VMware VSHIELD APP 1.0.0 UPDATE 1 Admin Manual page 133

Firewall Block Rule Not Blocking Matching Traffic
Problem
I configured an App Firewall rule to block specific traffic. I used Flow Monitoring to view traffic, and the traffic I wanted to block is being allowed.
Solution
Check the ordering and scope of the rule. This includes the container level at which the rule is being enforced. Issues might occur when an IP address-based rule is configured under the wrong container.
Check where the affected virtual machine resides. Is the virtual machine behind a vShield App? If not, then there is no agent to enforce the rule. Select the virtual machine in the resource tree. The App Firewall tab for this virtual machine displays all of the rules that affect this virtual machine.
Place any unprotected virtual machines onto a vShield-protected switch, or protect the vSwitch that the virtual machine is on by installing a vShield.
Enable logging for the App Firewall rule in question. This might slow network traffic through the vShield App.
Verify vShield App connectivity. Check for the vShield App being out of sync on the System Status page. If out of sync, click Force Sync. If it is still not in sync, go to the System Event log to determine the cause.
No Flow Data Displaying in Flow Monitoring
Problem
I have installed the vShield Manager and a vShield App. When I opened the Flow Monitoring tab, I did not see any data.
Solution
This might be the result of one or more of the following conditions.
You did not allow enough time for the vShield App to monitor traffic sessions. Allow a few minutes after vShield App installation to collect traffic data. You can request data collection by clicking Get Latest on the Flow Monitoring tab.
Traffic is destined to virtual machines that are not protected by a vShield App. Make sure your virtual machines are protected by a vShield App. Virtual machines must be in the same port group as the vShield App protected (p0) port.
There is no traffic to the virtual machines protected by a vShield App.
Check the system status of each vShield App for out-of-sync issues.
Troubleshooting Port Group Isolation Issues
Validate Installation of Port Group Isolation
To validate installation of Port Group Isolation
1. Make sure that the same port group and virtual machines are not also configured for vCloud Service Director network isolation or LabManager cross-host fencing. Double encapsulation mode is not supported currently.
2. Verify that the Port Group Isolation bundle is installed: esxupdate query
3. Verify that vshd is running.
   ESXi: ps | grep vsh. The results might contain more than one instance, which is OK.
   ESX Classic: ps -eaf | grep vshd
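The following shell helper is an added example and is not part of the vShield manual or VMware's tooling. It turns steps 2 and 3 of the validation above into checks that can be run offline against listing text: the functions read from stdin, so they accept either the constructed sample text embedded below or the real output of esxupdate query and ps -eaf (ESX Classic) or ps (ESXi) on a host. The bundle name in the sample is a placeholder, not a real vShield bundle identifier; it also handles the two practical wrinkles in step 3, namely that more than one vshd instance is normal and that a live "ps | grep vshd" lists the grep process itself.

```shell
#!/bin/sh
# Added example, not taken from the vShield manual: offline-testable helpers
# for steps 2 and 3 of "Validate Installation of Port Group Isolation".
# Every function reads listing text from stdin, so you can pipe in constructed
# samples (as below) or real host output, e.g.  ps -eaf | vshd_status

# Count vshd processes in a ps listing read from stdin.
# When the listing comes from a live "ps -eaf | grep vshd", the grep process
# itself shows up as a line containing "vshd"; "grep -v grep" drops it so an
# absent daemon is not reported as running.
count_vshd() {
  n=$(grep -v grep | grep -c vshd) || true
  echo "${n:-0}"
}

# Report whether vshd is running. More than one instance is normal (the manual
# notes this for ESXi), so any count of one or more is treated as healthy.
vshd_status() {
  count=$(count_vshd)
  if [ "$count" -ge 1 ]; then
    echo "vshd running ($count instance(s))"
    return 0
  fi
  echo "vshd NOT running: no agent to enforce Port Group Isolation on this host"
  return 1
}

# Check whether the bundle identifier given in $1 appears in "esxupdate query"
# output read from stdin. Use the bundle name that your vShield release ships;
# the value in the sample below is a constructed placeholder.
bundle_installed() {
  grep -q -- "$1"
}

# Constructed sample inputs (not real host output).
SAMPLE_PS_OK='  PID  PPID USER  CMD
    1     0 root  init
  812     1 root  /usr/sbin/vshd
  813   812 root  /usr/sbin/vshd
 1201  1100 root  grep vshd'

SAMPLE_PS_MISSING='  PID  PPID USER  CMD
    1     0 root  init
 1201  1100 root  grep vshd'

SAMPLE_QUERY='Bulletin ID                          Installed   Summary
vshield-pgi-bundle-PLACEHOLDER       yes         Port Group Isolation (constructed)'

# Demonstration when the script is run directly.
printf '%s\n' "$SAMPLE_PS_OK" | vshd_status
printf '%s\n' "$SAMPLE_PS_MISSING" | vshd_status || echo "(sample without vshd correctly reported as not running)"
printf '%s\n' "$SAMPLE_QUERY" | bundle_installed 'vshield-pgi-bundle-PLACEHOLDER' && echo "bundle present"
```

On a host, replace the sample text with the real listings: `ps -eaf | vshd_status` on ESX Classic (or `ps | vshd_status` on ESXi) and `esxupdate query | bundle_installed '<your bundle id>'`. A non-zero exit from vshd_status is the condition the manual describes in step 3, and it is the first thing to check before looking at rule ordering or scope.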
VMware, Inc.
Appendix B Troubleshooting
133