VMware, Inc.
Appendix B Troubleshooting
Firewall Block Rule Not Blocking Matching Traffic
Problem
I configured an App Firewall rule to block specific traffic. I used Flow Monitoring to view traffic, and the traffic
I wanted to block is being allowed.
Solution
Check the ordering and scope of the rule, including the container level at which the rule is enforced.
Rules are evaluated in order, so an earlier rule that allows the same traffic matches first, and a rule applies
only to virtual machines within the container it is defined under. An IP address-based rule configured under
the wrong container therefore never sees the traffic you expect it to block.
Check where the affected virtual machine resides. Is the virtual machine behind a vShield App? If not, then
there is no agent to enforce the rule. Select the virtual machine in the resource tree. The App Firewall tab for
this virtual machine displays all of the rules that affect this virtual machine.
Place any unprotected virtual machines on a vShield App-protected vSwitch, or protect the vSwitch that the virtual
machine is on by installing a vShield App on that host.
Enable logging for the App Firewall rule in question to confirm whether the rule is being hit. Logging might slow
network traffic through the vShield App.
Verify vShield App connectivity. Check for the vShield App being out of sync on the System Status page. If out
of sync, click Force Sync. If it is still not in sync, go to the System Event log to determine the cause.
No Flow Data Displaying in Flow Monitoring
Problem
I have installed the vShield Manager and a vShield App. When I opened the Flow Monitoring tab, I did not
see any data.
Solution
This might be the result of one or more of the following conditions.
You did not allow enough time for the vShield App to monitor traffic sessions. Allow a few minutes after
vShield App installation to collect traffic data. You can request data collection by clicking Get Latest on
the Flow Monitoring tab.
Traffic is destined to virtual machines that are not protected by a vShield App. Make sure your virtual
machines are protected by a vShield App. Virtual machines must be in the same port group as the
vShield App protected (p0) port.
There is no traffic to the virtual machines protected by a vShield App.
Check the system status of each vShield App for out-of-sync issues.
Troubleshooting Port Group Isolation Issues
Validate Installation of Port Group Isolation
To validate installation of Port Group Isolation
1 Make sure that the same port group and virtual machines are not also configured for vCloud Service
Director network isolation or LabManager cross-host fencing. Double encapsulation mode is not currently
supported.
2 Verify that the Port Group Isolation bundle is installed:
esxupdate query
3 Verify that vshd is running.
ESXi: ps | grep vsh
The results might contain more than one instance, which is OK.
ESX Classic: ps -eaf | grep vshd
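The following script performs steps 2 and 3 from the ESX or ESXi console and reports the result. It is an added example for this page, not VMware code. It assumes the daemon appears as vshd in the process list and that the bundle can be recognised in esxupdate query output by the pattern in BUNDLE_PATTERN; neither value is documented here, so adjust both for your build. The sample ps and esxupdate output at the bottom is constructed so the script can be exercised off a host.

```shell
#!/bin/sh
# Added example for the validation steps above; not VMware code.
# Runs checks 2 and 3 from the ESX/ESXi console and reports the result.
# Assumptions (not documented on this page): the daemon appears as "vshd" in
# the process list, and the bundle shows up in "esxupdate query" output
# matching BUNDLE_PATTERN. Adjust both for your build.
VSHD_PATTERN='vshd'
BUNDLE_PATTERN='[Ii]solation'

# vshd_instances PS_TEXT -> prints how many vshd processes PS_TEXT lists,
# ignoring the grep process itself. More than one instance is expected.
vshd_instances() {
  printf '%s\n' "$1" \
    | awk -v p="$VSHD_PATTERN" '$0 ~ p && $0 !~ /grep/ { n++ } END { print n + 0 }'
}

# bundle_installed QUERY_TEXT -> succeeds when the bundle appears in QUERY_TEXT
bundle_installed() {
  printf '%s\n' "$1" | grep -q "$BUNDLE_PATTERN"
}

# process_listing -> ps output for this host. ESX Classic accepts ps -eaf;
# the BusyBox ps on ESXi rejects the options, so fall back to plain ps.
process_listing() {
  ps -eaf 2>/dev/null || ps
}

# run_checks -> prints one line per check; exit status 0 only if all pass
run_checks() {
  status=0
  n=$(vshd_instances "$(process_listing)")
  if [ "$n" -gt 0 ]; then
    echo "vshd: $n instance(s) running (more than one is OK)"
  else
    echo "vshd: NOT running"; status=1
  fi
  if command -v esxupdate >/dev/null 2>&1; then
    if bundle_installed "$(esxupdate query)"; then
      echo "bundle: Port Group Isolation bundle installed"
    else
      echo "bundle: NOT found in esxupdate query"; status=1
    fi
  else
    echo "bundle: esxupdate not present on this host, check skipped"
  fi
  return $status
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_PS='  PID USER     COMMAND
  812 root     /sbin/vshd -d
  815 root     /sbin/vshd -d
  900 root     grep vsh'
SAMPLE_QUERY='---Bulletin ID--- -----Installed----- ----Summary----
EXAMPLE-PortGroupIsolation-100 2010-09-01T00:00:00 Port Group Isolation bundle (constructed)'

echo "sample vshd instances: $(vshd_instances "$SAMPLE_PS")"
bundle_installed "$SAMPLE_QUERY" && echo "sample bundle: found"
run_checks || echo "one or more live checks failed (expected off an ESX host)"
```

Run it from the service console (ESX Classic) or the ESXi shell; a non-zero exit from run_checks means either vshd is not running or the bundle is not listed, which maps directly to steps 2 and 3 above. Step 1 (no overlapping vCloud or LabManager isolation on the same port group) has to be confirmed in those products' own configuration and is not scripted here.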