VMware, Inc.
75
Chapter 13 App Firewall Management
Revert to a Previous App Firewall Configuration
The vShield Manager saves a snapshot of App Firewall settings each time you commit a new rule. Clicking Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the new rule. These snapshots are available from the Revert to Snapshot drop-down list.
To revert to a previous App Firewall configuration
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the inventory panel.
3 Click the vShield App tab.
4 Click App Firewall.
5 From the Revert to Snapshot drop-down list, select a snapshot.
Snapshots are presented in the order of timestamps, with the most recent snapshot listed at the top.
6 View snapshot configuration details.
7 Do one of the following:
  To return to the current configuration, select the "-" option from the Revert to Snapshot drop-down list.
  Click Commit to overwrite the current configuration with the snapshot configuration.
Delete an App Firewall Rule
You can delete any App Firewall rule you have created. You cannot delete any rules in the Default Rules section of the table.
To delete an App Firewall rule
1 Click an existing row in the App Firewall table.
2 Click Delete.
3 Click Commit.
Using SpoofGuard
After synchronizing with the vCenter Server, the vShield Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. Up to vShield 4.1, vShield trusted the IP address provided by VMware Tools on a virtual machine. However, if a virtual machine has been compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies.
SpoofGuard allows you to authorize the IP addresses reported by VMware Tools, and alter them if necessary to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and the vSphere SDK. SpoofGuard operates separately from the App Firewall rules; you can use it to block traffic determined to be spoofed.
When enabled, you can use SpoofGuard to monitor and manage the IP addresses reported by your virtual machines in one of the following modes.
Automatically Trust IP Assignments On Their First Use: This mode allows all traffic from your virtual machines to pass while building a table of MAC-to-IP address assignments. You can review this table at your convenience and make IP address changes.
Manually Inspect and Approve All IP Assignments Before Use: This mode blocks all traffic until you approve each MAC-to-IP address assignment.
NOTE SpoofGuard inherently allows DHCP requests regardless of the enabled mode. However, in manual inspection mode, traffic does not pass until the DHCP-assigned IP address has been approved.
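The two SpoofGuard modes and the DHCP exception described above, modelled as a small per-frame policy check so the difference between first-use trust and manual approval can be traced. This is an added example, not vShield code or its API; the MAC address, the IP addresses, the sample traffic and the assumption that a MAC later claiming an IP other than its recorded one is blocked until the operator changes the binding are all constructed for illustration.

```python
# Illustrative model of SpoofGuard-style MAC-to-IP enforcement.
# Added example, not vShield's implementation; it only reproduces the
# behaviour the guide describes for the two modes and the DHCP exception.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Mode(Enum):
    AUTO_TRUST_FIRST_USE = "auto"   # trust the first IP seen per MAC
    MANUAL_APPROVE = "manual"       # block until the operator approves


@dataclass
class Binding:
    ip: str
    approved: bool


@dataclass
class SpoofGuard:
    mode: Mode
    # MAC addresses are inherently trusted (collected from VMX files / SDK);
    # the table records which IP each MAC may use and whether it was approved.
    bindings: Dict[str, Binding] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def approve(self, mac: str, ip: str) -> None:
        """Operator approves (or corrects) the IP a MAC may use."""
        self.bindings[mac] = Binding(ip, approved=True)

    def pending(self) -> List[Tuple[str, str]]:
        """MAC-to-IP assignments seen but not yet approved (manual mode)."""
        return [(m, b.ip) for m, b in self.bindings.items() if not b.approved]

    def check(self, mac: str, src_ip: str, dhcp_request: bool = False) -> bool:
        """Return True if a frame from `mac` claiming `src_ip` may pass."""
        # DHCP requests pass in either mode, so a VM can still obtain a lease.
        if dhcp_request:
            return True
        binding = self.bindings.get(mac)
        if binding is None:
            if self.mode is Mode.AUTO_TRUST_FIRST_USE:
                # First use: record the assignment and trust it.
                self.bindings[mac] = Binding(src_ip, approved=True)
                self.events.append(f"learned {mac} -> {src_ip}")
                return True
            # Manual mode: record the assignment for review, block until approved.
            self.bindings[mac] = Binding(src_ip, approved=False)
            self.events.append(f"pending {mac} -> {src_ip}")
            return False
        if binding.ip != src_ip:
            # Assumption (not stated by the guide): a MAC using an IP other than
            # its recorded one is treated as spoofed until the binding is changed.
            self.events.append(f"spoof {mac} claims {src_ip}, bound to {binding.ip}")
            return False
        return binding.approved


def run_scenario(mode: Mode) -> Tuple[SpoofGuard, List[bool]]:
    """Replay constructed sample traffic from one VM and collect the verdicts."""
    guard = SpoofGuard(mode)
    mac = "00:50:56:aa:bb:01"          # constructed MAC address
    traffic = [
        (mac, "0.0.0.0", True),        # DHCP discover before the VM has an address
        (mac, "10.0.0.11", False),     # first packet with the DHCP-assigned IP
        (mac, "10.0.0.11", False),     # normal traffic with the same IP
        (mac, "10.0.0.99", False),     # same MAC now claiming a different IP
    ]
    verdicts = [guard.check(m, ip, dhcp_request=d) for m, ip, d in traffic]
    return guard, verdicts


if __name__ == "__main__":
    for mode in Mode:
        guard, verdicts = run_scenario(mode)
        print(mode.name, verdicts, "pending:", guard.pending())
    # In manual mode the operator approves the pending assignment; afterwards
    # traffic with that IP passes while the other IP stays blocked.
    guard, _ = run_scenario(Mode.MANUAL_APPROVE)
    guard.approve("00:50:56:aa:bb:01", "10.0.0.11")
    print(guard.check("00:50:56:aa:bb:01", "10.0.0.11"),
          guard.check("00:50:56:aa:bb:01", "10.0.0.99"))
```

In automatic mode the replay yields allow, allow, allow, block: the first non-DHCP packet establishes the binding and the later address change is rejected. In manual mode the same traffic yields allow, block, block, block until the operator approves the pending assignment, which is the behaviour the NOTE describes for DHCP-assigned addresses.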