vShield Administration Guide
vShield Manager 5.1
vShield App 5.1
vShield Edge 5.1
vShield Endpoint 5.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2010 – 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
vShield Administration Guide 7
1 Overview of vShield 9
About vShield Components 9
Migration of vShield Components 11
About VMware Tools on vShield Components 11
Ports Required for vShield Communication 11
2 vShield Manager User Interface Basics 13
Log in to the vShield Manager User Interface 13
About the vShield Manager User Interface 14
3 Management System Settings 17
Edit DNS Servers 17
Edit the vShield Manager Date and Time 18
Edit Lookup Service Details 18
Edit vCenter Server 18
Specify
Restore a Backup 40
7 System Events and Audit Logs 43
View the System Event Report 43
vShield Manager Virtual Appliance Events 43
vShield App Events 44
About the Syslog Format 45
View the Audit Log 45
8 VXLAN Virtual Wires Management 47
Preparing your Network for VXLAN Virtual Wires 48
Create a VXLAN Virtual Wire 49
Connect Virtual Machines to a VXLAN Virtual Wire 51
Test VXLAN Virtual Wire Connectivity 52
Viewing Flow Monitoring Data for a VXLAN Virtual Wire 53
Working wit
Delete a Service 149
Edit a Service Profile 149
Delete a Service Profile 150
11 vShield App Management 151
Sending vShield App System Events to a Syslog Server 151
Viewing the Current System Status of a vShield App 152
Restart a vShield App 152
Forcing a vShield App to Synchronize with the vShield Manager
Viewing Traffic Statistics by vShield App Interface 153
Download Technical Support Logs for vShield App 153
Configuring Fail Safe Mode for vShield App Firewall 153
Excluding Virtual Machines fr
Index 229
VMware, Inc.
vShield Administration Guide
The vShield Administration Guide describes how to install, configure, monitor, and maintain the VMware® vShield™ system by using the vShield Manager user interface and the vSphere Client plug-in. The information includes step-by-step configuration instructions and suggested best practices.

Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment.
1 Overview of vShield
VMware® vShield is a suite of security virtual appliances built for VMware vCenter Server and VMware ESX integration. vShield is a critical security component for protecting virtualized datacenters from attacks and helping you achieve your compliance-mandated goals.

This guide assumes you have administrator access to the entire vShield system. The viewable resources in the vShield Manager user interface can differ based on the assigned role and rights of a user, and licensing.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™ operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.

The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.
- 80/TCP to 443/TCP for using the vShield Manager user interface and initiating connection to the vSphere SDK
- 22/TCP for troubleshooting the CLI
2 vShield Manager User Interface Basics
The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel for a complete view of your vCenter environment.

NOTE You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield components from within the vSphere Client.
About the vShield Manager User Interface
The vShield Manager user interface is divided into two panels: the inventory panel and the configuration panel. You select a view and a resource from the inventory panel to open the available details and configuration options in the configuration panel. When clicked, each inventory object has a specific set of tabs that appear in the configuration panel.
Refreshing the Inventory Panel
To refresh the list of resources in the inventory panel, click the Refresh ( ) icon. The refresh action requests the latest resource information from the vCenter Server. By default, the vShield Manager requests resource information from the vCenter Server every five minutes.

Searching the Inventory Panel
To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager inventory panel and click the Search ( ) icon.
3 Management System Settings
You can edit the vCenter Server, DNS and NTP server, and Lookup server that you specified during initial login. The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP to provide details on your VMware Infrastructure inventory.
Edit the vShield Manager Date and Time
You can change the NTP server specified during initial login.

Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to NTP Server.
5 Make the appropriate changes.
6 Click OK.
7 Reboot the vShield Manager.

Edit Lookup Service Details
You can change the Lookup Service details specified during initial login.
What to do next
You can install and configure vShield components from the vSphere Client.

Specify Syslog Server
If you specify a syslog server, vShield Manager sends all audit logs and system events from vShield Manager to the syslog server.

Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to Syslog Server.
Add an SSL Certificate to Identify the vShield Manager Web Service
You can generate a certificate signing request, get it signed by a CA, and import the signed SSL certificate into vShield Manager to authenticate the identity of the vShield Manager web service and encrypt information sent to the vShield Manager web server.
Add a Cisco Switch to vShield Manager
You can add a Cisco switch to vShield Manager and manage its implementation.

Prerequisites
The N1K switch must have been installed on vCenter Server.

Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Ensure that you are in the Configuration tab.
3 Click the Networking tab.
4 Click Add Switch Provider.
5 Type a name for the switch.
3 Select Add > Service.
4 Type a Name to identify the service.
5 Type a Description for the service.
6 Select a Protocol to which you want to add a non-standard port.
7 Type the port number(s) in Ports.
8 (Optional) When creating a service at the global or datacenter scope, select Enable inheritance to allow visibility at underlying scopes to make this service available to underlying scopes.
9 Click OK.
The service appears in the Services table.
Edit a Service or Service Group
You can edit services and service groups. A service or service group can be edited at the scope at which it was defined. For example, if a service was defined at the global scope, it cannot be edited at the vShield Edge scope.

Procedure
1 Do one of the following.
Option: To edit a service at the global scope
a In the vSphere Client, go to Inventory > Hosts & Clusters.
Option: To delete a service at the port group scope
a In the vSphere Client, go to Inventory > Networking.
b Select a network from the inventory panel.
c Click the vShield tab.
Option: To delete a service at the vShield Edge scope
a In the vSphere Client, go to Inventory > Hosts & Clusters.
b Select a datacenter resource from the inventory panel.
c Click the Network Virtualization tab.
d Click the Edges tab.
e Double-click a vShield Edge instance.
3 Click the Add ( ) icon and select IP Addresses.
The Add IP Addresses window opens.
4 Type a name for the address group.
5 (Optional) Type a description for the address group.
6 Type the IP addresses to be included in the group.
7 (Optional) When creating an IP address group at the global or datacenter scope, select Enable inheritance to allow visibility at underlying scopes to make this IP address group available to underlying scopes.
8 Click OK.
Delete an IP Address Group
An IP address group can be deleted at the scope at which it was defined. For example, if an IP address group was defined at the global scope, it cannot be deleted at the vShield Edge scope.

Procedure
1 Do one of the following.
2 Click the Add ( ) icon and select MAC Addresses.
The Add MAC Addresses window opens.
3 Type a name for the address group.
4 (Optional) Type a description for the address group.
5 Type the MAC addresses to be included in the group.
6 Select Enable inheritance to allow visibility at underlying scopes if you want the MAC address group to propagate down to objects in the selected datacenter.
7 Click OK.
Delete a MAC Address Group
A MAC address group can be deleted at the scope at which it was defined. For example, if a MAC address group was defined at the global scope, it cannot be deleted at the vShield Edge scope.

Procedure
1 Do one of the following.
2 Click Add and select Security Group.
The Add Security Group window opens with the selected datacenter displayed as the Scope.
3 Type a name and description for the security group.
4 Click in the field next to the Add button and select the resource you want to include in the security group.
5 In Members, select one or more resources to add to the security group. When you add a resource to a security group, all associated resources are automatically added.
2 Select the group that you want to delete and click the Delete ( ) icon.
4 User Management
Security operations are often managed by multiple individuals. Management of the overall system is delegated to different personnel according to some logical categorization. However, permission to carry out tasks is limited to users with appropriate rights to specific resources. From the Users section, you can delegate such resource management to users by granting applicable rights.
2 Click the Configuration tab.
3 Ensure that you are in the General tab.
4 Click Edit next to Lookup Service.
5 Type the name or IP address of the host that has the lookup service.
6 Change the port number if required.
The Lookup Service URL is displayed based on the specified host and port.
7 Type the SSO user name and password.
This enables vShield Manager to register itself with the Security Token Service server.
8 Click OK.
Managing the Default User Account
The vShield Manager user interface includes a local user account, which has access rights to all resources. You cannot edit the rights of or delete this user. The default user name is admin and the default password is default. Change the password for this account upon initial login to the vShield Manager. See “Edit a User Account,” on page 35.
5 Type the vCenter User name for the user.
NOTE If the vCenter user is from a domain (such as an SSO user), you must enter a fully qualified Windows domain path. This allows the default vShield Manager user (admin) as well as the SSO default user (admin) to log in to vShield Manager.
This user name is for login to the vShield Manager user interface, and cannot be used to access the vShield App or vShield Manager CLIs.
6 Click Next.
User option | Value
Name | Joseph
Belongs to group | G1, G2
Role assigned | None

Joseph belongs to groups G1 and G2 and inherits a combination of the rights and permissions of the Auditor and Security Administrator roles.
2 Click the Users tab.
3 Select the user whose role you want to change.
4 Click Change Role.
5 Make changes as necessary.
6 Click Finish to save your changes.

Disable or Enable a User Account
You can disable a user account to prevent that user from logging in to the vShield Manager. You cannot disable the admin user.

Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Select a user account.
5 Updating System Software
vShield software requires periodic updates to maintain system performance. Using the Updates tab options, you can install and track system updates.
- View the Current System Software on page 37
  You can view the current installed versions of vShield component software or verify if an update is in progress.
- Upload an Update on page 37
  vShield updates are available as offline updates.
6 Click Update Status and then click Install.
7 Click Confirm Install to confirm update installation.
There are two tables on this screen. During installation, you can view the top table for the description, start time, success state, and process state of the current update. View the bottom table for the update status of each vShield App. All vShield App instances have been upgraded when the status of the last vShield App is displayed as Finished.
6 Backing Up vShield Manager Data
You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. You can, however, exclude system and audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager. Backups can be executed according to a schedule or on demand.
13 From the Transfer Protocol drop-down menu, select either SFTP or FTP.
14 Click Backup.
Once complete, the backup appears in a table below this form.
15 Click Save Settings to save the configuration.

Schedule a Backup of vShield Manager Data
You can only schedule the parameters for one type of backup at any given time. You cannot schedule a configuration-only backup and a complete data backup to run simultaneously.
2 Click the Configuration tab.
3 Click Backups.
4 Click View Backups to view all available backups saved to the backup server.
5 Select the check box for the backup to restore.
6 Click Restore.
7 Click OK to confirm.
7 System Events and Audit Logs
System events are events that are related to vShield operation. They are raised to detail every operational event, such as a vShield App reboot or a break in communication between a vShield App and the vShield Manager. Events might relate to basic operation (Informational) or to a critical error (Critical).
Table 7-2. vShield Manager Virtual Appliance Events
Event | Local CLI | GUI
CPU | Run show process monitor command. | NA
Memory | Run show system memory command. | NA
Storage | Run show filesystem command. | NA

vShield App Events
The following events are specific to vShield App virtual appliances.

Table 7-3. vShield App Events
Event | Local CLI
Power Off | Run show log follow command.
Power On | Run show log follow command.
Interface Down | Run show log follow command.
Interface Up |
About the Syslog Format
The system event message logged in the syslog has the following structure.
syslog header (timestamp + hostname + sysmgr/)
Timestamp (from the service)
Name/value pairs
Name and value separated by delimiter '::' (double colons)
Each name/value pair separated by delimiter ';;' (double semi-colons)
The fields and types of the system event contain the following information.
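As an added example (not code from the vShield product or this guide), the Python below parses lines in the layout just described and picks out Critical events for alerting; the sample lines are constructed, and the field names severity, module and message in them are assumptions rather than the guide's field list.

```python
"""Parser for the vShield system-event syslog line layout described above.

Added example; this is not code from the vShield product or its guide.
Assumed layout, taken from the text: a syslog header (timestamp, hostname,
"sysmgr/"), a timestamp from the service, then name/value pairs in which
name and value are separated by '::' and pairs are separated by ';;'.
The field names (severity, module, message) in the constructed samples
are hypothetical; the guide's field list is not reproduced here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines in the assumed layout (not captured output).
# The second line carries a single colon inside a value and a trailing ';;'.
SAMPLE_LINES = [
    "Jan 10 14:23:05 vsm-host sysmgr/ 2012-01-10T14:23:05Z "
    "severity::Critical;;module::vShield App;;"
    "message::Lost communication with vShield App",
    "Jan 10 14:25:17 vsm-host sysmgr/ 2012-01-10T14:25:17Z "
    "severity::Informational;;module::vShield Manager;;"
    "message::Backup completed at 14:25;;",
]

HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # syslog timestamp
    r"(?P<host>\S+) sysmgr/ "                                     # hostname + sysmgr/
    r"(?P<service_ts>\S+) "                                       # timestamp from the service
    r"(?P<body>.*)$"                                              # name/value pairs
)


@dataclass
class SystemEvent:
    syslog_timestamp: str
    hostname: str
    service_timestamp: str
    fields: Dict[str, str]


def parse_pairs(body: str) -> Dict[str, str]:
    """Split 'name::value;;name::value' into a dict.

    A pair lacking the '::' delimiter is rejected rather than silently
    dropped, so a truncated or tampered line is noticed; single colons
    inside a value (for example a time) are left intact because only the
    first '::' splits name from value.
    """
    fields: Dict[str, str] = {}
    for pair in body.split(";;"):
        if not pair.strip():
            continue  # tolerate a trailing ';;'
        if "::" not in pair:
            raise ValueError(f"malformed name/value pair: {pair!r}")
        name, value = pair.split("::", 1)
        fields[name.strip()] = value.strip()
    return fields


def parse_event(line: str) -> SystemEvent:
    """Parse one full syslog line into its header parts plus field dict."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("line does not start with the expected syslog header")
    return SystemEvent(
        syslog_timestamp=m.group("syslog_ts"),
        hostname=m.group("host"),
        service_timestamp=m.group("service_ts"),
        fields=parse_pairs(m.group("body")),
    )


def is_well_formed(line: str) -> bool:
    """True when the line parses under the layout above."""
    try:
        parse_event(line)
        return True
    except ValueError:
        return False


def critical_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, message) for every Critical event, for alerting."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.fields.get("severity") == "Critical":
            hits.append((ev.hostname, ev.fields.get("message", "")))
    return hits


if __name__ == "__main__":
    for hostname, msg in critical_events(SAMPLE_LINES):
        print(f"CRITICAL on {hostname}: {msg}")
```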
8 VXLAN Virtual Wires Management
In large cloud deployments, applications within virtual networks may need to be logically isolated. For example, a three-tier application can have multiple virtual machines requiring logically isolated networks between the virtual machines. Traditional network isolation techniques such as VLAN (4096 LAN segments through a 12-bit VLAN identifier) may not provide enough segments for such deployments.
- “Viewing Flow Monitoring Data for a VXLAN Virtual Wire,” on page 53
- “Working with Firewall Rules for VXLAN Virtual Wires,” on page 53
- “Prevent Spoofing on a VXLAN Virtual Wire,” on page 54
- “Editing Network Scopes,” on page 54
- “Edit a VXLAN Virtual Wire,” on page 55
- “Sample Scenario for Creating VXLAN Virtual Wires,” on page 56

Preparing your Network for VXLAN Virtual Wires
You must prepare your network for VXLAN virtual wires by specifying a transport VL
7 For each selected cluster, type the VLAN used for VXLAN transport.
For information on retrieving the VLAN ID of the VXLAN VLAN, see the vSphere Networking documentation.
8 Click Next.
9 In Specify Transport Attributes, type the Maximum Transmission Units (MTU) for each virtual distributed switch.
MTU is the maximum amount of data that can be transmitted in one packet before it is divided into smaller packets.
5 Click the Add ( ) icon.
The Add Network Scope dialog box opens.
6 Type a name for the network scope.
7 Type a description for the network scope.
8 Select the clusters you want to add to the network scope.
9 Click OK.

Add a VXLAN Virtual Wire
After you prepare the VXLAN fabric, you can add a VXLAN virtual wire.
6 Click the More Actions ( ) icon and select Connect to Edge.
7 Select the vShield Edge to which you want to connect the VXLAN virtual wire.
8 Click Select.
9 In the Redirect to Selected Edge dialog box, click Continue.
10 In the Edit Edge Interface dialog box, type a name for the vShield Edge interface.
11 Select Internal or Uplink to indicate whether this is an internal or uplink interface.
6 Click the Virtual Machines tab.
7 Click the Add ( ) icon.
8 In the Connect VNics to this Network dialog box, type the name of the virtual machine in the Search field and click the Search ( ) icon.
All VNics for the virtual machine are displayed.
9 Select the VNics that you want to connect.
10 Click Next.
11 Review the VNics you selected.
12 Click Finish.
Perform Broadcast Test
You can perform a broadcast test to resolve MAC addresses. A single host sends a broadcast message to all other devices on the same network segment.
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Networks tab.
5 In the Name column, click the virtual wire that you want to test.
6 Click the Hosts tab.
Prevent Spoofing on a VXLAN Virtual Wire
After synchronizing with the vCenter Server, vShield Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. vShield does not trust all IP addresses provided by VMware Tools on a virtual machine. If a virtual machine has been compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Network Scope tab.
All network scopes for the selected datacenter are displayed.
5 In the Name column, click a network scope.
6 In Scope Details, click Expand.
The Add Clusters to a Network Scope (Expand) dialog box opens.
7 Select the clusters you want to add to the network scope.
8 Click OK.
Sample Scenario for Creating VXLAN Virtual Wires
This scenario presents a situation where company ACME Enterprise has several ESX hosts on two clusters in a datacenter, ACME_Datacenter. The Engineering (on port group PG-Engineering) and Finance departments (on port group PG-Finance) are on Cluster1. The Marketing department (PG-Marketing) is on Cluster2. Both clusters are managed by a single vCenter Server 5.1.
Figure 8-2.
Figure 8-3. ACME Enterprise implements a VXLAN virtual wire
[Figure: Cluster 1 and Cluster 2, each with its own distributed switch (vDS1, vDS2) and physical switch; Engineering PG, Finance PG and Marketing PG host the VMs; the virtual wire stretches across multiple VLANs/subnets.]
Engineering: VXLAN5000:10.10.1.0/24
Finance: VXLAN5001:10.20.1.0/24
Marketing: VXLAN5002:10.30.1.
John Admin Associates Cluster with Distributed Switches
John Admin must map each cluster that is to participate in a virtualized network to a vDS. When he maps a cluster to a switch, each host in that cluster is enabled for VXLAN virtual wires.

Prerequisites
1 John Admin gets a segment ID pool (4097 - 5010) from ACME's vShield Manager admin and a multicast address range (224.0.0.0 to 239.255.255.255) from ACME's network administrator.
John Admin Assigns Segment ID Pool and Multicast Address Range to vShield Manager
John Admin must specify the segment ID pool he received to isolate Company ABC's network traffic and the multicast address range to help in spreading traffic across the network to avoid overloading a single multicast address.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select ABC_Datacenter from the inventory panel.
2 John Admin has added a network scope.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select ABC_Datacenter from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Networks tab.
5 Click the Add icon.
6 In Name, type ACME virtual wire.
7 In Description, type Virtual wire for extending ACME Engineering network to Cluster2.
8 In Network Scope, select ACME Scope.
9 Review the Scope Details.
10 Click OK.
9 vShield Edge Management
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
View the Status of a vShield Edge
The status page displays graphs for the traffic flowing through the interfaces of the selected vShield Edge and connection statistics for the firewall and load balancer services.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click the vShield Edge instance whose status you want to check.
6 Click the Settings link.
7 In Edge Appliances, click the Add ( ) icon.
8 In the Add Edge Appliance dialog box, select the cluster or resource pool and datastore for the appliance.
9 (Optional) Select the host on which the appliance is to be added.
10 (Optional) Select the vCenter folder within which the appliance is to be added.
11 Click Add.

Change an Appliance
You can change a vShield Edge appliance.
Working with Interfaces
You install a vShield Edge on a datacenter and can add up to ten internal or uplink interfaces. A vShield Edge must have at least one internal interface before it can be deployed.

Add an Interface
You can add up to ten internal and uplink interfaces to a vShield Edge instance. You must add at least one internal interface for HA to work.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
17 In Options, select the required options.
Option | Description
Enable Proxy ARP | Supports overlapping network forwarding between different interfaces.
Send ICMP Redirect | Conveys routing information to hosts.
18 Type the fence parameters and click Add.
19 Repeat Step 8 through Step 18 to add additional interfaces.

Change Interface Settings
You can change the port group or virtual wire to which an interface is connected, and update the IP address of the interface.
Enable an Interface
An interface must be enabled for vShield Edge to isolate the virtual machines within that interface (port group or VXLAN virtual wire).

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the Configure tab.
Working with Certificates
vShield Edge supports self-signed certificates, certificates signed by a Certification Authority (CA), and certificates generated and signed by a CA.

Configure a CA Signed Certificate
You can generate a CSR and get it signed by a CA. If you generate a CSR at the global level, it is available to all vShield Edges in your inventory.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
Add a CA Certificate
By adding a CA certificate, you can become an interim CA for your company. You then have the authority for signing your own certificates.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the Configure tab.
7 Click the Certificates link.
e Select the encryption algorithm for communication between the hosts. Note that SSL VPN-Plus only supports RSA certificates. VMware recommends RSA for backward compatibility.
f Edit the default key size if required.
g Type a description for the certificate.
h Click OK.
The CSR is generated and displayed in the Certificates list.
9 Verify that the certificate you generated is selected.
10 Click the Self Sign Certificate ( ) icon.
9 Copy and paste the list.
10 (Optional) Type a description.
11 Click OK.

Managing the vShield Edge Firewall
vShield Edge provides firewall protection for incoming and outgoing sessions. The default firewall policy blocks all incoming traffic and allows all outgoing traffic. In addition to the default firewall policy, you can configure a set of rules to allow or block traffic sessions to and from specific sources and destinations.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the Firewall tab.
7 Do one of the following.
Option: To add a rule at a specific place in the firewall table
a Select a rule.
b In the No. column, click and select Add Above or Add Below.
Option: To add a rule by copying a rule
a Select a rule.
c Select a rule.
Option: To add a rule anywhere in the firewall table
10 Point to the Source cell of the new rule and click the ( ) icon.
a Select VnicGroup or IPAddresses.
VnicGroup displays vShield Edge (vse), internal (represents all internal interfaces), external (represents all uplink interfaces), and all internal and external interfaces for the vShield Edge. IPAddresses displays all IP address groups.
b Select one or more interfaces or IP address groups.
If you select vse, the rule applies to traffic generated by the vShield Edge.
e To apply the rule to the translated IP address and services for a NAT rule, select Translated IP for Match on.
f Click Enable Rule Direction and select Incoming or Outgoing. VMware does not recommend specifying the direction for firewall rules.
g Click OK.
14 Click Publish Changes to push the new rule to the vShield Edge instance.

What to do next
- Disable a rule by clicking the ( ) icon next to the rule number in the No. column.
Change a vShield Edge Firewall Rule
You can change user-defined firewall rules.

Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click the vShield Edge for which you want to change a rule.
6 Click the Firewall tab.
7 Select the rule to change.
NOTE You cannot change an auto-generated rule or the default rule.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click the vShield Edge for which you want to delete a rule.
6 Click the Firewall tab.
7 Select the rule to delete.
NOTE You cannot delete an auto-generated rule or the default rule.
8 Click the Delete ( ) icon.

Managing NAT Rules
vShield Edge provides network address translation (NAT) service to assign a public address to a computer or group of computers in a private network.
10 Type the translated (public) source IP address in one of the following formats.
Format | Example
IP address | 192.168.10.1
IP address range | 192.168.10.1-192.168.10.10
IP address/subnet | 192.168.10.1/24
any |
11 Select Enabled to enable the rule.
12 Click Enable logging to log the address translation.
13 Click Add to save the rule.
14 Click Publish Changes.
12 Type the translated IP address in one of the following formats.
Format | Example
IP address | 192.168.10.1
IP address range | 192.168.10.1-192.168.10.10
IP address/subnet | 192.168.10.1/24
any |
13 Type the translated port or port range.
Format | Example
Port number | 80
Port range | 80-85
any |
14 Select Enabled to enable the rule.
15 Select Enable logging to log the address translation.
16 Click Add to save the rule.
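As an added example (not code from vShield or this guide), the Python below turns the address formats of steps 10 and 12 and the port formats of step 13 into matchers and walks a constructed rule table top-down to find the first rule whose translated address and port cover a given address and port; the rule names are hypothetical, and the parsing rules are inferred from the format tables rather than taken from the product's own validation.

```python
"""Matcher for the address and port formats that a vShield Edge NAT rule
accepts: a single IP address, a range written low-high, an address with a
/prefix, or 'any'; a port number, a port range low-high, or 'any'.

Added example; not code from the vShield product. The rule table below is
constructed from the guide's example values, and the matching rules are
inferred from the format tables, not taken from the product's validator.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

AddrMatcher = Callable[[str], bool]
PortMatcher = Callable[[int], bool]


def parse_address_spec(spec: str) -> AddrMatcher:
    """Turn an address specification into a predicate over address strings."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda addr: True
    if "/" in spec:
        # The guide's example '192.168.10.1/24' has host bits set, which
        # ip_network() rejects unless strict=False masks them off.
        net = ipaddress.ip_network(spec, strict=False)
        return lambda addr: ipaddress.ip_address(addr) in net
    if "-" in spec:
        lo_text, hi_text = spec.split("-", 1)
        lo = ipaddress.ip_address(lo_text.strip())
        hi = ipaddress.ip_address(hi_text.strip())
        # Check the versions first: comparing v4 with v6 raises TypeError.
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {spec!r}")

        def in_range(addr: str) -> bool:
            a = ipaddress.ip_address(addr)
            return a.version == lo.version and lo <= a <= hi

        return in_range
    single = ipaddress.ip_address(spec)
    return lambda addr: ipaddress.ip_address(addr) == single


def parse_port_spec(spec: str) -> PortMatcher:
    """Turn a port specification into a predicate over port numbers."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda port: True
    if "-" in spec:
        lo_text, hi_text = spec.split("-", 1)
        lo, hi = int(lo_text), int(hi_text)
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return lambda port: lo <= port <= hi


# Constructed rule table; the address and port values are the guide's
# examples, the rule names are hypothetical.
RULES: List[Dict[str, str]] = [
    {"name": "web-dnat", "translated_ip": "192.168.10.1",
     "translated_port": "80"},
    {"name": "range-dnat", "translated_ip": "192.168.10.1-192.168.10.10",
     "translated_port": "80-85"},
    {"name": "subnet-dnat", "translated_ip": "192.168.10.1/24",
     "translated_port": "any"},
    {"name": "catch-all", "translated_ip": "any", "translated_port": "any"},
]


def first_matching_rule(rules: List[Dict[str, str]], addr: str,
                        port: int) -> Optional[str]:
    """Return the name of the first rule whose translated IP and port both
    cover (addr, port), mirroring top-down evaluation of a rule table."""
    for rule in rules:
        ip_ok = parse_address_spec(rule["translated_ip"])(addr)
        port_ok = parse_port_spec(rule["translated_port"])(port)
        if ip_ok and port_ok:
            return rule["name"]
    return None


if __name__ == "__main__":
    for addr, port in [("192.168.10.1", 80), ("192.168.10.5", 83),
                       ("192.168.10.200", 443), ("10.0.0.1", 22)]:
        print(addr, port, "->", first_matching_rule(RULES, addr, port))
```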
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge.
6 Click the Configure tab.
7 Click the Static Routing tab.
8 Click the Add ( ) icon.
9 Select the interface on which you want to add a static route.
10 Type the Network in CIDR notation.
11 Type the IP address of the Next Hop.
12 For MTU, edit the maximum transmission value for the data packets if required.
9 Configure the pool.
Option | Action
Auto Configure DNS | Select to use the DNS service configuration for the DHCP binding.
Lease never expires | Select to bind the address to the MAC address of the virtual machine forever. If you select this, Lease Time is disabled.
Start IP | Type the starting IP address for the pool.
End IP | Type the ending IP address for the pool.
Domain Name | Type the domain name of the DNS server. This is optional.
Option               Action
Host Name            Type the host name of the DHCP client virtual machine.
IP Address           Type the address to which to bind the MAC address of the selected virtual machine.
Domain Name          Type the domain name of the DNS server.
Primary Name Server  If you did not select Auto Configure DNS, type the Primary Nameserver for the DNS service. You must enter the IP address of a DNS server for hostname-to-IP address resolution.
Configuring IPSec VPN Service
You can set up a vShield Edge tunnel between a local subnet and a peer subnet.
1 Configure IPSec VPN Parameters on page 81
You must configure at least one external IP address on the vShield Edge to provide IPSec VPN service.
2 Enable IPSec VPN Service on page 82
You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet.
17 Type the shared key if anonymous sites are to connect to the VPN service.
18 Click Display Shared Key to display the key on the peer site.
19 In Diffie-Hellman (DH) Group, select the cryptography scheme that allows the peer site and the vShield Edge to establish a shared secret over an insecure communications channel.
20 Edit the default MTU if required.
21 Select whether to enable or disable the Perfect Forward Secrecy (PFS) threshold.
9 Click the Edit icon.
The Edit IPSec VPN dialog box opens.
10 Make the appropriate edits.
11 Click OK.
Delete IPSec Service
You can delete an IPSec service.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Ensure that you are in the IPSec VPN tab.
8 Select the IPSec service that you want to disable.
9 Click the Disable icon.
The selected service is disabled.
- Diffie-Hellman (DH) key exchange is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. VSE supports DH group 2 (1024 bits) and group 5 (1536 bits).
IKE Phase 1 and Phase 2
IKE is a standard method used to arrange secure, authenticated communications.
- 3 DH key and nonce, vShield Edge to Cisco
- 4 DH key and nonce, Cisco to vShield Edge
- 5 vShield Edge to Cisco (Encrypted)
- 6 Cisco to vShield Edge (Encrypted)
If the Cisco device does not accept any of the parameters the vShield Edge sent in step one, the Cisco device sends the message with flag NO_PROPOSAL_CHOSEN and terminates the negotiation.
Configure vShield Edge VPN Parameters Example
You must configure at least one external IP address on the vShield Edge to provide IPSec VPN service.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Double-click a vShield Edge instance.
5 Click the VPN tab.
6 Ensure that you are in the IPSec VPN tab.
7 Click the Add icon.
22 Click OK.
vShield Edge creates a tunnel from the local subnet to the peer subnet.
What to do next
Enable the IPSec VPN service.
Enable IPSec VPN Service Example
You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Edge tab.
4 Double-click a vShield Edge gateway.
3 Match Each Peer with Its Pre-Shared Secret
Router# config term
Router(config)# crypto isakmp key vshield address 10.115.199.103
Router(config-isakmp)# exit
4 Define the IPSEC Transform
Router# config term
Router(config)# crypto ipsec transform-set myset esp-3des esp-sha-hmac
Router(config-isakmp)# exit
5 Create the IPSEC Access List
Router# config term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 101 permit ip 172.16.0.
enable password cisco
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vshield address 10.115.199.103
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map MYVPN 1 ipsec-isakmp
 set peer 10.115.199.
 login
line vty 5 15
 password cisco
 login
!
scheduler allocate 20000 1000
!
end
Using a Cisco ASA 5510
Use the following output to configure a Cisco ASA 5510.
ciscoasa# show running-config output
: Saved
:
ASA Version 8.2(1)18
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif untrusted
 security-level 100
 ip address 10.24.120.90 255.255.252.
172.16.0.0 255.255.0.0
access-list 101 extended permit icmp any any
pager lines 24
mtu untrusted 1500
mtu trusted 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any untrusted
icmp permit any trusted
no asdm history enable
arp timeout 14400
access-group 101 in interface untrusted
access-group 101 out interface untrusted
access-group 101 in interface trusted
access-group 101 out interface trusted
route untrusted 10.115.0.0 255.255.0.0 10.24.123.
!
!
prompt hostname context
Cryptochecksum:29c3cc49460831ff6c070671098085a9
: end
Configuring a WatchGuard Firebox X500
You can configure your WatchGuard Firebox X500 as a remote gateway.
NOTE Refer to your WatchGuard Firebox documentation for exact steps.
Procedure
1 In Firebox System Manager, select Tools > Policy Manager.
2 In Policy Manager, select Network > Configuration.
3 Configure the interfaces and click OK.
IKE Peer: 10.20.129.80
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28379
Phase 1 Policy Not Matching
The following lists Phase 1 Policy Not Matching error logs.
vShield Edge
vShield Edge hangs in the STATE_MAIN_I1 state. Look in /var/log/messages for information showing that the peer sent back an IKE message with "NO_PROPOSAL_CHOSEN" set.
All SA proposals found unacceptable
Aug 26 18:17:27 [IKEv1]: IP = 10.20.129.80, Error processing payload: Payload ID: 1
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, IKE MM Responder FSM error history (struct &0xd8355a60) , : MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.
. . .
Aug 26 16:03:49 [IKEv1]: Group = 10.20.129.80, IP = 10.20.129.80, Session is being torn down. Reason: Phase 2 Mismatch
PFS Mismatch
The following lists PFS Mismatch error logs.
vShield Edge
PFS is negotiated as part of Phase 2. If PFS does not match, the behavior is similar to the failure case described in "Phase 2 Not Matching," on page 95.
Aug 26 19:00:26 [IKEv1]: Group = 10.20.129.80, IP = 10.20.129.80, Session is being torn down. Reason: Phase 2 Mismatch
PSK not Matching
The following lists PSK Not Matching error logs.
vShield Edge
PSK is negotiated in the last round of Phase 1. If PSK negotiation fails, vShield Edge state is STATE_MAIN_I4. The peer sends a message containing INVALID_ID_INFORMATION.
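The Phase 1, Phase 2/PFS and PSK failure signatures described in the preceding troubleshooting entries can be turned into a small log triage tool. The following Python is an added example, not code from the vShield guide: the Cisco lines it is fed are the ones quoted above, while the vShield Edge lines are constructed samples whose only page-backed element is the STATE_MAIN_I<n> state name, so their format is an assumption.

```python
"""Classify IPSec VPN negotiation failures from vShield Edge and Cisco logs.

Added example, not code from the vShield Administration Guide. The patterns
are the indicators the troubleshooting section names:
  NO_PROPOSAL_CHOSEN / "All SA proposals found unacceptable" -> Phase 1 policy
  "Reason: Phase 2 Mismatch"                                 -> Phase 2 or PFS
  INVALID_ID_INFORMATION (Edge stuck in STATE_MAIN_I4)       -> PSK
The vShield Edge sample lines are constructed; only the STATE_MAIN_I<n>
state names come from the guide, the rest of their format is assumed.
"""
import re

# (category, pattern, what to check on both peers). Most specific first.
SIGNATURES = [
    ("phase1_policy_mismatch",
     re.compile(r"NO_PROPOSAL_CHOSEN|All SA proposals found unacceptable"),
     "Phase 1 policy (encryption, hash, DH group, lifetime) differs between peers"),
    ("psk_mismatch",
     re.compile(r"INVALID_ID_INFORMATION"),
     "pre-shared key or peer identity differs between peers"),
    ("phase2_or_pfs_mismatch",
     re.compile(r"Reason: Phase 2 Mismatch"),
     "Phase 2 proposal or PFS setting differs between peers"),
]
EDGE_STATE_RE = re.compile(r"STATE_MAIN_I(\d)")


def classify_line(line):
    """Return the failure category a single log line indicates, or None."""
    for category, pattern, _ in SIGNATURES:
        if pattern.search(line):
            return category
    return None


def diagnose(lines):
    """Summarise a batch of log lines from either side of the tunnel.

    Returns a dict with per-category hit counts, the last STATE_MAIN_I<n>
    seen on the vShield Edge side (None if absent), the most likely cause
    and the corresponding thing to check.
    """
    counts = {category: 0 for category, _, _ in SIGNATURES}
    last_state = None
    for line in lines:
        category = classify_line(line)
        if category:
            counts[category] += 1
        m = EDGE_STATE_RE.search(line)
        if m:
            last_state = int(m.group(1))
    hits = [c for c in counts if counts[c]]
    if hits:
        # category with the most hits; ties resolve in SIGNATURES order
        verdict = max(hits, key=lambda c: counts[c])
    elif last_state == 1:
        # Edge hung in STATE_MAIN_I1 with no notify captured: Phase 1 never completed
        verdict = "phase1_policy_mismatch"
    elif last_state == 4:
        # Edge reached the last Phase 1 round and stalled: PSK stage
        verdict = "psk_mismatch"
    else:
        verdict = None
    check = next((c for cat, _, c in SIGNATURES if cat == verdict), None)
    return {"counts": counts, "last_edge_state": last_state,
            "verdict": verdict, "check": check}


if __name__ == "__main__":
    # Constructed sample: two illustrative Edge lines plus a Cisco line from the guide.
    SAMPLE = [
        'ipsec: "peer-10.20.131.62" #1: STATE_MAIN_I1: initiate',
        'ipsec: "peer-10.20.131.62" #1: received notify NO_PROPOSAL_CHOSEN',
        "Aug 26 18:17:27 [IKEv1]: IP = 10.20.129.80, Error processing payload: Payload ID: 1",
    ]
    print(diagnose(SAMPLE)["verdict"])  # phase1_policy_mismatch
```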
Dst: Cisco_80:70:f5 (00:13:c4:80:70:f5)
Internet Protocol, Src: 10.20.129.80 (10.20.129.80), Dst: 10.20.131.62 (10.20.131.62)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 92585D2D797E9C52
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.
No. 9204  Time 768.395550  Source 10.20.131.62  Destination 10.20.129.80  Protocol ISAKMP  Info Identity Protection (Main Mode)
Frame 9204 (146 bytes on wire, 146 bytes captured)
Ethernet II, Src: Cisco_80:70:f5 (00:13:c4:80:70:f5), Dst: Vmware_9d:2c:dd (00:50:56:9d:2c:dd)
Internet Protocol, Src: 10.20.131.62 (10.20.131.62), Dst: 10.20.129.80 (10.20.129.
Internet Protocol, Src: 10.20.129.80 (10.20.129.80), Dst: 10.20.131.62 (10.20.131.62)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 92585D2D797E9C52
    Responder cookie: 34704CFC8C8DBD09
    Next payload: Key Exchange (4)
    Version: 1.
    Vendor ID: draft-beaulieu-ike-xauth-02.txt
    Vendor ID: C1B7EBE18C8CBD099E89695E2CB16A4A
        Next payload: Vendor ID (13)
        Payload length: 20
        Vendor ID: C1B7EBE18C8CBD099E89695E2CB16A4A
    Vendor ID: CISCO-CONCENTRATOR
        Next payload: NONE (0)
        Payload length: 20
        Vendor ID: CISCO-CONCENTRATOR
No. 9207  Time 768.404990  Source 10.20.129.80  Destination 10.20.131.
Ethernet II, Src: Vmware_9d:2c:dd (00:50:56:9d:2c:dd), Dst: Cisco_80:70:f5 (00:13:c4:80:70:f5)
Internet Protocol, Src: 10.20.129.80 (10.20.129.80), Dst: 10.20.131.62 (10.20.131.62)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 92585D2D797E9C52
    Responder cookie: 34704CFC8C8DBD09
    Next payload: Hash (8)
    Version: 1.
SSL VPN-Plus Overview
With SSL VPN-Plus, remote users can connect securely to private networks behind a vShield Edge gateway. Remote users can access servers and applications in the private networks.
7 Enable the SSL VPN-Plus Service on page 112
After configuring the SSL VPN-Plus service, enable the service for remote users to begin accessing private networks.
Add an IP Pool
The remote user is assigned a virtual IP address from the IP pool that you add.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
8 In the Configure panel, click Private Networks.
9 Click the Add icon.
The Add Private Network dialog box opens.
10 Type the private network IP address.
11 Type the netmask of the private network.
12 (Optional) Type a description for the network.
13 Specify whether you want to send private network and internet traffic over the SSL VPN-Plus enabled vShield Edge or directly to the private server by bypassing the vShield Edge.
11 In Gateway, type the IP address or FQDN of the public interface of vShield Edge. This IP address or FQDN is bound to the SSL client. When the client is installed, this IP address or FQDN is displayed on the SSL client.
12 Type the port number that you specified in the server settings for SSL VPN-Plus. See "Add SSL VPN-Plus Server Settings," on page 112.
8 In the Configure panel, click Users.
9 Click the Add icon.
The Add User dialog box opens.
10 Type the user ID.
11 Type the password.
12 Retype the password.
13 (Optional) Type the first name of the user.
14 (Optional) Type the last name of the user.
15 (Optional) Type a description for the user.
16 In Password Details, select Password never expires to always keep the same password for the user.
17 Click OK.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Authentication.
9 Click the Add icon.
The Add Server dialog box opens.
10 In Type, select AD.
11 Type the IP address of the external server.
12 Type the port number for the AD server.
13 Select Enable SSL to enable the SSL service on the specified server.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Authentication.
9 Click the Add icon.
The Add Server dialog box opens.
10 In Type, select LDAP.
11 Type the IP address of the external server.
12 Type the port number for the LDAP server.
13 Select Enable SSL to enable the SSL service on the specified server.
14 Type the timeout period in seconds.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Authentication.
9 Click the Add icon.
The Add Server dialog box opens.
10 In Type, select RADIUS.
11 Type the IP address of the RSA Radius server.
12 Type the port number for the RADIUS server.
13 Type the timeout period in seconds.
14 Select Enabled or Disabled to indicate whether the server is enabled.
14 In the Advanced section, type the IP address of the vShield Edge interface through which the RSA server is accessible.
15 Select Use this server for secondary authentication if you want to use this server as the second level of authentication. Select Terminate Session if authentication fails if required.
16 Click OK.
Add Local Authentication Server
You can add a local authentication server to bind to the SSL gateway.
Add SSL VPN-Plus Server Settings
You must add SSL VPN server settings to enable SSL on a vShield Edge interface.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the Edges tab.
7 Click the VPN tab.
8 Click the SSL VPN-Plus tab.
What to do next
The Dashboard displays the status of the service, the number of active SSL VPN sessions, and session statistics and data flow details.
Configure Web Access SSL VPN-Plus
In web access mode, a remote user can access private networks without downloading an SSL client.
Procedure
1 Create a Web Resource on page 113
You can add a web access server that the remote user can connect to via a web browser.
What to do next
Add a local user or authentication for an external user.
Add a User
Add a remote user to the local database.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Users.
- Add RSA-ACE Authentication Server on page 117
You can add an RSA-ACE authentication server to bind to the SSL gateway. All users in the bound authentication server are authenticated.
- Add Local Authentication Server on page 118
You can add a local authentication server to bind to the SSL gateway. All users in the bound authentication server are authenticated.
21 In Search Filter, type the filter values by which you want to limit the search. The search filter format is attribute operator value.
22 Select Use this server for secondary authentication if you want to use this AD server as the second level of authentication.
23 Click OK.
Add LDAP Authentication Server
You can add an LDAP authentication server to bind to the SSL gateway. All users in the bound authentication server are authenticated.
20 In Search Filter, type the filter values by which you want to limit the search. The search filter format is attribute operator value.
21 Select Use this server for secondary authentication if you want to use this LDAP server as the second level of authentication.
22 Click OK.
Add RADIUS Authentication Server
You can add a RADIUS authentication server to bind to the SSL gateway. All users in the bound authentication server are authenticated.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Authentication.
9 Click the Add icon.
The Add Server dialog box opens.
10 In Type, select RSA-ACE.
11 (Optional) Type the timeout period in seconds for the RSA server.
12 In Configuration File, browse to and select the sdconf.
12 To define an account lockout policy, select Enable next to Account Lockout Policy.
a In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.
b In Retry Duration, type the time period in which the remote user's account gets locked on unsuccessful login attempts.
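The Retry Count and Retry Duration settings above define a sliding-window lockout. The Python below is an added example (not code from the vShield guide or the product) that implements those semantics so the interaction of the two values can be checked against concrete timestamps; the separate lockout duration parameter is an assumption, because the guide's step for it is not shown here.

```python
"""Account lockout with the Retry Count and Retry Duration semantics of the
SSL VPN-Plus general settings.

Added example, not code from the vShield Administration Guide. Retry Count is
the number of failed attempts tolerated inside a sliding window of Retry
Duration seconds; reaching it locks the account. How long the lock lasts is a
separate parameter assumed here (lockout_duration), since that step is not on
the page. Timestamps are plain seconds so the logic is deterministic.
"""
from collections import defaultdict, deque


class AccountLockoutPolicy:
    def __init__(self, retry_count, retry_duration, lockout_duration):
        self.retry_count = retry_count            # failures allowed inside the window
        self.retry_duration = retry_duration      # sliding window, seconds
        self.lockout_duration = lockout_duration  # assumed lock length, seconds
        self._failures = defaultdict(deque)       # user -> recent failure timestamps
        self._locked_until = {}                   # user -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # lock expired: clear it and start counting afresh
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user, credentials_ok, now):
        """Record a login attempt and return "ok", "denied" or "locked".

        A locked account is refused even when the credentials are correct;
        that is what makes the policy effective against password guessing.
        """
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            self._failures[user].clear()  # a good login resets the counter
            return "ok"
        window = self._failures[user]
        window.append(now)
        # forget failures that fell out of the Retry Duration window
        while window and now - window[0] > self.retry_duration:
            window.popleft()
        if len(window) >= self.retry_count:
            self._locked_until[user] = now + self.lockout_duration
            window.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through: 3 failures within 60 s lock the account for 300 s.
    policy = AccountLockoutPolicy(retry_count=3, retry_duration=60, lockout_duration=300)
    for t in (0, 10, 20):
        print(t, policy.attempt("alice", False, t))  # denied, denied, locked
    print(100, policy.attempt("alice", True, 100))    # locked (correct password, still locked)
    print(330, policy.attempt("alice", True, 330))    # ok (lock expired at 320)
```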
Enable the SSL VPN-Plus Service
After configuring the SSL VPN-Plus service, enable the service for remote users to begin accessing private networks.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 Click the icon.
15 (Optional) In the Advanced panel, type the DNS name.
16 (Optional) Type the secondary DNS name.
17 Type the connection-specific DNS suffix for domain-based host name resolution.
18 Type the WINS server address.
19 Click OK.
Edit an IP Pool
You can edit an IP pool.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
Enable an IP Pool
You can enable an IP pool if you want an IP address from that pool to be assigned to the remote user.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Edge tab.
4 Double-click a vShield Edge gateway.
5 Click the VPN tab.
6 Click the SSL VPN-Plus tab.
7 In the Configure panel, click IP Pool.
7 In the Configure panel, click IP Pool.
8 Select the IP pool whose order you want to change.
9 Click the Move Up or Move Down icon.
Working with Private Networks
You can add, edit, or delete a private network that a remote user can access.
Add private network
Add the network that you want the remote user to be able to access.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
- Add a corresponding firewall rule to allow the private network traffic.
Delete a Private Network
You can delete a private network.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges tab.
5 Double-click a vShield Edge gateway.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Private Networks.
4 Double-click a vShield Edge gateway.
5 Click the VPN tab.
6 Click the SSL VPN-Plus tab.
7 In the Configure panel, click Private Networks.
8 Click the network that you want to disable.
9 Click the Disable icon.
The selected network is disabled.
Change the Sequence of a Private Network
SSL VPN-Plus allows remote users to access private networks in the sequence in which they are displayed on the Private Networks panel.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Installation Package.
9 Click the Add icon.
The Add Installation Package dialog box opens.
10 Type a profile name for the installation package.
11 In Gateway, type the IP address or FQDN of the public interface of vShield Edge. This IP address or FQDN is bound to the SSL client.
Edit an Installation Package
You can edit an installation package.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Installation Package.
Add a User
Add a remote user to the local database.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Users.
9 Click the Add icon.
The Add User dialog box opens.
10 Type the user ID.
10 Make the required edits.
11 Click OK.
Delete a User
You can delete a user.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 In the Configure panel, click Users.
9 Select the user that you want to delete.
Edit Client Configuration
You can change the way the SSL VPN client tunnel responds when the remote user logs in to SSL VPN.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 Click Client Configuration.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 Click Login/Logoff Scripts.
9 Click the Add icon.
The Add Login-Logoff script dialog box opens.
10 In Script, click Browse and select the script you want to bind to the vShield Edge gateway.
11 Select the Type of script.
Option    Description
Login     Performs the script action when the remote user logs in to SSL VPN.
Logoff    Performs the script action when the remote user logs out of SSL VPN.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 Click Login/Logoff Scripts.
9 Select a script.
10 Click the Delete icon.
Enable a Script
You must enable a script for it to work.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
Refresh Scripts
After you add or delete a script, you can refresh the Login/Logoff Scripts page.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 Click Login/Logoff Scripts.
9 Select a script.
SSL VPN-Plus Logs
SSL VPN-Plus gateway logs are sent to the syslog server configured on the vShield Edge appliance. SSL VPN-Plus client logs are stored in the following directory on the remote user's computer: %PROGRAMFILES%/VMWARE/SSL VPN Client/.
Edit General Settings
You can edit the default VPN settings.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the VPN tab.
7 Click the SSL VPN-Plus tab.
8 Click Portal Customization.
The Change Web Portal Design dialog box opens.
9 Type the portal title.
10 Type the remote user's company name.
11 In Logo, click Change and select the image file for the remote user's logo.
3 Select and Configure Services for the Pool on page 136
You can select and configure the services to be supported by this pool.
4 Define Health Check Parameters on page 137
A health check checks that all servers in the server pool are alive and answering queries.
5 Add Servers on page 137
Add backend servers to the pool.
6 Review Settings and Add Pool on page 138
Before you add the server pool, review the settings you entered.
Option        Description
ROUND_ROBIN   Each server is used in turn according to the weight assigned to it. This is the smoothest and fairest algorithm when the server's processing time remains equally distributed.
URI           The left part of the URI (before the question mark) is hashed and divided by the total weight of the running servers. The result designates which server will receive the request.
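To make the two balancing options in the table above concrete, here is an added Python example (not code from the vShield guide or the product) that implements server selection for each. The guide does not say which weighted round-robin variant the Edge uses or which hash function the URI option applies, so the smooth weighted round-robin and crc32 used here are assumptions, and the Server class and function names are this example's own.

```python
"""Server selection for the ROUND_ROBIN and URI load balancer algorithms.

Added example, not code from the vShield Administration Guide.
ROUND_ROBIN: each server is used in turn according to its weight, implemented
as smooth weighted round robin (assumption: the guide does not name a variant).
URI: the part of the URI before "?" is hashed and reduced modulo the total
weight of the running servers; the result selects a server by cumulative
weight. crc32 is an assumption; the guide does not name the hash function.
"""
import zlib


class Server:
    def __init__(self, name, weight=1, running=True):
        self.name = name
        self.weight = weight
        self.running = running   # a server failing its health check is not running
        self.current = 0         # working value for smooth weighted round robin


def weighted_round_robin(servers):
    """Pick the next server by smooth weighted round robin (mutates state).

    Each pick adds every running server's weight to its current value, takes
    the largest, and subtracts the total weight from the winner, so with
    weights A=2, B=1 the sequence is A, B, A, A, B, A, ...
    Returns None when no server is running.
    """
    running = [s for s in servers if s.running]
    if not running:
        return None
    total = sum(s.weight for s in running)
    for s in running:
        s.current += s.weight
    best = max(running, key=lambda s: s.current)
    best.current -= total
    return best


def uri_key(uri):
    """Left part of the URI: everything before the first question mark."""
    return uri.split("?", 1)[0]


def uri_bucket(uri, total_weight):
    """Hash the URI key and reduce it modulo the total weight of running servers."""
    return zlib.crc32(uri_key(uri).encode("utf-8")) % total_weight


def server_for_bucket(servers, bucket):
    """Map a bucket in [0, total weight) onto running servers by cumulative weight,
    so a server with weight 2 owns two buckets and a server with weight 1 owns one."""
    cumulative = 0
    for s in servers:
        if not s.running:
            continue
        cumulative += s.weight
        if bucket < cumulative:
            return s
    return None


def uri_hash(servers, uri):
    """Pick a server for a request URI. The same path maps to the same server
    for as long as the set of running servers and their weights is unchanged;
    query-string differences do not change the choice."""
    running = [s for s in servers if s.running]
    if not running:
        return None
    total = sum(s.weight for s in running)
    return server_for_bucket(servers, uri_bucket(uri, total))


if __name__ == "__main__":
    # Constructed pool: A carries twice the weight of B.
    pool = [Server("A", 2), Server("B", 1)]
    print([weighted_round_robin(pool).name for _ in range(6)])  # ['A', 'B', 'A', 'A', 'B', 'A']
    print(uri_hash(pool, "/app/login?u=1").name == uri_hash(pool, "/app/login?u=2").name)  # True
```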
4 Change the default port and monitor port for the server if required.
5 Click Add.
6 Repeat Step 1 through Step 5 to add additional servers.
7 Click Next.
Review Settings and Add Pool
Before you add the server pool, review the settings you entered.
Procedure
1 In the Ready to Complete page of the Add Pool wizard, review the settings for the server pool.
2 Click Previous to modify the settings.
3 Click Finish to accept the settings and add the pool.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the Load Balancer tab.
7 Ensure that you are in the Pool tab.
8 Select the pool to edit.
9 Click the Edit icon.
10 Make the appropriate changes and click Finish.
Delete a Server Pool
You can delete a server pool.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
Delete a Virtual Server
You can delete a virtual server.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Double-click a vShield Edge instance.
6 Click the Load Balancer tab.
7 Click the Virtual Servers tab.
8 Select the virtual server to delete.
9 Click the Delete icon.
vSphere High Availability
vShield Edge HA is compatible with vSphere HA. If the host on which a vShield Edge instance is running dies, the vShield Edge is restarted on the standby host, thereby ensuring that the vShield Edge HA pair is still available to take another failover. If vSphere HA is not leveraged, the active-standby vShield Edge HA pair will survive one fail-over.
11 Click Enable Logging to log DNS traffic.
Generated logs are sent to the syslog server.
12 Select the log level.
13 Click OK.
Configure Remote Syslog Servers
You can configure one or two remote syslog servers. vShield Edge events and logs related to firewall events that flow from vShield Edge appliances are sent to the syslog servers.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
- An x-large vShield Edge instance requires 8 GB memory and 256 MB disk space. An x-large vShield Edge instance is recommended for an environment where the Load Balancer service is being used on millions of concurrent sessions.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Select a compact vShield Edge instance.
6 Click the More Actions icon and select Force Sync.
Redeploy vShield Edge
If vShield services do not work as expected after a force sync, you can redeploy the vShield Edge instance.
Procedure
1 In the vSphere Client, select Inventory > Hosts & Clusters.
2 Select a datacenter resource from the inventory panel.
3 Click the Network Virtualization tab.
4 Click the Edges link.
5 Select a vShield Edge instance.
10 Service Insertion Management
VMware partners can integrate NetX services with their VMware virtual environment. After you design the services that you want to offer, you can implement your service virtual machine and create vendor templates, which contain the settings and configuration parameters for the levels of an offered service or for the different services that you provide.
3 Create Service Profiles on page 147
Service consumers can create a service profile to represent a combined setting of the configuration required by the virtualization infrastructure to run the service and the provider-specific configuration for the service. Examples of provider-specific configuration include network-region awareness and quality of service. You can also edit provider-specific attributes of the service.
4 Click the Add icon.
The Service Wizard opens.
5 Type a name for the service.
6 Select a category for the service you are adding.
7 Select the service manager for the service.
8 Type a description for the service.
9 Click Next.
10 To add a service configuration or other vendor information, click the Add icon.
The Create Vendor Template dialog box opens.
11 Type the ID and name of the vendor template.
12 Type a description for the template.
Deploy Service
You can deploy a service on a virtual wire.
Procedure
1 Select a datacenter resource from the vShield Manager inventory panel.
2 Click the Network Virtualization tab.
3 Click the Virtual Wires tab.
4 In the Name column, click the virtual wire on which you want to deploy a service.
5 In the Available Services panel, click Enable Services.
Delete a Service Manager
You can delete a service manager.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click Service Insertion.
3 Ensure that you are in the Managers tab.
4 Click the service manager that you want to delete.
5 Click the Delete icon.
Edit a Service
You can edit a service if required.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
4 Click the service for which you want to create a profile.
5 Click the Service Profiles tab.
6 Click the profile that you want to edit.
7 Click Edit.
The Edit Service Profile dialog box opens.
8 Make the required edits.
9 Click OK.
Delete a Service Profile
You can delete a service profile.
Procedure
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click Service Insertion.
3 Ensure that you are in the Services tab.
11 vShield App Management
vShield App is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. Organizations gain visibility and control over network communications between virtual machines. You can create access control policies based on logical constructs such as VMware vCenter™ containers and vShield security groups—not just physical constructs such as IP addresses.
6 From the Log Level drop-down menu, select the event level at and above which to send vShield App events to the syslog server.
For example, if you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server. You can send vShield App events to up to three syslog instances.
7 Click Save to save the new settings.
Viewing Traffic Statistics by vShield App Interface

You can view the traffic statistics for each vShield interface.

Procedure
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Select a host from the resource tree.
3. Click the vShield tab.
4. In the Service Virtual Machines area, expand the vShield App SVM. The Management Port Interface panel displays the traffic statistics for the vShield App.
Excluding virtual machines from vShield App protection is useful when vCenter Server resides in the same cluster in which vShield App is being used. After you enable this feature, no traffic from excluded virtual machines goes through the vShield App appliance.

NOTE vCenter Server can be moved to a cluster that is protected by vShield App, but it must already be in the exclusion list to avoid connection issues to vCenter Server.
Chapter 12 vShield App Flow Monitoring

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network that passed through a vShield App. The Flow Monitoring output shows which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports being used.
2. Click Flow Monitoring. The charts update to display the most current information for the last twenty-four hours. This might take several seconds. The bar at the top of the page shows the percentage of allowed traffic in green, blocked traffic in red, and traffic blocked by SpoofGuard in orange.

Traffic statistics are displayed in three tabs:
- Top Flows displays the total incoming and outgoing traffic per service over the specified time period.
3. Click the Details tab. Details about all traffic for the selected service are displayed. Click Load More Records to display additional flows. The Allowed Flows tab displays the allowed traffic sessions and the Blocked Flows tab displays the blocked traffic. You can search on service names.
4. Click an item in the table to display the rules that allowed or blocked that traffic flow.
Add or Edit App Firewall Rule from the Flow Monitoring Report

By drilling down into the traffic data, you can evaluate the use of your resources and send session information to App Firewall to create a new allow or block rule at any level.

Procedure
1. In the vSphere Client, select a datacenter, virtual machine, port group, network adapter, or virtual wire.

   Option: Select a datacenter or virtual machine
   Action:
   a. Go to Inventory > Hosts and Clusters.
   2. Change the name, action, or comments for the rule.
   3. Click OK.

To add a rule:
1. Click Add Rule in the Actions column.
2. Complete the form to add a rule. You cannot add a protocol, IP address, or MAC address as the source or destination for a firewall rule. If the source or destination for the rule is an IP or MAC address, you must create an IPSet or MACSet for that address.
Chapter 13 vShield App Firewall Management

vShield App provides firewall protection through access policy enforcement. The App Firewall tab represents the vShield App firewall access control list.

This chapter includes the following topics:
- “Using App Firewall,” on page 161
- “Working with Firewall Rules,” on page 163
- “Using SpoofGuard,” on page 168

Using App Firewall

The App Firewall service is a centralized firewall for ESX hosts.
About Services and Service Groups

A service is a protocol-port combination, and a service group is a combination of two or more services. You can define firewall rules for services and service groups. For information on creating services and service groups, see “Working with Services and Service Groups,” on page 21.
Planning App Firewall Rule Enforcement

Using App Firewall, you can configure allow and block rules based on your network policy. The following examples represent two common firewall policies:

Allow all traffic by default: You keep the default allow-all rules and add block rules based on Flow Monitoring data or manual App Firewall rule configuration. In this scenario, if a session does not match any of the block rules, vShield App allows the traffic to pass.
2. Click the App Firewall tab. For a virtual wire, ensure that you are in the Firewall tab.
3. Ensure that you are in the General tab to add an L3 rule, or click the Ethernet tab to add an L2 rule.
4. Do one of the following.
   - To add a rule at a specific place in the firewall table, follow the steps below.
     a. Select a rule.
     b. In the No. column, click the icon and select Add Above or Add Below.
   - To add a rule by copying a rule, follow the steps below.
     a. Select a rule.
7. Point to the Source cell of the new rule and click the icon.
   a. In View, select a container from which the communication originated. Objects for the selected container are displayed.
   b. Select one or more objects and click the icon. You can create a new security group or IPSet. Once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see “Grouping Objects,” on page 24.
- Display additional columns in the rule table by clicking the icon and selecting the appropriate columns.

  Column Name | Information Displayed
  Rule ID | Unique system-generated ID for each rule
  Log | Whether traffic for this rule is being logged or not
  Stats | Clicking the icon shows the traffic affected by this rule (number of sessions, traffic packets, and size)
  Comments | Comments for the rule

- Search for rules by typing text in the Search field.
Revert to a Previous Firewall Configuration

The vShield Manager saves the App Firewall settings each time you publish a new rule. Clicking Publish Changes causes the vShield Manager to save the previous configuration with a timestamp before adding the new rule. These configurations are available from the History drop-down list. vShield Manager saves the previous ten configurations.

Procedure
1. Do one of the following.
Procedure
1. Do one of the following.

   Firewall Rule Level: Datacenter
   Method:
   a. In the vSphere Client, go to Inventory > Hosts and Clusters.
   b. Select a datacenter.
   c. Click the vShield tab.
   d. Click the App Firewall tab.

   Firewall Rule Level: Virtual wire
   Method:
   a. Go to Inventory > Hosts and Clusters and select the Network Virtualization tab.
   b. Click the Networks tab.
   c. In the Name column, click the virtual wire for which you want to add a rule.
   d. Click the Security tab.
SpoofGuard Screen Options

The SpoofGuard interface contains the following options.

Table 13-1.
6. For Operation Mode, select one of the following:

   Option | Description
   Automatically Trust IP Assignments on Their First Use | Select this option to trust all IP assignments upon initial registration with the vShield Manager.
   Manually Inspect and Approve All IP Assignments Before Use | Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.
Procedure
1. In the vSphere Client, select a datacenter, virtual wire, or port group with an independent namespace.

   Firewall Rule Level: Datacenter
   Method:
   a. Go to Inventory > Hosts and Clusters.
   b. Select a datacenter.
   c. Click the vShield tab.

   Firewall Rule Level: Virtual wire
   Method:
   a. Go to Inventory > Hosts and Clusters and select the Network Virtualization tab.
   b. Click the Networks tab.
   c. In the Name column, click the virtual wire for which you want to add a rule.
5. Click Publish Now.
Chapter 14 vShield Endpoint Events and Alarms

vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Because the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures, giving uninterrupted protection to the virtual machines on the host.
4. Click Endpoint. The vShield Endpoint Health and Alarms page displays the health of the objects under the datacenter, cluster, or ESX host you selected, and the active alarms. Health status changes are reflected within a minute of the actual occurrence of the event that triggered the change.

vShield Endpoint Alarms

Alarms signal the vCenter Server administrator about vShield Endpoint events that require attention.
The following table lists vShield Endpoint events reported by the SVM and the vShield Manager (VSM).

Table 14-3. vShield Endpoint Events
Description | Severity | VC Arguments
vShield Endpoint solution SolutionName enabled. Supporting version versionNumber of the VFile protocol. | info | timestamp
ESX module enabled. | info | timestamp
ESX module uninstalled. | info | timestamp
The vShield Manager has lost connection with the ESX module.
Chapter 15 vShield Data Security Management

vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.
Defining a Data Security Policy

To detect sensitive data in your environment, you must create a data security policy. You must be a Security Administrator to create policies. To define a policy, you must specify the following:

1. Regulations. A regulation is a data privacy law for protecting PCI (Payment Card Industry), PHI (Protected Health Information), and PII (Personally Identifiable Information) information.
8. Certain regulations require additional information for vShield Data Security to recognize sensitive data. If you selected a regulation that monitors Group Insurance Numbers, Patient Identification Numbers, Medical Record Numbers, Health Plan Beneficiary Numbers, US Bank Account Numbers, Custom Accounts, or Student Identification Numbers, specify a regular expression pattern for identifying that data.

NOTE Check the accuracy of the regular expression.
2. Click Edit.
3. You can either monitor all files on the virtual machines in your inventory, or select the restrictions you want to apply.

   Option | Description
   Monitor all files on the guest virtual machines | vShield Data Security scans all files.
   Monitor only the files that match the following conditions | Select the following options as appropriate.
   - Size indicates that vShield Data Security should only scan files less than the specified size.
Procedure
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Click the vShield tab and click Data Security.
3. Click Start.

NOTE If a virtual machine is powered off, it is not scanned until it is powered on.

If a scan is in progress, the available options are Pause and Stop. All virtual machines in your datacenter are scanned once during a scan. If the policy is edited and published while a scan is running, the scan restarts.
Table 15-1. Information displayed in the Reports tab (Continued)
Section | Information Displayed
Violation Information | Top regulations that have been violated and the virtual machines on which the most violations have been reported.
Scan History | Start and end time of each scan, the number of virtual machines scanned, and the number of violations detected. You can click Download Complete Report in the Action column to download the complete report for any scan.
ABA Routing Numbers

A routing transit number (RTN) or ABA number is a nine-digit bank code, used in the United States, which appears on items such as checks and identifies the financial institution on which the item is drawn. This code is also used by the Automated Clearing House to process direct deposits and other automated transfers. The system is named after the American Bankers Association, which designed it in 1910.
Medicare is administered by Medicare Australia (known as the Health Insurance Commission until late 2005), which also has the responsibility for supplying Medicare cards and numbers. Almost every eligible person has a card: in June 2002 there were 20.4 million Medicare card-holders, and the Australian population was less than 20 million at the time (card-holders includes overseas Australians who still have a card).
This law has been amended to include medical information and health information; it is now referred to as California AB-1298, which is provided as an expanded regulation in the SDK. If California AB-1298 is enabled, you do not need to also use this regulation, as the same information is detected as part of AB-1298.
- US Drivers License Number
- US Social Security Number

Connecticut SB-650

Connecticut SB-650 is a state data privacy law which protects personally identifiable information. Connecticut SB-650 was signed into law June 8, 2005 and became effective January 1, 2006. The law applies to any person, business or agency that conducts business in Connecticut and owns or licenses unencrypted computerized data that includes personally identifiable information.
- Student Records

Florida HB-481

Florida HB-481 is a state data privacy law which protects personally identifiable information. Florida HB-481 was signed into law June 14, 2005 and became effective July 1, 2005.
Germany BIC Numbers Policy

A Bank Identifier Code (BIC) uniquely identifies a particular bank and is used in France and worldwide for the exchange of money and messages between banks. The policy identifies documents and transmissions that contain BIC codes, also known as SWIFT codes, issued by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). The policy looks for a match to the content blade Germany BIC Number.
HIPAA (Healthcare Insurance Portability and Accountability Act) Policy

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Congress of the United States of America.
Indiana HB-1101 Policy

Indiana HB-1101 is a state data privacy law which protects personally identifiable information. Indiana HB-1101 was signed into law April 26, 2005 and became effective July 1, 2006.
Louisiana SB-205 Policy

Louisiana SB-205 is a state data privacy law which protects personally identifiable information. Louisiana SB-205 was signed into law July 12, 2005 and became effective January 1, 2006.
Minnesota HF-2121

Minnesota HF-2121 is a state data privacy law which protects personally identifiable information. Minnesota HF-2121 was signed into law June 2, 2005 and became effective January 1, 2006. The law applies to any person or business that conducts business in Minnesota and owns or licenses data that includes personally identifiable information.
New Hampshire HB-1660

New Hampshire HB-1660 is a state data privacy law which protects personally identifiable information. New Hampshire HB-1660 was signed into law June 2, 2006 and became effective January 1, 2007.
New Zealand Inland Revenue Department Numbers

The policy identifies documents and transmissions that contain New Zealand Inland Revenue Department (IRD) numbers issued by the Inland Revenue Department to every taxpayer and organization. The number must be provided by an individual to the Inland Revenue, employers, banks or other financial institutions, KiwiSaver scheme providers, StudyLink and tax agents.
- US Social Security Number

Patient Identification Numbers

The personally identifiable information (PII) commonly held by hospitals and healthcare-related organizations and businesses in the United States of America. This policy should be customized to define the patient identification number format.
UK Driving Licence Numbers

A UK driving licence number is an identification number on a UK driving licence and identifies the owner of said number for the purposes of driving and driving offences. The policy looks for a match to the content blade UK Driving License Number.
Utah SB-69

Utah SB-69 is a state data privacy law which protects personally identifiable information. Utah SB-69 was signed into law March 20, 2006 and became effective January 1, 2007. The law applies to anyone who owns or licenses computerized data that includes personally identifiable information concerning a Utah resident.
- Personally identifiable information (e.g. name, address, phone number)

Words and phrases related to banking are implemented in order to increase precision. A routing number is 9 digits and may pass for many different data types, for example, a valid US Social Security number, Canadian Social Insurance number, or international telephone number. Since routing numbers themselves are not sensitive, personally identifiable information is necessary for a violation to occur.
American Express Content Blade

The content blade looks for a combination of the following pieces of information.
- One Medicare card number plus Medicare or patient identification terms (e.g. patient identifier, patient number)
- One Medicare card number plus two of either a name, expiration date or expiration terms

Australia Tax File Number Content Blade

The content blade looks for matches to both pieces of information in high proximity to each other.
- Australia Tax File Number (refer to entity description)
- Tax file number words and phrases (e.g.
Credit Card Track Data Content Blade

Track data is the information encoded and stored on two tracks located within the magnetic stripe on the back of a credit card (debit card, gift card, etc.). There are three tracks on the magstripe (the magnetic stripe on the back of a credit card). Each track is 0.110 inch wide.
France BIC Number Content Blade

The content blade scans for French BIC numbers by requiring matches for both of the following rules.
- European BIC number format
- French format of the BIC number

France IBAN Number Content Blade

The content blade requires the following to match for a French IBAN number in close proximity.
- German IBAN number pattern

The German IBAN rule: "DE" country code followed by 22 digits.

Germany National Identification Numbers Content Blade

The content blade requires the following to match for a German National Identification number in close proximity.
- Either a German National Identification number or a machine-readable version of the number
- Words or phrases for a German National Identification number (e.g.
- DD is the day of the month of birth. To differentiate between genders, 40 is added to the day of birth for women (thus a woman born on May 3 has ...E43...).
- ZZZZ is an area code specific to the municipality where the person was born. Country-wide codes, a letter followed by three digits, are used for foreign countries.
- X is a parity character, calculated by adding together the characters in the even and odd positions and dividing them by 26.
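As an added example (not code from the vShield guide), the following Python decoder checks the birth field described above: the month letter followed by DD, where a DD of 41 to 71 means the day plus 40 and therefore a woman. The page gives only E = May; the rest of the month-letter table is the standard Italian convention and is an assumption added here. A content blade can use such a check to discard candidate strings whose birth field is impossible, which lowers false positives.

```python
# Month letters of the Italian fiscal code. The guide gives only E = May;
# the remaining letters are the standard convention (assumed, not from the page).
MONTH_LETTERS = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5, "H": 6,
                 "L": 7, "M": 8, "P": 9, "R": 10, "S": 11, "T": 12}


def decode_birth_field(field: str):
    """Decode the month-letter + DD portion of a fiscal code (e.g. 'E43').

    Returns (month, day, sex) or None when the field cannot be a valid
    birth field. Day 1-31 denotes a man; 41-71 denotes a woman (day + 40).
    """
    if len(field) != 3 or field[0] not in MONTH_LETTERS or not field[1:].isdigit():
        return None
    month = MONTH_LETTERS[field[0]]
    dd = int(field[1:])
    if 1 <= dd <= 31:
        return (month, dd, "M")
    if 41 <= dd <= 71:
        return (month, dd - 40, "F")
    # 32-40 and 72-99 cannot occur, so the string is not a fiscal code
    return None


if __name__ == "__main__":
    # The page's own illustration: a woman born on May 3 carries ...E43...
    print(decode_birth_field("E43"))  # (5, 3, 'F')
```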
- A single match to the Index of Procedures dictionary with a patient or doctor identification word or phrase (e.g. patient ID, physician name)

Italy Driving License Number Content Blade

The content blade requires the following to match for an Italy driving license in close proximity.
- Italy driving license pattern
- Words or phrases for a driving license (e.g.
Kansas Drivers License Number Content Blade

The content blade looks for matches to the Kansas driver’s license pattern and words and phrases such as driver’s license and license number and terms such as KS or Kansas.

Driver's license pattern: 1 Alphabetic (K), 8 Numeric; or Social Security Number.
Maryland Drivers License Number Content Blade

The content blade looks for matches to the Maryland driver’s license pattern and words and phrases such as driver’s license and license number and terms such as MD or Maryland.
3. A single match to the NDC Formulas dictionary with a patient or doctor identification word or phrase (e.g. patient ID, physician name)

Nebraska Drivers License Number Content Blade

The content blade looks for matches to the Nebraska driver’s license pattern and words and phrases such as driver’s license and license number and terms such as NE or Nebraska.
Netherlands Passport Number Content Blade

The content blade requires the following to match for a Netherlands passport number in close proximity.
1. Netherlands passport number (refer to entity description)
2. Words or phrases for a Netherlands passport number (e.g.
New Zealand Health Practitioner Index Number Content Blade

The content blade looks for matches to the New Zealand Health Practitioner Index entity and corroborative terms such as hpi-cpn or health practitioner index.

New Zealand Inland Revenue Department Number

The content blade looks for matches to the New Zealand Inland Revenue Department Number entity and words and phrases such as IRD Number or Inland Revenue Department Number.
Oklahoma License Number Content Blade

The content blade looks for matches to the Oklahoma driver’s license pattern and words and phrases such as driver’s license and license number and terms such as OK or Oklahoma.
2. A single match to the Protected Health Information dictionary plus two of either a name, U.S. Address or U.S. Date
3. A single match to the Protected Health Information dictionary with a patient or doctor identification word or phrase (e.g.
SSN Unformatted Content Blade

The content blade looks for unformatted patterns of the U.S. Social Security number (SSN). The content blade will match if an unformatted SSN is found within close proximity of a word or phrase for a Social Security number (e.g. Social Security, SSN).
Sweden Passport Number Content Blade

The content blade looks for matches to the Sweden Passport Number regular expression with the following possible combinations of supporting evidence.
LAAAADDDDDDLLDLLDD

Some digits are limited in the values accepted.

UK IBAN Number Content Blade

The content blade requires the following to match for a UK IBAN number in close proximity.
1. European IBAN number format
2. UK IBAN number pattern

IBAN Rule: "GB" country code followed by 20 characters.
Utah License Number Content Blade

The content blade looks for matches to the Utah driver’s license pattern and words and phrases such as driver’s license and license number and terms such as UT or Utah.

Driver's license pattern: 6 - 10 Numeric

Virginia License Number Content Blade

The content blade looks for matches to the Virginia driver’s license pattern and words and phrases such as driver’s license and license number and terms such as VA or Virginia.
Table 15-2. Archive Formats (Continued)
Application Format | Extensions
ISO-9660 CD Disc Image Format | ISO
Java Archive | JAR
Legato EMailXtender Archive | EMX
MacBinary | BIN
Mac Disk copy Disk Image | DMG
Microsoft Backup File | BKF
Microsoft Cabinet Format 1.
Table 15-5. Display Formats
Application Format | Extensions
Adobe PDF 1.1 to 1.7 | PDF

Table 15-6. Mail Formats
Application Format | Extensions
Domino XML Language | DXL
Legato Extender | ONM
Lotus Notes database 4, 5, 6.0, 6.5, 7.0, and 8.0 | NSF
Mailbox Thunderbird 1.0 and Eudora 6.
Table 15-9. Spreadsheet Formats (Continued)
Application Format | Extensions
Data Interchange Format | DIF
Lotus 1-2-3 96, 97, R9, 9.8, 2, 3, 4, 5 | 123, WK4
Lotus 1-2-3 Charts 2, 3, 4, 5 | 123
Microsoft Excel Windows 2.2 through 2003 | XLS, XLW, XLT, XLA
Microsoft Excel Windows XML 2007 | XLSX, XLTX, XLSM, XLTM, XLAM
Microsoft Excel Charts 2, 3, 4, 5, 6, 7 | XLS
Microsoft Excel Macintosh 98, 2001, v.
Table 15-11. Word Processing Formats (Continued)
Application Format | Extensions
Folio Flat File 3.1 | FFF
Founder Chinese E-paper Basic 3.2.1 | CEB
Fujitsu Oasys 7 | OA2
Haansoft Hangul 97, 2002, 2005, 2007 | HWP
IBM DCA/RFT (Revisable Form Text) SC23-0758-1 | DC
JustSystems Ichitaro 8 through 2009 | JTD
Lotus AMI Pro 2, 3 | SAM
Lotus AMI Professional Write Plus 2.1 | AMI
Lotus Word Pro 96, 97, R9 |
Lotus SmartMaster 96, 97 | MWP
Microsoft Word PC 4, 5, 5.
Chapter 16 Troubleshooting

This section guides you through troubleshooting common vShield issues.
Cannot Log In to the vShield Manager User Interface

Problem
When I try to log in to the vShield Manager user interface from my Web browser, I get a Page Not Found exception.

Solution
The vShield Manager IP address is in a subnet that is not reachable by the Web browser. The IP address of the vShield Manager management interface must be reachable by the Web browser to use vShield.
Firewall Block Rule Not Blocking Matching Traffic

Problem
I configured an App Firewall rule to block specific traffic. I used Flow Monitoring to view traffic, and the traffic I wanted to block is being allowed.

Solution
Check the ordering and scope of the rule. This includes the container level at which the rule is being enforced. Issues might occur when an IP address-based rule is configured under the wrong container. Check where the affected virtual machine resides.
3. Ensure that the vmnic on the virtual machine and on the vShield Edge is connected (vCenter > Virtual Machine > Edit Settings > Network Adapter > Connected/Connect at Power On check boxes). When both a vShield App and a vShield Edge are installed on the same ESX host, NIC disconnection can occur if the vShield App is installed after the vShield Edge.

Load Balancer Does Not Work

Procedure
1. Verify that the load balancer is running by running the CLI command: show service lb.
SSL VPN Does Not Work

Procedure
1. Ensure that SSL VPN and Load Balancer are not configured on the same host.
2. Verify that the SSL VPN service is enabled.
3. Verify that the server settings have been specified to enable SSL on a vShield Edge interface.
4. Ensure that the external authentication server is reachable.

Troubleshoot vShield Endpoint Issues

This section provides details on how to troubleshoot vShield Endpoint operational issues.
- vShield Endpoint Module: Log in to the vShield Manager and select a host from the inventory. The Summary tab displays the vShield Endpoint build number.

Check vShield Endpoint Health and Alarms

The vShield Endpoint components should be able to communicate with the vShield Manager.

Procedure
1. In the vSphere Client, go to Inventory > Hosts and Clusters.
2. Select a datacenter, cluster, or ESX host from the resource tree.
3. Click the vShield App tab.
4. Click Endpoint.
Table 16-2. Outcomes of Content Detection
 | Positive | Negative
True | Sensitive content correctly identified as sensitive. | Non-sensitive content correctly identified as non-sensitive.
False | Non-sensitive content mistakenly identified as sensitive. | Sensitive content mistakenly identified as non-sensitive.

Recall is the fraction of the documents relevant to the content blade that the blade gathers.
- High recall casts a wide net, and gathers all potentially sensitive documents.
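As an added example (not code from the vShield guide or from VMware), the following Python matcher implements the "identifier pattern plus corroborating words in close proximity" rule that the content blades in Chapter 15 describe, for the SSN Unformatted, UK IBAN Number, Kansas Drivers License Number and Utah License Number blades, and then runs one blade over a constructed set of labelled documents to count the four outcomes in Table 16-2 and compute recall and precision. The regular expressions follow the page's own descriptions of each pattern; the 60-character proximity window, the term lists and the sample documents are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ContentBlade:
    """A content blade: an identifier pattern that only counts as a hit when
    a corroborating word or phrase appears within `window` characters."""
    name: str
    pattern: re.Pattern   # the identifier (SSN, IBAN, licence number, ...)
    terms: re.Pattern     # supporting words or phrases
    window: int = 60      # "close proximity" (assumed size; the page gives none)


# Patterns follow the guide's descriptions of each blade; term lists are assumed.
BLADES: Dict[str, ContentBlade] = {
    # SSN Unformatted: nine digits with no separators near "Social Security" or "SSN".
    "ssn_unformatted": ContentBlade(
        "SSN Unformatted",
        re.compile(r"(?<!\d)\d{9}(?!\d)"),
        re.compile(r"\b(?:social security|ssn)\b", re.I),
    ),
    # UK IBAN: "GB" country code followed by 20 characters.
    "uk_iban": ContentBlade(
        "UK IBAN Number",
        re.compile(r"\bGB[A-Z0-9]{20}\b"),
        re.compile(r"\biban\b", re.I),
    ),
    # Kansas driver's licence: 1 alphabetic (K) followed by 8 digits.
    "kansas_dl": ContentBlade(
        "Kansas Drivers License Number",
        re.compile(r"\bK\d{8}\b"),
        re.compile(r"\b(?:driver'?s licen[cs]e|licen[cs]e number|kansas|ks)\b", re.I),
    ),
    # Utah driver's licence: 6 to 10 digits.
    "utah_dl": ContentBlade(
        "Utah License Number",
        re.compile(r"(?<!\d)\d{6,10}(?!\d)"),
        re.compile(r"\b(?:driver'?s licen[cs]e|licen[cs]e number|utah|ut)\b", re.I),
    ),
}


def find_matches(blade: ContentBlade, text: str) -> List[str]:
    """Return the identifiers in `text` that have a corroborating term nearby."""
    hits = []
    for m in blade.pattern.finditer(text):
        lo = max(0, m.start() - blade.window)
        hi = min(len(text), m.end() + blade.window)
        if blade.terms.search(text[lo:hi]):
            hits.append(m.group(0))
    return hits


def evaluate(blade: ContentBlade, labelled_docs: List[Tuple[str, bool]]):
    """Classify each (text, is_sensitive) pair as TP/FP/TN/FN as in Table 16-2
    and compute recall (sensitive docs caught) and precision (flagged docs
    that really were sensitive)."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for text, sensitive in labelled_docs:
        flagged = bool(find_matches(blade, text))
        if flagged and sensitive:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1
        elif sensitive:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return counts, recall, precision


# Constructed sample documents; every number below is made up.
SAMPLE_DOCS = [
    ("Please update my Social Security record; my number is 123456789.", True),   # TP
    ("Tracking number 987654321 was delivered to the front desk.", False),       # TN
    ("SSN helpdesk ticket 400120456 closed, no customer data attached.", False),  # FP
    ("My social is 123-45-6789, please keep it private.", True),                 # FN
]

if __name__ == "__main__":
    counts, recall, precision = evaluate(BLADES["ssn_unformatted"], SAMPLE_DOCS)
    print(counts, f"recall={recall:.2f}", f"precision={precision:.2f}")
```

The fourth sample shows why the guide pairs an unformatted blade with a formatted one: a hyphenated SSN is a false negative for this blade alone, while the third sample shows the false positive that the corroborating-term rule cannot avoid when the term is present for another reason.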
Index A add, service 21 admin user account 33 alarms for vShield Endpoint 174 App Firewall about L4 and L2/L3 rules 162 adding L4 rules 163 adding rules from Flow Monitoring 158 change order of rule 167 Default Rules 162 deleting rules 166 hierarchy of rules 162 planning rule enforcement 163 revert to previous rule 167 appliance add 62 delete 63 edit 63 Audit Logs 28, 45 audit messages for vShield Endpoint 175 B Backups on-demand 39 restoring 40 scheduling 40 C Cluster Level Rules 162 content blades ABA
Iowa Drivers License Number Content Blade 204 Italy Driving License Number Content Blade 205 Italy IBAN Number Content Blade 205 Italy National Identification Numbers Content Blade 203 ITIN Unformatted Content Blade 205 Kansas Drivers License Number Content Blade 206 Kentucky Drivers License Number Content Blade 206 Louisiana Drivers License Number Content Blade 206 Maine Drivers License Number Content Blade 206 Manitoba Drivers Licence Content Blade 206 Maryland Drivers Licens
Wisconsin License Number Content Blade 216 Wyoming License Number Content Blade 216 D data on-demand backups 39 restoring a backup 40 scheduling backups 40 Data Center High Precedence Rules 162 Data Center Low Precedence Rules 162 Data Security,policy,regulations 178 Data Security,user roles 177 date 18 date range for Flow Monitoring 159 Default Rules 162 delete service manager 149 service profile 150 delete service 149 deleting a user 36 DNS 17 E editing a user account 35 events sending to syslog
Colorado HB-1119 185 Connecticut SB-650 186 Credit Card Numbers 186 Custom Account Numbers 186 EU Debit Card Numbers 186 FERPA (Family Educational Rights and Privacy Act) 186 Florida HB-481 187 France IBAN Numbers Policy 187 France National Identification Numbers Policy 187 Georgia SB-230 Policy 187 Germany BIC Numbers Policy 188 Germany Driving License Numbers Policy 188 Germany IBAN Numbers Policy 188 Germany National Identification Numbers Policy 188 Germany VAT Numbers Poli
SSL VPN-plus, authentication, add 107, 114 SSL VPN-Plus add installation package 105, 125 add IP pool 104, 120 add private network 104, 123 add user 106, 114, 128 enable 112, 120 installation package add 105, 125 delete 127 IP pool add 104, 120 delete 121 disable 122 edit 121, 122 private network change order of 125 delete 124 users add 106, 114, 128 change password 129 delete 129 edit 128 SSL VPN,overview 103 static route add 77 set default gateway 77 status of update 37 vShield App 152 vShield Edge
scan 180 supported file formats 216 user roles 177 vShield Edge about 9 add appliance 62 add CA certificate 68 add DHCP binding 79 add DHCP IP pool 78 add NAT rules 75 certificate revocation list 69 certificates 67 client certificates 69 configure CA signed certificate 67 configure self signed certificate 68 configure settings 62 delete appliance 63 DHCP 78 DNS servers 141 edit appliance 63 firewall rules add 70 change priority 74 delete 74 edit 74 manage 70 force sync 143 HA 1