
Vmware Vshield Manager 4 1

User reviews and opinions

dsp@zdt.com, 7:21am on Saturday, August 28th, 2010
Fast, reliable seller. I live in Eastern Europe; the condition of the product was as listed. Factory seal. The delivery. The best for what it is, BUT DON'T BUY FROM AMAZON.

dyrer, 3:03am on Saturday, July 31st, 2010
I replaced my first-gen iPod Touch, which I had since they first came out a few years ago, with this new beast of a device. First of all.

ocroquette, 5:08pm on Wednesday, May 12th, 2010
Bought the 16G WiFi for my wife. She enjoys playing games, surfing the web, reading books, reading email and catching up on her soaps at ABC.com. Awesome game player, and has replaced my laptop, but I do not have the need for business and so I do not know how those work. Great for traveling,...

vShield Quick Start Guide
vShield Manager 4.1, vShield Edge 1.0, vShield App 1.0, vShield Endpoint 1.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000375-00

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com


Contents

About This Book

1 Introduction to vShield
  vShield Components at a Glance
    vShield Manager
    vShield Zones
    vShield Edge
    Standard vShield Edge Services (Including Cloud Director)
    Advanced vShield Edge Services
    vShield App
    vShield Endpoint
  Deployment Scenarios
    Protecting the DMZ
    Isolating and Protecting Internal Networks
    Protecting Virtual Machines in a Cluster
    Common Deployments of vShield Edge
    Common Deployments of vShield App

2 Preparing for Installation
  System Requirements
    Hardware
    Software
    Client and User Access
  Deployment Considerations
    Preparing Virtual Machines for vShield Protection
      How Are My Virtual Machines Grouped?
      Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?
      How Do I Isolate a Group of Virtual Machines?
    vShield Manager Uptime
    Communication Between vShield Components
    Hardening Your vShield Virtual Machines
      vShield Manager User Interface
      Command Line Interface
      REST Requests

3 Installing the vShield Manager and vShield Zones
  Obtain the vShield Manager OVA File
  Install the vShield Manager Virtual Appliance
  Configure the Network Settings of the vShield Manager
  Log In to the vShield Manager User Interface
  Synchronize the vShield Manager with the vCenter Server
  Register the vShield Manager Plug-In with the vSphere Client
  Change the Password of the vShield Manager User Interface Default Account
  Install vShield Zones
  Where to Go Next

4 Installing vShield Edge, vShield App, and vShield Endpoint
  Running vShield in Evaluation Mode
  Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint
    Install vShield Component Licenses
    Prepare All ESX Hosts
    Prepare a vNetwork for Port Group Isolation
    Install a vShield Edge
  Installing vShield Endpoint
    vShield Endpoint Installation Workflow
    Install the Thin Agent on the Guest Virtual Machine
      Prerequisites
  Where to Go Next

Index

About This Book

The vShield Quick Start Guide provides information about installing VMware vShield into your VMware Virtual Infrastructure environment.

Intended Audience

This book is intended for anyone who wants to install or use VMware vShield. The information in this book is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations. This book also assumes familiarity with VMware Virtual Infrastructure, including vCenter Server 4.x, VMware ESX 4.x, and the vSphere Client.

VMware Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

VMware Infrastructure Documentation

The following documents comprise the VMware vShield documentation set:
- vShield Administration Guide
- vShield Quick Start Guide
- vShield API Programming Guide

You should also have access to the combined vCenter Server and ESX documentation set.

Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support. Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

Introduction to vShield

This chapter introduces the VMware vShield components you install. The chapter includes the following topics:
- vShield Components at a Glance
- Deployment Scenarios

vShield Components at a Glance

VMware vShield is a suite of security virtual appliances built for VMware vCenter Server integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals. vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and a REST API. vCenter Server includes vShield Manager and vShield Zones. The following vShield packages each require a license:
- vShield Edge with Port Group Isolation
- vShield App
- vShield Endpoint

One vShield Manager manages multiple vShield Zones, vShield Edge, vShield App, and vShield Endpoint instances.

vShield Manager

The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents. Using the vShield Manager user interface or vSphere Client plug-in, administrators install, configure, and maintain vShield components. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel, and includes the Hosts & Clusters and Networks views.

vShield Zones

vShield Zones provides firewall protection for traffic between virtual machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination port, and service.

vShield Edge

vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

Standard vShield Edge Services (Including Cloud Director)

- Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
- Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
- Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.

Advanced vShield Edge Services

- Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
- Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.

vShield Edge supports syslog export for all services to remote servers.

[Figure 1-1. vShield Edge Installed to Secure a vDS Port Group]

vShield App

vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.

vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.

vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.

You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.

The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational.

[Figure: Unprotected Cluster / Protected Cluster]

Common Deployments of vShield Edge

You can use a vShield Edge with the Port Group Isolation feature to isolate a stub network, using NAT to allow traffic in and out of the network. If you deploy internal stub networks, you can use vShield Edge to secure communication between networks by using LAN-to-LAN encryption via VPN tunnels. vShield Edge can be deployed as a self-service application within VMware Cloud Director.

Common Deployments of vShield App

You can use vShield App to create security zones within a vDC. You can impose firewall policies on vCenter containers or Security Groups, which are custom containers you can create by using the vShield Manager user interface. Container-based policies enable you to create mixed-trust-zone clusters without requiring an external physical firewall. In a deployment that does not use vDCs, use a vShield App with the Security Groups feature to create trust zones and enforce access policies.

Service Provider Admins can use vShield App to impose broad firewall policies across all guest virtual machines in an internal network. For example, you can impose a firewall policy on the second vNIC of all guest virtual machines that allows the virtual machines to connect to a storage server, but blocks the virtual machines from addressing any other virtual machines.
Preparing for Installation

This chapter provides an overview of the prerequisites for successful vShield installation. The chapter includes the following topics:
- System Requirements
- Deployment Considerations

System Requirements

Before installing vShield in your vCenter Server environment, consider your network configuration and resources. You can install one vShield Manager per vCenter Server, one vShield App per ESX host, and one vShield Edge per port group. To install vShield, you must meet the following requirements:

Hardware

Table 2-1 lists the hardware requirements for this version of vShield.

Table 2-1. Hardware Requirements

Component    Minimum
Memory       8 GB
Disk Space   8 GB for the vShield Manager
             5 GB per vShield App per ESX host
             100 MB per vShield Edge
Network      2 gigabit NICs on an ESX host

Software

- VMware vCenter Server 4.0 Update 1 or later. NOTE: vShield Endpoint requires vCenter Server 4.1 or later. Table 2-2 lists the vCenter versions that are compatible with this version of vShield.

Table 2-2. Supported vCenter Versions

vCenter Release          Build Number
4.0 Update 1             208111
4.1 GA
4.1 GA vSphere Client

- VMware ESX 4.0 Update 1 or later for each server. NOTE: vShield Endpoint requires ESX 4.1 or later. Table 2-3 lists the ESX and ESXi versions that are compatible with this version of vShield.

Table 2-3. Supported ESX and ESXi Versions

ESX or ESXi Release      Build Number
4.0 Update 1             208167
4.1 GA                   260247

- VMware vCloud Director 1.0. Table 2-4 lists the vCloud Director versions that are compatible with this version of vShield.

Table 2-4. Supported vCloud Director Versions

vCloud Director Release  Build Number
1.0                      285979

Client and User Access

- PC with the VMware vSphere Client
- Permissions to add and power on virtual machines
- Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore
- Enable cookies on your Web browser to access the vShield Manager user interface
- Connect to the vShield Manager using one of the following supported Web browsers:
  - Internet Explorer 6.x and later
  - Mozilla Firefox 1.x and later
  - Safari 1.x or 2.x
Deployment Considerations

Consider the following recommendations and restrictions before you deploy vShield components.

Preparing Virtual Machines for vShield Protection

You must determine how to protect your virtual machines with vShield. Consider the following questions:

How Are My Virtual Machines Grouped?

You might consider moving virtual machines to port groups on a vDS or a different ESX host to group virtual machines by function, department, or other organizational need to improve security and ease configuration of access rules. You can install vShield Edge at the perimeter of any port group to isolate virtual machines from the external network. You can install a vShield App on an ESX host and configure firewall policies per container resource to enforce rules based on the hierarchy of resources.

Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?

Yes. If you install a vShield App on each ESX host in a cluster, you can migrate machines between hosts without weakening the security posture. vShield App instances cannot be migrated to other hosts, thus each instance maintains state for existing sessions.
How Do I Isolate a Group of Virtual Machines?

You can use vShield Edge with the Port Group Isolation feature or VLANs to isolate virtual machines from the external network.
1 Install Port Group Isolation on each ESX host that a vDS spans.
2 Create a port group on the vDS.
3 Enable Port Group Isolation on the vDS.
4 Install a vShield Edge on the port group.
5 Move the virtual machines to the port group.
6 Configure vShield Edge NAT rules for traffic in and out of the port group.

NOTE You can also use VLANs to isolate virtual machines protected by a vShield Edge. If you use VLANs, the internal port group connected to a vShield Edge must have a VLAN tag that is different from the external port group.

vShield Manager Uptime

The vShield Manager should be run on an ESX host that is not affected by downtime, such as frequent reboots or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If the ESX host on which the vShield Manager resides is expected to require downtime, vMotion the vShield Manager virtual appliance to another ESX host. Thus, more than one ESX host is recommended.

Communication Between vShield Components

The management interfaces of vShield components should be placed in a common network, such as the vSphere management network. The vShield Manager requires connectivity to the vCenter Server, as well as all vShield App and vShield Edge instances. vShield components can communicate over routed connections as well as different LANs.

NOTE The vShield Manager must be in the same vCenter Server environment as the vShield components to be managed. You cannot use the vShield Manager across different vCenter Server environments.

Hardening Your vShield Virtual Machines

You can access the vShield Manager and other vShield components by using a web-based user interface, command line interface, and REST API. vShield includes default login credentials for each of these access options. After installation of each vShield virtual machine, you should harden access by changing the default login credentials. Every vShield appliance ships with the same default pair, so an appliance left on the defaults is reachable by anyone who can route to its management port.

vShield Manager User Interface

You access the vShield Manager user interface by opening a web browser window and navigating to the IP address of the vShield Manager's management port. The default user account, admin, has global access to the vShield Manager. After initial login, you should change the default password of the admin user account. See Change the Password of the vShield Manager User Interface Default Account.

Command Line Interface

You can access the vShield Manager, vShield App, and vShield Edge virtual appliances by using a command line interface via a vSphere Client console session. Each virtual appliance uses the same default username (admin) and password (default) combination as the vShield Manager user interface. Entering Enabled mode also uses the password default. For more on hardening the CLI, see the vShield Administration Guide.

REST Requests

All REST API requests require authentication with the vShield Manager. Using Base64 encoding, you identify a username-password combination in the following format: username:password. You must use a vShield Manager user interface account (username and password) with privileged access to perform requests. Base64 is a reversible encoding, not encryption, so the credentials in the Authorization header are protected only by the TLS session to the vShield Manager; never send REST requests over plain HTTP. For more on authenticating REST API requests, see the vShield API Programming Guide.
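The following Python example is added here and is not code from the vShield guide or from the vShield API. It builds the Base64 "username:password" token the guide describes, shows that the token decodes straight back to the password, refuses to attach it to anything but an HTTPS URL, and audits a list of management addresses for appliances that still accept the shipped admin/default pair. The host names, the request path, the 200/401 status convention and the fake transport are all constructed for the example; a real audit would call the endpoint documented in the vShield API Programming Guide through an HTTP client.

```python
"""Added example: HTTP Basic credentials for vShield Manager REST calls.

Not from the vShield guide or API. Host names, the request path and the
fake transport below are constructed so the audit runs offline.
"""
import base64
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "default"  # shipped default named in the guide


def basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic authentication."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(value: str) -> Tuple[str, str]:
    """Recover (username, password) from a Basic header: Base64 hides nothing."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def is_https(url: str) -> bool:
    return urlsplit(url).scheme == "https"


def prepare_request(url: str, username: str, password: str) -> Dict[str, str]:
    """Headers for a vShield Manager REST call; only TLS protects the token."""
    if not is_https(url):
        raise ValueError(f"refusing to send Basic credentials to {url}")
    return {"Authorization": basic_auth_header(username, password)}


# transport(url, headers) -> HTTP status; injected so the audit runs offline.
Transport = Callable[[str, Dict[str, str]], int]


def audit_default_credentials(hosts: List[str], transport: Transport,
                              path: str = "/") -> List[str]:
    """Return hosts that accept a request authenticated as admin/default."""
    still_default = []
    for host in hosts:
        url = f"https://{host}{path}"  # path is an assumption, see lead-in
        headers = prepare_request(url, DEFAULT_USER, DEFAULT_PASSWORD)
        if transport(url, headers) == 200:
            still_default.append(host)
    return still_default


def fake_transport(passwords: Dict[str, str]) -> Transport:
    """Constructed stand-in for the appliances: host -> configured admin password."""
    def send(url: str, headers: Dict[str, str]) -> int:
        host = urlsplit(url).hostname
        user, pw = decode_basic_auth_header(headers["Authorization"])
        return 200 if user == DEFAULT_USER and passwords.get(host) == pw else 401
    return send


# Constructed fleet: one vShield App appliance was never re-passworded.
SAMPLE_FLEET = {
    "vsm.lab.example": "S3cure-Pa55",
    "vsapp-esx01.lab.example": "default",
    "vsedge-dmz.lab.example": "S3cure-Pa55",
}


def run_sample_audit() -> List[str]:
    return audit_default_credentials(sorted(SAMPLE_FLEET), fake_transport(SAMPLE_FLEET))


if __name__ == "__main__":
    print(basic_auth_header(DEFAULT_USER, DEFAULT_PASSWORD))
    print("still on default credentials:", run_sample_audit())
```

Swap `fake_transport` for a real client that returns the response status to run this against a lab; keep `prepare_request` in the path so a mistyped http:// URL fails before the token leaves the host.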

Installing the vShield Manager and vShield Zones

VMware vShield provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure. vShield virtual appliance installation has been automated for most virtual datacenters.

The vShield Manager is the centralized management component of vShield. You use the vShield Manager to monitor and push configurations to vShield App, vShield Endpoint, and vShield Edge instances. The vShield Manager runs as a virtual appliance on an ESX host.

VMware vShield is included with VMware ESX 4.0 and 4.1. The base VMware vShield package includes the vShield Manager and vShield Zones. You can configure the vShield Zones firewall rule set to monitor traffic based on IP address-to-IP address communication.

Installing the vShield Manager is a multi-step process. You must perform all of the tasks that follow in sequence to complete vShield Manager installation successfully.

This chapter includes the following topics:
- Obtain the vShield Manager OVA File
- Install the vShield Manager Virtual Appliance
- Configure the Network Settings of the vShield Manager
- Log In to the vShield Manager User Interface
- Synchronize the vShield Manager with the vCenter Server
- Register the vShield Manager Plug-In with the vSphere Client
- Change the Password of the vShield Manager User Interface Default Account
- Install vShield Zones
- Where to Go Next

Obtain the vShield Manager OVA File

The vShield Manager virtual machine is packaged as an Open Virtualization Appliance (OVA) file, which allows you to use the vSphere Client to import the vShield Manager into the datastore and virtual machine inventory.

Install the vShield Manager Virtual Appliance

You can install the vShield Manager virtual machine on an ESX host in a cluster configured with DRS. The target ESX host must be managed by the same vCenter instance as the ESX hosts on which you want to deploy vShield Zones or vShield App instances. A single vShield Manager serves a single vCenter Server environment.

The vShield Manager virtual machine installation includes VMware Tools. Do not attempt to upgrade or install VMware Tools on the vShield Manager.

To install the vShield Manager
1 Log in to the vSphere Client.
2 Create a port group to home the management interface of the vShield Manager. The vShield Manager management interface must be reachable by all future vShield Edge, vShield App, and vShield Endpoint instances.
  NOTE Do not place the management interface of the vShield Manager in the same port group as the Service Console and VMkernel.
3 Go to File > Deploy OVF Template.
4 Click Deploy from file and click Browse to locate the folder on your PC containing the vShield Manager OVA file.
5 Complete the wizard. The vShield Manager is installed as a virtual machine into your inventory.
6 Power on the vShield Manager virtual machine.

Configure the Network Settings of the vShield Manager

You must use the command line interface (CLI) of the vShield Manager to configure an IP address, identify the default gateway, and set DNS settings. You can specify up to two DNS servers that the vShield Manager can use for IP address and hostname resolution. DNS is required if any ESX host in your vCenter Server environment was added by using the hostname (instead of the IP address).

To configure the vShield Manager network settings by using the vShield Manager CLI
1 Right-click the vShield Manager virtual machine and click Open Console to open the command line interface (CLI) of the vShield Manager. The booting process might take a few minutes.
2 After the manager login prompt appears, log in to the CLI by using the username admin and the password default.
3 Enter Enabled mode by using the password default.

Register the vShield Manager Plug-In with the vSphere Client

The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the plug-in is registered, you can configure most vShield options from the vSphere Client.

To register the vShield Manager as a vSphere Client Plug-in
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click vSphere Plug-in.
4 Click Register.
5 If you are logged in to the vSphere Client, log out.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that the vShield tab appears as an option.

Change the Password of the vShield Manager User Interface Default Account

You can change the password of the admin account to harden access to your vShield Manager.

To change the admin account password
1 Log in to the vShield Manager user interface.
2 Click Settings & Reports from the vShield Manager inventory panel.
3 Click the Users tab.
4 Select the admin account.
5 Click Update User.
6 Enter a new password.
7 Confirm the password by typing it a second time in the Retype Password field.
8 Click OK to save your changes.

Install vShield Zones

The following information is required for vShield Zones installation on an ESX host:
- One IP address for the management (MGMT) port of each vShield Zones virtual appliance. Each IP address should be reachable from the vShield Manager and sit on the Management network used for vCenter and ESX host management interfaces.
- Local or network storage to place the vShield Zones disk.

vShield Zones virtual appliances include VMware Tools. Do not attempt to alter or upgrade the VMware Tools software on a vShield Zones virtual appliance.

To install vShield Zones
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Accept the security certificate. Verify that the certificate presented belongs to your vShield Manager before accepting it.
5 Click Install for the vShield Zones service.
6 Enter the following information.

Field                  Action
Datastore              Select the datastore on which to store the vShield Zones virtual machine files.
Management Port Group  Select the port group to host the vShield Zones management interface. This port group must be able to reach the vShield Manager's port group.
IP Address             Type the IP address to assign to the vShield Zones management interface.
Netmask                Type the IP subnet mask associated with the assigned IP address.
Default Gateway        Type the IP address of the default network gateway.

7 Click Install at the top of the form. You can follow the vShield Zones installation steps from the Recent Tasks pane of the vSphere Client screen.
8 After installation of all components is complete, go to the vShield Zones > Zones Firewall tab at the datacenter, cluster, or port group container level to configure firewall rules. Each vShield Zones instance inherits global firewall rules set in the vShield Manager. The default firewall rule set allows all traffic to pass. You must configure blocking rules to explicitly deny traffic. To configure Zones Firewall rules, see the vShield Administration Guide.

NOTE You can upgrade vShield Zones to vShield App by obtaining a vShield App license. vShield App enhances vShield Zones protection by offering Flow Monitoring, custom container creation (Security Groups), and container-based access policy creation and enforcement. You do not have to uninstall vShield Zones to install vShield App. All vShield Zones instances become vShield App instances, the Zones Firewall becomes App Firewall, and the additional vShield App features are enabled.

Where to Go Next

After vShield Manager installation is complete, you can configure vShield Zones firewall settings and analyze traffic. For more, see the vShield Administration Guide. To enhance your network security posture, you can obtain licenses for vShield App, vShield Endpoint, and vShield Edge. For more, see Chapter 4, Installing vShield Edge, vShield App, and vShield Endpoint.
Installing vShield Edge, vShield App, and vShield Endpoint

After the vShield Manager and vShield Zones are installed, you can obtain licenses to activate vShield App, vShield Endpoint, and vShield Edge components. The vShield Manager OVA package includes the drivers and files required to install these add-on components.

This chapter includes the following topics:
- Running vShield in Evaluation Mode
- Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint
- Installing vShield Endpoint
- Where to Go Next

Running vShield in Evaluation Mode

Before purchasing and activating licenses for vShield Edge, vShield App, and vShield Endpoint, you can install and run evaluation modes of the software. When run in evaluation mode, intended for demonstration and evaluation purposes, your vShield Edge, vShield App, and vShield Endpoint are completely operational immediately after installation, do not require any licensing configuration, and provide full functionality for 60 days from the time you first activate them. When run in evaluation mode, vShield components can support a maximum allowed number of instances.

After the 60-day trial period expires, unless you obtain licenses for your software, you cannot use vShield. For example, you cannot power on vShield App or vShield Edge virtual appliances or protect your virtual machines. To continue using the vShield App and vShield Edge functionality without interruptions, or to restore the features that become unavailable after the 60-day trial, you need to obtain and install license files that activate the features appropriate for the vShield component you purchased.

Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint

Prior to installation, the add-on components require preparation of your ESX host and vNetwork environments. You install vShield App, vShield Endpoint, and the Port Group Isolation feature on ESX hosts. You install vShield Edge on a port group, vNetwork Distributed Switch (vDS) port group, or a Cisco Nexus 1000V.

If you intend to use the Port Group Isolation feature, you should install Port Group Isolation on all ESX hosts in your vCenter environment before you install any vShield Edge virtual machines. If you do not install Port Group Isolation and attempt to enable the feature during vShield Edge installation, Port Group Isolation does not work. See Prepare All ESX Hosts.

Install vShield Component Licenses

You must install licenses for vShield Edge, vShield App, and vShield Endpoint before installing these components. You can install these licenses after vShield Manager installation is complete by using the vSphere Client.

To install vShield component licenses
1 From a vSphere Client host that is connected to a vCenter Server system, select Home > Licensing.
2 For the report view, select Asset.
3 Right-click a vShield asset and select Change license key.
4 Select Assign a new license key and click Enter Key.
5 Enter the license key, enter an optional label for the key, and click OK.
6 Click OK.
7 Repeat these steps for each vShield component for which you have a license.

Prepare All ESX Hosts

You should prepare all ESX hosts in your vCenter environment for vShield add-on functionality. The following information is required for ESX host preparation:
- One IP address for the management (MGMT) port of each vShield App virtual appliance. Each IP address should be reachable from the vShield Manager and sit on the Management network used for vCenter and ESX host management interfaces.
- Local or network storage to place the vShield App and Port Group Isolation disks.

vShield virtual appliances include VMware Tools. Do not attempt to alter or upgrade the VMware Tools software on a vShield virtual appliance.

To prepare an ESX host for vShield add-on functionality
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Accept the security certificate.
5 Click Install for the vShield App service. You will be able to install all three services on the next screen.
6 Under vShield App, enter the following information.

Field                  Action
Datastore              Select the datastore on which to store the vShield App virtual machine files.
Management Port Group  Select the port group to host the vShield App's management interface. This port group must be able to reach the vShield Manager's port group.
IP Address             Type the IP address to assign to the vShield App's management interface.
Netmask                Type the IP subnet mask associated with the assigned IP address.
Default Gateway        Type the IP address of the default network gateway.

7 Select the vShield Edge Port Group Isolation Host Preparation check box.
8 Select the Datastore on which to store the Port Group Isolation service files.
9 Select the vShield Endpoint check box.
10 Click Install at the top of the form. You can follow the vShield App installation steps from the Recent Tasks pane of the vSphere Client screen.
11 After installation of all components is complete, do the following:
- vShield App: At this point, vShield App installation is complete. Go to the vShield App > App Firewall tab at the datacenter, cluster, or port group container level to configure firewall rules. Each vShield App inherits global firewall rules set in the vShield Manager. The default firewall rule set allows all traffic to pass. You must configure blocking rules to explicitly block traffic. To configure App Firewall rules, see the vShield Administration Guide.
- Port Group Isolation: You must enable the Port Group Isolation feature on each vDS. After enablement is complete, install a vShield Edge on each vDS port group. See Prepare a vNetwork for Port Group Isolation.
- vShield Endpoint: To complete installation, see Installing vShield Endpoint.
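Both the Zones Firewall step above and the App Firewall note here make the same point: every instance inherits a rule set whose final rule allows all traffic, so nothing is blocked until you add explicit deny rules. The Python example below is added here to show what that means for the 5-tuple matching the guide describes (source IP, destination IP, source port, destination port, service); it is not code from the vShield guide or product. The rule evaluator, the three policies and the sample flows are constructed, and the tier addresses (web 10.0.1.0/24, db 10.0.2.0/24, management 10.0.0.0/24) are assumptions. It goes slightly beyond the guide by contrasting a block list placed in front of the default allow with an allow list closed by a trailing deny.

```python
"""Added example: first-match 5-tuple rule evaluation for a Zones/App firewall.

Not from the vShield guide. Policies, addresses and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "any"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    service: str              # "tcp", "udp", "icmp" or "any"
    dst_ports: Tuple[int, int] = ALL_PORTS
    src_ports: Tuple[int, int] = ALL_PORTS
    action: str = "allow"     # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    service: str
    src_port: int = 0
    dst_port: int = 0


def _ip_in(spec: str, ip: str) -> bool:
    return spec == ANY or ip_address(ip) in ip_network(spec, strict=False)


def _port_in(span: Tuple[int, int], port: int) -> bool:
    return span[0] <= port <= span[1]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.service != ANY and rule.service != flow.service:
        return False
    if not (_ip_in(rule.src, flow.src_ip) and _ip_in(rule.dst, flow.dst_ip)):
        return False
    if flow.service in ("tcp", "udp"):   # ICMP carries no ports
        return _port_in(rule.src_ports, flow.src_port) and _port_in(rule.dst_ports, flow.dst_port)
    return True


# The rule every Zones/App instance inherits until you change it.
DEFAULT_ALLOW_ALL = Rule("default", ANY, ANY, ANY, action="allow")


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    raise ValueError("rule set has no catch-all rule")


def default_policy() -> List[Rule]:
    return [DEFAULT_ALLOW_ALL]


def blocklist_policy() -> List[Rule]:
    """What the guide asks for: explicit deny rules ahead of the default allow."""
    return [
        Rule("block-ssh-to-db", ANY, "10.0.2.0/24", "tcp", dst_ports=(22, 22), action="deny"),
        DEFAULT_ALLOW_ALL,
    ]


def allowlist_policy() -> List[Rule]:
    """Tighter: enumerate what is needed, then deny the rest."""
    return [
        Rule("web-to-db", "10.0.1.0/24", "10.0.2.0/24", "tcp", dst_ports=(3306, 3306)),
        Rule("mgmt-icmp", "10.0.0.0/24", ANY, "icmp"),
        Rule("deny-all", ANY, ANY, ANY, action="deny"),
    ]


# Constructed sample traffic.
WEB_TO_DB_SQL = Flow("10.0.1.10", "10.0.2.20", "tcp", 40000, 3306)
WEB_TO_DB_SSH = Flow("10.0.1.10", "10.0.2.20", "tcp", 40001, 22)
DB_TO_WEB_HTTP = Flow("10.0.2.20", "10.0.1.10", "tcp", 5000, 80)   # no deny rule names it
MGMT_PING_DB = Flow("10.0.0.5", "10.0.2.20", "icmp")


if __name__ == "__main__":
    policies = {"default": default_policy(), "blocklist": blocklist_policy(),
                "allowlist": allowlist_policy()}
    for label, flow in [("web->db 3306", WEB_TO_DB_SQL), ("web->db 22", WEB_TO_DB_SSH),
                        ("db->web 80", DB_TO_WEB_HTTP), ("mgmt->db icmp", MGMT_PING_DB)]:
        verdicts = ", ".join(f"{name}: {evaluate(rules, flow)[0]}" for name, rules in policies.items())
        print(f"{label:14} {verdicts}")
```

The db-to-web HTTP flow is the one to watch: the inherited default allows it, the block list still allows it because nobody wrote a rule for it, and only the allow list with a trailing deny stops it.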
Prepare a vNetwork for Port Group Isolation

Port Group Isolation creates a barrier between the virtual machines protected by a vShield Edge and the external network. When you enable Port Group Isolation and install a vShield Edge on a vDS port group, you isolate each secured vDS port group from the external network. When Port Group Isolation is enabled, traffic is not allowed access to the virtual machines in the secured port group unless NAT rules or VLAN tags are configured.

NOTE Port Group Isolation is an optional feature that is not required for vShield Edge operation. Port Group Isolation is available for vDS-based vShield Edge installations only.

To use Port Group Isolation, you must enable this feature on each vDS on which you will install a vShield Edge.
1 Enable Port Group Isolation on each vDS.
2 Install a vShield Edge on each vDS port group you plan to secure.
3 Move the virtual machines to secured vDS port groups.

Install a vShield Edge

Click Install. After installation is complete, configure services and firewall rules to protect the virtual machines in the secured port group. To configure a vShield Edge, see the vShield Administration Guide.
Installing vShield Endpoint
Theinstallationinstructionsthatfollowassumethatyouhavethefollowingsystem:
AdatacenterwithvCenterServer4.1installedandrunning,andESX4.1installedoneachESXhostinthe cluster. vShieldManager4.1installedandrunning. Antivirussolutionmanagementserverinstalledandrunning.
vShield Endpoint Installation Workflow
AfterpreparingtheESXhostforvShieldEndpointinstallationiscomplete,installvShieldEndpointinthese stages: Deployandconfigureasecurityvirtualmachine(SVM)toeachESXhostaccordingtotheinstructions fromtheantivirussolutionprovider. InstallthevShieldEndpointthinagentonallvirtualmachinestobeprotected.Forinstructions,see InstalltheThinAgentontheGuestVirtualMachineonpage 27.
Install the Thin Agent on the Guest Virtual Machine
Thethinagentmustbeinstalledoneachguestvirtualmachinetobeprotected.Virtualmachineswiththethin agentinstalledareautomaticallyprotectedwhenevertheyarestarteduponanESXhostthathasthesecurity solutioninstalled.Thatis,protectedvirtualmachinesretainthesecurityprotectionthroughshutdownsand restarts,andevenafteravMotionmovetoanotherESXhostwiththesecuritysolutioninstalled.

Prerequisites

Make sure that the guest virtual machine has a supported version of Windows installed. Supported versions of the Windows operating system for vShield Endpoint 1.0 are:
Windows Vista (32 bit)
Windows 7 (32 bit)
Windows XP (32 bit)
Windows 2003 (32/64 bit)
Windows 2008 (32/64 bit)
Make sure that the thin agent and the virtual machine are both either 32-bit or 64-bit versions. You cannot mix the two versions.
Make sure the guest virtual machine has a SCSI controller installed.
IMPORTANT When you create a new virtual machine, the default configuration does not include a SCSI controller. You must specifically add a SCSI controller to the virtual machine. To find instructions on how to add SCSI controllers to a virtual machine, see the vSphere Client help: vSphere Client Help > Managing Virtual Machine Hardware and Devices > Adding Virtual Devices > Add SCSI Controllers
CAUTION BusLogic SCSI controllers are not supported.
To install the Thin Agent
1 The installation package is located at the same VMware customer site where you downloaded vShield Manager. The package name has the following form:
32 bit: VMware-vShield-Endpoint-Driver-1.0.0-<build number>.x86-32.msi
64 bit: VMware-vShield-Endpoint-Driver-1.0.0-<build number>.x86-64.msi
This is a standard Microsoft installer package.
2 Download and execute the installation package on the target host. The thin agent must be installed on every guest virtual machine to be protected.
3 Reboot the guest virtual machine to complete the installation. If you run a silent install using msiexec, the reboot will happen automatically.
After installation is complete, see the vShield Administration Guide for configuration, monitoring, and maintenance.

doc1

Chapter 3 Management System Settings
Set the vShield Manager Date and Time
You can set the date, time, and time zone of the vShield Manager. You can also specify a connection to an NTP server to establish a common network time. Date and time values are used in the system to stamp events as they occur.
To set the date and time configuration of the vShield Manager
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Date/Time.
4 In the Date and Clock field, type the date and time in the format YYYY-MM-DD HH:MM:SS.
5 In the NTP Server field, type the IP address of your NTP server. You can type the hostname of your NTP server if you have set up DNS service.
6 From the Time Zone drop-down menu, select the appropriate time zone.
7 Click Save.

Identify a Proxy Server

If you use a proxy server for network connectivity, you can configure the vShield Manager to use the proxy server. The vShield Manager supports application-level HTTP/HTTPS proxies such as CacheFlow and Microsoft ISA Server.
To identify a proxy server
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click HTTP Proxy.
4 From the Use Proxy drop-down menu, select Yes.
5 (Optional) Type the hostname of the proxy server in the Proxy Host Name field.
6 Type the IP address of the proxy server in the Proxy IP Address field.
7 Type the connecting port number on your proxy server in the Proxy Port field.
8 Type the User Name required to log in to the proxy server.
9 Type the Password associated with the user name for proxy server login.
10 Click Save.
Download a Technical Support Log from a Component
You can use the Support option to download the system log from a vShield component to your PC. A system log can be used to troubleshoot operational issues.
To download a vShield component system log
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Support.
4 Under Tech Support Log Download, click Initiate next to the appropriate component. Once initiated, the log is generated and uploaded to the vShield Manager. This might take several seconds.
5 After the log is ready, click the Download link to download the log to your PC. The log is compressed and has the proprietary file extension .blsl. You can open the log using a decompression utility by browsing for All Files in the directory where you saved the file.
Back Up vShield Manager Data
You can use the Backups option to back up vShield Manager data. See Chapter 7, Backing Up vShield Manager Data, on page 39.
View vShield Manager System Status
The Status tab displays the status of vShield Manager system resource utilization, and includes the software version details, license status, and serial number. The serial number must be registered with technical support for update and support purposes.
To view the system status of the vShield Manager
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Status.
4 (Optional) Click Version Status to review the current version of system software running on your vShield components. The Update Status tab appears. See View the Current System Software on page 37.

vShieldZones> enable
Password:
vShieldZones# validate sessions
Revert to a Previous Zones Firewall Configuration
The vShield Manager saves a snapshot of App Firewall settings each time you commit a new rule. Clicking Commit causes the vShield Manager to save the previous configuration with a timestamp before adding the new rule. These snapshots are available from the Revert to Snapshot drop-down menu.
To revert to a previous App Firewall configuration
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the inventory panel.
3 Click the vShield Zones tab.
4 Click Zones Firewall.
5 From the Revert to Snapshot drop-down list, select a snapshot. Snapshots are presented in the order of timestamps, with the most recent snapshot listed at the top.
6 View snapshot configuration details.
7 Do one of the following:
To return to the current configuration, select the option from the Revert to Snapshot drop-down list.
Click Commit to overwrite the current configuration with the snapshot configuration.
Delete a Zones Firewall Rule
You can delete any App Firewall rule you have created. You cannot delete any rules in the Default Rules section of the table.
To delete an App Firewall rule
1 Click an existing row in the Zones Firewall table.
2 Click Delete.
3 Click Commit.

User Management

Security operations are often managed by multiple individuals. Management of the overall system is delegated to different personnel according to some logical categorization. However, permission to carry out tasks is limited only to users with appropriate rights to specific resources. From the Users section, you can delegate such resource management to users by granting applicable rights.
User management in the vShield Manager user interface is separate from user management in the CLI of any vShield component.
This chapter includes the following topics:
Managing User Rights on page 33
Add a User on page 34
Assign a Role and Rights to a User on page 34
Edit a User Account on page 34
Delete a User Account on page 35

Managing User Rights

Within the vShield Manager user interface, a user's rights define the actions the user is allowed to perform on a given resource. Rights determine the user's authorized activities on the given resource, ensuring that a user has access only to the functions necessary to complete applicable operations. This allows domain control over specific resources, or system-wide control if your right encompasses the System resource.
The following rules are enforced:
A user can only have one right to one resource.
A user cannot add to or remove assigned rights and resources.
Table 5-1. vShield Manager User Rights
Right   Description
R       Read only
CRUD    Read and Write
Table 5-2. vShield Manager User Resources
Resource     Description
System       Access to entire vShield system
Datacenter   Access to a specified datacenter resource
Cluster      Access to a specified cluster resource
None         Access to no resources

Managing the Default User Account
The vShield Manager user interface includes one default user account, user name admin, which has rights to all resources. You cannot edit the rights of or delete this user. The default password for admin is default. Change the password for this account upon initial login to the vShield Manager. See Edit a User Account on page 34.

Add a User

Basic user account creation requires assigning the user a login name and password.
To create a new user account
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click Create User. The New User screen opens.
4 Type a User Name. This is used for login to the vShield Manager user interface. This user name and associated password cannot be used to access the vShield App or vShield Manager CLIs.
5 (Optional) Type the user's Full Name for identification purposes.
6 (Optional) Type an Email Address.
7 Type a Password for login.
8 Retype the password in the Retype Password field.
9 Click OK.
After account creation, you configure right and resource assignment separately.
Assign a Role and Rights to a User
After creating a user account, you can assign the user a role and rights to system resources. The role defines the resource, and the right defines the user's access to that resource.
To assign a role and right to a user
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Double-click the Resource cell for the user.
4 From the drop-down menu that opens, select an available resource.
5 Double-click the Access Right cell for the user.
6 From the drop-down menu that opens, select an available access right.

Edit a User Account

You can edit a user account to change the password.
To edit an existing user account
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click a cell in the table row that identifies the user account.
4 Click Update User.
5 Make changes as necessary. If you are changing the password, confirm the password by typing it a second time in the Retype Password field.
6 Click OK to save your changes.

Delete a User Account

You can delete any created user account. You cannot delete the admin account. Audit records for deleted users are maintained in the database and can be referenced in an Audit Log report.
To delete a user account
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Users tab.
3 Click a cell in the table row that identifies the user account.
4 Click Delete User.

Updating System Software

vShield software requires periodic updates to maintain system performance. Using the Updates tab options, you can install and track system updates.
This chapter includes the following topics:
View the Current System Software on page 37
Upload an Update on page 37
Review the Update History on page 38
View the Current System Software
The current versions of vShield component software display under the Update Status tab.
To view the current system software
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Update Status.

Upload an Update

vShield updates are available as offline updates. When an update is made available, you can download the update to your PC, and then upload the update by using the vShield Manager user interface.
When the update is uploaded, the vShield Manager is updated first, after which each vShield App is updated. If a reboot of either the vShield Manager or a vShield App is required, the Update Status screen prompts you to reboot the component. In the event that both the vShield Manager and all vShield App instances must be rebooted, you must reboot the vShield Manager first, and then reboot each vShield App.
To upload an update
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Upload Settings.
4 Click Browse to locate the update.
5 After locating the file, click Upload File.
6 Click Confirm Install to confirm update installation. There are two tables on this screen. During installation, you can view the top table for the description, start time, success state, and process state of the current update. View the bottom table for the update status of each vShield App. All vShield App instances have been upgraded when the status of the last vShield App is displayed as Finished.
7 After the vShield Manager reboots, click the Update Status tab.
8 Click Reboot Manager if prompted.
9 Click Finish Install to complete the system update.
10 Click Confirm.
Review the Update History
The Update History tab lists the updates that have already been installed, including the installation date and a brief description of each update.
To view a history of installed updates
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Updates tab.
3 Click Update History.
Backing Up vShield Manager Data
You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. You can, however, exclude system and audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager. Backups can be executed according to a schedule or on demand.
This chapter includes the following topics:
Back Up Your vShield Manager Data on Demand on page 39
Schedule a Backup of vShield Manager Data on page 40
Restore a Backup on page 40
Back Up Your vShield Manager Data on Demand
You can back up vShield Manager data at any time by performing an on-demand backup.
To back up the vShield Manager database
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click Backups.
4 (Optional) Select the Exclude System Events check box if you do not want to back up system event tables.
5 (Optional) Select the Exclude Audit Logs check box if you do not want to back up audit log tables.
6 Type the Host IP Address of the system where the backup will be saved.
7 (Optional) Type the Host Name of the backup system.
8 Type the User Name required to log in to the backup system.
9 Type the Password associated with the user name for the backup system.
10 In the Backup Directory field, type the absolute path where backups are to be stored.
11 Type a text string in Filename Prefix. This text is prepended to the backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named as ppdbHH_MM_SS_DayDDMonYYYY.
12 From the Transfer Protocol drop-down menu, select either SFTP or FTP.
13 Click Backup. Once complete, the backup appears in a table below this form.
14 Click Save Settings to save the configuration.

To add a DHCP IP pool
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the DHCP link.
5 Under IP Pools, click Add Pool. A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information. The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP address of a DNS server for hostname-to-IP address resolution. The Domain Name and Lease Time fields are optional. The default lease time is one day.
7 Click Commit to save the rule.
8 If DHCP service has not been enabled, enable DHCP service. See Start or Stop vShield Edge Services on page 59.
To add a DHCP static binding
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the DHCP link.
5 Under Static Bindings, click Add Bindings. A new row appears in the table.
6 Double-click each cell in the row to enter or select the appropriate information. The Primary Name Server and Secondary Name Server fields refer to DNS service. You must enter the IP address of a DNS server for hostname-to-IP address resolution. The Domain Name and Lease Time fields are optional. The default lease time is one day.
7 Click Commit to save the rule.
8 If DHCP service has not been enabled, enable DHCP service. See Start or Stop vShield Edge Services on page 59.

Manage VPN Service

vShield Edge modules support site-to-site IPSec VPN between a vShield Edge and remote sites.
Figure 10-1. vShield Edge Providing VPN Access from a Remote Site to a Secured Port Group
At this time, vShield Edge supports pre-shared key mode, IP unicast traffic, and no dynamic routing protocol between the vShield Edge and remote VPN routers. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind a vShield Edge through IPSec tunnels. These subnets and the internal network behind a vShield Edge must have non-overlapping address ranges.
You can deploy a vShield Edge agent behind a NAT device. In this deployment, the NAT device translates the VPN address of a vShield Edge into a publicly accessible address facing the Internet. Remote VPN routers use this public address to access the vShield Edge.
Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native address and the NAT public address to set up the tunnel.
On both ends, static one-to-one NAT is required for the VPN address.
To configure VPN on a vShield Edge
1 In the vSphere Client, go to Inventory > Networking.
2 Select an internal port group that is protected by a vShield Edge.
3 Click the vShield Edge tab.
4 Click the VPN link.
5 Type an External IP Address for the VPN service on the vShield Edge.
6 Type the NATed Public IP that represents the External IP Address to the external network.
7 Select the Log check box to log VPN activity.
8 Click Apply.
Next, identify a peer site.

View the Current System Status of a vShield App
The System Status option lets you view and influence the health of a vShield App. Details include system statistics, status of interfaces, software version, and environmental variables.
To view the health of a vShield App
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3 Click the Configuration tab.
4 Click System Status.
From the System Status screen, you can perform the following actions:
Force a vShield App to Synchronize with the vShield Manager on page 64
Restart a vShield App on page 65
View Traffic Statistics by vShield App Interface on page 65
Download the Firewall Logs of a vShield App on page 65
Force a vShield App to Synchronize with the vShield Manager
The Force Sync option forces a vShield App to resynchronize with the vShield Manager. This might be necessary after a software upgrade.
To force a vShield App to re-synchronize with the vShield Manager
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3 Click the Configuration tab.
4 Click System Status.
5 Click Force Sync.

Restart a vShield App

You can restart a vShield App to troubleshoot an operational issue.
To restart a vShield App
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3 Click the Configuration tab.
4 Click System Status.
5 Click Restart.
6 Click OK in the pop-up window to confirm reboot.
View Traffic Statistics by vShield App Interface
You can view the traffic statistics for each vShield interface.
To view traffic statistics by vShield port
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3 Click the Configuration tab.
4 Click System Status.
5 Click an interface under the Port column to view traffic statistics. For example, to view the traffic statistics for the vShield App management interface, click mgmt.
Download the Firewall Logs of a vShield App
You can download a log of the firewall activity from a vShield App. The firewall log details the results of the firewall operation based on matching firewall rules against traffic.
To download and view the firewall log for a vShield App
1 Log in to the vShield Manager user interface.
2 Select a vShield App from the inventory panel.
3 Click the Configuration tab.
4 Click System Status.
5 Under App Firewall, click Show Logs. The vShield App uploads the log to the vShield Manager.
6 To download the log from the vShield Manager to your PC, click Download App Firewall Logs.

Flow Monitoring

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network that passed through a vShield App. The Flow Monitoring output defines which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports being used. Session details can be used to create App Firewall allow or deny rules.
You can use Flow Monitoring as a forensic tool to detect rogue services and examine outbound sessions.
This chapter includes the following topics:

Using Flow Monitoring on page 67
View a Specific Application in the Flow Monitoring Charts on page 68
Change the Date Range of the Flow Monitoring Charts on page 68
View the Flow Monitoring Report on page 68
Add an App Firewall Rule from the Flow Monitoring Report on page 69
Editing Port Mappings on page 70

Using Flow Monitoring

The Flow Monitoring tab displays throughput statistics as returned by a vShield App. Flow Monitoring displays traffic statistics in three charts:
Sessions/hr: Total number of sessions per hour
Server KBytes/hr: Number of outgoing kilobytes per hour
Client/hr: Number of incoming kilobytes per hour
Flow Monitoring organizes statistics by the application protocols used in client-server communications, with each color in a chart representing a different application protocol. This charting method enables you to track your server resources per application.
Traffic statistics display all inspected sessions within the time span specified. The last seven days of data are displayed by default.
View a Specific Application in the Flow Monitoring Charts
You can select a specific application to view in the charts by clicking the Application drop-down menu.
To view the data for a specific application in the Flow Monitoring charts
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the resource tree.
3 Click the vShield App tab.
4 Click Flow Monitoring.
5 From the Application drop-down menu, select the application to view. The Flow Monitoring charts are refreshed to show data corresponding to the selected application.
Change the Date Range of the Flow Monitoring Charts
You can change the date range of the Flow Monitoring charts for a historical view of traffic data.
To change the date range of the Flow Monitoring chart
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter or cluster resource from the resource tree.
3 Click the vShield App tab.
4 Click Flow Monitoring. The charts are updated to display the most current information for the last seven days. This might take several seconds.
5 In the Start Date field, type a new date. This date represents the date furthest in the past on which to start the query.
6 Type a new date in the End Date field. This represents the most recent date on which to stop the query.
7 Click Update Chart.
View the Flow Monitoring Report
The Flow Monitoring report presents the traffic statistics in tabular format. The report supports drilling down into traffic statistics based on the following hierarchy:
1 Select the firewall action: Allowed or Blocked.
2 Select an L4 or L2/L3 protocol.
L4: TCP or UDP
L2/L3: ICMP, Other IPv4, or ARP
3 If an L2/L3 protocol was selected, select an L2/L3 protocol or message type.
4 Select the traffic direction: Incoming, Outgoing, or Intra (between virtual machines).
5 Select the port type: Categorized (standardized ports) or Uncategorized (non-standardized ports).
6 Select an application protocol or port.
7 Select a destination IP address.
8 Select a source IP address.
At the source IP address level, you can create an App Firewall rule based on the specific source and destination IP addresses.
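The drill-down hierarchy above, worked as code: an added example (not VMware's code) that aggregates constructed flow records along the report's levels, pulls out the allowed outbound sessions on uncategorized ports that the chapter suggests examining, and drafts a source/destination-specific App Firewall rule from a report row. The PORT_MAPPINGS table and all addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Port Mappings that decide Categorized vs Uncategorized.
PORT_MAPPINGS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
APP_TO_PORT = {app: port for port, app in PORT_MAPPINGS.items()}


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str            # "TCP", "UDP" (L4) or "ICMP", "ARP", "OtherIPv4" (L2/L3)
    dst_port: Optional[int]  # None for L2/L3 traffic
    direction: str           # "Incoming", "Outgoing" or "Intra"
    action: str              # firewall result: "Allowed" or "Blocked"
    packets: int
    bytes: int


def drilldown_path(f: Flow) -> Tuple[str, ...]:
    """Map one flow onto the report hierarchy, top level first:
    action > layer > protocol > direction > port type > application/port > destination > source."""
    if f.protocol in ("TCP", "UDP"):
        layer = "L4"
        app = PORT_MAPPINGS.get(f.dst_port)
        port_type = "Categorized" if app else "Uncategorized"
        app_or_port = app if app else str(f.dst_port)
    else:
        layer = "L2/L3"
        port_type = "n/a"          # port type does not apply below L2/L3 protocols
        app_or_port = f.protocol
    return (f.action, layer, f.protocol, f.direction, port_type, app_or_port, f.dst, f.src)


def build_report(flows: List[Flow]) -> Dict[Tuple[str, ...], Dict[str, int]]:
    """Tabular report: one row per fully drilled-down path with session, packet and byte totals."""
    rows: Dict[Tuple[str, ...], Dict[str, int]] = defaultdict(
        lambda: {"sessions": 0, "packets": 0, "bytes": 0})
    for f in flows:
        row = rows[drilldown_path(f)]
        row["sessions"] += 1
        row["packets"] += f.packets
        row["bytes"] += f.bytes
    return dict(rows)


def suspicious_outbound(report: Dict[Tuple[str, ...], Dict[str, int]]) -> List[Tuple[str, ...]]:
    """Forensic view: allowed, outgoing sessions to ports no mapping categorizes."""
    return sorted(k for k in report
                  if k[0] == "Allowed" and k[3] == "Outgoing" and k[4] == "Uncategorized")


def rule_from_row(path: Tuple[str, ...], action: str = "Deny") -> dict:
    """Draft an App Firewall rule at the source-IP level of the report, using the
    specific source and destination addresses of that row."""
    _, layer, protocol, _, _, app_or_port, dst, src = path
    rule = {"source": src, "destination": dst, "protocol": protocol, "action": action}
    if layer == "L4":
        # A categorized row names the application; map it back to its port.
        rule["destination_port"] = APP_TO_PORT.get(app_or_port) or int(app_or_port)
    return rule


# Constructed flow records (documentation address ranges, made-up counters).
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.20", "TCP", 443, "Outgoing", "Allowed", 120, 64000),
    Flow("10.0.1.5", "203.0.113.20", "TCP", 443, "Outgoing", "Allowed", 80, 40000),
    Flow("10.0.1.9", "198.51.100.7", "TCP", 4444, "Outgoing", "Allowed", 300, 15000),
    Flow("10.0.1.9", "198.51.100.7", "TCP", 4444, "Outgoing", "Allowed", 50, 2500),
    Flow("198.51.100.7", "10.0.1.9", "TCP", 22, "Incoming", "Blocked", 3, 180),
    Flow("10.0.1.5", "10.0.1.9", "ICMP", None, "Intra", "Allowed", 4, 336),
]

if __name__ == "__main__":
    rep = build_report(SAMPLE_FLOWS)
    for path, totals in sorted(rep.items()):
        print(" > ".join(path), totals)
    for path in suspicious_outbound(rep):
        print("candidate rule:", rule_from_row(path))
```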

Using App Firewall

The App Firewall service is a centralized, hierarchical firewall for ESX hosts. App Firewall enables you to create rules that allow or deny access to and from your virtual machines. Each installed vShield App enforces the App Firewall rules.
You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set of rules across multiple vShield App instances under these containers. As membership in these containers can change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the managed containers.
Securing Containers and Designing Security Groups
When creating App Firewall rules, you can create rules based on traffic to or from a specific container that encompasses all of the resources within that container. For example, you can create a rule to deny any traffic from inside of a cluster that targets a specific destination outside of the cluster. You can create a rule to deny any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or destination, all IP addresses within that container are included in the rule.
A security group is a trust zone that you create and assign resources to for App Firewall protection. Security groups are containers, like a vApp or a cluster. Security groups enable you to create a container by assigning resources arbitrarily, such as virtual machines and network adapters. After the security group is defined, you add the group as a container in the source or destination field of an App Firewall rule. See Creating and Protecting Security Groups on page 77.


By default, the App Firewall enforces a set of rules allowing traffic to pass through all vShield App instances. These rules appear in the Default Rules section of the App Firewall table. The default rules cannot be deleted or added to. However, you can change the Action element of each rule from Allow to Deny.
The App Firewall tab offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model.
Layer 4 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. Layer 2/Layer 3 rules monitor traffic from ICMP, ARP, and other Layer 2 and Layer 3 protocols. You can configure Layer 2/Layer 3 rules at the datacenter level only. By default, all Layer 4 and Layer 2/Layer 3 traffic is allowed to pass.
Hierarchy of App Firewall Rules
Each vShield App enforces App Firewall rules in top-to-bottom ordering. A vShield App checks each traffic session against the top rule in the App Firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.
The rules are enforced in the following hierarchy:
1 Data Center High Precedence Rules
2 Cluster Level Rules
3 Data Center Low Precedence Rules (seen as Rules below this level have lower precedence than cluster level rules when a datacenter resource is selected)
4 Secure Port Group Rules
5 Default Rules
App Firewall offers container-level and custom priority precedence configurations:
Container-level precedence refers to recognizing the datacenter level as being higher in priority than the cluster level. When a rule is configured at the datacenter level, the rule is inherited by all clusters and vShield agents therein. A cluster-level rule is only applied to the vShield App within the cluster.
Custom priority precedence refers to the option of assigning high or low precedence to rules at the datacenter level. High precedence rules work as noted in the container-level precedence description. Low precedence rules include the Default Rules and the configuration of Data Center Low Precedence rules. This flexibility allows you to recognize multiple layers of applied precedence.
At the cluster level, you configure rules that apply to all vShield App instances within the cluster. Because Data Center High Precedence Rules are above Cluster Level Rules, ensure your Cluster Level Rules are not in conflict with Data Center High Precedence Rules.
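The first-match, tier-ordered evaluation described above, as an added example that is not VMware's code: it walks a constructed rule table in the guide's tier order, reports which rule decided a session, and flags the conflict the last paragraph warns about, a Cluster Level rule that a Data Center High Precedence rule with the opposite action fully shadows. Containers are represented by CIDR ranges or "any"; rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Enforcement order from the guide: the tier listed first is checked first,
# and the first matching rule wins.
TIERS = (
    "DataCenter High Precedence Rules",
    "Cluster Level Rules",
    "DataCenter Low Precedence Rules",
    "Secure Port Group Rules",
    "Default Rules",
)


@dataclass
class Rule:
    tier: str
    source: str                 # A.B.C.D/nn, or "any" standing in for a container
    destination: str
    protocols: Tuple[str, ...]  # L4: "TCP"/"UDP"; L2/L3: "ICMP"/"ARP"/"OtherIPv4"
    dest_port: Optional[int]    # None: any port, or not applicable (L2/L3)
    action: str                 # "Allow" or "Deny"
    name: str = ""


@dataclass
class Session:
    src: str
    dst: str
    protocol: str
    dest_port: Optional[int] = None


def _covers(pattern: str, ip: str) -> bool:
    """True when a rule's source/destination field includes the address."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _matches(rule: Rule, s: Session) -> bool:
    return (s.protocol in rule.protocols
            and (rule.dest_port is None or rule.dest_port == s.dest_port)
            and _covers(rule.source, s.src)
            and _covers(rule.destination, s.dst))


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, Rule]:
    """Walk the table top to bottom in tier order. sorted() is stable, so the
    order within a tier (the Up button in the table) is preserved."""
    for rule in sorted(rules, key=lambda r: TIERS.index(r.tier)):
        if _matches(rule, s):
            return rule.action, rule
    # Default Rules cannot be deleted, so a well-formed table never gets here.
    raise ValueError("no rule matched; Default Rules are missing")


def _within(inner: str, outer: str) -> bool:
    """True when every address the inner field can match is also matched by the outer one."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def find_conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Cluster Level Rules that can never take effect because a DataCenter High
    Precedence rule with the opposite action matches everything they match."""
    high = [r for r in rules if r.tier == TIERS[0]]
    cluster = [r for r in rules if r.tier == TIERS[1]]
    return [(h, c) for h in high for c in cluster
            if h.action != c.action
            and set(c.protocols) <= set(h.protocols)
            and (h.dest_port is None or h.dest_port == c.dest_port)
            and _within(c.source, h.source)
            and _within(c.destination, h.destination)]


# Constructed sample table. The two Default Rules reproduce the out-of-the-box
# behaviour: all Layer 4 and Layer 2/Layer 3 traffic allowed.
SAMPLE_RULES = [
    Rule(TIERS[0], "any", "10.0.5.0/24", ("TCP",), 23, "Deny", "dc-high: no telnet into 10.0.5.0/24"),
    Rule(TIERS[1], "10.0.1.0/24", "10.0.5.0/24", ("TCP",), 23, "Allow", "cluster: telnet from 10.0.1.0/24"),
    Rule(TIERS[3], "any", "10.0.5.10/32", ("TCP",), 22, "Deny", "port group: no ssh to 10.0.5.10"),
    Rule(TIERS[4], "any", "any", ("TCP", "UDP"), None, "Allow", "default L4"),
    Rule(TIERS[4], "any", "any", ("ICMP", "ARP", "OtherIPv4"), None, "Allow", "default L2/L3"),
]

if __name__ == "__main__":
    for s in (Session("10.0.1.7", "10.0.5.10", "TCP", 23),
              Session("10.0.1.7", "10.0.5.10", "TCP", 22),
              Session("10.0.1.7", "10.0.5.10", "ICMP")):
        action, rule = evaluate(SAMPLE_RULES, s)
        print(s, "->", action, "by", rule.name)
    for high, shadowed in find_conflicts(SAMPLE_RULES):
        print("conflict: cluster rule", repr(shadowed.name), "is shadowed by", repr(high.name))
```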

Double-click each cell in the new row to select the appropriate information. You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
(Optional) Select the new row and click Up to move the rule up in priority.
(Optional) Select the Log check box to log all sessions matching this rule.
Click Commit to save the rule.
NOTE Layer 4 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.
To create a firewall rule at the cluster level
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a cluster resource from the resource tree.
3 Click the vShield App tab.
4 Click App Firewall. By default, the L4 Rules option is selected. To create L2/L3 rules, see Create a Layer 2/Layer 3 App Firewall Rule on page 77.
5 Click Add. A new row appears in the Cluster Level Rules section of the table.
6 Double-click each cell in the new row to select the appropriate information. You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.
NOTE Layer 4 firewall rules can also be created from the Flow Monitoring report. See Add an App Firewall Rule from the Flow Monitoring Report on page 69.
To create a firewall rule at the port group level
1 In the vSphere Client, go to Inventory > Networking.
2 Select a port group from the resource tree.
3 Click the vShield App tab.
4 Click App Firewall.
5 Click Add. A new row is added at the bottom of the Secure Port Group Rules section.
6 Double-click each cell in the new row to select the appropriate information. You can type IP addresses in the Source and Destination fields, and port numbers in the Source Port and Destination Port fields.
7 (Optional) Select the new row and click Up to move the row up in priority.
8 (Optional) Select the Log check box to log all sessions matching this rule.
9 Click Commit to save the rule.
Create a Layer 2/Layer 3 App Firewall Rule
The Layer 2/Layer 3 firewall enables configuration of allow or deny rules for common Data Link Layer and Network Layer requests, such as ICMP pings and traceroutes. You can change the default Layer 2/Layer 3 rules from allow to deny based on your network security policy.
Layer 2/Layer 3 firewall rules allow or deny traffic based on the following criteria:
Criteria                     Description
Source (A.B.C.D/nn)          Container, direction in relation to container, or IP address with netmask (nn) from which the communication originated
Destination (A.B.C.D/nn)     Container, direction in relation to container, or IP address with netmask (nn) which the communication is targeting
Protocol                     Transport protocol used for communication

Not all guest operating systems are supported by vShield Endpoint. Virtual machines with non-supported operating systems are not protected by the security solution.
All virtual machines (with supported operating systems) that reside on a vShield Endpoint-protected ESX host must be protected by a vShield Endpoint module.
Not all ESX hosts in a vCenter Server must be protected by the security solution, but each protected ESX must have an SVM installed on it.
CAUTION vMotion migrations of a protected virtual machine are blocked if the target ESX is not enabled for vShield Endpoint. Make sure that the resource pool for vMotion of protected virtual machines contains only security-enabled ESX hosts.
This chapter includes the following topics:
View vShield Endpoint Status on page 81
Alarms on page 82
Events on page 83
Audit Messages on page 86
View vShield Endpoint Status
Monitoring a vShield Endpoint instance involves checking for status coming from the vShield Endpoint components: the security virtual machine (SVM), the ESX host-resident vShield Endpoint module, and the protected virtual machine-resident thin agent.
To view vShield Endpoint status
1 In the vSphere Client, go to Inventory > Hosts and Clusters.
2 Select a datacenter, cluster, or ESX host resource from the resource tree.
3 Click the vShield App tab (or vShield tab on ESX hosts).
4 Click Endpoint Status.

Alarms

Alarms signal the vCenter Server administrator about vShield Endpoint events that require attention. Alarms are automatically cancelled in case the alarm state is no longer present.
vCenter Server alarms can be displayed without a custom vSphere plug-in. See the vCenter Server Administration Guide on events and alarms.
Upon registering as a vCenter Server extension, the vShield Manager defines the rules that create and remove alarms, based on events coming from the three vShield Endpoint components: SVM, vShield Endpoint module, and thin agent. Rules can be customized. For instructions on how to customize rules for alarms, see the vCenter Server documentation. In some cases, there are multiple possible causes for the alarm. The tables that follow list the possible causes and the corresponding actions you might want to take for remediation.
vShield Endpoint defines three sets of alarms:
Host Alarms on page 82
SVM Alarms on page 82
VM Alarms on page 83

Host Alarms

Host alarms are generated by events affecting the health status of the vShield Endpoint module.
Table 14-1. Warnings (Marked Yellow)
Possible Cause: SVM is registered, but vShield Endpoint module does not see any virtual machines to protect. No requests for protection are coming from any virtual machines. No virtual machines are currently protected.
Action:
Usually a transient state occurring while existing virtual machines are being moved with vMotion, or are just coming up. No action required.
The ESX host has no virtual machines yet, or only virtual machines with non-supported operating systems. No action required.
Check the vShield Manager console for the status of the virtual machines that should be protected on that host. If one or more have an error status, the Endpoint thin agents in those machines may be malfunctioning.

Basic: Basic mode is a read-only mode. To have access to all commands, you must enter Privileged mode.
Privileged: Privileged mode commands allow support-level options such as debugging and system diagnostics. Privileged mode configurations are not saved upon reboot. You must run the write memory command to save Privileged mode configurations.
Configuration: Configuration mode commands allow you to change the current configuration of utilities on a vShield virtual machine. You can access Configuration mode from Privileged mode. From Configuration mode, you can enter Interface Configuration mode.
Interface Configuration: Interface Configuration mode commands allow you to change the configuration of virtual machine interfaces. For example, you can change the IP address and IP route for the management port of the vShield Manager.

CLI Syntax

Run commands at the prompt as shown. Do not type the (), <>, or [] symbols.

    command A.B.C.D (option1 | option2) <0-512> [word]

- Text and numerical values that must be entered are italicized.
- Multiple required keywords or values are enclosed in parentheses and separated by a pipe character.
- Required values and numerical ranges are enclosed in angle brackets.
- An optional keyword or value is enclosed in square brackets.
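The four notation rules above are easy to misread when a command has several placeholders. The following validator, an added example rather than code from the VMware guide, interprets a template written in the guide's notation and checks a typed command line against it: `A.B.C.D` must be an IPv4 address, `(a | b)` must be exactly one of the listed keywords, `<lo-hi>` must be an integer in the inclusive range, `[word]` may be omitted, and any other token is a literal keyword. Treating `A.B.C.D` as an IPv4 literal and allowing an optional token to be dropped only at the end of the line are assumptions made for the example; the guide's syntax line is the sample template.

```python
"""Validator for the CLI syntax notation used in the vShield guide.

Added example, not part of the VMware documentation. It encodes the
notation rules stated on the page; how A.B.C.D and [optional] tokens are
checked is an assumption for illustration.
"""
import ipaddress
import re

# The page's own sample syntax line.
TEMPLATE = "command A.B.C.D (option1 | option2) <0-512> [word]"

RANGE_RE = re.compile(r"^<(\d+)-(\d+)>$")


def match_token(spec, arg):
    """Return True if a single typed argument satisfies one template token."""
    if spec.startswith("(") and spec.endswith(")"):
        # Required choice: exactly one of the pipe-separated keywords.
        choices = [c.strip() for c in spec[1:-1].split("|")]
        return arg in choices
    m = RANGE_RE.match(spec)
    if m:
        # Required numeric value inside an inclusive range.
        lo, hi = int(m.group(1)), int(m.group(2))
        return arg.isdigit() and lo <= int(arg) <= hi
    if spec == "A.B.C.D":
        # Assumed: the dotted placeholder stands for an IPv4 address.
        try:
            ipaddress.IPv4Address(arg)
            return True
        except ValueError:
            return False
    if spec.startswith("[") and spec.endswith("]"):
        # Optional free-form value: any token is accepted.
        return True
    # Anything else is a literal keyword that must be typed as written.
    return spec == arg


def validate(template, command_line):
    """Check a typed command line against a template.

    Returns (ok, message). Optional [..] tokens may be left out, which
    is only meaningful at the end of the line in the guide's examples.
    """
    # Keep "(a | b)" groups together; every other token splits on whitespace.
    specs = re.findall(r"\([^)]*\)|\S+", template)
    args = command_line.split()
    si = ai = 0
    while si < len(specs):
        spec = specs[si]
        optional = spec.startswith("[")
        if ai >= len(args):
            if optional:
                si += 1
                continue
            return False, f"missing value for {spec}"
        if not match_token(spec, args[ai]):
            if optional:
                si += 1
                continue
            return False, f"{args[ai]!r} does not satisfy {spec}"
        si += 1
        ai += 1
    if ai < len(args):
        return False, f"unexpected trailing input {' '.join(args[ai:])!r}"
    return True, "ok"


if __name__ == "__main__":
    for line in ("command 192.168.110.1 option1 42 foo",
                 "command 192.168.110.1 option3 42",
                 "command 300.1.1.1 option1 1"):
        print(line, "->", validate(TEMPLATE, line))
```

The same routine applies to any syntax line in the command reference that follows these conventions, for example `show configuration (dhcp | firewall | ipsec | lb | nat | syslog | system)`.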

Moving Around in the CLI

The following commands move the pointer around on the command line.

Keystrokes                       Description
CTRL+A                           Moves the pointer to the beginning of the line.
CTRL+B or the left arrow key     Moves the pointer back one character.
CTRL+C                           Ends any operation that continues to propagate, such as a ping.
CTRL+D                           Deletes the character at the pointer.
CTRL+E                           Moves the pointer to the end of the line.
CTRL+F or the right arrow key    Moves the pointer forward one character.
CTRL+K                           Deletes all characters from the pointer to the end of the line.
CTRL+N or the down arrow key     Displays more recent commands in the history buffer after recalling commands with CTRL+P (or the up arrow key). Repeat to recall other recently run commands.
CTRL+P or the up arrow key       Recalls commands in the history, starting with the most recent completed command. Repeat to recall successively older commands.
CTRL+U                           Deletes all characters from the pointer to the beginning of the line.
CTRL+W                           Deletes the word to the left of the pointer.
ENTER                            Scrolls down one line.
ESC+B                            Moves the pointer back one word.
ESC+D                            Deletes all characters from the pointer to the end of the word.
ESC+F                            Moves the pointer forward one word.
SPACE                            Scrolls down one screen.

    manager(config)# no user admin

Save the configuration. Run the exit command twice to log out of the CLI.

Change the CLI Privileged Mode Password

You can change the Privileged mode password to secure access to the configuration options of the CLI.

To change the Privileged mode password
1 Log in to the vSphere Client.
2 Select a vShield virtual machine from the inventory.
3 Click the Console tab to open a CLI session.
4 Log in to the CLI.
5 Switch to Privileged mode.
6 Switch to Configuration mode.
7 Change the Privileged mode password.

    manager(config)# enable password (hash | plaintext) password

8 Save the configuration.
9 Run the exit command twice to log out of the CLI.
10 Log in to the CLI.
11 Switch to Privileged mode by using the new password.

Command Reference

The command reference details each CLI command, including syntax, usage, and related commands.

- Administrative Commands on page 93
- CLI Mode Commands on page 94
- Configuration Commands on page 97
- Debug Commands on page 104
- Show Commands on page 108
- Diagnostics and Troubleshooting Commands on page 125
- User Administration Commands on page 128
- Terminal Commands on page 129
- Deprecated Commands on page 131

Administrative Commands

list

Lists all in-mode commands.

Syntax
    list

CLI Mode
    Basic, Privileged, Configuration, Interface Configuration

Example
    vShieldMgr> list
    enable
    exit
    list
    ping WORD
    quit
    show interface
    show ip route
    ssh WORD
    telnet WORD
    telnet WORD PORT
    traceroute WORD

reboot

Reboots a vShield virtual machine. You can also reboot a vShield App from the vShield Manager user interface. See Restart a vShield App on page 65.

Syntax
    reboot

CLI Mode
    Privileged

Example
    vShield# reboot

Related Commands
    shutdown

shutdown

In Privileged mode, the shutdown command powers off the virtual machine. In Interface Configuration mode, the shutdown command disables the interface. To enable a disabled interface, use no before the command.

Syntax
    [no] shutdown

CLI Mode
    Privileged, Interface Configuration

Example
    vShield# shutdown

    vShield(config)# interface mgmt
    vShield(config-if)# shutdown
    vShield(config-if)# no shutdown

Related Commands
    reboot

CLI Mode Commands

configure terminal

Switches to Configuration mode from Privileged mode.

Syntax
    configure terminal

Example
    vShield# configure terminal
    vShield(config)#

Related Commands
    interface

disable

Switches to Basic mode from Privileged mode.

Syntax
    disable

CLI Mode
    Basic

Example
    vShield# disable
    vShield>

Related Commands
    enable

enable
Switches to Privileged mode from Basic mode.

Syntax
    enable

Example
    vShield> enable
    password:
    vShield#

Description
    Destination subnet mask to use.
    Destination port to use.

CLI Mode
    Privileged

Usage Guidelines
    vShield App CLI. A source or destination value of 0.0.0.0/0:0 matches all values.

Example
    vShield# debug 2050001_SAFLOW-FTPD-Dynamic-Port-Detection src 192.168.110.199/24:1234 dst 192.168.110.200/24:4567
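The src and dst filters in the example use the form address/mask:port, and the guide states that 0.0.0.0/0:0 matches everything. The following matcher, an added example and not VMware code, shows what such a filter selects when applied to a few constructed flows: the host address 192.168.110.199/24 stands for the whole 192.168.110.0/24 network, and the port must match exactly. Treating a /0 network on its own as "any address" and port 0 on its own as "any port" (rather than only the combined 0.0.0.0/0:0 form) is an assumption made for the example, as are the sample flows.

```python
"""Matcher for the src/dst filter notation (A.B.C.D/M:port) shown in the
vShield App debug example. Added example, not part of the VMware guide.

Assumption: a /0 network matches any address and port 0 matches any
port, so 0.0.0.0/0:0 matches all values as the guide states.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointFilter:
    network: ipaddress.IPv4Network
    port: int  # 0 means any port (assumed wildcard semantics)

    @classmethod
    def parse(cls, text):
        """Parse 'A.B.C.D/M:port'.

        strict=False lets a host address such as 192.168.110.199/24 stand
        for its /24 network, which is how the guide's example is written.
        """
        addr_part, sep, port_part = text.rpartition(":")
        if not sep:
            raise ValueError(f"missing ':port' in {text!r}")
        port = int(port_part)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range in {text!r}")
        network = ipaddress.IPv4Network(addr_part, strict=False)
        return cls(network, port)

    def matches(self, address, port):
        """True if one endpoint (address, port) falls inside this filter."""
        addr_ok = ipaddress.IPv4Address(address) in self.network
        port_ok = self.port == 0 or self.port == port
        return addr_ok and port_ok


def flow_matches(src_filter, dst_filter, flow):
    """Apply a src filter and a dst filter to one flow record."""
    src = EndpointFilter.parse(src_filter)
    dst = EndpointFilter.parse(dst_filter)
    return (src.matches(flow["src"], flow["sport"])
            and dst.matches(flow["dst"], flow["dport"]))


# Constructed sample flows for the example; not captured from a real system.
SAMPLE_FLOWS = [
    {"src": "192.168.110.17", "sport": 1234, "dst": "192.168.110.200", "dport": 4567},
    {"src": "192.168.110.17", "sport": 1234, "dst": "192.168.110.200", "dport": 21},
    {"src": "10.0.0.5", "sport": 1234, "dst": "192.168.110.200", "dport": 4567},
]


def select_flows(src_filter, dst_filter, flows=SAMPLE_FLOWS):
    """Return the flows that the pair of filters would select."""
    return [f for f in flows if flow_matches(src_filter, dst_filter, f)]


if __name__ == "__main__":
    # The filters from the guide's debug example.
    for f in select_flows("192.168.110.199/24:1234", "192.168.110.200/24:4567"):
        print(f)
```

With the guide's filters only the first sample flow is selected; the second fails on the destination port and the third on the source network. Replacing both filters with 0.0.0.0/0:0 selects all three.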

debug show files

Shows the tcpdump files that have been saved.

Syntax
    debug show files

Example
    vShield_Zones_host_49_269700# debug show files
    total 0
    -rw-r--r-- Jun 23 16:04 tcpdump.d0.0

Related Commands
    debug copy
    debug remove

Show Commands

show alerts
Shows system alerts as they relate to the protocol decoders or network events. If no alerts have been raised, no output is returned.

Syntax
    show alerts (vulnerability | decoder | events)

Option          Description
vulnerability   Deprecated.
decoder         Alerts raised by protocol decoder errors.
events          Alerts raised by network events.

CLI Mode
    Basic, Privileged

Usage Guidelines
    vShield App CLI

Example
    vShield# show alerts events
    IP address      HW type  Flags  HW address         Mask  Device
    192.0.2.130     0x1      0x6    00:00:00:00:00:81  *     virteth1
    192.168.110.1   0x1      0x2    00:0F:90:D5:36:C1  *     mgmt

show arp

Shows the contents of the ARP cache.

Syntax
    show arp

CLI Mode
    Basic, Privileged

Example
    vShield# show arp
    IP address      HW type  Flags  HW address         Mask  Device
    192.0.2.130     0x1      0x6    00:00:00:00:00:81  *     virteth1
    192.168.110.1   0x1      0x2    00:0F:90:D5:36:C1  *     mgmt

show clock

Shows the current time and date of the virtual machine. If you use an NTP server for time synchronization, the time is based on Coordinated Universal Time (UTC).

Syntax
    show clock

Example
    vShield# show clock
    Wed Feb 9 13:04:50 UTC 2005

Related Commands
    ntp server
    set clock

show configuration

Shows either the current global configuration or the configuration for a specified service on a vShield Edge.

Syntax
    show configuration (dhcp | firewall | ipsec | lb | nat | syslog | system)

Option     Description
dhcp       Show the current DHCP configuration.
firewall   Show the current firewall configuration.
ipsec      Show the current VPN configuration.
lb         Show the current Load Balancer configuration.
nat        Show the current NAT configuration.
syslog     Show the current syslog configuration.
system     Show the current global configuration.

CLI Mode
    Basic, Privileged

Usage Guidelines
    vShield Edge CLI

Example
    vShieldEdge# show configuration system

show debug

Shows the debug processes that are enabled. You must enable a debug path by running the debug packet or one of the debug service commands.

Syntax
    show debug
