manualshive.com logo in svg

VMware VSHIELD APP 1.0.0 UPDATE 1 - API, Admin Manual, Page: 69 / 144

Share
Download
VMware VSHIELD APP 1.0.0 UPDATE 1 - API Admin Manual Download Page 69

VMware, Inc.

69

 

13

vShield App provides firewall protection through access policy enforcement. The App Firewall tab represents 
the vShield App firewall access control list. 

This chapter includes the following topics:

“Using App Firewall”

 on page 69

“Create an App Firewall Rule”

 on page 71

“Create a Layer 2/Layer 3 App Firewall Rule”

 on page 73

“Creating and Protecting Security Groups”

 on page 73

“Validating Active Sessions against the Current App Firewall Rules”

 on page 74

“Revert to a Previous App Firewall Configuration”

 on page 75

“Delete an App Firewall Rule”

 on page 75

“Using SpoofGuard”

 on page 75

Using App Firewall

The App Firewall service is a centralized, hierarchical firewall for ESX hosts. App Firewall enables you to 
create rules that allow or deny access to and from your virtual machines. Each installed vShield App enforces 
the App Firewall rules.

You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set 
of rules across multiple vShield App instances under these containers. As membership in these containers can 
change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration 
of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the 
managed containers.

Securing Containers and Designing Security Groups

When creating App Firewall rules, you can create rules based on traffic to or from a specific container that 
encompasses all of the resources within that container. For example, you can create a rule to deny any traffic 
from inside of a cluster that targets a specific destination outside of the cluster. You can create a rule to deny 
any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or 
destination, all IP addresses within that container are included in the rule.

App Firewall Management

13

N

OTE

   

App Firewall rules apply to vShield App instances, but not vShield Edge or vShield Endpoint instances. 

The Zones Firewall tab becomes the App Firewall tab when the vShield App license is activated.

Summary of Contents for VSHIELD APP 1.0.0 UPDATE 1 - API

Page 1: ...date 1 vShield App 1 0 0 Update 1 vShield Endpoint 1 0 0 Update 1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new...

Page 2: ...bout this documentation submit your feedback to docfeedback vmware com Copyright 2010 VMware Inc All rights reserved This product is protected by U S and international copyright and intellectual prope...

Page 3: ...Server 19 Register the vShield Manager as a vSphere Client Plug in 20 Identify DNS Services 20 Set the vShield Manager Date and Time 21 Identify a Proxy Server 21 Download a Technical Support Log fro...

Page 4: ...Events 40 Syslog Format 40 View the Audit Log 41 9 Uninstalling vShield Components 43 Uninstall a vShield App or vShield Zones 43 Uninstall a vShield Edge from a Port Group 44 Uninstall Port Group Iso...

Page 5: ...n Application Port Pair Mapping 67 Hide the Port Mappings Table 67 13 App Firewall Management 69 Using App Firewall 69 Securing Containers and Designing Security Groups 69 Default Rules 70 Layer 4 Rul...

Page 6: ...hield OVA File Cannot Be Installed in vSphere Client 131 Cannot Log In to CLI After the vShield Manager Virtual Machine Starts 132 Cannot Log In to the vShield Manager User Interface 132 Troubleshooti...

Page 7: ...amiliar to you For definitions of terms as they are used in VMware technical documentation go to http www vmware com support pubs Document Feedback VMware welcomes your suggestions for improving our d...

Page 8: ...on labs case study examples and course materials designed to be used as on the job reference tools Courses are available onsite in the classroom and live online For onsite pilot programs and implemen...

Page 9: ...VMware Inc 9 vShield Manager and vShield Zones...

Page 10: ...vShield Administration Guide 10 VMware Inc...

Page 11: ...n be configured through a web based user interface a vSphere Client plug in a command line interface CLI and REST API To run vShield you need one vShield Manager virtual machine and at least one vShie...

Page 12: ...eate access control policies regardless of network topology A vShield App monitors all traffic in and out of an ESX host including between virtual machines in the same port group vShield App includes...

Page 13: ...the current ESX host undergoes a reboot or maintenance mode routine Each vShield Edge should move with its secured port group to maintain security settings and services vShield App and Port Group Iso...

Page 14: ...vShield Administration Guide 14 VMware Inc...

Page 15: ...ser window and type the IP address assigned to the vShield Manager The vShield Manager user interface opens in an SSH session 2 Accept the security certificate The vShield Manager login screen appears...

Page 16: ...and Secured Port Groups The Hosts Clusters view displays the datacenters clusters resource pools and ESX hosts in your inventory The Networks view displays the VLAN networks and port groups in your i...

Page 17: ...s that can be configured based on the selected inventory resource and the output of vShield operation Each resource offers multiple tabs each tab presenting information or configuration forms correspo...

Page 18: ...vShield Administration Guide 18 VMware Inc...

Page 19: ...vShield Manager is installed as a virtual machine log in to the vShield Manager user interface to connect to your vCenter Server This enables the vShield Manager to display your VMware Infrastructure...

Page 20: ...from the vShield Manager inventory panel 4 Click the Configuration tab The vCenter screen appears 5 Under vSphere Plug in click Register Registration might take a few minutes 6 Log in to the vSphere...

Page 21: ...figure the vShield Manager to use the proxy server The vShield Manager supports application level HTTP HTTPS proxies such as CacheFlow and Microsoft ISA Server To identify a proxy server 1 Click Setti...

Page 22: ...software running on your vShield components The Update Status tab appears See View the Current System Software on page 35 Add an SSL Certificate to Identify the vShield Manager Web Service You can ge...

Page 23: ...figuration tab 3 Click SSL Certificate 4 Under Import Signed Certificate click Browse at Certificate File to find the file 5 Select the type of certificate file from the Certificate File drop down lis...

Page 24: ...vShield Administration Guide 24 VMware Inc...

Page 25: ...ones Firewall rules at the datacenter cluster and port group levels to provide a consistent set of rules across multiple vShield Zones instances under these containers As membership in these container...

Page 26: ...s Container level precedence refers to recognizing the datacenter level as being higher in priority than the cluster level When a rule is configured at the datacenter level the rule is inherited by al...

Page 27: ...addresses in the Source and Destination fields and port numbers in the Source Port and Destination Port fields 7 Optional Select the new row and click Up to move the row up in priority 8 Optional Sel...

Page 28: ...ort and Destination Port fields 7 Optional Select the new row and click Up to move the row up in priority 8 Optional Select the Log check box to log all sessions matching this rule 9 Click Commit to s...

Page 29: ...ive sessions against the current firewall rules 1 Update and commit the Zones Firewall rule set at the appropriate container level 2 Open a console session on a vShield Zones instance issue the valida...

Page 30: ...s Firewall Rule You can delete any App Firewall rule you have created You cannot delete the any rules in the Default Rules section of the table To delete an App Firewall rule 1 Click an existing row i...

Page 31: ...page 33 Managing User Rights Within the vShield Manager user interface a user s rights define the actions the user is allowed to perform on a given resource Rights determine the user s authorized acti...

Page 32: ...Full Name for identification purposes 6 Optional Type an Email Address 7 Type a Password for login 8 Re type the password in the Retype Password field 9 Click OK After account creation you configure...

Page 33: ...your changes Delete a User Account You can delete any created user account You cannot delete the admin account Audit records for deleted users are maintained in the database and can be referenced in a...

Page 34: ...vShield Administration Guide 34 VMware Inc...

Page 35: ...e available as offline updates When an update is made available you can download the update to your PC and then upload the update by using the vShield Manager user interface When the update is uploade...

Page 36: ...upgraded when the status of the last vShield App is displayed as Finished 7 After the vShield Manager reboots click the Update Status tab 8 Click Reboot Manager if prompted 9 Click Finish Install to c...

Page 37: ...ation tab 3 Click Backups 4 Optional Select the Exclude System Events check box if you do not want to back up system event tables 5 Optional Select the Exclude Audit Logs check box if you do not want...

Page 38: ...ype the User Name required to login to the backup system 11 Type the Password associated with the user name for the backup system 12 In the Backup Directory field type the absolute path where backups...

Page 39: ...he System Event Report The vShield Manager aggregates system events into a report that can be filtered by vShield App and event severity To view the System Event report 1 Click Settings Reports from t...

Page 40: ...log follow command Run show log follow command Run show log follow command Syslog NA See Syslog Format on page 40 e1000 mgmt e1000_watchdog_task NIC Link is Up Down 100 Mbps Full Duplex For scripting...

Page 41: ...anager users The vShield Manager retains audit log data for one year after which time the data is discarded To view the Audit Log 1 Click Settings Reports from the vShield Manager inventory panel 2 Cl...

Page 42: ...vShield Administration Guide 42 VMware Inc...

Page 43: ...t 2 Select the ESX host from the inventory tree 3 Click the vShield tab 4 Click Uninstall for the vShield App or vShield Zones service The instance is uninstalled Uninstalling vShield Components 9 NOT...

Page 44: ...bled Port Group Isolation you must migrate or power off the virtual machines on the ESX host from which you want to uninstall a vShield Edge Uninstalling Port Group Isolation places the ESX host in ma...

Page 45: ...d for 40007 SVM with moid not registered 40015 vmId is malformatted or of incorrect length Uninstall the vShield Endpoint Module from the vSphere Client Uninstalling an vShield Endpoint module puts th...

Page 46: ...vShield Administration Guide 46 VMware Inc...

Page 47: ...VMware Inc 47 vShield Edge and Port Group Isolation...

Page 48: ...vShield Administration Guide 48 VMware Inc...

Page 49: ...cify a Remote Syslog Server on page 50 Managing the vShield Edge Firewall on page 50 Manage NAT Rules on page 51 Manage DHCP Service on page 52 Manage VPN Service on page 53 Manage Load Balancer Servi...

Page 50: ...e a vShield Edge Firewall Rule vShield Edge firewall rules police traffic based on the following criteria You can add destination and source port ranges to a rule for dynamic services such as FTP and...

Page 51: ...issue the validate sessions command from the CLI of a vShield Edge instance to purge sessions that are in violation of current policy To validate active sessions against the current firewall rules 1...

Page 52: ...nal interface on the vShield Edge as the default gateway address for all clients and the broadcast and subnet mask values of the internal interface for the container network To add a DHCP IP pool 1 In...

Page 53: ...ed Port Group At this time vShield Edge supports pre shared key mode IP unicast traffic and no dynamic routing protocol between the vShield Edge and remote VPN routers Behind each remote VPN router yo...

Page 54: ...er Site Configuration click Create Site 6 Type a name to identify the site in Site Name 7 Type the IP address of the site in Remote EndPoint 8 Type the Shared Secret 9 Type an MTU threshold 10 Click A...

Page 55: ...nventory Networking 2 Select an internal port group that is protected by a vShield Edge 3 Click the vShield Edge tab 4 Click the Load Balancer link 5 Click Add Rule above the External IP Addresses tab...

Page 56: ...select a service and click Start to start the service Select a service and click Stop to stop a running service 6 If a service has been started but is not responding click Refresh Status to send a syn...

Page 57: ...VMware Inc 57 vShield App and vShield Endpoint...

Page 58: ...vShield Administration Guide 58 VMware Inc...

Page 59: ...s and make the rules easier to track You can monitor the health of vShield App instances by using the vShield Manager user interface and by sending vShield App system events to a syslog server This ch...

Page 60: ...the health of a vShield App Details include system statistics status of interfaces software version and environmental variables To view the health of a vShield App 1 Log in to the vShield Manager user...

Page 61: ...art 6 Click OK in the pop up window to confirm reboot View Traffic Statistics by vShield App Interface You can view the traffic statistics for each vShield interface To view traffic statistics by vShi...

Page 62: ...vShield Administration Guide 62 VMware Inc...

Page 63: ...arts on page 64 Change the Date Range of the Flow Monitoring Charts on page 64 View the Flow Monitoring Report on page 64 Add an App Firewall Rule from the Flow Monitoring Report on page 65 Editing Po...

Page 64: ...a datacenter or cluster resource from the resource tree 3 Click the vShield App tab 4 Click Flow Monitoring The charts are updated to display the most current information for the last seven days This...

Page 65: ...allow or deny rule App Firewall rule creation from Flow Monitoring data is available at the datacenter and cluster levels only To add an App Firewall rule from the Flow Monitoring report 1 In the vSph...

Page 66: ...nown applications and protocols their respective ports and a description vShield recognizes common protocol and port mappings such as HTTP over port 80 Your organization might employ an application or...

Page 67: ...ing from the table When you delete a mapping any traffic to the application port pair is listed as Uncategorized in the Flow Monitoring statistics To delete an application port pair mapping 1 Go to In...

Page 68: ...vShield Administration Guide 68 VMware Inc...

Page 69: ...onsistent set of rules across multiple vShield App instances under these containers As membership in these containers can change dynamically App Firewall maintains the state of existing sessions witho...

Page 70: ...ble that matches the traffic parameters is enforced The rules are enforced in the following hierarchy 1 Data Center High Precedence Rules 2 Cluster Level Rules 3 Data Center Low Precedence Rules seen...

Page 71: ...d A new appears below the selected row 6 Double click each cell in the new row to select the appropriate information You can type IP addresses in the Source and Destination fields and port numbers in...

Page 72: ...e 9 Click Commit to save the rule To create a firewall rule at the port group level 1 In the vSphere Client go to Inventory Networking 2 Select a port group from the resource tree 3 Click the vShield...

Page 73: ...to log all sessions matching this rule 9 Click Commit Creating and Protecting Security Groups The Security Groups feature enables you to create custom containers to which you can assign resources such...

Page 74: ...By default a vShield Edge matches firewall rules against each new session After a session has been established any firewall rule changes do not affect active sessions The CLI command validate sessions...

Page 75: ...it Using SpoofGuard After synchronizing with the vCenter Server the vShield Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine Up to vShi...

Page 76: ...s assignments you must approve IP address assignments to allow traffic from those virtual machines to pass To approve an IP address 1 In the vShield Manager user interface go to the Hosts and Clusters...

Page 77: ...n the Approved IP Address pop up window 7 Click Apply 8 Click Publish Changes Delete an IP Address You can delete a MAC to IP address assignment from the SpoofGuard table to clean the table of a virtu...

Page 78: ...vShield Administration Guide 78 VMware Inc...

Page 79: ...sident thin agent To view vShield Endpoint status 1 In the vSphere Client go to Inventory Hosts and Clusters 2 Select a datacenter cluster or ESX host resource from the resource tree 3 Click the vShie...

Page 80: ...ents affecting the health status of the vShield Endpoint module Table 14 1 Warnings Marked Yellow Possible Cause Action SVM is registered but vShield Endpoint module does not see any virtual machines...

Page 81: ...nts Those virtual machines are not protected while this warning persists This is usually a transient alarm that does not require attention If it persists or turns to red look at the vCenter Server eve...

Page 82: ...SM_SVM_EVENT_DROPPED_EVENTS timestamp warning Health Status information has been lost 2006 VSM_SVM_EVENT_MISSING_REPORT timestamp error vShield Manager lost communication with SVM 2007 VSM_SVM_EVENT_R...

Page 83: ...esponding ESX host for example during power up or incoming vMotion 1001 VSM_VM_EVENT_DISCONNECTED VM configured for vShield Endpoint protection will generate this event when loaded on the correspondin...

Page 84: ...number Thin agent initialization failure Successfully found SCSI device to communicate with the security virtual machine SVM Failure to create filter device object or failure to attach to device stac...

Page 85: ...VMware Inc 85 Appendixes...

Page 86: ...vShield Administration Guide 86 VMware Inc...

Page 87: ...elect the vShield virtual machine from the inventory panel and click the Console tab You can log in to the CLI by using the default user name admin and password default You can also use SSH to access...

Page 88: ...commands move the pointer around on the command line Keystrokes Description CTRL A Moves the pointer to beginning of the line CTRL B or the left arrow key Moves the pointer back one character CTRL C...

Page 89: ...nt password and the Privileged mode password are managed separately The default Privileged mode password is the same for each CLI user account You should change the Privileged mode password to secure...

Page 90: ...ser account other than admin 5 Switch to Privileged mode 6 Switch to Configuration mode 7 Delete the admin user account manager config no user admin 8 Save the configuration 9 Run the exit command twi...

Page 91: ...age 102 Show Commands on page 107 Diagnostics and Troubleshooting Commands on page 123 User Administration Commands on page 126 Terminal Commands on page 128 Deprecated Commands on page 129 Administra...

Page 92: ...no before the command Syntax no shutdown CLI Mode Privileged Interface Configuration Example vShield shutdown or vShield config interface mgmt vShield config if shutdown vShield config if no shutdown...

Page 93: ...eld Related Commands disable end Ends the current CLI mode and switches to the previous mode Syntax end CLI Mode Basic Privileged Configuration and Interface Configuration Example vShield end vShield...

Page 94: ...eld configure terminal vShield config interface mgmt vShield config if or vShield config no interface mgmt Related Commands show interface quit Quits Interface Configuration mode and switches to Confi...

Page 95: ...s vShield App CLI Example manager clear vmwall rules Related Commands show vmwall log show vmwall rules cli ssh allow Enable or disable access to the CLI via SSH session Syntax no cli ssh allow CLI Mo...

Page 96: ...s not affected by this command Syntax database erase CLI Mode Privileged Usage Guidelines vShield Manager CLI Example manager database erase enable password Changes the Privileged mode password You sh...

Page 97: ...om an interface use no before the command Syntax no ip address A B C D M CLI Mode Interface Configuration Example vShield config interface mgmt vShield config if ip address 192 168 110 200 24 or vShie...

Page 98: ...0 0 0 0 0 192 168 1 1 Related Commands show ip route manager key Sets a shared key for authenticating communication between a vShield App and the vShield Manager You can set a shared key on any vShie...

Page 99: ...use no before the command Syntax no ntp server HOSTNAME A B C D CLI Mode Configuration Usage Guidelines vShield App CLI Example vShield configure terminal vShield config ntp server 10 1 1 113 or vShi...

Page 100: ...stances Press ENTER to accept a default value Syntax setup CLI Mode Basic Usage Guidelines The Manager key option is applicable to vShield App setup only Example manager config setup Default settings...

Page 101: ...send system events You can also identify one or more syslog servers by using the vShield Manager user interface See Send vShield App System Events to a Syslog Server on page 59 To disable syslog expor...

Page 102: ...mands debug copy Copies one or all packet trace or tcpdump files and exports them to a remote server You must enable the debug packet capture command before you can copy and export files Syntax debug...

Page 103: ...debug packet capture segment 0 host_10 10 11 11_port_8 Related Commands debug copy debug packet display interface debug packet display interface Displays all packets captured by a vShield App or vShie...

Page 104: ...all CLI Mode Privileged Usage Guidelines vShield App CLI Example vShield debug remove tcpdumps all Option Description mgmt u0 p0 The specific vShield App interface from which to capture packets EXPRE...

Page 105: ...Detection sysmgr high Related Commands show services debug service flow src Debugs messages for a service that is processing traffic between a specific source to destination pair You can run the show...

Page 106: ...dst 192 168 110 200 24 4567 Related Commands show services debug show files Shows the tcpdump files that have been saved Syntax debug show files CLI Mode Privileged Usage Guidelines vShield App CLI Ex...

Page 107: ...90 D5 36 C1 mgmt show arp Shows the contents of the ARP cache Syntax show arp CLI Mode Basic Privileged Example vShield show arp IP address HW type Flags HW address Mask Device 192 0 2 130 0x1 0x6 00...

Page 108: ...that are enabled You must enable a debug path by running the debug packet or one of the debug service commands Syntax show debug CLI Mode Basic Privileged Usage Guidelines vShield App CLI Example vSh...

Page 109: ...e hard disk drive capacity for a vShield virtual machine vShield App instances have one disk drive the vShield Manager has two disk drives Syntax show filesystem CLI Mode Basic Privileged Example vShi...

Page 110: ...07 3 Intel Corporation 82371AB EB MB PIIX4 ACPI 07 7 VMware Inc Virtual Machine Communication Interface 0f 0 VMware Inc Abstract SVGA II Adapter 10 0 BusLogic BT 946C BA80C30 MultiMaster 10 11 0 0000...

Page 111: ...rors 0 length 0 overrun 0 CRC 0 frame 0 fifo 0 missed 0 output packets 2754582 bytes 559149291 dropped 0 output errors 0 aborted 0 carrier 0 fifo 0 heartbeat 0 window 0 Related Commands interface show...

Page 112: ...s for a vShield Edge Syntax show kernel message CLI Mode Basic Privileged Usage Guidelines vShield Edge CLI Example vshieldEdge show kernel message Related Commands show kernel message last Option Des...

Page 113: ...ice node dev vcs12 Aug 7 17 32 37 vShield_118 udev 21429 removing device node dev vcsa12 Aug 7 17 32 37 vShield_118 udev 21432 creating device node dev vcs12 Aug 7 17 32 37 vShield_118 udev 21433 crea...

Page 114: ...delines vShield App CLI Example vShield show log events Related Commands show log show log last Shows last n lines of the log Syntax show log last NUM CLI Mode Basic Privileged Example vShield show lo...

Page 115: ...Db Applications SEM Info Nov 15 2005 02 46 23 PM RefreshDb Compiler version pairs found Related Commands show manager log last show manager log last Shows the last n number of events in the vShield Ma...

Page 116: ...ocess list monitor CLI Mode Basic Privileged Usage Guidelines vShield Edge CLI Example vShieldEdge show process list show route Shows the current routes configured on a vShield Edge Syntax show route...

Page 117: ...CLI Mode Basic Privileged Usage Guidelines vShield Edge CLI Example vShieldEdge show service dhcp show service statistics Shows the current status of all services on a vShield Edge Details include the...

Page 118: ...MSRPC Dynamic Port Detection Reverse 62 2050001_SAFLOW SUNRPC Dynamic Port Detection Reverse 63 2050001_SAFLOW ORACLE Dynamic Port Detection 64 2050001_SAFLOW Generic Single Session Inverse Attached 6...

Page 119: ...0 0 0 0 0 7060 0 0 0 0 LISTEN V_Listen tcp 0 0 192 168 110 229 46132 0 0 0 0 LISTEN Related Commands show session manager counters show slots Shows the software images on the slots of a vShield virtu...

Page 120: ...yntax show syslog CLI Mode Basic Privileged Example vShield show syslog var log messages emerg dev tty1 Related Commands syslog show system events Shows the latest vShield Edge system events which hav...

Page 121: ...of memory utilization Syntax show system memory CLI Mode Basic Privileged Example vShield show system mem MemTotal 2072204 kB MemFree 1667248 kB Buffers 83120 kB show system network_connections Shows...

Page 122: ...ple vShield show system uptime 0 day s 8 hour s 50 minute s 26 second s show version Shows the software version currently running on the virtual machine Syntax show version CLI Mode Basic Privileged E...

Page 123: ...iagnostics to a specific location via Secure Copy Protocol SCP You can also export system diagnostics for a vShield virtual machine from the vShield Manager user interface See Download a Technical Sup...

Page 124: ...of a virtual machine protected by a vShield Edge Syntax ping interface addr SOURCE_HOSTNAME A B C D DEST_HOSTNAME A B C D CLI Mode Basic Privileged Usage Guidelines vShield Edge only This command is...

Page 125: ...sh Opens an SSH connection to a remote system Syntax ssh HOSTNAME A B C D CLI Mode Basic Privileged Example vShield ssh server123 telnet Opens a telnet session to a remote system Syntax telnet HOSTNAM...

Page 126: ...16 67 118 10 16 67 118 1 120 ms 1 054 ms 1 273 ms validate sessions Validates the existing sessions against the current set of firewall rules Syntax validate sessions CLI Mode Privileged Usage Guideli...

Page 127: ...the vShield Manager is installed To stop the web service HTTP daemon on the vShield Manager use no before the command This command makes the vShield Manager unavailable to Web Console browser sessions...

Page 128: ...et CLI Mode Basic Privileged Configuration Example manager reset Related Commands terminal length terminal no length terminal length Sets the number of rows to display at a time in the CLI terminal Sy...

Page 129: ...table lists deprecated commands Table A 1 Deprecated Commands Command close support tunnel copy http URL slot 1 2 copy http URL temp copy scp URL slot 1 2 copy scp URL temp debug export snapshot debug...

Page 130: ...vShield Administration Guide 130 VMware Inc...

Page 131: ...ager Installation vShield OVA File Extracted to a PC Where vSphere Client Is Not Installed Problem I obtained the vShield OVA file and downloaded it to my PC If I do not have the vSphere Client on my...

Page 132: ...om the vShield Manager there is a break in connectivity between the two virtual machines The vShield management interface cannot talk to the vShield Manager management interface Make sure that the man...

Page 133: ...cause No Flow Data Displaying in Flow Monitoring Problem I have installed the vShield Manager and a vShield App When I opened the Flow Monitoring tab I did not see any data Solution This might be the...

Page 134: ...creates the following entities Creates a user named vslauser and sets a default password To see if the user was added vi etc passwd Adds the role vslauser and associates the user vslauser to the role...

Page 135: ...physical network for such unicasts There is also a chance of more than one vShield Manager Port Group Isolation vCenter installations on the same network In that case some of the host key MAC address...

Page 136: ...tries This will take care of things like VMs moving to different hosts or to make sure that the table does not grow too much in size with stale mac entries The used age seen bits represent the flags u...

Page 137: ...Sec service is running on the vShield Edge To verify using the CLI command show service ipsec IPSec service has to be started by issuing the start command If ipsec is running and any errors have occur...

Page 138: ...atrix available after 1 0 for version compatibility checking To retrieve version numbers for the various components do the following SVM strings libEPSec so grep BUILD_NUMBER provides the build number...

Page 139: ...vel Rules 26 70 command syntax 88 configuration mode of CLI 88 configure terminal 92 connecting to vCenter Server 19 copy running config startup config 95 Create User 32 D data on demand backups 37 re...

Page 140: ...s for vShield Endpoint 80 hostname 97 Hosts Clusters view 16 HTTP proxy 21 I installing updates 35 interface 94 interface mode of CLI 88 inventory panel 16 ip address 97 ip name server 97 ip route 98...

Page 141: ...w Report 64 show route 116 show running config 116 show service 117 show service statistics 117 show services 118 show session manager counters 118 show session manager sessions 119 show slots 119 sho...

Page 142: ...about 12 CLI configuration 60 forcing sync 60 notification based on events 40 restarting 61 sending events to syslog server 59 System Status 60 traffic stats 61 uninstall 43 vShield Edge about 12 add...

Page 143: ...43 Zones Firewall 25 vSphere Plug in 20 W web manager 127 write 101 write erase 102 write memory 102 Z Zones Firewall 25 adding L2 L3 rules 28 adding L4 rules 27 deleting rules 30 hierarchy of rules...

Page 144: ...vShield Administration Guide 144 VMware Inc...

Reviews:

No comments