User manual VMWARE VSHIELD ENDPOINT SECURITY 1.0 ADMIN GUIDE


Manual abstract: user guide VMWARE VSHIELD ENDPOINT SECURITY 1.0 ADMIN GUIDE


[...]

vShield Administration Guide
vShield Manager 4.1
vShield Edge 1.0
vShield App 1.0
vShield Endpoint Security 1.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000374-00

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2010 VMware, Inc. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

[...]

This chapter includes the following topics:
"Using App Firewall"
"Create an App Firewall Rule"
"Create a Layer 2/Layer 3 App Firewall Rule"
"Creating and Protecting Security Groups"
"Validating Active Sessions against the Current App Firewall Rules"
"Revert to a Previous App Firewall Configuration"
"Delete an App Firewall Rule"

Using App Firewall

The App Firewall service is a centralized, hierarchical firewall for ESX hosts. App Firewall enables you to create rules that allow or deny access to and from your virtual machines. You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set of rules across multiple vShield App instances under these containers. As membership in these containers can change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the managed containers.

Securing Containers and Designing Security Groups

When creating App Firewall rules, you can create rules based on traffic to or from a specific container that encompasses all of the resources within that container. For example, you can create a rule to deny any traffic from inside of a cluster that targets a specific destination outside of the cluster. You can create a rule to deny any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or destination, all IP addresses within that container are included in the rule.

A security group is a trust zone that you create and assign resources to for App Firewall protection. Security groups enable you to create a container by assigning resources arbitrarily, such as virtual machines and network adapters. After the security group is defined, you add the group as a container in the source or destination field of an App Firewall rule. See "Creating and Protecting Security Groups".

Default Rules

By default, the App Firewall enforces a set of rules allowing traffic to pass through all vShield App instances. These rules appear in the Default Rules section of the App Firewall table. However, you can change the Action element of each rule from Allow to Deny.

Layer 4 Rules and Layer 2/Layer 3 Rules

The App Firewall tab offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model. Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules monitor traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3 rules at the datacenter level only. By default, all Layer 4 and Layer 2/Layer 3 traffic is allowed to pass.

Hierarchy of App Firewall Rules

Each vShield App enforces App Firewall rules in top-to-bottom ordering.
A vShield App checks each traffic session against the top rule in the App Firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

[...]

Thus for VMs on the same host, the outer MAC will be hostkeyMAC of the same host.

Troubleshooting vShield Edge Issues

Virtual Machines Are Not Getting IP Addresses from the DHCP Server

To determine why protected virtual machines are not being assigned IP addresses by a vShield Edge

1 Verify DHCP configuration was successful on the vShield Edge by running the CLI command: show configuration dhcp.
2 Check whether DHCP service is running on the vShield Edge by running the CLI command: show service dhcp
3 Ensure that vmnic on virtual machine and vShield Edge is connected (vCenter > Virtual Machine > Edit Settings > Network Adapter > Connected/Connect at Power On check boxes).
  When both a vShield App and vShield Edge are installed on the same ESX host, disconnection of NICs can occur if a vShield App is installed after a vShield Edge.

Load-Balancer Does Not Work

To determine why the load balancer service on a vShield Edge is not working

1 Verify that the Load balancer is running by running the CLI command: show service lb.

[...]
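
The top-to-bottom, first-match enforcement described under "Hierarchy of App Firewall Rules" means a broad rule placed above a narrower one silently disables the narrower one. The following is an added example, not VMware code or part of the guide: a small Python model of first-match evaluation with a catch-all default Allow rule, plus an audit that lists shadowed rules. The Rule structure, rule names, containers and addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple          # networks that make up the source container
    dst: tuple          # networks that make up the destination container
    port: object        # destination port, or None for any
    action: str         # "Allow" or "Deny"

def _inside(addr, nets):
    return any(ip_address(addr) in n for n in nets)

def evaluate(rules, src, dst, port):
    """Return (rule name, action) of the first rule, top to bottom, that matches."""
    for r in rules:
        if _inside(src, r.src) and _inside(dst, r.dst) and r.port in (None, port):
            return r.name, r.action
    raise LookupError("table has no catch-all default rule")

def _covers(outer, inner):
    return all(any(i.subnet_of(o) for o in outer) for i in inner)

def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule matches all of the later rule's traffic."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.port in (None, later.port)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed containers and rules (assumptions, not taken from the guide).
ANY = (ip_network("0.0.0.0/0"),)
CLUSTER = (ip_network("10.0.0.0/16"),)
WEB_GROUP = (ip_network("10.0.1.0/24"),)
DB_GROUP = (ip_network("10.0.2.0/24"),)

ALLOW_CLUSTER = Rule("allow-cluster-internal", CLUSTER, CLUSTER, None, "Allow")
DENY_WEB_DB = Rule("deny-web-to-db-3306", WEB_GROUP, DB_GROUP, 3306, "Deny")
DEFAULT = Rule("default-allow", ANY, ANY, None, "Allow")

MISORDERED = [ALLOW_CLUSTER, DENY_WEB_DB, DEFAULT]   # the deny can never fire
REORDERED = [DENY_WEB_DB, ALLOW_CLUSTER, DEFAULT]    # specific rule placed first

if __name__ == "__main__":
    print(evaluate(MISORDERED, "10.0.1.5", "10.0.2.9", 3306))
    print(shadowed(MISORDERED))
    print(evaluate(REORDERED, "10.0.1.5", "10.0.2.9", 3306))
```

Running the audit on a rule table before applying it catches Deny rules that sit below a broader Allow and would never be enforced.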
