShield App firewall access control list.

NOTE  App Firewall rules apply to vShield App instances, but not vShield Edge or vShield Endpoint instances. The Zones Firewall tab becomes the App Firewall tab when the vShield App license is activated.

This chapter includes the following topics:

- Using App Firewall on page 73
- Create an App Firewall Rule on page 75
- Create a Layer 2/Layer 3 App Firewall Rule on page 77
- Creating and Protecting Security Groups on page 77
- Validating Active Sessions against the Current App Firewall Rules on page 78
- Revert to a Previous App Firewall Configuration on page 79
- Delete an App Firewall Rule on page 79

Using App Firewall


The App Firewall service is a centralized, hierarchical firewall for ESX hosts. App Firewall enables you to create rules that allow or deny access to and from your virtual machines. Each installed vShield App enforces the App Firewall rules.

You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set of rules across multiple vShield App instances under these containers. As membership in these containers can change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the managed containers.

Securing Containers and Designing Security Groups


When creating App Firewall rules, you can create rules based on traffic to or from a specific container that encompasses all of the resources within that container. For example, you can create a rule to deny any traffic from inside of a cluster that targets a specific destination outside of the cluster. You can create a rule to deny any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or destination, all IP addresses within that container are included in the rule.

A security group is a trust zone that you create and assign resources to for App Firewall protection. Security groups are containers, like a vApp or a cluster. Security groups enable you to create a container by assigning resources arbitrarily, such as virtual machines and network adapters. After the security group is defined, you add the group as a container in the source or destination field of an App Firewall rule. See Creating and Protecting Security Groups on page 77.

Default Rules
By default, the App Firewall enforces a set of rules allowing traffic to pass through all vShield App instances. These rules appear in the Default Rules section of the App Firewall table. The default rules cannot be deleted or added to. However, you can change the Action element of each rule from Allow to Deny.

Layer 4 Rules and Layer 2/Layer 3 Rules


The App Firewall tab offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model.

Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules monitor traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3 rules at the datacenter level only. By default, all Layer 4 and Layer 2/Layer 3 traffic is allowed to pass.

Hierarchy of App Firewall Rules


Each vShield App enforces App Firewall rules in top-to-bottom ordering. A vShield App checks each traffic session against the top rule in the App Firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

The rules are enforced in the following hierarchy:
1  Data Center High Precedence Rules
2  Cluster Level Rules
3  Data Center Low Precedence Rules (seen as Rules below this level have lower precedence than cluster level rules when a datacenter resource is selected)
4  Secure Port Group Rules
5  Default Rules

App Firewall offers container-level and custom priority precedence configurations:

- Container-level precedence refers to recognizing the datacenter level as being higher in priority than the cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and vShield agents therein. A cluster-level rule is only applied to the vShield App within the cluster.
- Custom priority precedence refers to the option of assigning high or low precedence to rules at the datacenter level. High precedence rules work as noted in the container-level precedence description. Low precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules. This flexibility allows you to recognize multiple layers of applied precedence.

At the cluster level, you configure rules that apply to all vShield App instances within the cluster. Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level Rules are not in conflict with Data Center High Precedence Rules.

Planning App Firewall Rule Enforcement


Using App Firewall, you can configure allow and deny rules based on your network policy. The following examples represent two common firewall policies:

- Allow all traffic by default. You keep the default allow all rules and add deny rules based on Flow Monitoring data or manual App Firewall rule configuration. In this scenario, if a session does not match any of the deny rules, the vShield App allows the traffic to pass.
- Deny all traffic by default. You can change the Action status of the default rules from Allow to Deny, and add allow rules explicitly for specific systems and applications. In this scenario, if a session does not match any of the allow rules, the vShield App drops the session before it reaches its destination. If you change all of the default rules to deny any traffic, the vShield App drops all incoming and outgoing traffic.
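The precedence hierarchy and the two default policies described above, as an added Python illustration (not VMware code): datacenter rules are inherited by every cluster, cluster rules apply only inside their own cluster, the first match wins walking the tiers top to bottom, and the Default Rules row decides whatever nothing else matched. The container names, addresses, rules and sessions are constructed.

```python
"""Model of the App Firewall precedence tiers and of the allow-by-default and
deny-by-default policies described above. Added illustration, not VMware code;
the containers, addresses, rules and sessions below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed vCenter containers and one security group: a container named in a
# rule stands for every IP address inside it.
CONTAINERS = {
    "dc-east": ["10.1.0.0/16"],
    "cluster-web": ["10.1.1.0/24"],
    "cluster-db": ["10.1.2.0/24"],
    "sg-admins": ["10.1.1.10/32", "10.1.1.11/32"],   # security group of two vNICs
}

# Tiers in the order a vShield App walks them (top of the App Firewall table first).
TIERS = ("DC_HIGH", "CLUSTER", "DC_LOW", "PORT_GROUP", "DEFAULT")

@dataclass(frozen=True)
class AppRule:
    tier: str
    scope: str         # cluster or port group the rule belongs to; "datacenter" otherwise
    source: str        # container name, A.B.C.D/nn, or "any"
    destination: str
    protocol: str      # TCP, UDP or "any"
    dst_port: str      # "22", "1000:1100" (colon-separated range) or "any"
    action: str        # Allow or Deny

@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    cluster: str       # cluster whose vShield App inspects this session
    port_group: str

def in_container(spec, ip):
    if spec == "any":
        return True
    networks = CONTAINERS.get(spec, [spec])   # a literal A.B.C.D/nn is its own network
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)

def port_matches(spec, port):
    if spec == "any":
        return True
    low, _, high = spec.partition(":")
    return int(low) <= port <= int(high or low)

def rule_applies(rule, s):
    """Cluster and port group rules are enforced only inside their own container;
    datacenter rules are inherited by every cluster."""
    if rule.tier == "CLUSTER":
        return rule.scope == s.cluster
    if rule.tier == "PORT_GROUP":
        return rule.scope == s.port_group
    return True

def rule_matches(rule, s):
    return (in_container(rule.source, s.src_ip)
            and in_container(rule.destination, s.dst_ip)
            and rule.protocol in ("any", s.protocol)
            and port_matches(rule.dst_port, s.dst_port))

def decide(rules, s):
    """Walk the tiers top to bottom, keeping table order inside each tier
    (sorted is stable, so 'Up' in the UI corresponds to list order here).
    The first matching rule wins; the Default Rules match everything."""
    for rule in sorted(rules, key=lambda r: TIERS.index(r.tier)):
        if rule_applies(rule, s) and rule_matches(rule, s):
            return rule.action, rule.tier
    raise ValueError("rule set has no Default Rules")

def default_rule(action):
    """The Default Rules row, whose Action can be changed from Allow to Deny."""
    return AppRule("DEFAULT", "datacenter", "any", "any", "any", "any", action)

# Constructed rule set: admins may SSH anywhere (datacenter high precedence),
# the DB cluster denies SSH into itself, and web servers may reach MySQL.
RULES = [
    AppRule("DC_HIGH", "datacenter", "sg-admins", "dc-east", "TCP", "22", "Allow"),
    AppRule("CLUSTER", "cluster-db", "any", "cluster-db", "TCP", "22", "Deny"),
    AppRule("DC_LOW", "datacenter", "cluster-web", "cluster-db", "TCP", "3306", "Allow"),
]

ADMIN_SSH = Session("10.1.1.10", "10.1.2.5", "TCP", 22, "cluster-db", "pg-db")
WEB_SSH = Session("10.1.1.20", "10.1.2.5", "TCP", 22, "cluster-db", "pg-db")
WEB_MYSQL = Session("10.1.1.20", "10.1.2.5", "TCP", 3306, "cluster-db", "pg-db")
WEB_HTTP = Session("10.1.1.20", "10.1.2.5", "TCP", 80, "cluster-db", "pg-db")

def evaluate(policy_default):
    """Decide the four sessions under an allow-all or deny-all default policy."""
    rules = RULES + [default_rule(policy_default)]
    return {name: decide(rules, s)[0] for name, s in
            [("admin_ssh", ADMIN_SSH), ("web_ssh", WEB_SSH),
             ("web_mysql", WEB_MYSQL), ("web_http", WEB_HTTP)]}
```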


Create an App Firewall Rule


App Firewall rules allow or deny traffic based on the following criteria:

Criteria                  Description
Source (A.B.C.D/nn)       Container, direction in relation to container, or IP address with netmask (nn) from which the communication originated.
Source Port               Port or range of ports from which the communication originated. To enter a port range, separate the low and high end of the range with a colon. For example, 1000:1100.
Destination (A.B.C.D/nn)  Container, direction in relation to container, or IP address with netmask (nn) which the communication is targeting.
Destination Application   The application on the destination the source is targeting. If you select a protocol from the drop-down list, the well-known port for the selected protocol appears in the Destination Port field.
Destination Port          Port or range of ports which the communication is targeting. To enter a port range, separate the low and high end of the range with a colon. For example, 1000:1100.
Protocol                  Transport protocol used for communication.

You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for a transmission, the transmission fails.

To create a firewall rule at the datacenter level
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a datacenter resource from the resource tree.
3  Click the vShield App tab.
4  Click App Firewall.
   By default, the L4 Rules option is selected.
   To create L2/L3 rules, see Create a Layer 2/Layer 3 App Firewall Rule on page 77.
5  Do one of the following:
   - Click Add to add a new rule to the Data Center Low Precedence Rules (Rules below this level have lower precedence...).
   - Select a row in the Data Center High Precedence Rules section of the table and click Add. A new row appears below the selected row.
6  Double-click each cell in the new row to select the appropriate information.
   You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7  (Optional) Select the new row and click Up to move the rule up in priority.
8  (Optional) Select the Log check box to log all sessions matching this rule.
9  Click Commit to save the rule.

NOTE  Layer 4 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.


To create a firewall rule at the cluster level
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a cluster resource from the resource tree.
3  Click the vShield App tab.
4  Click App Firewall.
   By default, the L4 Rules option is selected.
   To create L2/L3 rules, see Create a Layer 2/Layer 3 App Firewall Rule on page 77.
5  Click Add.
   A new row appears in the Cluster Level Rules section of the table.
6  Double-click each cell in the new row to select the appropriate information.
   You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7  (Optional) Select the new row and click Up to move the row up in priority.
8  (Optional) Select the Log check box to log all sessions matching this rule.
9  Click Commit to save the rule.

NOTE  Layer 4 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.

To create a firewall rule at the port group level
1  In the vSphere Client, go to Inventory > Networking.
2  Select a port group from the resource tree.
3  Click the vShield App tab.
4  Click App Firewall.
5  Click Add.
   A new row is added at the bottom of the Secure Port Group Rules section.
6  Double-click each cell in the new row to select the appropriate information.
   You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7  (Optional) Select the new row and click Up to move the row up in priority.
8  (Optional) Select the Log check box to log all sessions matching this rule.
9  Click Commit to save the rule.

NOTE  Layer 4 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.


Create a Layer 2/Layer 3 App Firewall Rule


The Layer 2/Layer 3 firewall enables configuration of allow or deny rules for common Data Link Layer and Network Layer requests, such as ICMP pings and traceroutes. You can change the default Layer 2/Layer 3 rules from allow to deny based on your network security policy.

Layer 2/Layer 3 firewall rules allow or deny traffic based on the following criteria:

Criteria                  Description
Source (A.B.C.D/nn)       Container, direction in relation to container, or IP address with netmask (nn) from which the communication originated
Destination (A.B.C.D/nn)  Container, direction in relation to container, or IP address with netmask (nn) which the communication is targeting
Protocol                  Transport protocol used for communication

To create a Layer 2/Layer 3 firewall rule
1  In the vSphere Client, go to Inventory > Hosts and Clusters.
2  Select a datacenter resource from the resource tree.
3  Click the vShield App tab.
4  Click App Firewall.
5  Click L2/L3 Rules.
6  Click Add.
   A new row is added at the bottom of the Data Center Rules section of the table.
7  Double-click each cell in the new row to type or select the appropriate information.
   You can type IP addresses in the Source and Destination fields.
8  (Optional) Select the Log check box to log all sessions matching this rule.
9  Click Commit.

NOTE  Layer 2/Layer 3 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.

Creating and Protecting Security Groups


The Security Groups feature enables you to create custom containers to which you can assign resources, such as virtual machines and network adapters, for App Firewall protection. After a security group is defined, you add the security group to a firewall rule for protection.

Add a Security Group


InthevSphereClient,youcanaddasecuritygroupatthedatacenterresourcelevel. To add a security group by using the vSphere Client 1 2 3 4 ClickadatacenterresourcefromthevSphereClient. ClickthevShieldApptab. ClickSecurityGroups. ClickAddGroup.

VMware, Inc.

77

vShield Administration Guide

5 6

Doubleclicktherowandtypeanameforthegroup. ClickAdd. Aftersecuritygroupcreationiscomplete,assignresourcestothegroup.

Assign Resources to a Security Group

You can assign virtual machines and network adapters to a security group. These resources have associated IP addresses that define the source or destination parameters for which an App Firewall rule enforces an access policy.

To assign resources to a security group

1 Click a datacenter resource from the vSphere Client.
2 Click the vShield App tab.
3 Click Security Groups.
4 Click the arrow next to the name of a security group to expand the details of the group.
5 Select a vNIC from the drop-down list and click Add.
  The selected vNIC appears under vNIC Membership.
  Repeat these steps for each vNIC you want to place in this security group.
6 Click Commit.

After assigning resources, add the security group to a firewall rule as a container. See Create an App Firewall Rule on page 75.

Validating Active Sessions against the Current App Firewall Rules

By default, a vShield Edge matches firewall rules against each new session. After a session has been established, any firewall rule changes do not affect active sessions.

The CLI command validate sessions enables you to validate active sessions that are in violation of the current rule set. You would use this procedure for the following scenarios:

  You updated the firewall rule set. After a firewall rule set update, you should validate active sessions to purge any existing sessions that are in violation of the updated policy.
  You viewed sessions in Flow Monitoring and determined that an existing or historical flow requires a new access rule. After creating a firewall rule that matches the offending session, you should validate active sessions to purge any existing sessions that are in violation of the updated policy.

After the App Firewall update is complete, issue the validate sessions command from the CLI of a vShield App to purge sessions that are in violation of current policy.

To validate active sessions against the current firewall rules

1 Update and commit the App Firewall rule set at the appropriate container level.
2 Open a console session on a vShield App and issue the validate sessions command.

vShieldApp> enable
Password:
vShieldApp# validate sessions
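The following Python block is an added example; it is not code from this guide or from the vShield product. It models an ordered App Firewall rule set (source, destination, protocol, destination port, Log, top-down priority as described in the rule procedures above) and shows why validate sessions is needed after a commit: a session established under the old rules is not re-checked by the rule change itself, so an explicit pass over the session table is what purges it. The Rule and Session classes, the sample addresses and the function names are assumptions made for the illustration, and the block generalizes the two scenarios above to any rule set and any set of established sessions.

```python
"""Added example, not from the vShield guide: a small model of an ordered App
Firewall rule set and of what `validate sessions` does to sessions that were
established before a rule change.  Rule fields (source, destination, protocol,
destination port, Log) and the top-down priority come from the guide; the
class names, the sample addresses and the function names are assumptions made
for this illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "any"                 # CIDR such as "10.0.0.0/24", or "any"
    dst: str = "any"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None matches every destination port
    log: bool = False                # the Log check box on the rule row


@dataclass
class Session:
    src: str
    dst: str
    proto: str
    dst_port: int


def _cidr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _matches(rule: Rule, s: Session) -> bool:
    return (_cidr_match(rule.src, s.src) and _cidr_match(rule.dst, s.dst)
            and rule.proto in ("any", s.proto)
            and rule.dst_port in (None, s.dst_port))


def first_match(rules: List[Rule], s: Session) -> Rule:
    """Rules are evaluated top-down and the first match decides, so a rule's
    position (the Up button in the UI) is part of the policy.  The last rule
    must be the catch-all default rule."""
    for r in rules:
        if _matches(r, s):
            return r
    raise ValueError("rule set has no default rule")


def move_up(rules: List[Rule], index: int) -> List[Rule]:
    """Return a copy with rules[index] swapped one position up, like Up in the UI."""
    out = list(rules)
    if index > 0:
        out[index - 1], out[index] = out[index], out[index - 1]
    return out


def validate_sessions(rules: List[Rule], sessions: List[Session]) -> Tuple[List[Session], List[Session]]:
    """Re-evaluate already-established sessions against the *current* rules.
    Returns (kept, purged): a session whose first matching rule is now deny
    is purged, which is what the rule change alone would not do."""
    kept, purged = [], []
    for s in sessions:
        (purged if first_match(rules, s).action == "deny" else kept).append(s)
    return kept, purged


def demo_rules() -> List[Rule]:
    # Constructed rule set after the commit: a logged deny for SSH from one
    # subnet to one server, placed above the catch-all default allow rule.
    return [Rule("deny", src="10.0.0.0/24", dst="10.0.1.10/32", proto="tcp", dst_port=22, log=True),
            Rule("allow")]


def demo_sessions() -> List[Session]:
    # Constructed sessions that were established before the deny rule existed.
    return [Session("10.0.0.5", "10.0.1.10", "tcp", 22),    # now violates policy
            Session("10.0.0.6", "10.0.1.10", "tcp", 443),   # different port, still allowed
            Session("10.0.2.9", "10.0.1.10", "tcp", 22)]    # outside the denied subnet


if __name__ == "__main__":
    kept, purged = validate_sessions(demo_rules(), demo_sessions())
    print("purged:", [f"{s.src}->{s.dst}:{s.dst_port}" for s in purged])
    print("kept:  ", [f"{s.src}->{s.dst}:{s.dst_port}" for s in kept])
```

Running the block purges only the 10.0.0.5 session; the same check with the default allow rule placed above the deny rule purges nothing, which is why the row order set with Up has to be reviewed together with the rule contents before a commit.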

Revert to a Previous App Firewall Configuration

The vShield Manager saves a snapshot of App Firewall settings each time you commit a new rule. Clicking Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the new rule. These snapshots are available from the Revert to Snapshot drop-down list.

To revert to a previous App Firewall configuration

1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the inventory panel.
3 Click the vShield App tab.
4 Click App Firewall.
5 From the Revert to Snapshot drop-down list, select a snapshot.
  Snapshots are presented in the order of timestamps, with the most recent snapshot listed at the top.
6 View snapshot configuration details.
7 Do one of the following:
  To return to the current configuration, select the option from the Revert to Snapshot drop-down list.
  Click Commit to overwrite the current configuration with the snapshot configuration.

Delete an App Firewall Rule

You can delete any App Firewall rule you have created. You cannot delete any rules in the Default Rules section of the table.

To delete an App Firewall rule

1 Click an existing row in the App Firewall table.
2 Click Delete.
3 Click Commit.

14 vShield Endpoint Events and Alarms

vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.

vShield Endpoint health status is conveyed by using alarms that show in red and yellow on the vCenter Server console. In addition, more status information can be gathered by looking at the event logs.

IMPORTANT Your vCenter Server must be correctly configured for vShield Endpoint security:


  Not all guest operating systems are supported by vShield Endpoint. Virtual machines with non-supported operating systems are not protected by the security solution.
  All virtual machines (with supported operating systems) that reside on a vShield Endpoint protected ESX host must be protected by a vShield Endpoint module.
  Not all ESX hosts in a vCenter Server must be protected by the security solution, but each protected ESX must have an SVM installed on it.

CAUTION vMotion migration of a protected virtual machine is blocked if the target ESX is not enabled for vShield Endpoint. Make sure that the resource pool for vMotion of protected virtual machines contains only security-enabled ESX hosts.

This chapter includes the following topics:

  View vShield Endpoint Status on page 81
  Alarms on page 82
  Events on page 83
  Audit Messages on page 86

View vShield Endpoint Status

Monitoring a vShield Endpoint instance involves checking for status coming from the vShield Endpoint components: the security virtual machine (SVM), the ESX host-resident vShield Endpoint module, and the protected virtual machine-resident thin agent.

To view vShield Endpoint status

1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter, cluster, or ESX host resource from the resource tree.
3 Click the vShield App tab (or vShield tab on ESX hosts).
4 Click Endpoint Status.

Alarms

Alarms signal the vCenter Server administrator about vShield Endpoint events that require attention. Alarms are automatically cancelled in case the alarm state is no longer present.

vCenter Server alarms can be displayed without a custom vSphere plug-in. See the vCenter Server Administration Guide on events and alarms.

Upon registering as a vCenter Server extension, the vShield Manager defines the rules that create and remove alarms, based on events coming from the three vShield Endpoint components: SVM, vShield Endpoint module, and thin agent. Rules can be customized. For instructions on how to customize rules for alarms, see the vCenter Server documentation. In some cases, there are multiple possible causes for the alarm. The tables that follow list the possible causes and the corresponding actions you might want to take for remediation.

vShield Endpoint defines three sets of alarms:

  Host Alarms on page 82
  SVM Alarms on page 82
  VM Alarms on page 83

Host Alarms

Host alarms are generated by events affecting the health status of the vShield Endpoint module.

Table 14-1. Warnings (Marked Yellow)

Possible Cause: SVM is registered, but vShield Endpoint module does not see any virtual machines to protect. No requests for protection are coming from any virtual machines. No virtual machines are currently protected.

Action:
  Usually a transient state occurring while existing virtual machines are being moved with vMotion, or are just coming up. No action required.
  The ESX host has no virtual machines yet, or only virtual machines with non-supported operating systems. No action required.
  Check the vShield Manager console for the status of the virtual machines that should be protected on that host. If one or more have an error status, the Endpoint thin agents in those machines may be malfunctioning.

Table 14-2. Errors (Marked Red)

Possible Cause: The SVM version is not compatible with the vShield Endpoint module version.
Action: Install compatible components. Look in the vShield Endpoint Installation Guide for compatible versions for vShield Endpoint module and SVM.

SVM Alarms

SVM alarms are generated by events affecting the health status of the vShield Endpoint module.

Table 14-3. Red SVM Alarms

Problem: The vShield Monitor is not receiving status from the SVM.
Action: Either there are network issues between the vShield Monitor and the SVM, or the SVM is not operating properly.

Problem: The SVM failed to initialize.
Action: Contact your security provider for help with SVM errors.


VM Alarms

VM alarms are generated by events affecting the health status of the vShield Endpoint module.

Table 14-4. Warnings

Possible Cause: The SVM is overloaded. The virtual machines will not be protected while the alarm persists.
Action: Check resource allocation for the SVM and allocate more resources, if necessary. Check the vCenter Server event log for the ESX the SVM is attached to. An event code of 1002 can indicate an overloaded SVM.

Possible Cause: The thin agent in one or more virtual machines is initialized but not reporting events. Those virtual machines are not protected while this warning persists.
Action: This is usually a transient alarm that does not require attention. If it persists or turns to red, look at the vCenter Server event log for the protected VM. An event code of 1000 indicates a non-functioning thin agent.

Table 14-5. Errors

Possible Cause: The thin agent version is not compatible with the vShield Endpoint module.
Action: Install compatible components. Look in the vShield Endpoint Installation Guide for compatible versions for vShield Endpoint module and SVM.

Possible Cause: The thin agent is not reporting vShield Endpoint events. The virtual machine is not protected.
Action: The thin agent is malfunctioning, or not initialized. Look at the event log to see if the thin agent was initialized successfully.

Possible Cause: The virtual machine is still powered on, but the thin agent is disabled. The virtual machine is not protected.
Action: If the error persists, this thin agent is malfunctioning. (A virtual machine that is shutting down or in the process of a vMotion move does not generate a red alarm.)

Events

Events are used for logging and auditing conditions inside the vShield Endpoint-based security system.

Events can be displayed without a custom vSphere plug-in. See the vCenter Server Administration Guide on events and alarms.

Events are the basis for alarms that are generated. Upon registering as a vCenter Server extension, the vShield Manager defines the rules that create and remove alarms.

Default base arguments for an event are the reported time and the vShield Manager event_id.

Table 14-6 lists vShield Endpoint events reported by the SVM and the vShield Manager (VSM) in order by code number. The table shows the event code, name, the VC arguments, the event category, and a description. In the Event Category column, events that generate error alarms are colored red. Events that generate warning alarms are colored yellow.

Table 14-6. vShield Endpoint Events

Code | Name | VC Arguments | Event Category | Description
0001 | VSM_FSFD_EVENT_VERSION_MISMATCH | timestamp, SVM version of FSFD protocol, FSFD version of FSFD protocol | error | vShield Endpoint: The SVM was contacted by a non-compatible version of the vShield Endpoint Thin Agent.
0003 | VSM_FSFD_EVENT_DISK_FULL | timestamp | warning | The vShield Endpoint Thin Agent encountered a disk full error while attempting to write to the local disk.
0004 | VSM_FSFD_EVENT_TIMEOUT | timestamp | warning | A timeout occurred in the communication between the SVM and the Thin Agent.
0005 | VSM_FSFD_EVENT_UNKNOWN_STATE | timestamp | warning | N/A
0006 | VSM_FSFD_EVENT_MISSING_TIMER | timestamp | error | Lost communication with Thin Agent.
0007 | VSM_FSFD_EVENT_TIMER_RESTORED | timestamp, FSFD version of FSFD protocol | info | Established communication with Thin Agent.
1000 | VSM_VM_EVENT_CONNECTED | timestamp | info | VM has connected with the SVM.
1001 | VSM_VM_EVENT_DISCONNECTED | timestamp | info | VM has disconnected from the SVM.
1002 | VSM_VM_EVENT_UNKNOWN_STATE | timestamp | warning | Thin Agent Health Status Information has been lost.
N/A | VM_POWERED_OFF | timestamp | info | Detected VM power off.
2000 | VSM_SVM_EVENT_ENABLED | timestamp, SVM version of LKM protocol, SVM version of FSFD protocol, port SVM is listening on | info | SVM enabled.
2001 | VSM_SVM_EVENT_INIT_FAILURE | timestamp | error | SVM initialization failed.
2003 | VSM_SVM_EVENT_FSFD_FLOOD_DETECTED | timestamp | warning | SVM detected high volume of vShield Endpoint events.
2005 | VSM_SVM_EVENT_DROPPED_EVENTS | timestamp | warning | Health Status information has been lost.
2006 | VSM_SVM_EVENT_MISSING_REPORT | timestamp | error | vShield Manager lost communication with SVM.
2007 | VSM_SVM_EVENT_REPORT_RESTORED | timestamp | info | vShield Manager communication with SVM has been restored.
3000 | VSM_HOST_EVENT_VERSION_MISMATCH | timestamp, SVM version of LKM protocol, Host version of LKM protocol | error | vShield Endpoint: The SVM was contacted by a non-compatible version of the vShield Endpoint module.
3002 | VSM_HOST_EVENT_UNKNOWN_STATE | timestamp | warning | vShield Endpoint Module Status Information has been lost.
3003 | VSM_HOST_EVENT_SVM_REGISTERED | timestamp | info | SVM is registered with the vShield Manager.
3004 | VSM_HOST_EVENT_SVM_UNREGISTERED | timestamp | info | SVM is unregistered with the vShield Manager.
3005 | VSM_HOST_EVENT_VMS_CONNECTED | timestamp, Host version of vShield Endpoint module protocol | info | vShield Endpoint module has connected with SVM.
3006 | VSM_HOST_EVENT_VMS_DISCONNECTED | timestamp | info | vShield Endpoint module has disconnected from the SVM.

Possible causes for events are listed in Table 14-7:

Table 14-7. Possible Causes for Events

Code | Event | Possible Cause
0001 | VSM_FSFD_EVENT_VERSION_MISMATCH | Compatible versions of the vShield Endpoint modules must be used. Please refer to the vShield Endpoint Installation guide for a compatibility list.
0003 | VSM_FSFD_EVENT_DISK_FULL | The vShield Endpoint Thin Agent may need to write to a file on the local disk for file remediation purposes, as well as for temporary storage. The file location for the temporary files is %SYSTEMROOT%\temp\vmware\eps010\ For remediation purposes, the needed storage is comparable to the size of the file being remediated. It is recommended that local disks are at 95% or less capacity. Running out of disk space may prevent vShield Endpoint from functioning properly and from effectively protecting the affected VM.
0004 | VSM_FSFD_EVENT_TIMEOUT | VM is slow to respond to SVM requests. This may happen when the VM is temporarily running low on CPU resources.
0005 | VSM_FSFD_EVENT_UNKNOWN_STATE | N/A
0006 | VSM_FSFD_EVENT_MISSING_TIMER | Thin agent is not operating properly.
0007 | VSM_FSFD_EVENT_TIMER_RESTORED | N/A
1000 | VSM_VM_EVENT_CONNECTED | VM configured for vShield Endpoint protection will generate this event when loaded on the corresponding ESX host, for example, during power up or incoming vMotion.
1001 | VSM_VM_EVENT_DISCONNECTED | VM configured for vShield Endpoint protection will generate this event when loaded on the corresponding ESX host, for example, during shutdown or outgoing vMotion.
1002 | VSM_VM_EVENT_UNKNOWN_STATE | Heavy load of event reporting on the SVM, or a communication problem between the SVM and the vShield Manager.
N/A | VM_POWERED_OFF | N/A
2000 | VSM_SVM_EVENT_ENABLED | N/A
2001 | VSM_SVM_EVENT_INIT_FAILURE | vShield Endpoint SVM component failed to initialize. Please consult partner SVM installation documentation for causes.
2003 | VSM_SVM_EVENT_FSFD_FLOOD_DETECTED | The SVM is overloaded. The number of events exceeds the maximum concurrent events threshold.
2005 | VSM_SVM_EVENT_DROPPED_EVENTS | Heavy load of event reporting on the SVM, or communication problem between the SVM and the vShield Manager.
2006 | VSM_SVM_EVENT_MISSING_REPORT | 1 Check SVM status. 2 Check network connection between vShield Manager and SVM.
2007 | VSM_SVM_EVENT_REPORT_RESTORED | N/A
3000 | VSM_HOST_EVENT_VERSION_MISMATCH | Compatible versions of the vShield Endpoint modules must be used. Please refer to the vShield Endpoint Installation guide for a compatibility list.
3002 | VSM_HOST_EVENT_UNKNOWN_STATE | Heavy load of event reporting on the SVM, or communication problem between the SVM and the vShield Manager.
3003 | VSM_HOST_EVENT_SVM_REGISTERED | N/A
3004 | VSM_HOST_EVENT_SVM_UNREGISTERED | N/A
3005 | VSM_HOST_EVENT_VMS_CONNECTED | N/A
3006 | VSM_HOST_EVENT_VMS_DISCONNECTED | N/A
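The following Python block is an added example and is not part of this guide or of the vShield Manager's own alarm rules. It shows how a stateful alarm table can be derived from the event stream of Table 14-6 and kept in sync with it, in the way the Alarms section describes: error and warning events raise an alarm, and a later "restored" event cancels it so that the alarm disappears once its state is no longer present. The event codes and categories are copied from Table 14-6; the pairing of each "lost" event with the "restored" event that clears it, the entity names and the sample event stream are assumptions made for this illustration.

```python
"""Added example, not from the vShield guide: how alarms can be derived from
the vShield Endpoint event stream described in Table 14-6 and kept in sync
with it, since the guide says an alarm is cancelled once the alarm state is
no longer present.  The event codes and categories are copied from
Table 14-6; the pairing of a 'lost' event with the 'restored' event that
clears it, the entity names and the sample stream are assumptions made for
this illustration and do not describe the vShield Manager's own alarm rules."""
from typing import Dict, List, Set, Tuple

# Event category per code, as listed in Table 14-6.
EVENT_CATEGORY: Dict[str, str] = {
    "0001": "error", "0003": "warning", "0004": "warning", "0005": "warning",
    "0006": "error", "0007": "info",
    "1000": "info", "1001": "info", "1002": "warning",
    "2000": "info", "2001": "error", "2003": "warning", "2005": "warning",
    "2006": "error", "2007": "info",
    "3000": "error", "3002": "warning", "3003": "info", "3004": "info",
    "3005": "info", "3006": "info",
}

# Assumed clear pairs: the 'restored' event cancels the alarm raised by its
# 'lost' counterpart (0006/0007 for the thin agent, 2006/2007 for the SVM).
CLEARS: Dict[str, str] = {"0007": "0006", "2007": "2006"}

Event = Tuple[str, str, str]   # (timestamp, entity, event code)


def process_events(events: List[Event]) -> Dict[str, Set[str]]:
    """Replay events in order and return entity -> set of event codes whose
    alarm is still raised.  Error and warning events raise an alarm; an info
    event listed in CLEARS cancels the matching alarm; other info events are
    recorded only."""
    active: Dict[str, Set[str]] = {}
    for _ts, entity, code in events:
        category = EVENT_CATEGORY.get(code)
        if category is None:
            raise ValueError(f"unknown vShield Endpoint event code {code!r}")
        if category in ("error", "warning"):
            active.setdefault(entity, set()).add(code)
        elif code in CLEARS:
            active.get(entity, set()).discard(CLEARS[code])
    # Drop entities whose alarms have all been cleared.
    return {e: codes for e, codes in active.items() if codes}


def red_entities(active: Dict[str, Set[str]]) -> List[str]:
    """Entities with at least one error-category (red) alarm outstanding."""
    return sorted(e for e, codes in active.items()
                  if any(EVENT_CATEGORY[c] == "error" for c in codes))


def sample_stream() -> List[Event]:
    # Constructed sample, not real vCenter data.
    return [
        ("10:00:00", "svm-1",    "2000"),  # SVM enabled: info, nothing raised
        ("10:00:05", "vm-web01", "0006"),  # lost thin agent: red alarm on the VM
        ("10:00:09", "vm-web01", "0007"),  # communication re-established: alarm cleared
        ("10:01:00", "svm-1",    "2006"),  # Manager lost contact with SVM: red alarm
        ("10:01:30", "vm-db01",  "1002"),  # thin agent health lost: yellow alarm
    ]


if __name__ == "__main__":
    state = process_events(sample_stream())
    print("active alarms:", state)
    print("red:", red_entities(state))
```

After the sample stream is replayed, vm-web01 carries no alarm (its 0006 was cleared by 0007), svm-1 carries a red 2006 alarm and vm-db01 a yellow 1002 alarm. The same replay is a useful check when customizing the vCenter alarm rules: any event code the table marks red or yellow should have a defined way to clear, or the alarm will persist after the condition is gone.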

Audit Messages

Audit messages include fatal errors and other important audit messages and are logged to vmware.log. The following conditions are logged as AUDIT messages:

  Thin agent initialization success (and version number).
  Thin agent initialization failure.
  Successfully found SCSI device to communicate with the security virtual machine (SVM).
  Failure to create filter device object, or failure to attach to device stack.
  Established first-time communication with SVM.
  Failure to establish communication with SVM (when first such failure occurs).

Generated log messages have the following substrings near the beginning of each log message: vf-AUDIT, vf-ERROR, vf-WARN, vf-INFO, vf-DEBUG.
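The following Python block is an added example, not code from this guide: a small classifier for the thin agent lines described above, run over constructed vmware.log lines. The severity substrings vf-AUDIT, vf-ERROR, vf-WARN, vf-INFO and vf-DEBUG and the audited conditions come from this section; the sample lines, their wording and the function names are assumptions made for the illustration and are not real thin-agent output.

```python
"""Added example, not from the vShield guide: a small classifier for the thin
agent messages that land in vmware.log.  The severity substrings (vf-AUDIT,
vf-ERROR, vf-WARN, vf-INFO, vf-DEBUG) and the audited conditions are taken
from the Audit Messages section; the sample lines below are constructed for
this example, and their wording is not real thin-agent output."""
import re
from collections import Counter
from typing import Dict, List, Tuple

LEVEL_RE = re.compile(r"\bvf-(AUDIT|ERROR|WARN|INFO|DEBUG)\b")

# Constructed sample of a guest's vmware.log (not real output).
SAMPLE_LOG = """\
2010-09-01T10:00:01.123Z| vcpu-0| vf-AUDIT: thin agent initialized, version 1.0.0
2010-09-01T10:00:01.456Z| vcpu-0| vf-AUDIT: found SCSI device for SVM communication
2010-09-01T10:00:02.000Z| vcpu-0| vf-DEBUG: heartbeat
2010-09-01T10:00:03.000Z| vcpu-0| vf-AUDIT: failed to establish communication with SVM
2010-09-01T10:00:04.000Z| vcpu-0| vf-WARN: retrying SVM connection
2010-09-01T10:00:09.000Z| vcpu-0| vf-AUDIT: established first-time communication with SVM
2010-09-01T10:00:10.000Z| vmx| unrelated hypervisor line without a vf- tag
"""


def classify(lines: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count lines per vf- severity and collect the AUDIT message texts in order.
    Lines without a vf- tag are other vmware.log output and are skipped."""
    counts: Counter = Counter()
    audit: List[str] = []
    for line in lines:
        m = LEVEL_RE.search(line)
        if not m:
            continue
        counts[m.group(1)] += 1
        if m.group(1) == "AUDIT":
            audit.append(line[m.end():].lstrip(": ").rstrip())
    return dict(counts), audit


def audit_failures(lines: List[str]) -> List[str]:
    """AUDIT messages that report a failure (initialization, filter device,
    SVM communication), which are the ones worth alerting on."""
    _, audit = classify(lines)
    return [msg for msg in audit if re.search(r"\bfail", msg, re.IGNORECASE)]


def svm_communication_established(lines: List[str]) -> bool:
    """True if the most recent AUDIT message about SVM communication reports
    success, so an earlier failure that was later recovered does not count."""
    _, audit = classify(lines)
    state = False
    for msg in audit:
        if "communication with SVM" in msg:
            state = not re.search(r"\bfail", msg, re.IGNORECASE)
    return state


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(classify(lines)[0])
    print("failures:", audit_failures(lines))
    print("SVM reachable:", svm_communication_established(lines))
```

Only AUDIT lines are treated as actionable here: the guide reserves that tag for fatal errors and the initialization and SVM-communication milestones, so a guest whose last AUDIT line about SVM communication is a failure is one whose protection status should be checked in Endpoint Status rather than assumed.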

Appendixes

Appendix A Command Line Interface

Each vShield virtual machine contains a command line interface (CLI). This appendix details CLI usage and commands.

User account management in the CLI is separate from user account management in the vShield Manager user interface.

This appendix includes the following topics:

  Logging In and Out of the CLI on page 89
  CLI Command Modes on page 89
  CLI Syntax on page 90
  Moving Around in the CLI on page 90
  Getting Help within the CLI on page 91
  Securing CLI User Accounts and the Privileged Mode Password on page 91
  Command Reference on page 93

Logging In and Out of the CLI

Before you can run CLI commands, you must initiate a console session to a vShield virtual machine. To open a console session within the vSphere Client, select the vShield virtual machine from the inventory panel and click the Console tab. You can log in to the CLI by using the default user name admin and password default.

You can also use SSH to access the CLI. By default, SSH access is disabled. Use the ssh command to enable and disable the SSH service on a vShield virtual appliance. See ssh on page 102.

To log out, type exit from either Basic or Privileged mode.

CLI Command Modes

The commands available to you at any given time depend on the mode you are currently in.

NOTE vShield Edge virtual machines have Basic mode only.

  Basic: Basic mode is a read-only mode. To have access to all commands, you must enter Privileged mode.
  Privileged: Privileged mode commands allow support-level options such as debugging and system diagnostics. Privileged mode configurations are not saved upon reboot. You must run the write memory command to save Privileged mode configurations.
  Configuration: Configuration mode commands allow you to change the current configuration of utilities on a vShield virtual machine. You can access Configuration mode from Privileged mode. From Configuration mode, you can enter Interface Configuration mode.
  Interface Configuration: Interface Configuration mode commands allow you to change the configuration of virtual machine interfaces. For example, you can change the IP address and IP route for the management port of the vShield Manager.

CLI Syntax

Run commands at the prompt as shown. Do not type the (), <>, or [] symbols.

command A.B.C.D (option1 | option2) <0-512> [word]

  Text and numerical values that must be entered are italicized.
  Multiple, required keywords or values are enclosed in parentheses and separated by a pipe character.
  Required value and numerical ranges are enclosed in angle brackets.
  An optional keyword or value is enclosed in square brackets.

Moving Around in the CLI

The following commands move the pointer around on the command line.

Keystrokes | Description
CTRL+A | Moves the pointer to beginning of the line.
CTRL+B or the left arrow key | Moves the pointer back one character.
CTRL+C | Ends any operation that continues to propagate, such as a ping.
CTRL+D | Deletes the character at the pointer.
CTRL+E | Moves the pointer to end of the line.
CTRL+F or the right arrow key | Moves the pointer forward one character.
CTRL+K | Deletes all characters from the pointer to the end of the line.
CTRL+N or the down arrow key | Displays more recent commands in the history buffer after recalling commands with CTRL+P (or the up arrow key). Repeat to recall other recently run commands.
CTRL+P or the up arrow key | Recalls commands in the history, starting with the most recent completed command. Repeat to recall successively older commands.
CTRL+U | Deletes all characters from the pointer to beginning of the line.
CTRL+W | Deletes the word to the left of pointer.
ENTER | Scrolls down one line.
ESC+B | Moves the pointer back one word.
ESC+D | Deletes all characters from the pointer to the end of the word.
ESC+F | Moves the pointer forward one word.
SPACE | Scrolls down one screen.

Getting Help within the CLI

The CLI contains the following commands for assisting your use.

Command | Description
? | Moves the pointer to the beginning of the line.
sho? | Displays a list of commands that begin with a particular character string.
exp+TAB | Completes a partial command name.
show ? | Lists the associated keywords of a command.
show log ? | Lists the associated arguments of a keyword.
list | Displays the verbose options of all commands for the current mode.

Securing CLI User Accounts and the Privileged Mode Password

You must manage CLI user accounts separately on each vShield virtual machine. By default, you use the admin user account to log in to the CLI of each vShield virtual machine. The CLI admin account and password are separate from the vShield Manager user interface admin account and password.

You should create a new CLI user account and remove the admin account to secure access to the CLI on each vShield virtual machine.

User account management in the CLI conforms to the following rules.

  You can create CLI user accounts. Each created user account has administrator-level access to the CLI.
  You cannot change the password for any CLI user account on a vShield Manager or vShield App virtual machine. If you need to change a CLI user account password, you must delete the user account, and then re-add it with a new password. You can change the password of any non-admin account on the vShield Edge.

The CLI admin account password and the Privileged mode password are managed separately. The default Privileged mode password is the same for each CLI user account. You should change the Privileged mode password to secure access to the CLI configuration options.

IMPORTANT Each vShield virtual machine has two built-in CLI user accounts for system use: nobody and vs_comm. Do not delete or modify these accounts. If these accounts are deleted or modified, the virtual machine will not work.

Add a CLI User Account

You can add a user account with a strong password to secure CLI access to each vShield virtual machine. After adding a user account, you should delete the admin user account.

To add a CLI user account

1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3 Click the Console tab to open a CLI session.
4 Log in by using the admin account.

manager login: admin
password:
manager>

5 Switch to Privileged mode.

manager> enable
password:
manager#

6 Switch to Configuration mode.

manager# configure terminal

7 Add a user account.

manager(config)# user root password plaintext password

8 Save the configuration.

manager(config)# write memory
Building Configuration...
Configuration saved.
[OK]

9 Exit the CLI.

manager(config)# exit
manager# exit

Delete the admin User Account from the CLI

After adding a CLI user account, you can delete the admin user account to secure access to the CLI.

IMPORTANT Do not delete the admin user account until you add a user account to replace the admin account. This prevents you from being locked out of the CLI.

To delete the admin user account

1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3 Click the Console tab to open a CLI session.
4 Log in by using a user account other than admin.
5 Switch to Privileged mode.
6 Switch to Configuration mode.
7 Delete the admin user account.

manager(config)# no user admin

8 Save the configuration.
9 Run the exit command twice to log out of the CLI.

Change the CLI Privileged Mode Password

You can change the Privileged mode password to secure access to the configuration options of the CLI.

To change the Privileged mode password

1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3 Click the Console tab to open a CLI session.
4 Log in to the CLI.
5 Switch to Privileged mode.
6 Switch to Configuration mode.
7 Change the Privileged mode password.

manager(config)# enable password (hash | plaintext) password

8 Save the configuration.
9 Run the exit command twice to log out of the CLI.
10 Log in to the CLI.
11 Switch to Privileged mode by using the new password.

Command Reference

The command reference details each CLI command, including syntax, usage, and related commands.

  Administrative Commands on page 93
  CLI Mode Commands on page 94
  Configuration Commands on page 97
  Debug Commands on page 104
  Show Commands on page 108
  Diagnostics and Troubleshooting Commands on page 125
  User Administration Commands on page 128
  Terminal Commands on page 129
  Deprecated Commands on page 131

Administrative Commands

list

Lists all in-mode commands.

Syntax

list

CLI Mode

Basic, Privileged, Configuration, Interface Configuration

Example

vShieldMgr> list
enable
exit
list
ping WORD
quit
show interface
show ip route
ssh WORD
telnet WORD
telnet WORD PORT
traceroute WORD
...

reboot

Reboots a vShield virtual machine. You can also reboot a vShield App from the vShield Manager user interface. See Restart a vShield App on page 65.

Syntax

reboot

CLI Mode

Privileged

Example

vShield# reboot

Related Commands

shutdown

shutdown

In Privileged mode, the shutdown command powers off the virtual machine. In Interface Configuration mode, the shutdown command disables the interface. To enable a disabled interface, use no before the command.

Syntax

[no] shutdown

CLI Mode

Privileged, Interface Configuration

Example

vShield# shutdown

or

vShield(config)# interface mgmt
vShield(config-if)# shutdown
vShield(config-if)# no shutdown

Related Commands

reboot

CLI Mode Commands

configure terminal

Switches to Configuration mode from Privileged mode.

Syntax

configure terminal

CLI Mode

Privileged

Example

vShield# configure terminal
vShield(config)#

Related Commands

interface

disable

Switches to Basic mode from Privileged mode.

Syntax

disable

CLI Mode

Basic

Example

vShield# disable
vShield>

Related Commands

enable

enable

Switches to Privileged mode from Basic mode.

Syntax

enable

CLI Mode

Basic

Example

vShield> enable
password:
vShield#

Related Commands

disable

end

Ends the current CLI mode and switches to the previous mode.

Syntax

end

CLI Mode

Basic, Privileged, Configuration, and Interface Configuration

Example

vShield# end
vShield>

Related Commands

exit
quit

exit

Exits from the current mode and switches to the previous mode, or exits the CLI session if run from Privileged or Basic mode.

Syntax

exit

CLI Mode

Basic, Privileged, Configuration, and Interface Configuration

Example

vShield(config-if)# exit
vShield(config)# exit
vShield#

Related Commands

end
quit

interface

Switches to Interface Configuration mode for the specified interface.

To delete the configuration of an interface, use no before the command.

Syntax

[no] interface (mgmt | p0 | u0)

Option | Description
mgmt | The management port on a vShield virtual machine.
p0 | vShield App p0 interface.
u0 | vShield App u0 interface.

CLI Mode

Configuration

Example

vShield# configure terminal
vShield(config)# interface mgmt
vShield(config-if)#

or

vShield(config)# no interface mgmt

Related Commands

show interface

quit

Quits Interface Configuration mode and switches to Configuration mode, or quits the CLI session if run from Privileged or Basic mode.

Syntax

quit

CLI Mode

Basic, Privileged, and Interface Configuration

Example

vShield(config-if)# quit
vShield(config)#

Related Commands

end
exit

Configuration Commands

clear vmwall rules

Resets the firewall rule set on a vShield App to the default rule set. This is a temporary condition that can be used to troubleshoot firewall issues. You can restore the firewall rule set by performing a force sync operation for the vShield App from the vShield Manager. For more information on forcing synchronization, see Force a vShield App to Synchronize with the vShield Manager on page 64.

Syntax

clear vmwall rules

CLI Mode

Privileged

Usage Guidelines

vShield App CLI

Example

manager# clear vmwall rules

Related Commands

show vmwall log
show vmwall rules

cli ssh allow

Enables or disables access to the CLI via SSH session.

Syntax

[no] cli ssh allow

CLI Mode

Configuration

Usage Guidelines

Use this command with the ssh command to allow or disallow CLI access via SSH.

Example

manager(config)# ssh start
manager(config)# cli ssh allow

Related Commands

ssh

copy running-config startup-config

Copies the current system configuration to the startup configuration. You can also copy and save the running CLI configuration of a vShield App from the vShield Manager user interface. See Back Up the Running CLI Configuration of a vShield App on page 64.

Syntax

copy running-config startup-config

CLI Mode

Privileged

Example

manager# copy running-config startup-config
Building Configuration...
Configuration saved.
[OK]

Related Commands

show running-config
show startup-config

database erase

Erases the vShield Manager database, resetting the database to factory defaults. This command clears all configuration data from the vShield Manager user interface, including vShield App configurations, event data, and so forth. The vShield Manager CLI configuration is not affected by this command.

Syntax

database erase

CLI Mode

Privileged

Usage Guidelines

vShield Manager CLI

Example

manager# database erase

enable password

Changes the Privileged mode password. You should change the Privileged mode password for each vShield virtual machine. CLI user passwords and the Privileged mode password are managed separately. The Privileged mode password is the same for each CLI user account.

Syntax

enable password (hash | plaintext) password

Option | Description
hash | Masks the password by using the MD5 hash. You can view and copy the provided MD5 hash by running the show running-config command.
plaintext | Keeps the password unmasked.
password | Password to use. The default password is default.

CLI Mode

Configuration

Example

vShield# configure terminal
vShield(config)# enable password plaintext abcd123

Related Commands

enable

hostname

Changes the name of the CLI prompt. The default prompt name for the vShield Manager is manager, and the default prompt name for the vShield App is vShield.

Syntax

hostname word

Option | Description
word | Prompt name to use.

CLI Mode

Configuration

Example

vShield(config)# hostname vs123
vs123(config)#

ip address

Assigns an IP address to an interface. On the vShield virtual machines, you can assign an IP address to the mgmt interface only.

To remove an IP address from an interface, use no before the command.

Syntax

[no] ip address A.B.C.D/M

Option | Description
A.B.C.D | IP address to use.
M | Subnet mask to use.

CLI Mode

Interface Configuration

Example

vShield(config)# interface mgmt
vShield(config-if)# ip address 192.168.110.200/24

or

vShield(config)# interface mgmt
vShield(config-if)# no ip address 192.168.110.200/24

Related Commands

show interface

ip name server

Identifies a DNS server to provide address resolution service. You can also identify one or more DNS servers by using the vShield Manager user interface. See Identify DNS Services on page 22.

To remove a DNS server, use no before the command.

Syntax

[no] ip name server A.B.C.D

Option | Description
A.B.C.D | IP address to use.

CLI Mode

Configuration

Example

vShield(config)# ip name server 192.168.1.3

or

vShield(config)# no ip name server 192.168.1.3

ip route

Adds a static route.

To delete an IP route, use no before the command.

Syntax

[no] ip route A.B.C.D/M W.X.Y.Z

Option | Description
A.B.C.D | IP address to use.
M | Subnet mask to use.
W.X.Y.Z | IP address of network gateway.

CLI Mode

Configuration

Example

vShield# configure terminal
vShield(config)# ip route 0.0.0.0/0 192.168.1.1

or

vShield(config)# no ip route 0.0.0.0/0 192.168.1.1

Related Commands

show ip route

manager key

Sets a shared key for authenticating communication between a vShield App and the vShield Manager. You can set a shared key on any vShield App. This key must be entered during vShield App installation. If the shared key between a vShield App and the vShield Manager is not identical, the service cannot install and is inoperable.

Syntax

manager key key

Option | Description
key | The key that the vShield App and vShield Manager must match.

CLI Mode

Privileged

Usage Guidelines

vShield App CLI

Example

vShield# manager key abc123

Related Commands

setup

ntp server

Identifies a Network Time Protocol (NTP) server for time synchronization service. Initial NTP server synchronization might take up to 15 minutes. From the vShield Manager user interface, you can connect to an NTP server for time synchronization. See Set the vShield Manager Date and Time on page 23.

All vShield App instances use the NTP server configuration of the vShield Manager. You can use this command to connect a vShield App to an NTP server not used by the vShield Manager.

To remove the NTP server, use no before the command.

Syntax

[no] ntp server (hostname | A.B.C.D)

Option | Description
hostname | Hostname of the NTP server.
A.B.C.D | IP address of NTP server.

CLI Mode

Configuration

Usage Guidelines

vShield App CLI

Example

vShield# configure terminal
vShield(config)# ntp server 10.1.1.113

or

vShield# configure terminal
vShield(config)# no ntp server

Related Commands

show ntp

set clock

Sets the date and time. From the vShield Manager user interface, you can connect to an NTP server for time synchronization. All vShield App instances use the NTP server configuration of the vShield Manager. You should use this command if you meet one of the following conditions.

  You cannot connect to an NTP server.
  You frequently power off and power on a vShield App, such as in a lab environment. A vShield App can become out of sync with the vShield Manager when it is frequently powered on and off.

VMware, Inc.

101

vShield Administration Guide

Syntax
set clock HH:MM:SS MM DD YYYY Option HH:MM:SS MM DD YYYY Description Hours:minutes:seconds Month Day Year

CLI Mode Privileged Example


vShield(config)# set clock 00:00:00 08 28 2009

Related Commands ntp server show clock show ntp

setup
OpenstheCLIinitializationwizardforvShieldvirtualmachineinstallation.Youconfiguremultiplesettings byusingthiscommand.YourunthesetupcommandduringvShieldManagerinstallationandmanual installationofvShieldAppinstances.PressENTERtoacceptadefaultvalue. Syntax
setup

CLI Mode Basic Usage Guidelines TheManager keyoptionisapplicabletovShieldAppsetuponly. Example


manager(config)# setup Default settings are in square brackets '[]'. Hostname [manager]: IP Address (A.B.C.D or A.B.C.D/MASK): 192.168.0.253 Default gateway (A.B.C.D): 192.168.0.1 Old configuration will be lost, and system needs to be rebooted Do you want to save new configuration (y/[n]): y Please log out and log back in again. manager>

ssh
Starts or stops the SSH service on a vShield virtual appliance.

Syntax
ssh (start | stop)

CLI Mode
Configuration

Usage Guidelines
Starting the SSH service and enabling CLI access via SSH (cli ssh allow) are two separate controls; both must be set before a user can reach the CLI over SSH. Stop both when SSH is not in active use so that the management interface does not expose an unneeded login service.

Example
manager(config)# ssh start
manager(config)# cli ssh allow

or

manager(config)# no cli ssh allow
manager(config)# ssh stop

Related Commands
cli ssh allow

syslog
Identifies a syslog server to which a vShield virtual machine can send system events. You can also identify one or more syslog servers by using the vShield Manager user interface. See "Send vShield App System Events to a Syslog Server" on page 63.
To disable syslog export, use no before the command.

Syntax
[no] syslog (hostname | A.B.C.D)

Option     Description
hostname   Hostname of the syslog server.
A.B.C.D    IP address of the syslog server.

CLI Mode
Configuration

Example
vShield(config)# syslog 192.168.1.2

Related Commands
show syslog

write
Writes the running configuration to memory. This command performs the same operation as the write memory command.

Syntax
write

CLI Mode
Privileged

Example
manager# write

Related Commands
write memory

write erase
Resets the CLI configuration to factory default settings.

Syntax
write erase

CLI Mode
Privileged

Example
manager# write erase

write memory
Writes the current configuration to memory. This command is identical to the write command.

Syntax
write memory

CLI Mode
Privileged, Configuration, and Interface Configuration

Example
manager# write memory

Related Commands
write

Debug Commands

debug copy
Copies one or all packet trace or tcpdump files and exports them to a remote server. You must enable the debug packet capture command before you can copy and export files.

Syntax
debug copy (scp | ftp) URL (packet-traces | tcpdumps) (filename | all)

Option          Description
scp             Use SCP as the transport protocol.
ftp             Use FTP as the transport protocol.
URL             Add a URL in the format userid@<ip_address>:<directory>. For example: admin@10.10.1.10:/tmp
packet-traces   Copy and export packet traces.
tcpdumps        Copy and export system tcpdumps.
filename        Identify a specific packet trace or tcpdump file to export.
all             Copy and export all packet trace or tcpdump files.

CLI Mode
Privileged

Usage Guidelines
vShield App CLI. Captured traffic can contain credentials and other sensitive payload. Prefer scp over ftp, which sends both the login and the exported files in cleartext, and remove the files from the vShield App with debug remove once they have been exported.

Example
vShield# debug copy ftp 192.168.1.1 tcpdumps all

Related Commands
debug packet capture
debug remove
debug show files

debug packet capture
Captures all packets processed by a vShield App, similar to a tcpdump. Enabling this command can slow vShield App performance. Packet debug capture is disabled by default.
To disable packet capture, use no before the command.

Syntax
[no] debug packet capture (segment 0 | interface (mgmt | u0 | p0)) [expression]

Option                       Description
segment 0                    The segment on the vShield App for which the debug function captures tcpdump information. Segment 0 is the only active segment. Segments 1 and 2 have been deprecated.
interface (mgmt | u0 | p0)   The specific interface from which to capture packets. Interfaces p1, u1, p2, u2, p3, and u3 have been deprecated.
expression                   A tcpdump-formatted string. You must use an underscore between words in the expression, so the tcpdump filter host 10.10.11.11 and port 80 is written host_10.10.11.11_and_port_80.

CLI Mode
Privileged

Usage Guidelines
vShield App CLI

Example
vShield# debug packet capture segment 0 host_10.10.11.11_port_8

Related Commands
debug copy
debug packet display interface

debug packet display interface
Displays all packets captured by a vShield App or vShield Edge interface, similar to a tcpdump. Enabling this command can impact vShield App or vShield Edge performance.
To disable the display of packets, use no before the command.

Syntax
vShield App
[no] debug packet display interface (mgmt | u0 | p0) [expression]

Option           Description
mgmt | u0 | p0   The specific vShield App interface from which to capture packets.
expression       A tcpdump-formatted string. You must use an underscore between words in the expression.

vShield Edge
[no] debug packet display interface (intif | extif) [expression]

Option          Description
intif | extif   The specific vShield Edge interface from which to capture packets.
expression      A tcpdump-formatted string. You must use an underscore between words in the expression.

CLI Mode
Privileged

Usage Guidelines
vShield App or vShield Edge CLI

Example
vShield# debug packet display interface mgmt host_10.10.11.11_and_port_80

Related Commands
debug copy
debug packet capture

debug remove
Removes one or all packet trace or tcpdump files from a vShield App.

Syntax
debug remove (packet-traces | tcpdumps) (filename | all)

Option          Description
packet-traces   Remove one or all packet trace files.
tcpdumps        Remove one or all tcpdump files.
filename        Identify a specific packet trace or tcpdump file to remove.
all             Remove all packet trace or tcpdump files.

CLI Mode
Privileged

Usage Guidelines
vShield App CLI

Example
vShield# debug remove tcpdumps all

Related Commands
debug copy
debug packet capture

debug service
Enables logging for a service, naming the specific engine for the service and the severity of events to log. You can run the show services command to view the list of running services.
To disable logging for a specific service, use no before the command.

Syntax
[no] debug service (ice | sysmgr | vdb | word) (low | medium | high)

Option    Description
service   Name of the service, exactly as listed by show services (for example, 2050001_SAFLOW-FTPD-Dynamic-Port-Detection).
ice       vShield App protocol decoding engine.
sysmgr    vShield App system manager.
vdb       Deprecated.
word      Reserved for technical support.
low       Low severity events.
medium    Medium severity events.
high      High severity events.

CLI Mode
Privileged

Usage Guidelines
vShield App CLI

Example
vShield# debug 2050001_SAFLOW-FTPD-Dynamic-Port-Detection sysmgr high

Related Commands
show services

debug service flow src
Logs debug messages for a service that is processing traffic between a specific source and destination pair. You can run the show services command to view the list of running services.
To disable logging, use no before the command.

Syntax
[no] debug service flow src A.B.C.D/M:P dst W.X.Y.Z/M:P

Option    Description
service   The name of the service, exactly as listed by show services.
A.B.C.D   Source IP address to use.
M         Source subnet mask (prefix length) to use.
P         Source port to use.
W.X.Y.Z   Destination IP address to use.
M         Destination subnet mask (prefix length) to use.
P         Destination port to use.

CLI Mode
Privileged

Usage Guidelines
vShield App CLI. A source or destination value of 0.0.0.0/0:0 matches all values.

Example
vShield# debug 2050001_SAFLOW-FTPD-Dynamic-Port-Detection src 192.168.110.199/24:1234 dst 192.168.110.200/24:4567

Related Commands
show services
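The src and dst arguments carry a prefix length, so 192.168.110.199/24:1234 in the example above selects every host in 192.168.110.0/24 talking from port 1234, and 0.0.0.0/0:0 is the all-match. The following Python matcher is an added example, not vShield code: it implements those endpoint semantics so you can check which flows a filter would log before enabling debug output on a busy vShield App. The sample flow tuples are constructed, not captured.

```python
"""Match flows against the A.B.C.D/M:P endpoint specs used by debug service flow.

Added example, not vShield code. SAMPLE_FLOWS are constructed 5-tuples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    network: ipaddress.IPv4Network   # address/M with host bits cleared
    port: int                        # 0 means any port, as in 0.0.0.0/0:0


def parse_endpoint(spec):
    """Parse 'A.B.C.D/M:P'. Host bits are cleared, so 192.168.110.199/24:1234
    selects every host in 192.168.110.0/24 on port 1234."""
    addr_mask, sep, port_text = spec.rpartition(":")
    if not sep or "/" not in addr_mask:
        raise ValueError(f"expected A.B.C.D/M:P, got {spec!r}")
    port = int(port_text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return Endpoint(ipaddress.IPv4Network(addr_mask, strict=False), port)


def endpoint_matches(endpoint, address, port):
    """True when the address lies in the spec's network and the port matches
    (a port of 0 in the spec is a wildcard, per the usage guideline)."""
    in_net = ipaddress.IPv4Address(address) in endpoint.network
    port_ok = endpoint.port == 0 or endpoint.port == port
    return in_net and port_ok


def select_flows(src_spec, dst_spec, flows):
    """Return the (src_ip, src_port, dst_ip, dst_port) tuples the filter would log."""
    src = parse_endpoint(src_spec)
    dst = parse_endpoint(dst_spec)
    return [f for f in flows
            if endpoint_matches(src, f[0], f[1]) and endpoint_matches(dst, f[2], f[3])]


# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("192.168.110.199", 1234, "192.168.110.200", 4567),   # the pair from the CLI example
    ("192.168.110.17", 40000, "192.168.110.200", 4567),   # same /24, different source port
    ("10.0.0.5", 1234, "192.168.110.200", 4567),          # outside the source /24
]

if __name__ == "__main__":
    spec = ("192.168.110.199/24:1234", "192.168.110.200/24:4567")
    hits = select_flows(spec[0], spec[1], SAMPLE_FLOWS)
    print(f"{spec} would log {len(hits)} of {len(SAMPLE_FLOWS)} flows")
    print(f"0.0.0.0/0:0 on both sides logs {len(select_flows('0.0.0.0/0:0', '0.0.0.0/0:0', SAMPLE_FLOWS))}")
```

Run select_flows with the filter you intend to type, against flows taken from show session-manager sessions or a capture, to see how much output the filter will generate; a /24 with port 0 on one side can match far more than the single host you had in mind.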

debug show files
Shows the tcpdump files that have been saved.

Syntax
debug show files

CLI Mode
Privileged

Usage Guidelines
vShield App CLI

Example
vShield_Zones_host_49_269700# debug show files
total 0
-rw-r--r-- 1 0 Jun 23 16:04 tcpdump.d0.0

Related Commands
debug copy
debug remove

Show Commands

show alerts
Shows system alerts as they relate to the protocol decoders or network events. If no alerts have been raised, no output is returned.

Syntax
show alerts (vulnerability | decoder | events)

Option          Description
vulnerability   Deprecated.
decoder         Alerts raised by protocol decoder errors.
events          Alerts raised by network events.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show alerts events

show arp
Shows the contents of the ARP cache.

Syntax
show arp

CLI Mode
Basic, Privileged

Example
vShield# show arp
IP address       HW type   Flags   HW address          Mask   Device
192.0.2.130      0x1       0x6     00:00:00:00:00:81   *      virteth1
192.168.110.1    0x1       0x2     00:0F:90:D5:36:C1   *      mgmt

show clock
Shows the current time and date of the virtual machine. If you use an NTP server for time synchronization, the time is based on Coordinated Universal Time (UTC).

Syntax
show clock

CLI Mode
Basic, Privileged

Example
vShield# show clock
Wed Feb 9 13:04:50 UTC 2005

Related Commands
ntp server
set clock

show configuration
Shows either the current global configuration or the configuration for a specified service on a vShield Edge.

Syntax
show configuration (dhcp | firewall | ipsec | lb | nat | syslog | system)

Option     Description
dhcp       Show the current DHCP configuration.
firewall   Show the current firewall configuration.
ipsec      Show the current VPN configuration.
lb         Show the current Load Balancer configuration.
nat        Show the current NAT configuration.
syslog     Show the current syslog configuration.
system     Show the current global configuration.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show configuration system

show debug
Shows the debug processes that are enabled. You must enable a debug path by running the debug packet or one of the debug service commands.

Syntax
show debug

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show debug
No debug logs enabled

Related Commands
debug service
debug service flow src

show ethernet
Shows Ethernet information for virtual machine interfaces.

Syntax
show ethernet

CLI Mode
Basic, Privileged

Example
vShield# show ethernet
Settings for mgmt:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full

show filesystem
Shows the hard disk drive capacity for a vShield virtual machine. vShield App instances have one disk drive; the vShield Manager has two disk drives.

Syntax
show filesystem

CLI Mode
Basic, Privileged

Example
vShield# show filesystem
Filesystem   Size   Used   Avail   Use%   Mounted on
/dev/hda3    4.9G   730M   3.9G    16%    /
/dev/hda6    985M   17M    919M    2%     /tmp
/dev/hda7    24G    1.7G   21G     8%     /common

show gateway rules
Shows the current IP rules running on the vShield App.

Syntax
show gateway rules

CLI Mode
Privileged

Example
vShield# show gateway rules
bufsz:8192 inadaquate for all rules; new bufsz = 9980
size of rule_details = 36
Kernel Rules Begin
Proxy Id = 0, Service Name = proxy-unused, Num Threads = 0 ACTION=FORWARD
Proxy Id = 1, Service Name = proxy-zombie, Num Threads = 0 ACTION=FORWARD
Proxy Id = 2, Service Name = vproxy-forward-allow, Num Threads = 0 ACTION=VPROXY
Proxy Id = 3, Service Name = vproxy-reverse-allow, Num Threads = 0 ACTION=UNKNOWN
...

show hardware
Shows the components of the vShield virtual machine.

Syntax
show hardware

CLI Mode
Basic, Privileged

Example
manager# show hardware
-[0000:00]-+-00.0  Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge
           +-01.0-[0000:01]-+-07.0  Intel Corporation 82371AB/EB/MB PIIX4 ISA
           +-07.1  Intel Corporation 82371AB/EB/MB PIIX4 IDE
           +-07.3  Intel Corporation 82371AB/EB/MB PIIX4 ACPI
           +-07.7  VMware Inc Virtual Machine Communication Interface
           +-0f.0  VMware Inc Abstract SVGA II Adapter
           +-10.0  BusLogic BT-946C (BA80C30) [MultiMaster 10]
           +-11.0-[0000:02]----00.0  Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
           +-15.0-[0000:03]-...

show hostname
Shows the current hostname for a vShield Edge.

Syntax
show hostname

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vshieldEdge# show hostname

show interface
Shows the status and configuration for all interfaces or a single interface. You can also view interface statistics for a vShield App from the vShield Manager user interface. See "View the Current System Status of a vShield App" on page 64.

Syntax
show interface [mgmt | p0 | u0]

Option   Description
mgmt     Management interface
p0       vShield App P0 interface
u0       vShield App port U0 interface

CLI Mode
Basic, Privileged

Example
manager# show interface mgmt
Interface mgmt is up, line protocol is up
  index 1 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,MULTICAST>
  HWaddr: 00:50:56:9e:7a:60
  inet 10.115.216.63/22 broadcast 10.115.219.255
  Auto-duplex (Full), Auto-speed (1000Mb/s)
    input packets 5492438, bytes 2147483647, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 2754582, bytes 559149291, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0

Related Commands
interface

show ip addr
Shows the protocol addresses configured on a vShield Edge for all devices.

Syntax
show ip addr

CLI Mode
Basic, Privileged

Example
vShield# show ip addr

show ip route
Shows the IP routing table.

Syntax
show ip route [A.B.C.D/M]

Option    Description
A.B.C.D   IP address to use.
M         Subnet mask to use.

CLI Mode
Basic, Privileged

Example
vShield# show ip route
Codes: K - kernel route, C - connected, S - static, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 192.168.110.1, mgmt
C>* 192.168.110.0/24 is directly connected, mgmt

Related Commands
ip route

show iptables
Shows the iptables packet filtering, mangle, NAT, or raw table of the virtual machine.

Syntax
show iptables [filter | mangle | nat | raw]

Option   Description
filter   Show the packet filtering table.
mangle   Show the mangle table. The mangle table modifies packet headers, such as the TOS/QoS bits and packet marks, before routing occurs.
nat      Show the NAT table. The NAT table rewrites source or destination addresses and ports (destination NAT before routing, source NAT after routing).
raw      Show the raw table. The raw table is used to set a mark on packets that should not be handled by the connection tracking system.

CLI Mode
Basic, Privileged

Example
vShield# show iptables

show kernel message
Shows the last 10 kernel messages for a vShield Edge.

Syntax
show kernel message

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vshieldEdge# show kernel message

Related Commands
show kernel message last

show kernel message last
Shows the last n kernel messages for a vShield Edge.

Syntax
show kernel message last n

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vshieldEdge# show kernel message last 20

Related Commands
show kernel message

show log
Shows the system log.

Syntax
show log [follow | reverse]

Option    Description
follow    Update the displayed log every 5 seconds.
reverse   Show the log in reverse chronological order.

CLI Mode
Basic, Privileged

Example
vShield# show log
Aug 7 17:32:37 vShield_118 syslog-ng[27397]: Configuration reload request received, reloading configuration;
Aug 7 17:32:37 vShield_118 udev[21427]: removing device node '/dev/vcs12'
Aug 7 17:32:37 vShield_118 udev[21429]: removing device node '/dev/vcsa12'
Aug 7 17:32:37 vShield_118 udev[21432]: creating device node '/dev/vcs12'
Aug 7 17:32:37 vShield_118 udev[21433]: creating device node '/dev/vcsa12'
Aug 7 17:33:37 vShield_118 ntpdate[21445]: adjust time server 10.115.216.84 offset 0.011031 sec
Aug 7 17:34:37 vShield_118 ntpdate[21466]: adjust time server 10.115.216.84 offset 0.002739 sec
Aug 7 17:35:37 vShield_118 ntpdate[21483]: adjust time server 10.115.216.84 offset 0.010884 sec
...

Related Commands
show log alerts
show log events
show log last

show log alerts
Shows the log of firewall rule alerts.

Syntax
show log alerts

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show log alerts

Related Commands
show log

show log events
Shows the log of vShield App system events.

Syntax
show log events

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show log events

Related Commands
show log

show log last
Shows the last n lines of the log.

Syntax
show log last n

Option   Description
n        Number of log lines to display.

CLI Mode
Basic, Privileged

Example
vShield# show log last 2
Feb 9 12:30:55 localhost ntpdate[24503]: adjust time server 192.168.110.199 offset -0.000406 sec
Feb 9 12:31:54 localhost ntpdate[24580]: adjust time server 192.168.110.199 offset -0.000487 sec

Related Commands
show log
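The show log and show log last output above is BSD-style syslog without a year, and the ntpdate lines carry the clock offset that the set clock entry warns can drift on a vShield App that is powered on and off frequently. The following Python parser is an added example, not vShield code: it reads that line format, extracts the NTP offsets, and flags adjustments above a threshold so the drift condition shows up when the log is shipped to a collector. The embedded log lines are constructed to match the shape of the output above, and LOG_YEAR is an assumption because the timestamps carry no year.

```python
"""Parse BSD-style syslog lines from `show log` and flag NTP clock drift.

Added example, not vShield code. SAMPLE_LOG is constructed and LOG_YEAR is an
assumption supplied by the caller, since `show log` timestamps have no year.
"""
import re
from datetime import datetime

LOG_YEAR = 2009

# "Mon DD HH:MM:SS host program[pid]: message"; a one-digit day is space padded.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
NTP_RE = re.compile(
    r"adjust time server (?P<server>\S+) offset (?P<offset>-?\d+\.\d+) sec")


def parse_log(text, year=LOG_YEAR):
    """Return one dict per parseable line; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({
            "time": when,
            "host": m["host"],
            "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "msg": m["msg"],
        })
    return records


def ntp_offsets(records):
    """(time, server, offset_seconds) for every ntpdate adjustment in the log."""
    out = []
    for r in records:
        if r["prog"] != "ntpdate":
            continue
        n = NTP_RE.search(r["msg"])
        if n:
            out.append((r["time"], n["server"], float(n["offset"])))
    return out


def clock_drift_findings(records, max_abs_offset=0.5):
    """NTP steps larger than max_abs_offset seconds. A recurring large step is
    the out-of-sync condition the set clock entry describes; a single one right
    after power-on is expected."""
    return [(t, s, o) for t, s, o in ntp_offsets(records) if abs(o) > max_abs_offset]


def count_by_program(records):
    """Event count per logging program, a quick sanity check on what a host emits."""
    counts = {}
    for r in records:
        counts[r["prog"]] = counts.get(r["prog"], 0) + 1
    return counts


# Constructed sample modeled on the `show log` output; not captured data.
SAMPLE_LOG = """\
Aug  7 17:32:37 vShield_118 syslog-ng[27397]: Configuration reload request received, reloading configuration;
Aug  7 17:32:37 vShield_118 udev[21427]: removing device node '/dev/vcs12'
Aug  7 17:33:37 vShield_118 ntpdate[21445]: adjust time server 10.115.216.84 offset 0.011031 sec
Aug  7 17:34:37 vShield_118 ntpdate[21466]: adjust time server 10.115.216.84 offset 0.002739 sec
Aug  7 17:35:37 vShield_118 ntpdate[21483]: adjust time server 10.115.216.84 offset 3.917204 sec
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_by_program(recs))
    for when, server, offset in clock_drift_findings(recs):
        print(f"{when:%b %d %H:%M:%S} large NTP step of {offset:+.3f}s from {server}")
```

Feed the function the output of show log last n collected from each vShield App; because the vShield Manager's NTP configuration is what the Apps inherit, a host whose offsets stay large while its peers are near zero is usually one that cannot reach the NTP server, which the ntp server entry above lets you override per App.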

show manager log
Shows the system log of the vShield Manager.

Syntax
show manager log [follow | reverse]

Option    Description
follow    Update the displayed log every 5 seconds.
reverse   Show the log in reverse chronological order.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Manager CLI

Example
vShield# show manager log
SEM Debug Nov 15, 2005 02:46:23 PM PropertyUtils Prefix:applicationDir
SEM Debug Nov 15, 2005 02:46:23 PM PropertyUtils Props Read:[]
SEM Info Nov 15, 2005 02:46:23 PM RefreshDb UpdateVersionNumbers info does not exist
SEM Debug Nov 15, 2005 02:46:23 PM RefreshDb Applications: []
SEM Info Nov 15, 2005 02:46:23 PM RefreshDb Compiler version pairs found: []

Related Commands
show manager log last

show manager log last
Shows the last n events in the vShield Manager log.

Syntax
show manager log last n

Option   Description
n        Number of events to display.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Manager CLI

Example
manager# show manager log last 10

Related Commands
show manager log

show ntp
Shows the IP address of the Network Time Protocol (NTP) server. You set the NTP server IP address by using the vShield Manager user interface.

Syntax
show ntp

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Manager CLI

Example
manager# show ntp
NTP server: 192.168.110.199

Related Commands
ntp server

show process
Shows information related to vShield Edge processes.

Syntax
show process (list | monitor)

Option    Description
list      List all currently running processes on the vShield Edge.
monitor   Continuously monitor the list of processes.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show process list

show route
Shows the current routes configured on a vShield Edge.

Syntax
show route

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show route

show running-config
Shows the current running configuration.

Syntax
show running-config

CLI Mode
Basic, Privileged

Example
vShield# show running-config
Building configuration...

Current configuration:
!
segment 0 default bypass
!

Related Commands
copy running-config startup-config
show startup-config

show service
Shows the status of the specified vShield Edge service.

Syntax
show service (dhcp | ipsec | lb)

Option   Description
dhcp     Show the status of the DHCP service.
ipsec    Show the status of the VPN service.
lb       Show the status of the Load Balancer service.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show service dhcp

show service statistics
Shows the current status of all services on a vShield Edge. Details include the running status for VPN and the Load Balancer, DHCP leases, and iptables entries for firewall and NAT.

Syntax
show service statistics

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show service statistics

show services
Shows the services protected by a vShield App.

Syntax
show services

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI. In the example, 2050001_SAFLOW-FTPD-Dynamic-Port-Detection is the full name of a service. You must copy and paste this string into the debug service command as the service name.

Example
vShield# show services
nproxy_D_T_0001 is ACTIVE
56 - 2050001_SAFLOW-FTPD-Dynamic-Port-Detection
57 - 2050001_SAFLOW-MSRPC-Dynamic-Port-Detection
58 - 2050001_SAFLOW-ORACLE-Dynamic-Port-Detection-Reverse
59 - 2050001_SAFLOW-FTPD-Dynamic-Port-Detection-Reverse
60 - 2050001_SAFLOW-SUNRPC-Dynamic-Port-Detection
61 - 2050001_SAFLOW-MSRPC-Dynamic-Port-Detection-Reverse
62 - 2050001_SAFLOW-SUNRPC-Dynamic-Port-Detection-Reverse
63 - 2050001_SAFLOW-ORACLE-Dynamic-Port-Detection
64 - 2050001_SAFLOW-Generic-Single-Session-Inverse-Attached
65 - 2050001_SAFLOW-Generic-Single-Session-Forward-Attached

Related Commands
debug service
debug service flow src

show session-manager counters
Shows historical statistics on the sessions processed by a vShield App, such as the number of SYNs received, the number of retransmitted SYNs, and so forth.

Syntax
show session-manager counters

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show session-manager counters
sa_tcp_sockets_allocated_high_water_mark 8
sa_tcp_tw_count_high_water_mark 3
SA_TCP_STATS_OpenreqCreated 61
SA_TCP_STATS_SockCreated 61
SA_TCP_STATS_NewSynReceived 61
SA_TCP_STATS_RetransSynReceived 0

Related Commands
show session-manager sessions

show session-manager sessions
Shows the current sessions in process on a vShield App.

Syntax
show session-manager sessions

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show session-manager sessions
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address   State
tcp        0      0 0.0.0.0:2601            0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:7060            0.0.0.0:*         LISTEN
V_Listen
tcp        0      0 192.168.110.229:46132   0.0.0.0:*         LISTEN

Related Commands
show session-manager counters
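The show session-manager sessions output is netstat-style, so it can be reviewed mechanically. The following Python is an added example, not vShield code: it parses that format and reports listeners bound to every address (0.0.0.0) that are not on an expected-port allowlist, which is the check to run when reviewing what a vShield App exposes on its management network. The sample rows are constructed from the shape of the output above, with one ESTABLISHED row added that the page does not show.

```python
"""Report exposed listeners from `show session-manager sessions` output.

Added example, not vShield code. SAMPLE is constructed from the shape of the
command output, not captured from a vShield App.
"""
from dataclasses import dataclass

PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: str          # empty for UDP rows, which carry no state column


def parse_sessions(text):
    """Parse netstat-style rows (Proto Recv-Q Send-Q Local Foreign [State]).
    The banner, the column header and markers such as 'V_Listen' are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOCOLS:
            continue
        local_ip, _, port = fields[3].rpartition(":")
        state = fields[5] if len(fields) > 5 else ""
        sockets.append(Socket(fields[0], local_ip, int(port), fields[4], state))
    return sockets


def exposed_listeners(sockets, allowed_ports=frozenset()):
    """(proto, port) for LISTEN sockets bound to every address and not on the
    allowlist. Anything reported here is reachable from whatever network the
    interface sits on and should be justified by a firewall rule or removed."""
    return sorted(
        (s.proto, s.local_port)
        for s in sockets
        if s.state == "LISTEN"
        and s.local_ip in WILDCARD_ADDRESSES
        and s.local_port not in allowed_ports)


# Constructed sample modeled on the command output; the ESTABLISHED row is invented.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7060            0.0.0.0:*               LISTEN
V_Listen
tcp        0      0 192.168.110.229:46132   0.0.0.0:*               LISTEN
tcp        0      0 192.168.110.229:22      10.0.0.8:51022          ESTABLISHED
"""

if __name__ == "__main__":
    for proto, port in exposed_listeners(parse_sessions(SAMPLE), allowed_ports={7060}):
        print(f"unexpected wildcard listener: {proto}/{port}")
```

Build the allowlist from the ports you have documented for vShield communication; every listener the function still reports is either undocumented or should be restricted to the management interface address rather than 0.0.0.0.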

show slots
Shows the software images on the slots of a vShield virtual machine. Boot indicates the image that is used to boot the virtual machine.

Syntax
show slots

CLI Mode
Basic, Privileged

Example
manager# show slots
Recovery:   System Recovery v0.3.2
Slot 1:     13Aug09-09.49PDT
Slot 2:   * 16Aug09-23.52PDT (Boot)

show stacktrace
Shows the stack traces of failed components. If no components have failed, no output is returned.

Syntax
show stacktrace

CLI Mode
Basic, Privileged

Example
vShield# show stacktrace

show startup-config
Shows the startup configuration.

Syntax
show startup-config

CLI Mode
Basic, Privileged

Example
vShield# show startup-config

Related Commands
copy running-config startup-config
show running-config

show syslog
Shows the syslog configuration.

Syntax
show syslog

CLI Mode
Basic, Privileged

Example
vShield# show syslog
*.*       -/var/log/messages
*.emerg   /dev/tty1

Related Commands
syslog

show system events
Shows the latest vShield Edge system events which have not yet been read by the vShield Manager.

Syntax
show system events [follow | reverse]

Option    Description
follow    Update the displayed log every 5 seconds.
reverse   Show the log in reverse chronological order.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show system events

show system load
Shows the average processing load on a vShield Edge.

Syntax
show system load

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShieldEdge# show system load

show system memory
Shows a summary of memory utilization.

Syntax
show system memory

CLI Mode
Basic, Privileged

Example
vShield# show system mem
MemTotal:      2072204 kB
MemFree:       1667248 kB
Buffers:         83120 kB

show system network_connections
Shows the currently open network connections and listening interfaces for a vShield Edge.

Syntax
show system network_connections

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShield# show system network_connections

show system storage
Shows the disk usage details for a vShield Edge.

Syntax
show system storage

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge CLI

Example
vShield# show system storage

show system uptime
Shows the length of time the vShield virtual machine has been operational since the last reboot.

Syntax
show system uptime

CLI Mode
Basic, Privileged

Example
vShield# show system uptime
0 day(s), 8 hour(s), 50 minute(s), 26 second(s)

show version
Shows the software version currently running on the virtual machine.

Syntax
show version

CLI Mode
Basic, Privileged

Example
vShield# show version

show vmwall log
Shows the sessions that matched a firewall rule.

Syntax
show vmwall log [follow | reverse]

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show vmwall log

Related Commands
show vmwall rules

show vmwall rules
Shows the firewall rules that are active on the vShield App.

Syntax
show vmwall rules

CLI Mode
Basic, Privileged

Usage Guidelines
vShield App CLI

Example
vShield# show vmwall rules
Printing VMWall Rules and IP Lists...

Related Commands
clear vmwall rules
show vmwall log

Diagnostics and Troubleshooting Commands

export tech-support scp
Exports the system diagnostics to a specific location via Secure Copy Protocol (SCP). You can also export system diagnostics for a vShield virtual machine from the vShield Manager user interface. See "Download a Technical Support Log from a Component" on page 23.

Syntax
export tech-support scp URL

Option   Description
URL      Enter the complete path of the destination, in the form user@host:path.

CLI Mode
Basic and Privileged

Example
vShield# export tech-support scp user123@host123:file123

link-detect
Enables link detection for an interface. Link detection checks the status of an interface as enabled or disabled. Link detection is enabled by default.
To disable link detection for an interface, use no before the command.

Syntax
[no] link-detect

CLI Mode
Interface Configuration

Example
vShield(config-if)# link-detect

or

vShield(config-if)# no link-detect

ping
Pings a destination by its hostname or IP address.

Syntax
ping (hostname | A.B.C.D)

Option               Description
hostname | A.B.C.D   The hostname or IP address of the target system.

CLI Mode
Basic, Privileged

Usage Guidelines
Enter CTRL+C to end ping replies.

Example
vShield# ping 192.168.1.1

ping interface addr
Pings an external destination from the internal address of a virtual machine protected by a vShield Edge.

Syntax
ping interface addr (source hostname | A.B.C.D) (destination hostname | A.B.C.D)

Option                           Description
source hostname | A.B.C.D        The hostname or internal IP address of a virtual machine protected by a vShield Edge.
destination hostname | A.B.C.D   The hostname or IP address of the destination.

CLI Mode
Basic, Privileged

Usage Guidelines
vShield Edge only. This command is useful for debugging IPSec-related issues. Enter CTRL+C to end ping replies.

Example
vshieldEdge# ping interface addr 192.168.1.1 69.147.76.15

show tech support
Shows the system diagnostic log that can be sent to technical support by running the export tech-support scp command.

Syntax
show tech support

CLI Mode
Basic, Privileged

Example
vShield# show tech support

Related Commands
export tech-support scp

ssh
Opens an SSH connection to a remote system.

Syntax
ssh (hostname | A.B.C.D)

Option               Description
hostname | A.B.C.D   The hostname or IP address of the target system.

CLI Mode
Basic, Privileged

Example
vShield# ssh server123

telnet
Opens a telnet session to a remote system.

Syntax
telnet (hostname | A.B.C.D) [port]

Option               Description
hostname | A.B.C.D   The hostname or IP address of the target system.
port                 Listening port on the remote system.

CLI Mode
Basic, Privileged

Usage Guidelines
Telnet carries the whole session, including any credentials you type, in cleartext. Use it to check that a remote port answers, as in the second example, and use ssh for administrative sessions.

Example
vShield# telnet server123

or

vShield# telnet server123 1221

traceroute
Traces the route to a destination.

Syntax
traceroute (hostname | A.B.C.D)

Option               Description
hostname | A.B.C.D   The hostname or IP address of the target system.

CLI Mode
Basic, Privileged

Example
vShield# traceroute 10.16.67.118
traceroute to 10.16.67.118 (10.16.67.118), 30 hops max, 40 byte packets
 1  10.115.219.253 (10.115.219.253)  128.808 ms  74.876 ms  74.554 ms
 2  10.17.248.51 (10.17.248.51)  0.873 ms  0.934 ms  0.814 ms
 3  10.16.101.150 (10.16.101.150)  0.890 ms  0.913 ms  0.713 ms
 4  10.16.67.118 (10.16.67.118)  1.120 ms  1.054 ms  1.273 ms

validate sessions
Validates the existing sessions against the current set of firewall rules.

Syntax
validate sessions

CLI Mode
Privileged

Usage Guidelines
vShield App CLI

Example
vShieldApp# validate sessions

User Administration Commands

default web-manager password
Resets the vShield Manager user interface admin user account password to the default. Because the default is a known value, change the admin password from the user interface immediately after running this command.

Syntax
default web-manager password

CLI Mode
Privileged

Usage Guidelines
vShield Manager CLI

Example
manager# default web-manager password
Password reset

user
Adds a CLI user account. The user admin is the default user account. The CLI admin account and password are separate from the vShield Manager user interface admin account and password.
You cannot change the password for a CLI user. You must delete a user account and re-add it to change the password. If you must change a password, create the replacement user account first, so that you are not locked out of the CLI while the old account is removed.

IMPORTANT Each vShield virtual machine has two built-in CLI user accounts for system use: nobody and vs_comm. Do not delete or modify these accounts. If these accounts are deleted or modified, the virtual machine will not work.

To remove a CLI user account, use no before the command.

Syntax
[no] user username password (hash | plaintext) password

Option      Description
username    Login name of the user.
hash        Masks the password by using the MD5 hash. You can view and copy the provided MD5 hash by running the show running-config command. Anyone who can read the running configuration can attempt to crack the hash offline, so treat configuration exports as sensitive.
plaintext   Keeps the password unmasked, and therefore readable in the running configuration.
password    Password to use.

CLI Mode
Configuration

Example
vShield(config)# user newuser1 password plaintext abcd1234

or

vShield(config)# no user newuser1
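The hash option stores an MD5 hash that show running-config displays. The following Python is an added example, not vShield code: it implements the Unix MD5-crypt ($1$) scheme so that you can verify a candidate password against a hash copied from the running configuration, for instance to confirm that a re-added account carries the intended password, or to demonstrate during a configuration review that a weak password is recoverable. It assumes the stored string has the $1$salt$hash form common to device configurations; if vShield prints a different format, verify() rejects it rather than guessing. The 1000 MD5 rounds also show why the hash deserves protection: they are cheap enough for fast offline guessing.

```python
"""Verify MD5-crypt ($1$) password hashes offline.

Added example, not vShield code. Assumption: the `hash` form of the vShield
`user` command stores a Unix MD5-crypt string ($1$<salt>$<22 chars>). If your
show running-config output looks different, this code does not apply to it.
"""
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt(3)-style base64: emit `count` characters, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password, salt):
    """Reference MD5-crypt (Poul-Henning Kamp's scheme, 1000 rounds).
    `password` and `salt` are bytes; the salt is truncated to 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                       # mix in `alt`, one byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(password)
    while i:                                   # the original's odd bit-walk over the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the stretching loop; far too cheap today
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return MAGIC + salt + b"$" + encoded


def make_hash(password):
    """Produce a fresh $1$ hash with a random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return md5_crypt(password.encode(), salt.encode()).decode()


def verify(password, stored):
    """Check a candidate against a $1$ string copied from show running-config.
    Raises ValueError for anything that is not in $1$salt$hash form."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1" or not parts[2]:
        raise ValueError("not an MD5-crypt ($1$) hash")
    recomputed = md5_crypt(password.encode(), parts[2].encode()).decode()
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    h = make_hash("abcd1234")
    print(h, verify("abcd1234", h), verify("wrong", h))
```

verify() uses a constant-time comparison, which matters little for an offline check but is the habit to keep; the security lesson is in the loop count rather than the comparison, since 1000 MD5 rounds lets a commodity GPU test hundreds of millions of candidates per second against a hash lifted from a configuration export.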

web-manager
Starts the Web service on the vShield Manager. The Web service is started after the vShield Manager is installed.
To stop the Web service (HTTP daemon) on the vShield Manager, use no before the command. This makes the vShield Manager unavailable to Web Console browser sessions.

Syntax
[no] web-manager

CLI Mode
Configuration

Usage Guidelines
vShield Manager CLI. You can use this command after you have run the no web-manager command to stop and then restart the HTTP services of the vShield Manager.

Example
manager(config)# no web-manager
manager(config)# web-manager

Terminal Commands

clear vty
Clears all other VTY connections to the CLI.

Syntax
clear vty

CLI Mode
Privileged

Example
manager# clear vty

reset
Resets the terminal settings to remove the current screen output and return a clean prompt.

Syntax
reset

CLI Mode
Basic, Privileged, Configuration

Example
manager# reset

Related Commands
terminal length
terminal no length

terminal length
Sets the number of rows to display at a time in the CLI terminal.

Syntax
terminal length <0-512>

Option   Description
0-512    Enter the number of rows to display. If length is 0, no display control is performed.

CLI Mode
Privileged

Example
manager# terminal length 50

Related Commands
reset
terminal no length

terminal no length
Negates the terminal length command.

Syntax
terminal no length

CLI Mode
Privileged

Example
manager# terminal no length

Related Commands
reset
terminal length

Deprecated Commands
The vShield CLI contains commands that have been deprecated. The following table lists deprecated commands.

Table A-1. Deprecated Commands

Command
close support-tunnel
copy http URL slot (1|2)
copy http URL temp
copy scp URL slot (1|2)
copy scp URL temp
debug export snapshot
debug import snapshot
debug snapshot list
debug snapshot remove
debug snapshot restore
duplex auto
duplex (half|full)
speed (10|100|1000)
ip policy-address
linkwatch interval <5-60>
mode policy-based-forwarding
open support-tunnel
set support key
show raid
show raid detail

Troubleshooting

This section guides you through troubleshooting common vShield issues.
This appendix covers the following topics:

Troubleshooting vShield Manager Installation on page 133
Troubleshooting Operation Issues on page 134
Troubleshooting Port Group Isolation Issues on page 135
Troubleshooting vShield Edge Issues on page 138
Troubleshooting vShield Endpoint Issues on page 139

Troubleshooting vShield Manager Installation

vShield OVA File Extracted to a PC Where vSphere Client Is Not Installed

Problem
I obtained the vShield OVA file and downloaded it to my PC. If I do not have the vSphere Client on my PC, how do I install vShield?

Solution
You must have the vSphere Client to install vShield.

vShield OVA File Cannot Be Installed in vSphere Client

Problem
When I try to install the vShield OVA file, the install fails.

Solution
If a vShield OVA file cannot be installed, an error window in the vSphere Client notes the line where the failure occurred. Send this error information, together with the vSphere Client build information, to VMware technical support.


Cannot Log In to CLI After the vShield Manager Virtual Machine Starts

Problem
I cannot log in to the vShield Manager CLI after I installed the OVF.

Solution
Wait a few minutes after completing the vShield Manager installation before logging in to the vShield Manager CLI. In the Console tab view, press Enter to check for a command prompt if the screen is blank.

Cannot Log In to the vShield Manager User Interface

Problem
When I try to log in to the vShield Manager user interface from my Web browser, I get a Page Not Found exception.

Solution
The vShield Manager IP address is in a subnet that is not reachable by the Web browser. The IP address of the vShield Manager management interface must be reachable by the Web browser to use vShield.

Troubleshooting Operation Issues

vShield Manager Cannot Communicate with a vShield App

Problem
I cannot configure a vShield App from the vShield Manager.

Solution
If you cannot configure the vShield App from the vShield Manager, there is a break in connectivity between the two virtual machines: the vShield App management interface cannot talk to the vShield Manager management interface. Make sure that the management interfaces are in the same subnet. If VLANs are used, make sure that the management interfaces are in the same VLAN.
Another reason could be that the vShield App or the vShield Manager virtual machine is powered off.

Cannot Configure a vShield App

Problem
I cannot configure a vShield App.

Solution
This might be the result of one of the following conditions.

- The vShield App virtual machine is corrupt. Uninstall the offending vShield App from the vShield Manager user interface. Install a new vShield App to protect the ESX host.
- The vShield Manager cannot communicate with the vShield App.
- The storage/LUN hosting the vShield configuration file has failed. When this happens, you cannot make any configuration changes. However, the firewall continues to run. You can store vShield virtual machines on local storage if remote storage is not reliable.

Take a snapshot or create a TAR of the affected vShield App by using the vSphere Client. Send this information to VMware technical support.


Firewall Block Rule Not Blocking Matching Traffic

Problem
I configured an App Firewall rule to block specific traffic. I used Flow Monitoring to view traffic, and the traffic I wanted to block is being allowed.

Solution
- Check the ordering and scope of the rule. This includes the container level at which the rule is being enforced. Issues might occur when an IP address based rule is configured under the wrong container.
- Check where the affected virtual machine resides. Is the virtual machine behind a vShield App? If not, there is no agent to enforce the rule. Select the virtual machine in the resource tree. The App Firewall tab for this virtual machine displays all of the rules that affect this virtual machine.
- Place any unprotected virtual machines onto a vShield protected switch, or protect the vSwitch that the VM is on by installing a vShield App.
- Enable logging for the App Firewall rule in question. This might slow network traffic through the vShield App.
- Verify vShield App connectivity. Check for the vShield App being out of sync on the System Status page. If out of sync, click Force Sync. If it is still not in sync, go to the System Event log to determine the cause.

No Flow Data Displaying in Flow Monitoring

Problem
I have installed the vShield Manager and a vShield App. When I opened the Flow Monitoring tab, I did not see any data.

Solution
This might be the result of one or more of the following conditions.

- You did not allow enough time for the vShield App to monitor traffic sessions. Allow a few minutes after vShield App installation to collect traffic data. You can request data collection by clicking Get Latest on the Flow Monitoring tab.
- Traffic is destined to virtual machines that are not protected by a vShield App. Make sure your virtual machines are protected by a vShield App. Virtual machines must be in the same port group as the vShield App protected (p0) port.
- There is no traffic to the virtual machines protected by a vShield App.
- Check the system status of each vShield App for out of sync issues.

Troubleshooting Port Group Isolation Issues

Validate Installation of Port Group Isolation

To validate installation of Port Group Isolation

1  Make sure that the same port group and virtual machines are not also configured for vCloud Service Director network isolation or Lab Manager cross-host fencing. Double encapsulation mode is not supported currently.
2  Verify that the Port Group Isolation bundle is installed: esxupdate query
3  Verify that vshd is running.
   ESXi: ps | grep vsh. The results might contain more than one instance, which is ok.
   ESX Classic: ps -eaf | grep vshd
4  Verify that the kernel module is loaded: vmkload_mod -l | grep vshd -ni
5  Verify that the mirror virtual machine is powered on.
   On the ESX host, look for a powered-on virtual machine with the name vshield-infra-ni-<string>.
6  Verify that the Port Group Isolation virtual machine is connected to the correct port group.
7  Verify that the VMX files for the protected virtual machines contain the filter entries.
   Open the VMX file and search for filter15. There should be three entries. Make sure these entries are present on the correct Ethernet card. Each VMX file should have only three entries per vNIC related to the fence module (filter15). If the entries are repeated, that means that the VMX file had isolation entries from a previous configuration that was not cleaned up, and duplicate entries were added later.
8  Verify that all virtual machines belonging to the port group have identical filter settings in the VMX files.
9  Verify that the vshd configuration is intact.
   a  Go to /etc/opt/vmware/vslad/config.
   b  Review the files in this directory. Ensure all files contain some data. They should not be empty.

If all of the above is correct, the ESX host is set up properly for Port Group Isolation.
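The VMX checks in steps 7 and 8 can be scripted. The following Python is an added example for this guide, not a vShield script: it counts the filter15 entries per vNIC, flags duplicate keys left over from an earlier configuration, and compares the filter settings of every VM in a port group. The VMX key names used in the sample files (name, param0, onFailure) and the sample files themselves are assumed for illustration; only the filter15 prefix comes from the guide. Feed it the text of real VMX files to use it.

```python
"""Audit VMX files for fence-module (filter15) entries.

Added example for the vShield Administration Guide; not part of the product.
The VMX keys (ethernetN.filter15.name/param0/onFailure) and the sample files
are constructed for illustration. Only the "filter15" prefix is from the guide.
"""
import re
from collections import defaultdict

# One entry looks like: ethernet0.filter15.<key> = "<value>"
VMX_LINE = re.compile(r'^\s*(ethernet\d+)\.filter15\.(\S+)\s*=\s*"([^"]*)"\s*$')


def parse_filter15(vmx_text):
    """Return {vnic: [(key, value), ...]} for every filter15 line, in file order.
    Duplicates are kept so that they can be reported."""
    entries = defaultdict(list)
    for line in vmx_text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            vnic, key, value = m.groups()
            entries[vnic].append((key, value))
    return dict(entries)


def audit_vmx(vmx_text, expected_per_vnic=3):
    """Step 7: return a list of problems for one VMX file (empty list means OK)."""
    problems = []
    for vnic, kv in sorted(parse_filter15(vmx_text).items()):
        keys = [k for k, _ in kv]
        if len(kv) != expected_per_vnic:
            problems.append(f"{vnic}: {len(kv)} filter15 entries, expected {expected_per_vnic}")
        dupes = sorted({k for k in keys if keys.count(k) > 1})
        if dupes:
            problems.append(f"{vnic}: duplicate filter15 keys {dupes}; "
                            "stale entries from a previous configuration?")
    return problems


def compare_port_group(vmx_by_vm):
    """Step 8: every VM in the port group must carry identical filter settings.
    Returns the names of VMs whose settings differ from the first VM's.
    vNIC numbering and line order are ignored; only the key/value sets count."""
    if not vmx_by_vm:
        return set()
    canon = {name: sorted(tuple(sorted(kv)) for kv in parse_filter15(text).values())
             for name, text in vmx_by_vm.items()}
    reference = next(iter(canon.values()))
    return {name for name, c in canon.items() if c != reference}


# Constructed sample VMX fragments (not real vShield output).
GOOD_VMX = """\
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.filter15.name = "vshield-fence"
ethernet0.filter15.param0 = "lanid=1"
ethernet0.filter15.onFailure = "failClosed"
"""
# A re-install that did not clean up leaves a fourth, duplicated entry.
STALE_VMX = GOOD_VMX + 'ethernet0.filter15.name = "vshield-fence"\n'
# A VM whose filter points at a different LAN than the rest of the port group.
OTHER_LAN_VMX = GOOD_VMX.replace('lanid=1', 'lanid=2')


if __name__ == "__main__":
    for label, text in (("good", GOOD_VMX), ("stale", STALE_VMX)):
        print(label, audit_vmx(text) or "OK")
    print("differs:", compare_port_group({"web01": GOOD_VMX, "web02": GOOD_VMX, "db01": OTHER_LAN_VMX}))
```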

Verify Install or Uninstall Script

The installation script creates the following entities.

- Creates a user named vslauser and sets a default password.
  To see if the user was added: vi /etc/passwd
- Adds the role vslauser and associates the user vslauser to the role.
- Adds entries to start vshd and the script svm-autostart across every reboot.
  You can verify this on ESXi by looking for entries related to vshd and svm-autostart in the file /etc/chkConfig.db. On ESX, you can verify this by running find / -name '*vsh*' (quote the pattern so the shell does not expand it) and confirming that there are scripts named S<value>vslad and svm-autostart.
- Adds an entry to the services list on ESX to expose VSHD services. You can verify this entry by opening the file /etc/vmware/hostd/proxy.xml and searching for the word vsh.

The removal script reverses all of the operations performed by the installation script.

- Removes the user vslauser.
- Removes the role vslauser.
- Removes the init entries for vshd and svm-autostart.
- Removes the vshd entry from proxy.xml.

Validate the Data Path

To troubleshoot packet drops, such as a ping between virtual machines in the same isolated port group

1  Make sure that addresses, routes, netmasks, and gateways are configured correctly.
2  Install tcpdump on a virtual machine in the isolated port group.
3  Run a packet capture inside that virtual machine.
4  Ping from the problematic virtual machine to the virtual machine where the capture is running.
   If an ARP packet is received, that means that broadcast packets are received. If you do not receive an ARP packet, that means none of the packets were received.

To troubleshoot if broadcast packets are being received but unicast packets are being dropped

1  Run /opt/vmware/vslad/fence-util setSwitchMode 1 on all ESX hosts in question. This command instructs the vshd module to broadcast all fenced packets. Because every fenced packet is then flooded to every host, leave this mode on only for the duration of the test.
   If, after running the command on all hosts, things start working, most of the time this means that the issue lies with the mirror virtual machines, because the mirror virtual machines must be configured correctly for unicast packet delivery to work.
   For more on fence-util, see Details of the fence-util Utility on page 137.
2  On each ESX host, check the mirror virtual machine's NICs to make sure that at least one NIC is connected to the vSwitch to which these virtual machines are connected.
3  Confirm that the filter entries for this NIC in the mirror virtual machine's VMX files are correct. All of the entries for that vSwitch should have the same LanId value.
   After fixing the problem, reset the mode to 0 by running /opt/vmware/vslad/fence-util setSwitchMode 0.
4  Confirm that the packets are reaching the other ESX host. If the mirror virtual machines are misconfigured, packets are dropped at the destination ESX host, not by the source host.
   If things are still not working, this most likely means that unicast switching is broken somewhere on the physical devices in the network. This is rare, because if broadcast packets are arriving, physical connectivity is present between the virtual machines communicating with each other. If broadcast is working and unicast is not working even after putting all vshd modules in broadcast mode using fence-util, then the problem may be in the physical network's handling of such unicasts.
   There is also a chance of more than one vShield Manager, Port Group Isolation, or vCenter installation on the same network. In that case, some of the host key MAC addresses may be duplicated within the same physical network. Because of this, the broadcast traffic may work fine, but the unicast traffic may reach the wrong hosts, because the physical switches on the network may learn the same MAC from two different places.

To troubleshoot if no packets are being received and broadcasts are being dropped

1  Confirm that the two ESX hosts are present on a common physical network and on the same VLAN.
2  In the case of legacy switches, confirm that the same port group is connected to the same named vSwitch on all the ESX hosts in question.
3  Confirm that the NICs connected to these vSwitches connect to the same physical network.
4  Run the /opt/vmware/vslad/fence-util info command multiple times on all ESX hosts to see if any dropped packet counters are incremented.
   This module also shows dropped packet numbers for unfenced packets entering fenced vNICs. This would mean that all the other broadcasts on the network are dropped when they reach the fenced vNIC. Look for the Fenced From VM and Fenced To VM counters.
5  Isolate the point where packets are getting dropped by running captures on the ESX interface at both ends.
   In cases where packets are leaving the source ESX host but are not reaching the destination ESX host, there is a small chance that some intelligent device in between is dropping these packets because of the unknown ethtype in the packets.

Details of the fence-util Utility

Log Level indicates the debug log level.

Hostkey is the configured host ID. There is a printing mistake in the fence-util program where it attaches a 0 at the end of the host ID: a hostid of 0x30 means hostId 3.

Configured LAN MTUs refer to the MTU values explicitly set via vshd.

Port Id is the first column in all other tables (Active Ports, Switch State, and Port Stats). This is a unique identifier assigned by the vshd module to each fence-enabled port. This ID is internal and has no external meaning. It is the dvfilter name for that port typecast to Uint64. The port ID is useful to query values for a specific port using the fence-util portInfo <portId> command, which outputs details of only one port.

Active Ports shows all the ports/vNICs where fencing is active. This includes the mirror vNICs. In the example setup, the first host has five ports enabled for fencing, two of which are mirror vNICs. The mirror vNICs can be identified by a special fence ID of fffffe. The OPI column indicates the fence ID. In that setup, the first host has one fence with ID 000001. The next column indicates the LanId configured for that port. This is an indication of which vSwitch the port might be connected to. In the example, the first host has two vSwitches (legacy + dvSwitch). One has been assigned LanId 1 and the other one has LanId 2. Thus, you see two mirror virtual machine vNICs (one for each vSwitch) with different LanIds in Active Ports.

Switch State shows the learning table of the internal unicast learning in the fence module. Inner MAC means the MAC of the destination VM; outer MAC means the host key MAC of the host on which this VM is present. The learning builds this table by looking at packets and tries to learn which VM is on which host. This way, when one VM on that host tries to reach another virtual machine, this table is looked up. If the destination VM's MAC is seen in the inner MAC column, then the outer MAC is used as the destination host key MAC to be put in the outer MAC header added by the fence module. If an entry is not found here, such a packet is broadcast (the outer MAC header's destination MAC is set to broadcast). Like any other learning system, this one also has mechanisms to time out or modify learnt entries. This takes care of things like VMs moving to different hosts, and makes sure that the table does not grow too much in size with stale MAC entries. The used/age/seen bits represent the flags used by the fence module to track the frequency of these MAC entries. The learning is done on a per-port level, hence you see the same inner MAC/outer MAC pairs on different ports. This table also shows the same host key MAC in the outer MAC section, because even for VMs on the same host the same code is used: a packet is encapsulated and sent from the source port and decapsulated on the destination port. There is no optimization for same-host VMs. Thus for VMs on the same host, the outer MAC is the host key MAC of the same host.

Port Statistics shows packet stats on a per-port basis, one port per row. The From VM and To VM stats indicate packets to and from the VM. The subcategories indicate the specifics about the packet.
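The Switch State learning described above, modelled in Python as an added example for this guide (an illustration of the behaviour the text describes, not the vshd module's code). A FencePort learns inner MAC to outer (host key) MAC pairs from the frames it decapsulates, looks the destination up when encapsulating, broadcasts on a miss, overwrites an entry when a VM reappears behind a different host key, and ages idle entries out. The host key and VM MAC addresses, the aging threshold, and the frame fields are constructed for the example.

```python
"""Model of the fence module's per-port unicast learning table (Switch State).

Added example for the vShield Administration Guide; an illustrative model of
the behaviour described in the text, not the vshd kernel module's code. All
MAC addresses, the aging threshold and the frame fields are constructed.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class FencePort:
    """One fence-enabled port. The table is per port, as the guide states, so
    two ports on the same host each learn the same inner/outer pairs on their own."""

    def __init__(self, host_key_mac, max_age=3):
        self.host_key_mac = host_key_mac   # outer source MAC for frames leaving this host
        self.max_age = max_age             # ticks without traffic before an entry is dropped
        self.table = {}                    # inner MAC -> {"outer": mac, "age": n, "seen": n}

    def learn(self, inner_src, outer_src):
        """Called for every decapsulated frame: remember which host key MAC the
        inner source MAC arrived behind. A different outer MAC (VM moved) overwrites."""
        entry = self.table.get(inner_src)
        if entry is None or entry["outer"] != outer_src:
            self.table[inner_src] = {"outer": outer_src, "age": 0, "seen": 1}
        else:
            entry["age"] = 0
            entry["seen"] += 1

    def encapsulate(self, inner_frame):
        """Return the outer (host key) header for a frame leaving the VM.
        A table hit gives a unicast outer destination; a miss is broadcast."""
        entry = self.table.get(inner_frame["dst"])
        outer_dst = entry["outer"] if entry else BROADCAST
        return {"outer_src": self.host_key_mac, "outer_dst": outer_dst, "inner": inner_frame}

    def tick(self):
        """Age every entry by one interval and drop those idle for max_age ticks."""
        for mac in list(self.table):
            self.table[mac]["age"] += 1
            if self.table[mac]["age"] >= self.max_age:
                del self.table[mac]


def walk_through():
    """Constructed scenario: VM A on host 1 talks to VM B on host 2; B then moves
    to host 3 and later goes quiet. Returns the outer destination of each frame."""
    host1_port = FencePort(host_key_mac="00:50:56:00:00:01")
    vm_a, vm_b = "00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb"
    first = host1_port.encapsulate({"src": vm_a, "dst": vm_b})        # unknown: broadcast
    host1_port.learn(inner_src=vm_b, outer_src="00:50:56:00:00:02")   # B's reply arrived from host 2
    second = host1_port.encapsulate({"src": vm_a, "dst": vm_b})       # unicast to host 2
    host1_port.learn(inner_src=vm_b, outer_src="00:50:56:00:00:03")   # B now seen behind host 3
    third = host1_port.encapsulate({"src": vm_a, "dst": vm_b})        # unicast to host 3
    for _ in range(host1_port.max_age):                               # B goes quiet
        host1_port.tick()
    fourth = host1_port.encapsulate({"src": vm_a, "dst": vm_b})       # aged out: broadcast again
    return [f["outer_dst"] for f in (first, second, third, fourth)]


if __name__ == "__main__":
    print(walk_through())
```

The model also reproduces the same-host case the text mentions: if VM B sits on host 1 itself, the port learns host 1's own host key MAC as the outer MAC and still encapsulates, since there is no same-host shortcut.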

Troubleshooting vShield Edge Issues

Virtual Machines Are Not Getting IP Addresses from the DHCP Server

To determine why protected virtual machines are not being assigned IP addresses by a vShield Edge

1  Verify that the DHCP configuration was successful on the vShield Edge by running the CLI command: show configuration dhcp
2  Check whether the DHCP service is running on the vShield Edge by running the CLI command: show service dhcp
3  Ensure that the network adapter on both the virtual machine and the vShield Edge is connected (vCenter > Virtual Machine > Edit Settings > Network Adapter > Connected/Connect at Power On checkboxes).
   When both a vShield App and a vShield Edge are installed on the same ESX host, disconnection of NICs can occur if the vShield App is installed after the vShield Edge.

Load-Balancer Does Not Work

To determine why the load balancer service on a vShield Edge is not working

1  Verify that the load balancer is running by running the CLI command: show service lb
   The load balancer can be started by issuing the start command.
2  Verify the load balancer configuration by running the command: show configuration lb
   This command also shows on which external interfaces the listeners are running.

Load-Balancer Throws Error 502 Bad Gateway for HTTP Requests

To determine why the load balancer service on a vShield Edge is throwing a 502 Bad Gateway error

This error occurs when the backend (internal) servers are not responding to requests.

1  Verify that the internal server IP addresses are correct.
   The current configuration can be seen through the vShield Manager or through the CLI command show configuration lb.
2  Verify that the internal server IP addresses are reachable from the vShield Edge internal interface.
3  Verify that the internal servers are listening on the IP:Port combination specified at the time of load balancer configuration.
   If no port is specified, then IP:80 must be checked. The internal server must not listen only on 127.0.0.1:80; either 0.0.0.0:80 or <internal ip>:80 must be open.
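A check for step 3, as an added example that is not part of vShield: given the listening sockets of an internal server, in the shape of ss -ltn or netstat -ltn output (the sample here is constructed), it reports whether the server is reachable on the configured IP:port, distinguishing a 127.0.0.1-only bind from a missing listener, and defaults the port to 80 as the guide states. The internal IP 10.0.0.5 is assumed for the sample.

```python
"""Decide whether a load balancer backend is listening where the Edge can reach it.

Added example for the vShield Administration Guide; not part of the product.
The socket listing below is constructed to look like "ss -ltn" output; real
"ss -ltn" or "netstat -ltn" output can be passed in unchanged.
"""
import re

DEFAULT_PORT = 80  # the guide: if no port is specified, IP:80 must be checked

# "Local Address:Port" for an IPv4 listener, e.g. "0.0.0.0:80", "127.0.0.1:80" or "*:80".
LISTENER = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3}|\*):(\d+)')


def parse_listeners(socket_listing):
    """Return the set of (address, port) tuples for every IPv4 socket in LISTEN state.
    Works for ss (state first) and netstat (state last): the first address:port
    on a LISTEN line is the local address in both layouts."""
    listeners = set()
    for line in socket_listing.splitlines():
        if "LISTEN" not in line:
            continue  # header line or a non-listening socket
        m = LISTENER.search(line)
        if m:
            addr = "0.0.0.0" if m.group(1) == "*" else m.group(1)
            listeners.add((addr, int(m.group(2))))
    return listeners


def backend_reachable(socket_listing, internal_ip, port=None):
    """Return (ok, reason). ok is True only if the backend listens on 0.0.0.0:<port>
    or <internal_ip>:<port>; a loopback-only bind is the classic 502 cause."""
    port = DEFAULT_PORT if port is None else port
    listeners = parse_listeners(socket_listing)
    if ("0.0.0.0", port) in listeners or (internal_ip, port) in listeners:
        return True, f"listening on a reachable address for port {port}"
    if ("127.0.0.1", port) in listeners:
        return False, (f"port {port} is bound only to 127.0.0.1; "
                       "the Edge cannot reach it (502 Bad Gateway)")
    return False, f"nothing is listening on port {port}"


# Constructed sample: the web server was started bound to loopback only.
LOOPBACK_ONLY = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:80         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""
# The same server after rebinding the web service to all interfaces.
ALL_INTERFACES = LOOPBACK_ONLY.replace("127.0.0.1:80", "0.0.0.0:80")


if __name__ == "__main__":
    for label, listing in (("loopback only", LOOPBACK_ONLY), ("all interfaces", ALL_INTERFACES)):
        print(label, "->", backend_reachable(listing, "10.0.0.5"))
```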

VPN Does Not Work

To determine why VPN does not work on a vShield Edge

1  Verify that the other endpoint of the tunnel is configured correctly. Use the CLI command: show configuration ipsec
2  Verify that the IPSec service is running on the vShield Edge.
   To verify, use the CLI command: show service ipsec. The IPSec service has to be started by issuing the start command.
   If ipsec is running and any errors occurred at the time of tunnel establishment, the output of show service ipsec displays the relevant information.
3  Verify the configuration at both ends (vShield Edge and remote end), notably the shared keys.
4  Debug MTU or fragmentation related issues by using ping with small and big packet sizes.

   ping -s 500 ip-at-end-of-the-tunnel
   ping -s 2000 ip-at-end-of-the-tunnel

Troubleshooting vShield Endpoint Issues

Thin Agent Logging

vShield Endpoint thin agent logging is done inside the protected virtual machines. Two registry values are read at boot time from the Windows registry. They are polled again periodically.
The two registry values are log_dest and log_level. They are located in the following registry locations:

HKLM\System\CurrentControlSet\Services\VFileScsiFilter\Parameters\log_dest
HKLM\System\CurrentControlSet\Services\VFileScsiFilter\Parameters\log_level

Both are DWORD bitmasks that can be any combination of the following values:

log_dest
  WINDBLOG      0x1
  VMWARE_LOG    0x2

log_level
  AUDIT         0x1
  ERROR         0x2
  WARN          0x4
  INFO          0x8
  DEBUG         0x10

By default, the values in release builds are set to VMWARE_LOG and AUDIT.
For more on monitoring vShield Endpoint health, see Chapter 14, vShield Endpoint Events and Alarms, on page 81.

Component Version Compatibility

The SVM version and the thin agent version must be compatible. (A compatibility matrix for version compatibility checking will be available after 1.0.)
To retrieve version numbers for the various components, do the following:

- SVM: strings libEPSec.so | grep BUILD_NUMBER provides the build number. Also, the audit logs print the build number when libEPSec.so is initialized.
- GVM: Right-click the driver files and open their properties to get the build number. Also, the audit logs print the build number (vmware.log for release builds).
- vShield Endpoint Module: The esxupdate command provides the installed module version. Also, the audit logs print the build number.


Index

A
accessing online help 18 adding a user 34 admin user account 34 alarms for vShield Endpoint 82 App Firewall 73 about L4 and L2/L3 rules 74 adding L2/L3 rules 77 adding L4 rules 75 adding rules from Flow Monitoring 69 Default Rules 74 deleting rules 79 hierarchy of rules 74 planning rule enforcement 74 Revert to Snapshot 79 validate sessions 78 Audit Logs 43, 77, 78 audit messages for vShield Endpoint 86

copy running-config startup-config 97 Create User 34

D
data on-demand backups 39 restoring a backup 40 scheduling backups 40 Data Center High Precedence Rules 28, 74 Data Center Low Precedence Rules 28, 74 database erase 98 date 23 date range for Flow Monitoring 68 debug copy 104 debug packet capture 105 debug packet display interface 105 debug remove 106 debug service 107 debug service flow src 107 debug show files 108 Default Policy 52 Default Rules 28, 74 default web-manager password 128 deleting a port mapping 71 deleting a user 35 DHCP 54 disable 94 DNS 22 downloads, firewall logs 65

B
backing up the vShield Manager 24 Backup Configuration 64 Backups 24 on-demand 39 restoring 40 scheduling 40 basic mode of CLI 89 block sessions 31, 53, 78

C
clear vmwall rules 97 clear vty 129 CLI backing up configuration 64 configuration mode 90 help 91 interface mode 90 logging in 89 modes 89 privileged mode 89 syntax 90 Cluster Level Rules 28, 74 command syntax 90 configuration mode of CLI 90 configure terminal 94 connecting to vCenter Server 21

E
Edit Port Mappings 70 add a mapping 70 deleting 71 Hide Port Mappings 71 editing a user account 34 enable 95 enable password 98 end 95 events sending to syslog 63 syslog format 42 vShield App 42 vShield Manager 42 events for vShield Endpoint 83


exit 95 export tech-support scp 125

L
L2/L3 rules about 74 adding 30, 77 L4 rules about 74 adding 29, 75 link-detect 125 list 93 Load Balancer 58 login CLI 89 vShield Manager 17 logs audit 43, 77, 78 firewall 65 technical support 23

F
firewall about 27 add vShield Edge firewall rule 52 adding L2/L3 rules 77 adding L4 rules 29, 75 adding rules from Flow Monitoring 69 adding Zones Firewall L2/L3 rules 30 App Firewall, about 73 deleting rules 32, 79 logs 65 planning rule enforcement 28, 74 Revert to Snapshot 79 validate sessions 31, 53, 78 flow analysis date range 68 Flow Monitoring adding a App Firewall rule 69 date range 68 show report 68 Force Sync 64

M
manager key 100

N
NAT 53 Networks view 18 NTP 23 ntp server 101

G
GUI logging in 17 online help 18

O
online help 18

H
help CLI 91 GUI 18 Hide Port Mappings 71 hierarchy of App Firewall rules 74 hierarchy of Zones Firewall rules 28 history of updates 38 host alarms for vShield Endpoint 82 hostname 99 Hosts & Clusters view 18 HTTP proxy 23

P
password 34 ping 125 ping interface addr 126 plug-in 22 Port Group Isolation, uninstall 46 port mappings 70 add 70 deleting 71 hiding 71 privileged mode of CLI 89 proxy service 23

I
installing, updates 37 interface 96 interface mode of CLI 90 inventory panel 18 ip address 99 ip name server 99 ip route 100

Q
quit 96

R
reboot 93 reports audit log 43, 77, 78 system events 41 reset 130 restarting a vShield App 65


restoring backups 40 Revert to Snapshot 79 roles and rights about 33 assigning to a user 34 rules adding L2/L3 rules to App Firewall 77 adding L2/L3 rules to Zones Firewall 30 adding L4 rules to App Firewall 75 adding L4 rules to Zones Firewall 29 deleting App Firewall rules 79 deleting Zones Firewall rules 32

S
scheduling backups 40 Secure Port Group Rules 28, 74 Secured Port Groups view 18 security groups about 73 add 77 assign resources 78 serial number of vShield Manager 24 services DNS 22 NTP 23 proxy 23 set clock 101 setup 102 show alerts 108 show arp 109 show clock 109 show configuration 109 show debug 110 show ethernet 110 show filesystem 111 show gateway rules 111 show hardware 112 show hostname 112 show interface 112 show ip addr 113 show ip route 113 show kernel message 114 show kernel message last 114 show log 115 show log alerts 115 show log events 115 show log last 116 Show Logs 65 show manager log 116 show manager log last 117 show ntp 117 show process 118 Show Report 68

show route 118 show running-config 118 show service 119 show service statistics 119 show services 119 show session-manager counters 120 show session-manager sessions 120 show slots 121 show stacktrace 121 show startup-config 121 show syslog 122 show system events 122 show system load 122 show system memory 123 show system network_connections 123 show system storage 123 show system uptime 124 show tech support 126 show version 124 show vmwall log 124 show vmwall rules 124 shutdown 94 ssh 126 SSL certificate 24 start or stop vShield Edge services 59 status of update 37 of vShield Manager 24 vShield App 64 vShield Edge 51 vShield Endpoint 81 SVM alarms for vShield Endpoint 82 sync with vCenter 21 syncing a vShield App 64 syntax for CLI commands 90 syslog CLI 103 vShield Edge 52 syslog format 42 Syslog Server 63 System Events 41 System Status 64 Force Sync 64 Restart 65 show firewall Logs 65 traffic stats 65 system time 23

T
technical support log 23 telnet 127 terminal length 130 terminal no length 130

time 23 traceroute 127 traffic analysis date range 68 traffic stats for a vShield App 65

U
uninstall Port Group Isolation 46 vShield App 45 vShield Edge 46 vShield Endpoint module 47 vShield Zones 45 unregister a vShield Endpoint SVM 47 Update History 38 Update Status 37 Update User 34 Updates installing 37 Update History 38 Update Status 37 user 128 user interface, logging in 17 Users adding 34 admin account 34 assigning a role and rights 34 changing a password 34 deleting 35 editing 34 roles and rights 33

V
validate sessions 128 views Hosts & Clusters 18 Networks 18 Secured Port Groups 18 VM alarms for vShield Endpoint 83 VPN 56 vShield vShield App 14 vShield Edge 14 vShield Endpoint 15 vShield Manager 13 vShield App about 14 CLI configuration 64 firewall logs 65 forcing sync 64 notification based on events 42 restarting 65 sending events to syslog server 63 System Status 64

traffic stats 65 uninstall 45 vShield Edge about 14 add firewall rule 52 add NAT rules 53 DHCP 54 firewall Default Policy 52 validate sessions 53 Load Balancer 58 start or stop services 59 status 51 syslog 52 uninstall 46 VPN 56 vShield Endpoint about 15 alarms 82 audit messages 86 events 83 host alarms 82 status 81 SVM alarms 82 uninstall 47 unregister SVM 47 VM alarms 83 vShield Manager about 13 accessing online help 18 Backups 24 date and time 23 DNS 22 inventory panel 18 logging in 17 notification based on events 42 NTP 23 on-demand backups 39 proxy service 23 restoring a backup 40 scheduling a backup 40 serial number 24 SSL Certificate 24 status 24 Support 23 sync with vCenter Server 21 system events 41 user interface panels 18 vSphere Plug-in 22


vShield Zones about 13 uninstall 45 Zones Firewall 27 vSphere Plug-in 22

W
web-manager 129 write 103 write erase 104 write memory 104

Z
Zones Firewall 27 adding L2/L3 rules 30 adding L4 rules 29 deleting rules 32 hierarchy of rules 28 planning rule enforcement 28 validate sessions 31
