vShield Manager 4.1, vShield Edge 1.0, vShield App 1.0, vShield Endpoint Security 1.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000374-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
Contents

About This Book

vShield Manager and vShield Zones

1 Overview of vShield 13
  vShield Components 13
  vShield Manager 13
  vShield Zones 13
  vShield Edge 14
  Standard vShield Edge services (including Cloud Director) 14
  Advanced vShield Edge services 14
  vShield App 14
  vShield Endpoint 15
  Migration of vShield Components 15
  VMware Tools 15
  Ports Required for vShield Communication 15

2 vShield Manager User Interface Basics 17
  Logging in to the vShield Manager User Interface 17
  Accessing the Online Help 18
  vShield Manager User Interface 18
  vShield Manager Inventory Panel 18
  Refreshing the Inventory Panel 18
  Searching the Inventory Panel 18
  vShield Manager Configuration Panel 19

3 Management System Settings 21
  Identify Your vCenter Server 21
  Register the vShield Manager as a vSphere Client Plugin 22
  Identify DNS Services 22
  Set the vShield Manager Date and Time 23
  Identify a Proxy Server 23
  Download a Technical Support Log from a Component 23
  Back Up vShield Manager Data 24
  View vShield Manager System Status 24
  Add an SSL Certificate to Identify the vShield Manager Web Service 24

4 Zones Firewall Management 27
  Using Zones Firewall 27
  Default Rules 28
  Layer 4 Rules and Layer 2/Layer 3 Rules 28
  Hierarchy of Zones Firewall Rules 28
  Planning Zones Firewall Rule Enforcement 28
  Create a Zones Firewall Rule 29
  Create a Layer 2/Layer 3 Zones Firewall Rule 30

5 User Management 33
  Managing User Rights 33
  Managing the Default User Account 34
  Add a User 34
  Assign a Role and Rights to a User 34
  Edit a User Account 34
  Delete a User Account 35

6 Updating System Software 37
  View the Current System Software 37
  Upload an Update 37
  Review the Update History 38

7 Backing Up vShield Manager Data 39
  Back Up Your vShield Manager Data on Demand 39
  Schedule a Backup of vShield Manager Data 40
  Restore a Backup 40

8 System Events and Audit Logs 41
  View the System Event Report 41
  System Event Notifications 42
  vShield Manager Virtual Appliance Events 42
  vShield App Events 42
  Syslog Format 42
  View the Audit Log 43

9 Uninstalling vShield Components 45
  Uninstall a vShield App or vShield Zones 45
  Uninstall a vShield Edge from a Port Group 46
  Uninstall Port Group Isolation from an ESX Host 46
  Uninstall a vShield Endpoint Module 47
  Unregister an SVM from a vShield Endpoint Module 47
  Uninstall the vShield Endpoint Module from the vSphere Client 47

vShield Edge and Port Group Isolation

10 vShield Edge Management 51
  View the Status of a vShield Edge 51
  Specify a Remote Syslog Server 52
  Managing the vShield Edge Firewall 52
  Create a vShield Edge Firewall Rule 52
  Validate Active Sessions Against Current vShield Edge Firewall Rules 53
  Manage NAT Rules 53
  Manage DHCP Service 54
  Manage VPN Service 56
  Manage Load Balancer Service 58
  Start or Stop vShield Edge Services 59

vShield App and vShield Endpoint

11 vShield App Management 63
  Send vShield App System Events to a Syslog Server 63
  Back Up the Running CLI Configuration of a vShield App 64
  View the Current System Status of a vShield App 64
  Force a vShield App to Synchronize with the vShield Manager 64
  Restart a vShield App 65
  View Traffic Statistics by vShield App Interface 65
  Download the Firewall Logs of a vShield App 65

12 Flow Monitoring 67
  Using Flow Monitoring 67
  View a Specific Application in the Flow Monitoring Charts 68
  Change the Date Range of the Flow Monitoring Charts 68
  View the Flow Monitoring Report 68
  Add an App Firewall Rule from the Flow Monitoring Report 69
  Delete All Recorded Flows 70
  Editing Port Mappings 70
  Add an Application-Port Pair Mapping 70
  Delete an Application-Port Pair Mapping 71
  Hide the Port Mappings Table 71

13 App Firewall Management 73
  Using App Firewall 73
  Securing Containers and Designing Security Groups 73
  Default Rules 74
  Layer 4 Rules and Layer 2/Layer 3 Rules 74
  Hierarchy of App Firewall Rules 74
  Planning App Firewall Rule Enforcement 74
  Create an App Firewall Rule 75
  Create a Layer 2/Layer 3 App Firewall Rule 77
  Creating and Protecting Security Groups 77
  Add a Security Group 77
  Assign Resources to a Security Group 78
  Validating Active Sessions against the Current App Firewall Rules 78
  Revert to a Previous App Firewall Configuration 79
  Delete an App Firewall Rule 79

14 vShield Endpoint Events and Alarms 81
  View vShield Endpoint Status 81
  Alarms 82
  Host Alarms 82
  SVM Alarms 82
  VM Alarms 83
  Events 83
  Audit Messages 86

Appendixes

A Command Line Interface 89
  Logging In and Out of the CLI 89
  CLI Command Modes 89
  CLI Syntax 90
  Moving Around in the CLI 90
  Getting Help within the CLI 91
  Securing CLI User Accounts and the Privileged Mode Password 91
  Add a CLI User Account 91
  Delete the admin User Account from the CLI 92
  Change the CLI Privileged Mode Password 92
  Command Reference 93
  Administrative Commands 93: list 93, reboot 93, shutdown 94
  CLI Mode Commands 94: configure terminal 94, disable 94, enable 95, end 95, exit 95, interface 96, quit 96
  Configuration Commands 97: clear vmwall rules 97, cli ssh allow 97, copy running-config startup-config 97, database erase 98, enable password 98, hostname 99, ip address 99, ip name server 99, ip route 100, manager key 100, ntp server 101, set clock 101, setup 102, ssh 102, syslog 103, write 103, write erase 104, write memory 104
  Debug Commands 104: debug copy 104, debug packet capture 105, debug packet display interface 105, debug remove 106, debug service 107, debug service flow src 107, debug show files 108
  Show Commands 108: show alerts 108, show arp 109, show clock 109, show configuration 109, show debug 110, show ethernet 110, show filesystem 111, show gateway rules 111, show hardware 112, show hostname 112, show interface 112, show ip addr 113, show ip route 113, show iptables 113, show kernel message 114, show kernel message last 114, show log 115, show log alerts 115, show log events 115, show log last 116, show manager log 116, show manager log last 117, show ntp 117, show process 118, show route 118, show running-config 118, show service 119, show service statistics 119, show services 119, show session-manager counters 120, show session-manager sessions 120, show slots 121, show stacktrace 121, show startup-config 121, show syslog 122, show system events 122, show system load 122, show system memory 123, show system network-connections 123, show system storage 123, show system uptime 124, show version 124, show vmwall log 124, show vmwall rules 124
  Diagnostics and Troubleshooting Commands 125: export tech-support scp 125, link-detect 125, ping 125, ping interface addr 126, show tech-support 126, ssh 126, telnet 127, traceroute 127, validate sessions 128
  User Administration Commands 128: default web-manager password 128, user 128, web-manager 129
  Terminal Commands 129: clear vty 129, reset 130, terminal length 130, terminal no length 130
  Deprecated Commands 131

B Troubleshooting 133
  Troubleshooting vShield Manager Installation 133
  vShield OVA File Extracted to a PC Where vSphere Client Is Not Installed 133
  vShield OVA File Cannot Be Installed in vSphere Client 133
  Cannot Log In to CLI After the vShield Manager Virtual Machine Starts 134
  Cannot Log In to the vShield Manager User Interface 134
  Troubleshooting Operation Issues 134
  vShield Manager Cannot Communicate with a vShield App 134
  Cannot Configure a vShield App 134
  Firewall Block Rule Not Blocking Matching Traffic 135
  No Flow Data Displaying in Flow Monitoring 135
  Troubleshooting Port Group Isolation Issues 135
  Validate Installation of Port Group Isolation 135
  Verify Install or Uninstall Script 136
  Validate the Data Path 136
  Details of the fence-util Utility 137
  Troubleshooting vShield Edge Issues 138
  Virtual Machines Are Not Getting IP Addresses from the DHCP Server 138
  Load Balancer Does Not Work 138
  Load Balancer Throws Error 502 Bad Gateway for HTTP Requests 139
  VPN Does Not Work 139
  Troubleshooting vShield Endpoint Issues 139
  Thin Agent Logging 139
  Component Version Compatibility 140

Index 141
Intended Audience

This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with VMware Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

vShield Documentation

The following documents comprise the vShield documentation set:

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
Overview of vShield

vShield Components

vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plugin, a command line interface (CLI), and REST API. To run vShield, you need one vShield Manager virtual machine and at least one vShield App or vShield Edge module.

vShield Manager

The vShield Manager is the centralized network management component of vShield and is installed from OVA as a virtual machine by using the vSphere Client. Using the vShield Manager user interface, administrators install, configure, and maintain vShield components. A vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.

The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel.

For more on using the vShield Manager user interface, see Chapter 2, vShield Manager User Interface Basics, on page 17.

vShield Zones

vShield Zones, included with the vShield Manager, provides firewall protection for traffic between virtual machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination port, and service.

vShield Edge

NOTE You must obtain an evaluation or full license to use vShield Edge.

vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

vShield Edge supports syslog export for all services to remote servers.

vShield App

NOTE You must obtain an evaluation or full license to use vShield App.

vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.

vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.

You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.

The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational.

vShield Endpoint

NOTE You must obtain an evaluation or full license to use vShield Endpoint.

vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.

vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.

vShield Endpoint provides the following features:

On-demand file scanning in a service virtual machine.
On-access file scanning in a service virtual machine.

VMware Tools

Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.
Default Rules

By default, Zones Firewall enforces a set of rules allowing traffic to pass through all vShield Zones instances. These rules appear in the Default Rules section of the Zones Firewall table. The default rules cannot be deleted or added to. However, you can change the Action element of each rule from Allow to Deny.

Zones Firewall offers container-level and custom priority precedence configurations:

Container-level precedence refers to recognizing the datacenter level as being higher in priority than the cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and vShield agents therein. A cluster-level rule is only applied to the vShield Zones instances within the cluster.

Custom priority precedence refers to the option of assigning high or low precedence to rules at the datacenter level. High precedence rules work as noted in the container-level precedence description. Low precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules. This flexibility allows you to recognize multiple layers of applied precedence.

At the cluster level, you configure rules that apply to all vShield Zones instances within the cluster. Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level Rules are not in conflict with Data Center High Precedence Rules: a Cluster Level Rule that allows traffic denied by a Data Center High Precedence Rule never takes effect.
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for a transmission, the transmission fails.

To create a firewall rule at the datacenter level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
By default, the L4 Rules option is selected. To create L2/L3 rules, see Create a Layer 2/Layer 3 Zones Firewall Rule on page 30.
5 Do one of the following:

To create a firewall rule at the cluster level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a cluster resource from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
By default, the L4 Rules option is selected. To create L2/L3 rules, see Create a Layer 2/Layer 3 Zones Firewall Rule on page 30.
5 Click Add.
A new row appears in the Cluster Level Rules section of the table.

To create a firewall rule at the port group level
1 In the vSphere Client, go to Inventory > Networking.
2 Select a port group from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
5 Click Add.
A new row is added at the bottom of the Secure Port Group Rules section.
6 Double-click each cell in the new row to select the appropriate information.
You must type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.

To create a Layer 2/Layer 3 firewall rule
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
5 Click L2/L3 Rules.
6 Click Add.
A new row is added at the bottom of the Data Center Rules section of the table.
7 Double-click each cell in the new row to type or select the appropriate information.
You can type IP addresses in the Source and Destination fields.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit.
To return to the current configuration, select the option from the Revert to Snapshot drop-down list. Click Commit to overwrite the current configuration with the snapshot configuration.

User Management

A user can only have one right to one resource. A user cannot add to or remove assigned rights and resources.

Add a User

Basic user account creation requires assigning the user a login name and password.

To create a new user account
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click Create User.
The New User screen opens.
4 Type a User Name.
This is used for login to the vShield Manager user interface. This user name and associated password cannot be used to access the vShield App or vShield Manager CLIs.
5 (Optional) Type the user's Full Name for identification purposes.
6 (Optional) Type an Email Address.
7 Type a Password for login.
8 Retype the password in the Retype Password field.
9 Click OK.
After account creation, you configure right and resource assignment separately.
Upload an Update

vShield updates are available as offline updates. When an update is made available, you can download the update to your PC, and then upload the update by using the vShield Manager user interface.

When the update is uploaded, the vShield Manager is updated first, after which each vShield App is updated. If a reboot of either the vShield Manager or a vShield App is required, the Update Status screen prompts you to reboot the component. In the event that both the vShield Manager and all vShield App instances must be rebooted, you must reboot the vShield Manager first, and then reboot each vShield App.

To upload an update
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Upload Settings.
4 Click Browse to locate the update.
5 After locating the file, click Upload File.
Restore a Backup

To restore an available backup, the Host IP Address, User Name, Password, and Backup Directory fields in the Backups screen must have values that identify the location of the backup to be restored. When you restore a backup, the current configuration is overwritten. If the backup file contains system event and audit log data, that data is also restored.

IMPORTANT Back up your current data before restoring a backup file.

To restore an available vShield Manager backup
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 Click View Backups to view all available backups saved to the backup server.
5 Select the check box for the backup to restore.
6 Click Restore.
7 Click OK to confirm.
System Event Notifications

Event: CPU
  Local CLI: Run the show process monitor command.
  GUI: See View vShield Manager System Status on page 24.

Event: Interface Up
  Local CLI: Run the show log follow command.
  GUI: See View the Current System
  Syslog: e1000: mgmt: e1000_watchdog_task: NIC Link is Up/Down 100 Mbps Full Duplex. For scripting on the syslog server, search for "NIC Link is".

Event: Session reset due to DoS, inactivity, or data timeouts
  Local CLI: Run the show log follow command. See Syslog Format on page 42.
  GUI: Refer to the System Event Log. See View the System Event Report on page 41.

Syslog Format

The system event message logged in the syslog has the following structure:

syslog header (timestamp + hostname + sysmgr/)
Timestamp (from the service)
Name/value pairs
  Name and value separated by delimiter '::' (double colons)
  Each name/value pair separated by delimiter ';;' (double semicolons)

The fields and types of the system event are:

Event ID :: 32 bit unsigned integer
Timestamp :: 32 bit unsigned integer
Application Name :: string
Application Submodule :: string
Application Profile :: string
Event Code :: integer (possible values: 10007 10016 10043 20019)
Severity :: string (possible values: INFORMATION LOW MEDIUM HIGH CRITICAL)
Message ::
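As a worked example of consuming this format, the following Python parser is added here; it is not part of the vShield product or of this guide. It splits a sysmgr line into the syslog header and the ';;'-separated name/value pairs, checks Event ID and Timestamp against the 32-bit unsigned range and Severity against the documented value set, flags undocumented Event Codes instead of rejecting them, and keeps malformed lines in a separate list so they are never silently dropped. The header pattern assumes a BSD-style syslog timestamp with single-space separation, and the three sample lines are constructed to follow the structure above; neither comes from a real vShield Manager.

```python
import re
from dataclasses import dataclass

# Documented value sets for Event Code and Severity (Syslog Format section of this guide).
EVENT_CODES = {10007, 10016, 10043, 20019}
SEVERITIES = {"INFORMATION", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

PAIR_SEP = ";;"   # separates name/value pairs
KV_SEP = "::"     # separates a name from its value

# Header: syslog timestamp, hostname, the literal "sysmgr/", then the service timestamp.
# The guide shows no sample line, so the BSD "Mon DD HH:MM:SS" timestamp text and the
# whitespace between header parts are assumptions of this example.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sysmgr/\s*(?P<service_ts>\d+)\s+(?P<body>.+)$"
)


@dataclass(frozen=True)
class SystemEvent:
    host: str
    event_id: int
    timestamp: int
    app_name: str
    submodule: str
    profile: str
    event_code: int
    severity: str
    message: str

    @property
    def documented_code(self) -> bool:
        return self.event_code in EVENT_CODES

    @property
    def needs_attention(self) -> bool:
        return self.severity in {"HIGH", "CRITICAL"}


def _u32(value: str, name: str) -> int:
    """The guide types Event ID and Timestamp as 32-bit unsigned; enforce that range."""
    n = int(value)
    if not 0 <= n < 2**32:
        raise ValueError(f"{name} outside 32-bit unsigned range: {n}")
    return n


def parse_system_event(line: str) -> SystemEvent:
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a vShield sysmgr syslog line")
    fields = {}
    for pair in m.group("body").split(PAIR_SEP):
        if KV_SEP not in pair:
            raise ValueError(f"malformed name/value pair: {pair!r}")
        name, value = pair.split(KV_SEP, 1)   # maxsplit=1: Message text may itself contain '::'
        fields[name.strip()] = value.strip()
    severity = fields["Severity"]
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return SystemEvent(
        host=m.group("host"),
        event_id=_u32(fields["Event ID"], "Event ID"),
        timestamp=_u32(fields["Timestamp"], "Timestamp"),
        app_name=fields["Application Name"],
        submodule=fields["Application Submodule"],
        profile=fields["Application Profile"],
        event_code=int(fields["Event Code"]),
        severity=severity,
        message=fields.get("Message", ""),
    )


def parse_log(text: str):
    """Parse a syslog extract; return (events, rejected) so bad lines are visible, not lost."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(parse_system_event(line))
        except (KeyError, ValueError) as exc:
            rejected.append((line, str(exc)))
    return events, rejected


# Constructed sample lines following the documented structure (not captured from a real system).
SAMPLE_LOG = """
Jan 10 12:00:01 vsm01 sysmgr/ 1294660801 Event ID::4711;;Timestamp::1294660801;;Application Name::vShield Manager;;Application Submodule::sysmgr;;Application Profile::default;;Event Code::10007;;Severity::HIGH;;Message::CPU usage above threshold
Jan 10 12:05:17 vsm01 sysmgr/ 1294661117 Event ID::4712;;Timestamp::1294661117;;Application Name::vShield Manager;;Application Submodule::sysmgr;;Application Profile::default;;Event Code::10016;;Severity::INFORMATION;;Message::Backup completed
Jan 10 12:06:00 vsm01 sysmgr/ 1294661160 Event ID::4713;;Timestamp::1294661160;;Application Name::vShield Manager;;Application Submodule::sysmgr;;Application Profile::default;;Event Code::10043;;Severity::URGENT;;Message::severity not in the documented set
"""

if __name__ == "__main__":
    ok, bad = parse_log(SAMPLE_LOG)
    for ev in ok:
        print(ev.event_id, ev.severity, ev.message, "(attention)" if ev.needs_attention else "")
    for _, why in bad:
        print("rejected:", why)
```

On a real syslog server the same function would run over the lines collected from each vShield Manager; anything that lands in the rejected list (a new severity word, a renamed field) is worth an alert of its own, because it usually means the format changed after an update rather than that the event was harmless.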
Uninstalling vShield Components

This chapter details the steps required to uninstall vShield components from your vCenter inventory. This chapter includes the following topics:

NOTE The vShield Quick Start Guide details installation of vShield components.
Example:

DELETE /api/1.0/endpointsecurity/svm/vm-1234 HTTP/1.1
host: 10.112.199.123:80
Authorization: Basic YWRtaW46ZGVmYXVsdA==

Response:

HTTP 204 No Content: The Endpoint Security VM is successfully unregistered.
HTTP 401 Unauthorized: The username or password sent in the Authorization header is wrong.
HTTP 405 Method Not Allowed: The vmId is missing from the URI.
HTTP 400 Bad Request: Internal error codes. Refer to the Error Schema for more details.
  40002=Acquiring data from VC failed for <>
  40007=SVM with moid: <> not registered
  40015=vmId is malformatted or of incorrect length : <>

The Authorization value in this example decodes to admin:default; Basic authentication only base64-encodes the credentials, and the request above is sent to port 80 in clear text. Change the default password before exposing the API, and send requests over HTTPS (see Add an SSL Certificate to Identify the vShield Manager Web Service) so that the credentials cannot be read off the network.
vShield Edge Management
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for a transmission, the transmission is blocked.

To create a vShield Edge firewall rule
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the Firewall link.
5 Click Add.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
You must type IP addresses in the Source and Destination fields.
To configure an SNAT rule for a vShield Edge
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group where a vShield Edge has been installed.
3 Click the vShield Edge tab.
4 Click the NAT link.
5 Under Direction OUT (SNAT), click Add Rule.
A new row appears in the table.
6 Double-click each cell in the row to enter the appropriate information.
7 Click Commit to save the rule.

To configure a DNAT rule for a vShield Edge
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group where a vShield Edge has been installed.
3 Click the vShield Edge tab.
4 Click the NAT link.
5 Under Direction In (DNAT), click Add Rule.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
7 Click Commit to save the rule.

To add a DHCP IP pool
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the DHCP link.
5 Under IP Pools, click Add Pool.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP address of a DNS server for hostname-to-IP-address resolution.
The Domain Name and Lease Time fields are optional. The default lease time is one day.

To add a DHCP static binding
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the DHCP link.
5 Under Static Bindings, click Add Bindings.
A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information.
The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP address of a DNS server for hostname-to-IP-address resolution.
The Domain Name and Lease Time fields are optional. The default lease time is one day.
7 Click Commit to save the rule.
8 If DHCP service has not been enabled, enable DHCP service. See Start or Stop vShield Edge Services on page 59.
At this time, vShield Edge supports pre-shared key mode, IP unicast traffic, and no dynamic routing protocol between the vShield Edge and remote VPN routers. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind a vShield Edge through IPSec tunnels. These subnets and the internal network behind a vShield Edge must have non-overlapping address ranges.

You can deploy a vShield Edge agent behind a NAT device. In this deployment, the NAT device translates the VPN address of a vShield Edge into a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the vShield Edge.

Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native address and the NAT public address to set up the tunnel.

On both ends, static one-to-one NAT is required for the VPN address.

To configure VPN on a vShield Edge
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the VPN link.
5 Type an External IP Address for the VPN service on the vShield Edge.
6 Type the NATed Public IP that represents the External IP Address to the external network.
7 Select the Log check box to log VPN activity.
8 Click Apply.
Next, identify a peer site.

To identify a VPN peer site
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the VPN link.
5 Under Peer Site Configuration, click Create Site.
6 Type a name to identify the site in Site Name.
7 Type the IP address of the site in Remote End Point.
8 Type the Shared Secret.
9 Type an MTU threshold.
10 Click Add.
Next, add a tunnel to connect to the site.

To identify a VPN peer tunnel
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the VPN link.
5 Under Peer Site Configuration, select the appropriate peer from the Select or create a site drop-down list.
6 Click Add Tunnel.
7 Double-click the Tunnel Name cell and type a name to identify the tunnel.
8 Double-click the Remote Site Subnet cell and enter the IP address in CIDR format (A.B.C.D/M).
9 Double-click the Encryption cell and select the appropriate encryption type.
10 Click Commit.
11 Enable VPN service. See Start or Stop vShield Edge Services on page 59.
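The non-overlap constraint stated at the start of this section is easy to violate once several peer sites are added over time. The following Python check is added here as an example (it is not VMware code and not part of this guide): it parses each subnet in the A.B.C.D/M form the tunnel procedure requires, rejects entries whose host bits are set, and reports every pair of ranges that overlap. Checking peer-site subnets against each other as well as against the internal network goes beyond the sentence above and is an assumption (two remote subnets that overlap could not be routed through the same Edge unambiguously). The site names and address ranges in the sample plan are constructed.

```python
import ipaddress
import re

# Tunnel subnets are entered as A.B.C.D/M (VPN peer tunnel procedure, step 8).
CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """Parse one Remote Site Subnet (or internal network) cell; reject anything else."""
    if not CIDR_RE.match(text):
        raise ValueError(f"{text!r} is not in A.B.C.D/M form")
    # strict=True rejects host bits set inside the prefix (for example 10.1.2.7/24), which
    # almost always means a host address was typed where a subnet was intended.
    return ipaddress.IPv4Network(text, strict=True)


def check_vpn_plan(internal_subnets, peer_sites):
    """Return a list of problems; an empty list means every range is disjoint.

    internal_subnets: CIDR strings for the network behind the vShield Edge.
    peer_sites: mapping of site name -> list of Remote Site Subnet strings.
    """
    labelled = [("internal", parse_subnet(s)) for s in internal_subnets]
    for site, subnets in peer_sites.items():
        labelled += [(site, parse_subnet(s)) for s in subnets]
    problems = []
    for i, (name_a, net_a) in enumerate(labelled):
        for name_b, net_b in labelled[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


# Constructed sample plan: the second site's range swallows the internal network.
SAMPLE_INTERNAL = ["10.10.0.0/24"]
SAMPLE_SITES = {
    "branch-a": ["192.168.10.0/24"],
    "branch-b": ["10.10.0.0/16"],
}

if __name__ == "__main__":
    for problem in check_vpn_plan(SAMPLE_INTERNAL, SAMPLE_SITES) or ["plan is consistent"]:
        print(problem)
```

Run the check before entering the tunnels, because the UI accepts the cells individually and the failure shows up later as traffic for the overlapping range being routed to the wrong side of the tunnel.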
You map an external (or public) IP address to a set of internal servers for load balancing. The load balancer accepts HTTP requests on the external IP address and decides which internal server to use. Port 80 is the default listening port for load balancer service.

To configure load balancer service
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the Load Balancer link.
5 Click Add Configuration above the External IP Addresses table.
A new row appears in the table.
6 Enter the External IP Address for the service.
7 Select the routing algorithm from the Algorithm drop-down list.
8 (Optional) Select the Log check box to send a syslog event for each request to the external IP address.
9 Click Add.
10 Enter the IP address of the first web server and click Add.
You can add additional web servers in the same manner.
11 Click Commit.
12 If load balancer service has not been enabled, enable the service. See Start or Stop vShield Edge Services on page 59.
vShield App Management

vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.

vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.

You can monitor the health of vShield App instances by using the vShield Manager user interface and by sending vShield App system events to a syslog server.

This chapter includes the following topics:
Flow Monitoring
L4: TCP or UDP. L2/L3: ICMP, Other IPv4, or ARP.
To view the Flow Monitoring report
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the resource tree.
3 Click the vShield App tab.
4 Click Flow Monitoring.
The charts update to display the most current information for the last seven days. This might take several seconds.
5 Click Show Report.
6 Drill down into the report.
7 Click Show Latest to update the report statistics.
CAUTION You cannot recover traffic data after you click Delete All Flows.
10 Double-click the Resource cell to select the container in which to enforce the new mapping.
The ANY value adds the port mapping to all containers.
11 Double-click the Description cell and type a brief description.
12 Click Hide Port Mappings.
App Firewall Management
Default Rules

By default, the App Firewall enforces a set of rules allowing traffic to pass through all vShield App instances. These rules appear in the Default Rules section of the App Firewall table. The default rules cannot be deleted or added to. However, you can change the Action element of each rule from Allow to Deny.

App Firewall offers container-level and custom priority precedence configurations:

Container-level precedence refers to recognizing the datacenter level as being higher in priority than the cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and vShield agents therein. A cluster-level rule is only applied to the vShield App within the cluster.

Custom priority precedence refers to the option of assigning high or low precedence to rules at the datacenter level. High precedence rules work as noted in the container-level precedence description. Low precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules. This flexibility allows you to recognize multiple layers of applied precedence.

At the cluster level, you configure rules that apply to all vShield App instances within the cluster. Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level Rules are not in conflict with Data Center High Precedence Rules: a Cluster Level Rule that allows traffic denied by a Data Center High Precedence Rule never takes effect.
Rule fields: Destination (A.B.C.D/nn), Destination Application, Destination Port, Protocol.
You can add destination and source port ranges to a rule for dynamic services such as FTP and RPC, which require multiple ports to complete a transmission. If you do not allow all of the ports that must be opened for a transmission, the transmission fails.

To create a firewall rule at the datacenter level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3 Click the vShield App tab.
4 Click App Firewall.
By default, the L4 Rules option is selected. To create L2/L3 rules, see Create a Layer 2/Layer 3 App Firewall Rule on page 77.
5 Do one of the following:

To create a firewall rule at the cluster level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a cluster resource from the resource tree.
3 Click the vShield App tab.
4 Click App Firewall.
By default, the L4 Rules option is selected. To create L2/L3 rules, see Create a Layer 2/Layer 3 App Firewall Rule on page 77.
5 Click Add.
A new row appears in the Cluster Level Rules section of the table.
6 Double-click each cell in the new row to select the appropriate information.
You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.

NOTE Layer 4 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.

To create a firewall rule at the port group level
1 In the vSphere Client, go to Inventory > Networking.
2 Select a port group from the resource tree.
3 Click the vShield App tab.
4 Click App Firewall.
5 Click Add.
A new row is added at the bottom of the Secure Port Group Rules section.
6 Double-click each cell in the new row to select the appropriate information.
You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.

To create a Layer 2/Layer 3 firewall rule
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter resource from the resource tree.
3 Click the vShield App tab.
4 Click App Firewall.
5 Click L2/L3 Rules.
6 Click Add.
A new row is added at the bottom of the Data Center Rules section of the table.
7 Double-click each cell in the new row to type or select the appropriate information.
You can type IP addresses in the Source and Destination fields.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit.
After the App Firewall update is complete, issue the validate sessions command from the CLI of a vShield App to purge sessions that are in violation of current policy.

To validate active sessions against the current firewall rules

1 Update and commit the App Firewall rule set at the appropriate container level.
2 Open a console session on a vShield App and issue the validate sessions command.

vShieldApp> enable
Password:
vShieldApp# validate sessions
To return to the current configuration, select the option from the Revert to Snapshot drop-down list. Click Commit to overwrite the current configuration with the snapshot configuration.
This chapter includes the following topics:
Alarms
Alarms signal the vCenter Server administrator about vShield Endpoint events that require attention. Alarms are automatically cancelled in case the alarm state is no longer present.

vCenter Server alarms can be displayed without a custom vSphere plugin. See the vCenter Server Administration Guide on events and alarms.

Upon registering as a vCenter Server extension, the vShield Manager defines the rules that create and remove alarms, based on events coming from the three vShield Endpoint components: SVM, vShield Endpoint module, and thin agent. Rules can be customized. For instructions on how to customize rules for alarms, see the vCenter Server documentation. In some cases, there are multiple possible causes for the alarm. The tables that follow list the possible causes and the corresponding actions you might want to take for remediation.

vShield Endpoint defines three sets of alarms:
Host Alarms
Host alarms are generated by events affecting the health status of the vShield Endpoint module.

Table 14-1. Warnings (Marked Yellow)

Possible Cause: SVM is registered, but vShield Endpoint module does not see any virtual machines to protect. No requests for protection are coming from any virtual machines. No virtual machines are currently protected.
Action: Usually a transient state occurring while existing virtual machines are being moved with vMotion, or are just coming up. No action required.
Action: The ESX host has no virtual machines yet, or only virtual machines with nonsupported operating systems. No action required.
Action: Check the vShield Manager console for the status of the virtual machines that should be protected on that host. If one or more have an error status, the Endpoint thin agents in those machines may be malfunctioning.
SVM Alarms
SVM alarms are generated by events affecting the health status of the vShield Endpoint module.

Table 14-3. Red SVM Alarms

Problem: The vShield Monitor is not receiving status from the SVM.
Action: Either there are network issues between the vShield Monitor and the SVM, or the SVM is not operating properly.

Problem: The SVM failed to initialize.
Action: Contact your security provider for help with SVM errors.
VM Alarms
VM alarms are generated by events affecting the health status of the vShield Endpoint module.

Table 14-4. Warnings

Possible Cause: The SVM is overloaded. The virtual machines will not be protected while the alarm persists.
Action: Check resources allocation for the SVM and allocate more resources, if necessary. Check the vCenter Server event log for the ESX the SVM is attached to. An event code of 1002 can indicate an overloaded SVM.

Action: This is usually a transient alarm that does not require attention. If it persists or turns to red, look at the vCenter Server event log for the protected VM. An event code of 1000 indicates a nonfunctioning thin agent.
Events
Events are used for logging and auditing conditions inside the vShield Endpoint based security system. Events can be displayed without a custom vSphere plugin. See the vCenter Server Administration Guide on events and alarms.

Events are the basis for alarms that are generated. Upon registering as a vCenter Server extension, the vShield Manager defines the rules that create and remove alarms.

Default base arguments for an event are the reported time and the vShield Manager event_id.

Table 14-6 lists vShield Endpoint events reported by the SVM and the vShield Manager (VSM) in order by code number. The table shows the event code, name, the VC arguments, the event category, and a description. In the Event Category column, events that generate error alarms are colored red. Events that generate warning alarms are colored yellow.

Table 14-6. vShield Endpoint Events
Code  Name  VC Arguments  Event Category  Description

0001  VSM_FSFD_EVENT_VERSION_MISMATCH
  VC Arguments: timestamp, SVM version of FSFD protocol, FSFD version of FSFD protocol
  Event Category: error
  Description: vShield Endpoint: The SVM was contacted by a noncompatible version of the vShield Endpoint Thin Agent.

0003  VSM_FSFD_EVENT_DISK_FULL
  VC Arguments: timestamp
  Event Category: warning

0004  VSM_FSFD_EVENT_TIMEOUT
  VC Arguments: timestamp
  Event Category: warning

1001  VSM_VM_EVENT_DISCONNECTED

3006  VSM_HOST_EVENT_VMS_DISCONNECTED
  Description: vShield Endpoint module has disconnected from the SVM

Further Table 14-6 events (code, name and arguments not recoverable in this copy):
  SVM initialization failed.
  SVM detected high volume of vShield Endpoint events.
  Health Status information has been lost.
  vShield Manager lost communication with SVM.
  vShield Manager communication with SVM has been restored.
  vShield Endpoint: The SVM was contacted by a noncompatible version of the vShield Endpoint module.
  VC arguments for these events include the timestamp and, for some of them, the SVM version of the LKM protocol, the host version of the LKM protocol, the SVM version of the FSFD protocol, and the port the SVM is listening on.
Audit Messages
Audit messages include fatal errors and other important audit messages and are logged to vmware.log. The following conditions are logged as AUDIT messages:

Generated log messages have the following substrings near the beginning of each log message: vf-AUDIT, vf-ERROR, vf-WARN, vf-INFO, vf-DEBUG.
Appendixes
CLI Syntax
Run commands at the prompt as shown. Do not type the (), <>, or [] symbols.
command A.B.C.D (option1 | option2) <0-512> [word]
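As an added illustration (not part of the VMware guide), the following Python matcher checks a typed command line against a reference template written in this notation: (a | b) choices, <lo-hi> integer ranges, [optional] items, and A.B.C.D addresses with an optional /M prefix length. The function names and the list of free-form placeholder words are my own assumptions.

```python
"""Match a typed vShield CLI line against a syntax template in the guide's
notation. Added example; names and placeholder list are assumptions."""
import re

# Words the reference uses as free-form placeholders rather than literal keywords.
PLACEHOLDERS = {"hostname", "word", "password", "username", "filename",
                "URL", "expression", "key"}
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _is_ipv4(s: str) -> bool:
    m = _IPV4.match(s)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def _tokens(template: str):
    # "[no] ip address A.B.C.D/M" -> ["[no]", "ip", "address", "A.B.C.D/M"];
    # bracketed groups such as "(hostname | A.B.C.D)" stay one token.
    return re.findall(r"\[[^\]]*\]|\([^)]*\)|\S+", template)


def _match_token(tok: str, word: str) -> bool:
    if tok.startswith("(") and tok.endswith(")"):          # (a | b): one alternative must match
        return any(_match_token(alt.strip(), word) for alt in tok[1:-1].split("|"))
    rng = re.fullmatch(r"<(\d+)-(\d+)>", tok)              # <0-512>: integer in range
    if rng:
        return word.isdigit() and int(rng.group(1)) <= int(word) <= int(rng.group(2))
    if tok == "A.B.C.D/M":                                  # address with prefix length
        addr, _, plen = word.partition("/")
        return _is_ipv4(addr) and plen.isdigit() and 0 <= int(plen) <= 32
    if tok in ("A.B.C.D", "W.X.Y.Z"):                       # plain IPv4 address
        return _is_ipv4(word)
    if tok == "port":                                       # listening port: digits only
        return word.isdigit()
    if tok == word:                                         # literal keyword
        return True
    return tok in PLACEHOLDERS                              # free-form placeholder


def matches(template: str, command: str) -> bool:
    """True when `command` is an instance of `template`; [optional] items may be omitted."""
    def go(toks, words):
        if not toks:
            return not words
        tok, rest = toks[0], toks[1:]
        if tok.startswith("[") and tok.endswith("]"):
            inner = tok[1:-1].strip()
            inner_toks = ["(" + inner + ")"] if "|" in inner else inner.split()
            return go(rest, words) or go(inner_toks + rest, words)
        return bool(words) and _match_token(tok, words[0]) and go(rest, words[1:])
    return go(_tokens(template), command.split())


if __name__ == "__main__":
    # Templates taken from the command reference; the typed lines are constructed.
    print(matches("[no] ip address A.B.C.D/M", "no ip address 192.168.110.200/24"))   # True
    print(matches("terminal length <0-512>", "terminal length 513"))                  # False
```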
Switch to Privileged mode.

manager> enable
password:
manager#

Switch to Configuration mode.

manager# configure terminal

Add a user account.

manager(config)# user root password plaintext password

Save the configuration.

manager(config)# write memory
Building Configuration...
Configuration saved.
[OK]

Exit the CLI.

manager(config)# exit
manager# exit

8 Save the configuration.
9 Run the exit command twice to log out of the CLI.
Command Reference
The command reference details each CLI command, including syntax, usage, and related commands.

Administrative Commands on page 93
CLI Mode Commands on page 94
Configuration Commands on page 97
Debug Commands on page 104
Show Commands on page 108
Diagnostics and Troubleshooting Commands on page 125
User Administration Commands on page 128
Terminal Commands on page 129
Deprecated Commands on page 131
Administrative Commands
list
Lists all in-mode commands.
Syntax
list
reboot
Reboots a vShield virtual machine. You can also reboot a vShield App from the vShield Manager user interface. See Restart a vShield App on page 65.
Syntax
reboot
shutdown
In Privileged mode, the shutdown command powers off the virtual machine. In Interface Configuration mode, the shutdown command disables the interface. To enable a disabled interface, use no before the command.
Syntax

[no] shutdown

Example

vShield(config)# interface mgmt
vShield(config-if)# shutdown

or

vShield(config-if)# no shutdown
disable
Switches to Basic mode from Privileged mode.
Syntax
disable
enable
Switches to Privileged mode from Basic mode.
Syntax
enable
end
Ends the current CLI mode and switches to the previous mode.
Syntax
end
exit
Exits from the current mode and switches to the previous mode, or exits the CLI session if run from Privileged or Basic mode.
Syntax
exit
Example
vShield(config-if)# exit
vShield(config)# exit
vShield#
interface
Switches to Interface Configuration mode for the specified interface. To delete the configuration of an interface, use no before the command.
Syntax

[no] interface (mgmt | p0 | u0)

Option  Description
mgmt  The management port on a vShield virtual machine.
p0  vShield App p0 interface.
u0  vShield App u0 interface.
quit
Quits Interface Configuration mode and switches to Configuration mode, or quits the CLI session if run from Privileged or Basic mode.
Syntax
quit
Configuration Commands
clear vmwall rules
Resets the firewall rule set on a vShield App to the default rule set. This is a temporary condition that can be used to troubleshoot firewall issues. You can restore the firewall rule set by performing a force sync operation for the vShield App from the vShield Manager. For more information on forcing synchronization, see Force a vShield App to Synchronize with the vShield Manager on page 64.
Syntax
clear vmwall rules
Example
manager# copy running-config startup-config
Building Configuration...
Configuration saved.
[OK]
database erase
Erases the vShield Manager database, resetting the database to factory defaults. This command clears all configuration data from the vShield Manager user interface, including vShield App configurations, event data, and so forth. The vShield Manager CLI configuration is not affected by this command.
Syntax
database erase
enable password
Changes the Privileged mode password. You should change the Privileged mode password for each vShield virtual machine. CLI user passwords and the Privileged mode password are managed separately. The Privileged mode password is the same for each CLI user account.
Syntax

enable password (hash | plaintext) password

Option  Description
hash  Masks the password by using the MD5 hash. You can view and copy the provided MD5 hash by running the show running-config command.
plaintext  Keeps the password unmasked.
password  Password to use. The default password is default.
hostname
Changes the name of the CLI prompt. The default prompt name for the vShield Manager is manager, and
ip address
Assigns an IP address to an interface. On the vShield virtual machines, you can assign an IP address to the mgmt interface only. To remove an IP address from an interface, use no before the command.
Syntax

[no] ip address A.B.C.D/M

Option  Description
A.B.C.D  IP address to use.
M  Subnet mask to use.
or
vShield(config)# interface mgmt
vShield(config-if)# no ip address 192.168.110.200/24
ip name server
Identifies a DNS server to provide address resolution service. You can also identify one or more DNS servers by using the vShield Manager user interface. See Identify DNS Services on page 22. To remove a DNS server, use no before the command.
Syntax
[no] ip name server A.B.C.D

Option  Description
A.B.C.D  IP address to use.
or
vShield(config)# no ip name server 192.168.1.3
ip route
Adds a static route. To delete an IP route, use no before the command.
Syntax

[no] ip route A.B.C.D/M W.X.Y.Z

Option  Description
A.B.C.D  IP address to use.
M  Subnet mask to use.
W.X.Y.Z  IP address of network gateway.
or
vShield(config)# no ip route 0.0.0.0/0 192.168.1.1
manager key
Sets a shared key for authenticating communication between a vShield App and the vShield Manager. You can set a shared key on any vShield App. This key must be entered during vShield App installation. If the shared key between a vShield App and the vShield Manager is not identical, the service cannot install and is inoperable.
Syntax

manager key key

Option  Description
key  The key that the vShield App and vShield Manager must match.
ntp server
Identifies a Network Time Protocol (NTP) server for time synchronization service. Initial NTP server synchronization might take up to 15 minutes. From the vShield Manager user interface, you can connect to an NTP server for time synchronization. See Set the vShield Manager Date and Time on page 23.

All vShield App instances use the NTP server configuration of the vShield Manager. You can use this command to connect a vShield App to an NTP server not used by the vShield Manager. To remove the NTP server, use no before the command.
Syntax

[no] ntp server (hostname | A.B.C.D)

Option  Description
hostname  Hostname of the NTP server.
A.B.C.D  IP address of NTP server.
or
vShield# configure terminal
vShield(config)# no ntp server
set clock
Sets the date and time. From the vShield Manager user interface, you can connect to an NTP server for time synchronization. All vShield App instances use the NTP server configuration of the vShield Manager. You should use this command if you meet one of the following conditions.
Syntax
set clock HH:MM:SS MM DD YYYY

Option  Description
HH:MM:SS  Hours:minutes:seconds
MM  Month
DD  Day
YYYY  Year
setup
Opens the CLI initialization wizard for vShield virtual machine installation. You configure multiple settings by using this command. You run the setup command during vShield Manager installation and manual installation of vShield App instances. Press ENTER to accept a default value.
Syntax
setup
ssh
Starts or stops the SSH service on a vShield virtual appliance.
Syntax
ssh (start | stop)
CLI Mode
Configuration

Usage Guidelines
Starting the SSH service and enabling CLI access via SSH (cli ssh allow) allows users to access the CLI via SSH.

Example

manager(config)# ssh start
manager(config)# cli ssh allow

or

manager(config)# no cli ssh allow
manager(config)# ssh stop
syslog
Identifies a syslog server to which a vShield virtual machine can send system events. You can also identify one or more syslog servers by using the vShield Manager user interface. See Send vShield App System Events to a Syslog Server on page 63. To disable syslog export, use no before the command.
Syntax

[no] syslog (hostname | A.B.C.D)

Option  Description
hostname  Hostname of the syslog server.
A.B.C.D  IP address of syslog server.
write
Writes the running configuration to memory. This command performs the same operation as the write memory command.
Syntax
write
write erase
Resets the CLI configuration to factory default settings.
Syntax
write erase
write memory
Writes the current configuration to memory. This command is identical to the write command.
Syntax
write memory
Debug Commands
debug copy
Copies one or all packet trace or tcpdump files and exports them to a remote server. You must enable the debug packet capture command before you can copy and export files.
Syntax

debug copy (scp|ftp) URL (packet-traces | tcpdumps) (filename | all)

Option  Description
scp  Use SCP as transport protocol.
ftp  Use FTP as transport protocol.
URL  Add a URL in the format userid@<ip_address>:<directory>. For example: admin@10.10.1.10:/tmp
packet-traces  Copy and export packet traces.
tcpdumps  Copy and export system tcpdumps.
filename  Identify a specific packet trace or tcpdump file to export.
all  Copy and export all packet trace or tcpdump files.
Related Commands
debug packet capture
debug remove
debug show files
Syntax

vShield App

[no] debug packet display interface (mgmt | u0 | p0) [expression]

Option  Description
mgmt | u0 | p0  The specific vShield App interface from which to capture packets.
expression  A tcpdump formatted string. You must use an underscore between words in the expression.
vShield Edge

[no] debug packet display interface (intif | extif) [expression]

Option  Description
intif | extif  The specific vShield Edge interface from which to capture packets.
expression  A tcpdump formatted string. You must use an underscore between words in the expression.
debug remove
Removes one or all packet trace or tcpdump files from a vShield App.
Syntax

debug remove (packet-traces|tcpdumps) (filename|all)

Option  Description
packet-traces  Remove one or all packet trace files.
tcpdumps  Remove one or all tcpdump files.
filename  Identify a specific packet trace or tcpdump file to export.
all  Remove all packet trace or tcpdump files.
debug service
Enables logging for a service, noting the specific engine for the service and the severity of events to log. You can run the show services command to view the list of running services. To disable logging for a specific service, use no before the command.
Syntax

[no] debug service (ice|sysmgr|vdb|word) (low|medium|high)

Option  Description
service  Name of the service.
ice  vShield App protocol decoding engine.
sysmgr  vShield App system manager.
vdb  Deprecated.
word  Reserved for technical support.
low  Low severity events.
medium  Medium severity events.
high  High severity events.
Show Commands
show alerts
Shows system alerts as they relate to the protocol decoders or network events. If no alerts have been raised, no output is returned.
Syntax

show alerts (vulnerability|decoder|events)

Option  Description
vulnerability  Deprecated.
decoder  Alerts raised by protocol decoder errors.
events  Alerts raised by network events.
show arp
Shows the contents of the ARP cache.
Syntax
show arp
show clock
Shows the current time and date of the virtual machine. If you use an NTP server for time synchronization, the time is based on Coordinated Universal Time (UTC).
Syntax
show clock
show configuration
Shows either the current global configuration or the configuration for a specified service on a vShield Edge.
Syntax

show configuration (dhcp | firewall | ipsec | lb | nat | syslog | system)

Option  Description
dhcp  Show the current DHCP configuration.
firewall  Show the current firewall configuration.
show debug
Shows the debug processes that are enabled. You must enable a debug path by running the debug packet or one of the debug service commands.
Syntax
show debug
show ethernet
Shows Ethernet information for virtual machine interfaces.
Syntax
show ethernet
Example
vShield# show ethernet
Settings for mgmt:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
                      100baseT/Half 100baseT/Full
                      1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
                       100baseT/Half 100baseT/Full
                       1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
show filesystem
Shows the hard disk drive capacity for a vShield virtual machine. vShield App instances have one disk drive; the vShield Manager has two disk drives.
Syntax
show filesystem
show hardware
Shows the components of the vShield virtual machine.
Syntax
show hardware
show hostname
Shows the current hostname for a vShield Edge.
Syntax
show hostname
show interface
Shows the status and configuration for all interfaces or a single interface. You can also view interface statistics for a vShield App from the vShield Manager user interface. See View the Current System Status of a vShield App on page 64.
Syntax

show interface [mgmt | p0 | u0]

Option  Description
mgmt  Management interface
p0  vShield App P0 interface
u0  vShield App port U0 interface
Example
manager# show interface mgmt
Interface mgmt is up, line protocol is up
index 1 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,MULTICAST>
HWaddr: 00:50:56:9e:7a:60
inet 10.115.216.63/22 broadcast 10.115.219.255
Auto-duplex (Full), Auto-speed (1000Mb/s)
input packets 5492438, bytes 2147483647, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 2754582, bytes 559149291, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
show ip addr
Shows the protocol addresses configured on a vShield Edge for all devices.
Syntax
show ip addr
show ip route
Shows the IP routing table.
Syntax

show ip route [A.B.C.D/M]

Option  Description
A.B.C.D  IP address to use.
M  Subnet mask to use.
show iptables
Shows the IP routing table.
Syntax
show iptables [filter | mangle | nat | raw]

Option  Description
filter  Show the packet filtering table.
mangle  Show the mangle table. The mangle table is responsible for modification of the TCP packet QoS bits before routing occurs.
nat  Show the NAT table. NAT facilitates the transformation of the destination IP address to be compatible with the firewall's routing table.
raw  Show the raw table. The raw table is used to set a mark on packets that should not be handled by the connection tracking system.
show log
Shows the system log.
Syntax

show log [follow | reverse]

Option  Description
follow  Update the displayed log every 5 seconds.
reverse  Show the log in reverse chronological order.

Related Commands
show log alerts
show log events
show log last
SEM Debug Nov 15, 2005 02:46:23 PM PropertyUtils Props Read:[]
SEM Info Nov 15, 2005 02:46:23 PM RefreshDb UpdateVersionNumbers info does not exist
SEM Debug Nov 15, 2005 02:46:23 PM RefreshDb Applications: []
SEM Info Nov 15, 2005 02:46:23 PM RefreshDb Compiler version pairs found: []
show ntp
Shows the IP address of the network time protocol (NTP) server. You set the NTP server IP address by using the vShield Manager user interface.
Syntax
show ntp
show process
Shows information related to vShield Edge processes.
Syntax

show process (list | monitor)

Option  Description
list  List all currently running processes on the vShield Edge.
monitor  Continuously monitor the list of processes.
show route
Shows the current routes configured on a vShield Edge.
Syntax
show route
show running-config
Shows the current running configuration.
Syntax
show running-config
show service
Shows the status of the specified vShield Edge service.
Syntax

show service (dhcp | ipsec | lb)

Option  Description
dhcp  Show the status of the DHCP service.
ipsec  Show the status of the VPN service.
lb  Show the status of the Load Balancer service.
show services
Shows the services protected by a vShield App.
Syntax
show services
Example
vShield# show services
nproxy_D_T_0001 is ACTIVE
56 - 2050001_SAFLOW-FTPD-Dynamic-Port-Detection
57 - 2050001_SAFLOW-MSRPC-Dynamic-Port-Detection
58 - 2050001_SAFLOW-ORACLE-Dynamic-Port-Detection-Reverse
59 - 2050001_SAFLOW-FTPD-Dynamic-Port-Detection-Reverse
60 - 2050001_SAFLOW-SUNRPC-Dynamic-Port-Detection
61 - 2050001_SAFLOW-MSRPC-Dynamic-Port-Detection-Reverse
62 - 2050001_SAFLOW-SUNRPC-Dynamic-Port-Detection-Reverse
63 - 2050001_SAFLOW-ORACLE-Dynamic-Port-Detection
64 - 2050001_SAFLOW-Generic-Single-Session-Inverse-Attached
65 - 2050001_SAFLOW-Generic-Single-Session-Forward-Attached
Example
vShield# show session-manager sessions
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address
tcp        0      0 0.0.0.0:2601            0.0.0.0:*
tcp        0      0 0.0.0.0:7060            0.0.0.0:*       V_Listen
tcp        0      0 192.168.110.229:46132   0.0.0.0:*
show slots
Shows the software images on the slots of a vShield virtual machine. Boot indicates the image that is used to boot the virtual machine.
Syntax
show slots
show stacktrace
Shows the stack traces of failed components. If no components have failed, no output is returned.
Syntax
show stacktrace
show startup-config
Shows the startup configuration.
Syntax
show startup-config
show syslog
Shows the syslog configuration.
Syntax
show syslog
Example
vShield# show system mem
MemTotal: 2072204 kB
MemFree: 1667248 kB
Buffers: 83120 kB
show version
Shows the software version currently running on the virtual machine.
Syntax
show version
Example
vShield# show vmwall rules
Printing VMWall Rules and IP Lists...
link-detect
Enables link detection for an interface. Link detection checks the status of an interface as enabled or disabled. Link detection is enabled by default. To disable link detection for an interface, use no before the command.
Syntax
[no] link-detect
or
vShield(config-if)# no link-detect
ping
Pings a destination by its hostname or IP address.
Syntax

ping (hostname | A.B.C.D)

Option  Description
hostname | A.B.C.D  The hostname or IP address of the target system.
ssh
Opens an SSH connection to a remote system.
Syntax
ssh (hostname | A.B.C.D)

Option  Description
hostname | A.B.C.D  The hostname or IP address of the target system.
telnet
Opens a telnet session to a remote system.
Syntax

telnet (hostname | A.B.C.D) [port]

Option  Description
hostname | A.B.C.D  The hostname or IP address of the target system.
port  Listening port on remote system.
or
vShield# telnet server123 1221
traceroute
Traces the route to a destination.
Syntax

traceroute (hostname | A.B.C.D)

Option  Description
hostname | A.B.C.D  The hostname or IP address of the target system.
validate sessions
Validates the existing sessions against the current set of firewall rules.
Syntax
validate sessions
user
Adds a CLI user account. The user admin is the default user account. The CLI admin account and password are separate from the vShield Manager user interface admin account and password.

You cannot change the password for a CLI user. You must delete a user account and re-add it to change the password. If you must change a password, create a new user account to prevent CLI lockout.

IMPORTANT Each vShield virtual machine has two built-in CLI user accounts for system use: nobody and vs_comm. Do not delete or modify these accounts. If these accounts are deleted or modified, the virtual machine will not work.

To remove a CLI user account, use no before the command.
Syntax
[no] user username password (hash | plaintext) password

Option  Description
username  Login name of the user.
hash  Masks the password by using the MD5 hash. You can view and copy the provided MD5 hash by running the show running-config command.
plaintext  Keeps the password unmasked.
password  Password to use.
or
vShield(config)# no user newuser1
web-manager
Starts the Web service on the vShield Manager. The Web service is started after the vShield Manager is installed. To stop the web service (HTTP daemon) on the vShield Manager, use no before the command. This command makes the vShield Manager unavailable to Web Console browser sessions.
Syntax
[no] web-manager
CLI Mode
Configuration

Usage Guidelines
vShield Manager CLI. You can use this command after you have run the no web-manager command to stop and then restart the HTTP services of the vShield Manager.

Example

manager(config)# no web-manager
manager(config)# web-manager
Terminal Commands
clear vty
Clears all other VTY connections to the CLI.
Syntax
clear vty
reset
Resets the terminal settings to remove the current screen output and return a clean prompt.
Syntax
reset
terminal length
Sets the number of rows to display at a time in the CLI terminal.
Syntax

terminal length <0-512>

Option  Description
<0-512>  Enter the number of rows to display. If length is 0, no display control is performed.
terminal no length
Negates the terminal length command.
Syntax
terminal no length
Deprecated Commands
The vShield CLI contains commands that have been deprecated. The following table lists deprecated commands.

Table A-1. Deprecated Commands

Command
close support-tunnel
copy http URL slot (1|2)
copy http URL temp
copy scp URL slot (1|2)
copy scp URL temp
debug export snapshot
debug import snapshot
debug snapshot list
debug snapshot remove
debug snapshot restore
duplex auto
duplex (half|full)
speed (10|100|1000)
ip policy-address
linkwatch interval <5-60>
mode policy-based-forwarding
open support-tunnel
set support key
show raid
show raid detail
Troubleshooting
This section guides you through troubleshooting common vShield issues. This appendix covers the following topics:

Troubleshooting vShield Manager Installation on page 133
Troubleshooting Operation Issues on page 134
Troubleshooting Port Group Isolation Issues on page 135
Troubleshooting vShield Edge Issues on page 138
Troubleshooting vShield Endpoint Issues on page 139
Solution
You must have the vSphere Client to install vShield.
Solution
If a vShield OVA file cannot be installed, an error window in the vSphere Client notes the line where the failure occurred. Send this error information with the vSphere Client build information to VMware technical support.
Cannot Log In to CLI After the vShield Manager Virtual Machine Starts
Problem
I cannot log in to the vShield Manager CLI after I installed the OVF.
Solution
Wait a few minutes after completing the vShield Manager installation to log in to the vShield Manager CLI. In the Console tab view, press Enter to check for a command prompt if the screen is blank.
Solution
The vShield Manager IP address is in a subnet that is not reachable by the Web browser. The IP address of the vShield Manager management interface must be reachable by the Web browser to use vShield.
Solution
If you cannot configure the vShield App from the vShield Manager, there is a break in connectivity between the two virtual machines. The vShield management interface cannot talk to the vShield Manager management interface. Make sure that the management interfaces are in the same subnet. If VLANs are used, make sure that the management interfaces are in the same VLAN.

Another reason could be that the vShield App or vShield Manager virtual machine is powered off.
Solution
This might be the result of one of the following conditions.

Take a snapshot or create a TAR of the affected vShield App by using the vSphere Client. Send this information to VMware technical support.
Appendix B Troubleshooting
Solution
Check the ordering and scope of the rule. This includes the container level at which the rule is being enforced. Issues might occur when an IP address based rule is configured under the wrong container.

Check where the affected virtual machine resides. Is the virtual machine behind a vShield App? If not, then there is no agent to enforce the rule. Select the virtual machine in the resource tree. The App Firewall tab for this virtual machine displays all of the rules that affect this virtual machine.

Place any unprotected virtual machines onto a vShield protected switch or protect the vSwitch that the VM is on by installing a vShield.

Enable logging for the App Firewall rule in question. This might slow network traffic through the vShield App.

Verify vShield App connectivity. Check for the vShield App being out of sync on the System Status page. If out of sync, click Force Sync. If it is still not in sync, go to the System Event log to determine the cause.
If all of the above is correct, the ESX host is set up properly for Port Group Isolation.

Adds an entry to the services list on ESX to expose VSHD services. You can verify this entry by opening the file /etc/vmware/hostd/proxy.xml and searching for the word vsh.

The removal script removes all of the operations created by the installation script.
To troubleshoot if broadcast packets are being received but unicast packets are being dropped

1 Run /opt/vmware/vslad/fence-util setSwitchMode 1 on all ESX hosts in question. This command instructs the vshd module to broadcast all fenced packets.
If, after running the command on all hosts, things start working, most of the time this means that the issue lies with the mirror virtual machines, because the mirror virtual machines must be configured correctly for unicast packet delivery to work.
For more on fence-util, see Details of the fence-util Utility on page 137.
2 On each ESX host, check the mirror virtual machines' NICs to make sure that at least one NIC is connected to the vSwitch to which these virtual machines are connected.
3 Confirm that the filter entries for this NIC in the mirror virtual machines' VMX files are correct. All of the entries for that vSwitch should have the same LanId value.
After fixing the problem, reset the mode to 0 by running /opt/vmware/vslad/fence-util setSwitchMode 0.
4 Confirm that the packets are reaching the other ESX host. If the mirror virtual machines are misconfigured, packets are dropped at the destination ESX host, not by the source host.
If things are still not working, this would most likely mean that unicast switching is broken somewhere on the physical boxes in the network. This is rare, because if broadcast packets are arriving, physical connectivity is present between the virtual machines communicating with each other. If broadcast is working and unicast is not working even after putting all vshd modules in broadcast mode using fence-util, then problems may be present in the physical network for such unicasts.
There is also a chance of more than one vShield Manager, Port Group Isolation, or vCenter installation on the same network. In that case, some of the host key MAC addresses may get duplicated within the same physical network. Because of this, the broadcast traffic may work fine, but the unicast traffic may reach the wrong hosts, because the physical switches on the network may learn the same MAC from two different places.

To troubleshoot if no packets are being received and broadcasts are being dropped

1 Confirm that the two ESX hosts are present on a common physical network and on the same VLAN.
2 In the case of legacy switches, confirm that the same port group is connected to the same named vSwitch on all the ESX hosts in question.
3 Confirm that the NICs connected to these vSwitches connect to the same physical network.
4 Run the /opt/vmware/vslad/fence-util info command multiple times on all ESX hosts to see if any dropped packet counters are incremented.
This module also shows dropped packet numbers for unfenced packets entering into fenced vNICs. This would mean that all the other broadcasts on the network are dropped when they reach the fenced vNIC. Look for the Fenced From VM and Fenced To VM counters.
5 Isolate the point where packets are getting dropped by running captures on the ESX interface at both ends. In cases where packets are coming out of the source ESX but are not reaching the destination ESX, there is a rare chance that some intelligent device in between may be dropping these packets because of an unknown ethtype in the packets.
Details of the fence-util Utility

Port Id is the first column in all other tables (Active Ports, Switch State, and Port Stats). This is a unique identifier assigned by the vshd module to each fence-enabled port. The ID is internal and has no external meaning: it is the dvfilter name for that port cast to a Uint64. The port ID is useful for querying values for a specific port with the fence-util portInfo <portId> command, which outputs the details of only one port.

Active Ports shows all the ports (vNICs) where fencing is active, including the mirror vNICs. In the output below, the first host has five ports enabled for fencing, two of which are mirror vNICs. Mirror vNICs can be identified by the special fence ID fffffe; the OPI column holds the fence ID. In this setup, the first host has one fence with ID 000001. The next column shows the LanId configured for that port, which indicates which vSwitch the port is connected to. The first host has two vSwitches (a legacy vSwitch and a dvSwitch): one has been assigned LanId 1 and the other LanId 2, so you see two mirror virtual machine vNICs (one for each vSwitch) with different LanIds in Active Ports.

Switch State shows the learning table of the fence module's internal unicast learning. The inner MAC is the MAC of the destination VM; the outer MAC is the host key MAC of the host on which that VM is present. The module builds this table by looking at packets, learning which VM is on which host. When a VM on this host sends to another virtual machine, the table is looked up: if the destination VM's MAC is found in the inner MAC column, the corresponding outer MAC is used as the destination host key MAC in the outer MAC header that the fence module adds. If no entry is found, the packet is broadcast (the destination MAC of the outer header is set to the broadcast address). Like any other learning system, this one has mechanisms to time out and modify learnt entries, which handles VMs moving to different hosts and keeps the table from growing with stale MAC entries. The used/age/seen bits are the flags the fence module uses to track how recently and how often each MAC entry is hit. Learning is done per port, so you see the same inner MAC/outer MAC pairs on different ports. The table also shows the host's own key MAC in the outer MAC column, because even for VMs on the same host the same code path is used: the packet is encapsulated on the source port and decapsulated on the destination port. There is no optimization for same-host VMs, so for VMs on the same host the outer MAC is the host key MAC of that host.

Port Statistics shows packet statistics per port, one port per row. The From VM and To VM statistics count packets from and to the VM; the subcategories give the specifics of each packet. The details of each counter are in the following structure.
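The Switch State description above is easier to reason about with a small model of the per-port learning table. The following Python code is an added illustration, not VMware's vshd implementation: the entry layout, the meaning of the used/age bits, the aging interval (MAX_AGE) and the host key and VM MAC addresses are all constructed for this example. It walks one fenced port through the cases the text describes: an unknown destination is flooded, a learned destination gets the peer host's key MAC, a same-host peer still gets the local host's key MAC, a moved VM overwrites its entry, and an aged-out entry falls back to broadcast.

```python
"""Model of the per-port unicast learning table the fence module keeps (Switch State).

Added illustration, not VMware code. The vshd module's real entry layout, flag
semantics and aging interval are not on this page; MAX_AGE and the MAC
addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAX_AGE = 300.0  # seconds, assumed; the real aging behaviour is not documented here


@dataclass
class Entry:
    outer_mac: str      # host key MAC the inner MAC was last seen behind
    last_seen: float    # "age": when a packet last refreshed the entry
    used: bool = False  # "used": a lookup has hit this entry since it was learned


@dataclass
class FencePort:
    """One fence-enabled vNIC. Learning is per port, so every port on a host
    builds its own table even though the contents overlap."""
    port_id: int
    host_key_mac: str   # key MAC of the host this port lives on
    table: Dict[str, Entry] = field(default_factory=dict)

    def receive(self, inner_src: str, outer_src: str, now: float) -> None:
        """Decapsulation path: record which host key MAC carried inner_src.
        A VM that moved hosts simply overwrites its old entry."""
        self.table[inner_src] = Entry(outer_src, now)

    def expire(self, now: float) -> List[str]:
        """Drop entries not refreshed within MAX_AGE; returns the MACs removed."""
        stale = [m for m, e in self.table.items() if now - e.last_seen > MAX_AGE]
        for m in stale:
            del self.table[m]
        return stale

    def encapsulate(self, inner_dst: str, now: float) -> Tuple[str, str]:
        """Transmit path: choose the outer (host key) source and destination MACs.
        The outer source is always this host's key MAC, even for a same-host peer;
        an unknown or expired destination gets the broadcast outer destination."""
        self.expire(now)
        entry = self.table.get(inner_dst)
        if entry is None:
            return self.host_key_mac, BROADCAST
        entry.used = True
        return self.host_key_mac, entry.outer_mac


# Constructed topology: VM1 and VM3 on host A, VM2 on host B.
HOST_A, HOST_B = "00:50:56:aa:00:01", "00:50:56:aa:00:02"
VM1, VM2, VM3 = "00:0c:29:11:11:11", "00:0c:29:22:22:22", "00:0c:29:33:33:33"


def scenario() -> List[Tuple[str, str]]:
    """Walk VM1's port through the cases the text describes and return the
    outer destination chosen at each step."""
    port = FencePort(port_id=0x1A2B, host_key_mac=HOST_A)
    steps = []
    steps.append(("unknown VM2", port.encapsulate(VM2, now=0.0)[1]))    # flooded
    port.receive(VM2, HOST_B, now=1.0)                                   # reply from VM2 learned
    steps.append(("learned VM2", port.encapsulate(VM2, now=2.0)[1]))    # host B key MAC
    port.receive(VM3, HOST_A, now=3.0)                                   # same-host peer learned
    steps.append(("same-host VM3", port.encapsulate(VM3, now=3.5)[1]))  # still host A key MAC
    port.receive(VM2, HOST_A, now=4.0)                                   # VM2 migrated to host A
    steps.append(("moved VM2", port.encapsulate(VM2, now=5.0)[1]))      # entry overwritten
    steps.append(("stale VM2", port.encapsulate(VM2, now=5.0 + MAX_AGE + 1)[1]))  # aged out
    return steps


if __name__ == "__main__":
    for label, outer in scenario():
        print(f"{label:14s} -> outer dst {outer}")
```

Two points the model makes concrete for the duplicate-host-key-MAC case discussed in the troubleshooting steps: learning keys on the outer source MAC of whatever packet arrived last, so two hosts sharing a key MAC silently overwrite each other's entries, and a miss always degrades to a flood rather than a drop, which is why broadcast keeps working while unicast goes astray.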
Appendix B Troubleshooting
Both are DWORD bitmasks that can be any combination of the following values:

log_dest
    WINDBLOG    0x1
    VMWARE_LOG  0x2

log_level
    AUDIT       0x1
    ERROR       0x2
    WARN        0x4
    INFO        0x8
    DEBUG       0x10
Index

A
accessing online help 18
adding a user 34
admin user account 34
alarms for vShield Endpoint 82
App Firewall 73
    about L4 and L2/L3 rules 74
    adding L2/L3 rules 77
    adding L4 rules 75
    adding rules from Flow Monitoring 69
    Default Rules 74
    deleting rules 79
    hierarchy of rules 74
    planning rule enforcement 74
    Revert to Snapshot 79
    validate sessions 78
Audit Logs 43, 77, 78
audit messages for vShield Endpoint 86

B
backing up the vShield Manager 24
Backup Configuration 64
Backups 24
    on-demand 39
    restoring 40
    scheduling 40
basic mode of CLI 89
block sessions 31, 53, 78

C
clear vmwall rules 97
clear vty 129
CLI
    backing up configuration 64
    configuration mode 90
    help 91
    interface mode 90
    logging in 89
    modes 89
    privileged mode 89
    syntax 90
Cluster Level Rules 28, 74
command syntax 90
configuration mode of CLI 90
configure terminal 94
connecting to vCenter Server 21

D
data
    on-demand backups 39
    restoring a backup 40
    scheduling backups 40
Data Center High Precedence Rules 28, 74
Data Center Low Precedence Rules 28, 74
database erase 98
date 23
date range for Flow Monitoring 68
debug copy 104
debug packet capture 105
debug packet display interface 105
debug remove 106
debug service 107
debug service flow src 107
debug show files 108
Default Policy 52
Default Rules 28, 74
default web-manager password 128
deleting a port mapping 71
deleting a user 35
DHCP 54
disable 94
DNS 22
downloads, firewall logs 65

E
Edit Port Mappings 70
    add a mapping 70
    deleting 71
    Hide Port Mappings 71
editing a user account 34
enable 95
enable password 98
end 95
events
    sending to syslog 63
    syslog format 42
    vShield App 42
    vShield Manager 42
events for vShield Endpoint 83

F
firewall
    about 27
    add vShield Edge firewall rule 52
    adding L2/L3 rules 77
    adding L4 rules 29, 75
    adding rules from Flow Monitoring 69
    adding Zones Firewall L2/L3 rules 30
    App Firewall, about 73
    deleting rules 32, 79
    logs 65
    planning rule enforcement 28, 74
    Revert to Snapshot 79
    validate sessions 31, 53, 78
flow analysis date range 68
Flow Monitoring
    adding an App Firewall rule 69
    date range 68
    show report 68
Force Sync 64

G
GUI
    logging in 17
    online help 18

H
help
    CLI 91
    GUI 18
Hide Port Mappings 71
hierarchy of App Firewall rules 74
hierarchy of Zones Firewall rules 28
history of updates 38
host alarms for vShield Endpoint 82
hostname 99
Hosts & Clusters view 18
HTTP proxy 23

I
installing, updates 37
interface 96
interface mode of CLI 90
inventory panel 18
ip address 99
ip name server 99
ip route 100

L
L2/L3 rules
    about 74
    adding 30, 77
L4 rules
    about 74
    adding 29, 75
link-detect 125
list 93
Load Balancer 58
login
    CLI 89
    vShield Manager 17
logs
    audit 43, 77, 78
    firewall 65
    technical support 23

M
manager key 100

N
NAT 53
Networks view 18
NTP 23
ntp server 101

O
online help 18

P
password 34
ping 125
ping interface addr 126
plug-in 22
Port Group Isolation, uninstall 46
port mappings 70
    add 70
    deleting 71
    hiding 71
privileged mode of CLI 89
proxy service 23

Q
quit 96

R
reboot 93
reports
    audit log 43, 77, 78
    system events 41
reset 130
restarting a vShield App 65
restoring backups 40
Revert to Snapshot 79
roles and rights
    about 33
    assigning to a user 34
rules
    adding L2/L3 rules to App Firewall 77
    adding L2/L3 rules to Zones Firewall 30
    adding L4 rules to App Firewall 75
    adding L4 rules to Zones Firewall 29
    deleting App Firewall rules 79
    deleting Zones Firewall rules 32

S
scheduling backups 40
Secure Port Group Rules 28, 74
Secured Port Groups view 18
security groups
    about 73
    add 77
    assign resources 78
serial number of vShield Manager 24
services
    DNS 22
    NTP 23
    proxy 23
set clock 101
setup 102
show alerts 108
show arp 109
show clock 109
show configuration 109
show debug 110
show ethernet 110
show filesystem 111
show gateway rules 111
show hardware 112
show hostname 112
show interface 112
show ip addr 113
show ip route 113
show kernel message 114
show kernel message last 114
show log 115
show log alerts 115
show log events 115
show log last 116
Show Logs 65
show manager log 116
show manager log last 117
show ntp 117
show process 118
Show Report 68
show route 118
show running-config 118
show service 119
show service statistics 119
show services 119
show session-manager counters 120
show session-manager sessions 120
show slots 121
show stacktrace 121
show startup-config 121
show syslog 122
show system events 122
show system load 122
show system memory 123
show system network_connections 123
show system storage 123
show system uptime 124
show tech support 126
show version 124
show vmwall log 124
show vmwall rules 124
shutdown 94
ssh 126
SSL certificate 24
start or stop vShield Edge services 59
status
    of update 37
    of vShield Manager 24
    vShield App 64
    vShield Edge 51
    vShield Endpoint 81
SVM alarms for vShield Endpoint 82
sync with vCenter 21
syncing a vShield App 64
syntax for CLI commands 90
syslog
    CLI 103
    vShield Edge 52
syslog format 42
Syslog Server 63
System Events 41
System Status 64
    Force Sync 64
    Restart 65
    show firewall Logs 65
    traffic stats 65
system time 23

T
technical support log 23
telnet 127
terminal length 130
terminal no length 130
time 23
traceroute 127
traffic analysis date range 68
traffic stats for a vShield App 65

U
uninstall
    Port Group Isolation 46
    vShield App 45
    vShield Edge 46
    vShield Endpoint module 47
    vShield Zones 45
unregister a vShield Endpoint SVM 47
Update History 38
Update Status 37
Update User 34
Updates
    installing 37
    Update History 38
    Update Status 37
user 128
user interface, logging in 17
Users
    adding 34
    admin account 34
    assigning a role and rights 34
    changing a password 34
    deleting 35
    editing 34
    roles and rights 33

V
validate sessions 128
views
    Hosts & Clusters 18
    Networks 18
    Secured Port Groups 18
VM alarms for vShield Endpoint 83
VPN 56
vShield
    vShield App 14
    vShield Edge 14
    vShield Endpoint 15
    vShield Manager 13
vShield App
    about 14
    CLI configuration 64
    firewall logs 65
    forcing sync 64
    notification based on events 42
    restarting 65
    sending events to syslog server 63
    System Status 64
    traffic stats 65
    uninstall 45
vShield Edge
    about 14
    add firewall rule 52
    add NAT rules 53
    DHCP 54
    firewall
        Default Policy 52
        validate sessions 53
    Load Balancer 58
    start or stop services 59
    status 51
    syslog 52
    uninstall 46
    VPN 56
vShield Endpoint
    about 15
    alarms 82
    audit messages 86
    events 83
    host alarms 82
    status 81
    SVM alarms 82
    uninstall 47
    unregister SVM 47
    VM alarms 83
vShield Manager
    about 13
    accessing online help 18
    Backups 24
    date and time 23
    DNS 22
    inventory panel 18
    logging in 17
    notification based on events 42
    NTP 23
    on-demand backups 39
    proxy service 23
    restoring a backup 40
    scheduling a backup 40
    serial number 24
    SSL Certificate 24
    status 24
    Support 23
    sync with vCenter Server 21
    system events 41
    user interface panels 18
    vSphere Plug-in 22

W
web-manager 129
write 103
write erase 104
write memory 104

Z
Zones Firewall 27
    adding L2/L3 rules 30
    adding L4 rules 29
    deleting rules 32
    hierarchy of rules 28
    planning rule enforcement 28
    validate sessions 31