VMware VSHIELD APP 1.0.0 UPDATE 1 Admin Manual

vShield Administration Guide
vShield Manager 4.1.0 Update 1
vShield Zones 4.1.0 Update 1
vShield Edge 1.0.0 Update 1
vShield App 1.0.0 Update 1
vShield Endpoint 1.0.0 Update 1
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000374-01

Summary of Contents for VMware VSHIELD APP 1.0.0 UPDATE 1

  • Page 1 Endpoint 1.0.0 Update 1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs. EN-000374-01...
  • Page 2 VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
  • Page 3: Table Of Contents

    Edge 12 vShield App 12 vShield Endpoint 13 Migration of vShield Components 13 VMware Tools 13 Ports Required for vShield Communication 13 vShield Manager User Interface Basics 15 Logging in to the vShield Manager User Interface 15 Accessing the Online Help 16...
  • Page 4 Validate Active Sessions Against Current vShield Edge Firewall Rules 51 Manage NAT Rules 51 Manage DHCP Service 52 Manage VPN Service 53 Manage Load Balancer Service 55 Start or Stop vShield Edge Services 56 Upgrade vShield Edge Software 56
  • Page 5 Approve IP Addresses 76 Edit an IP Address 77 Delete an IP Address 77 vShield Endpoint Events and Alarms 79 View vShield Endpoint Status 79 Alarms 80 Host Alarms 80 SVM Alarms 80 VM Alarms 81 Events 81 Audit Messages 84
  • Page 6 Virtual Machines Are Not Getting IP Addresses from the DHCP Server 136 Load-Balancer Does Not Work 136 Load-Balancer Throws Error 502 Bad Gateway for HTTP Requests 137 VPN Does Not Work 137 Troubleshooting vShield Endpoint Issues 137 Thin Agent Logging 137 Component Version Compatibility 138 Index 139
  • Page 7: About This Book

    Intended Audience This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with VMware Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.
  • Page 8 Administration Guide Support Offerings To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services. VMware Professional Services VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online.
  • Page 9: Vshield Manager And Vshield Zones

    Manager and vShield Zones
  • Page 11: Overview Of Vshield

    A vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules. The vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel.
  • Page 12: Vshield Edge

    You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™ operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
  • Page 13: Vshield Endpoint

    These services restart after the ESX host comes online. VMware Tools Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance. Ports Required for vShield Communication The vShield Manager requires the following ports to be open: ...
  • Page 15: Vshield Manager User Interface Basics

    Basics The vShield Manager user interface offers configuration and data viewing options specific to vShield use. By utilizing the VMware Infrastructure SDK, the vShield Manager displays your vSphere Client inventory panel for a complete view of your vCenter environment. You can register the vShield Manager as a vSphere Client plug-in. This allows you to configure vShield components from within the vSphere Client.
  • Page 16: Accessing The Online Help

    Server. By default, the vShield Manager requests resource information from the vCenter Server every five minutes. Searching the Inventory Panel To search the inventory panel for a specific resource, type a string in the field atop the vShield Manager inventory panel and click
  • Page 17: Vshield Manager Configuration Panel

    Each resource offers multiple tabs, each tab presenting information or configuration forms corresponding to the resource. Because each resource has a different purpose, some tabs are specific to certain resources. Also, some tabs have a second level of options.
  • Page 19: Management System Settings

    Identify Your vCenter Server After the vShield Manager is installed as a virtual machine, log in to the vShield Manager user interface to connect to your vCenter Server. This enables the vShield Manager to display your VMware Infrastructure inventory. To identify your vCenter Server from the vShield Manager Log in to the vShield Manager.
  • Page 20: Register The Vshield Manager As A Vsphere Client Plug-In

    Type the password associated with the user name in the Password field. Click Save. The vShield Manager connects to the vCenter Server, logs on, and utilizes the VMware Infrastructure SDK to populate the vShield Manager inventory panel. The inventory panel is presented on the left side of the screen.
  • Page 21: Set The Vshield Manager Date And Time

    You can use the Support option to download the system log from a vShield component to your PC. A system log can be used to troubleshoot operational issues. To download a vShield component system log Click Settings & Reports from the vShield Manager inventory panel. Click the Configuration tab. Click Support.
  • Page 22: Back Up Vshield Manager Data

    Enter the full name of the city in which your company resides. State Name Enter the full name of the state in which your company resides. Country Code Enter the two-digit code that represents your country. For example, the United States is US.
  • Page 23 Click Settings & Reports from the vShield Manager inventory panel. Click the Configuration tab. Click SSL Certificate. Under Import Signed Certificate, click Browse at Certificate File to find the file. Select the type of certificate file from the Certificate File drop-down list. Click Apply.
  • Page 25: Zones Firewall Management

    In this way, Zones Firewall effectively has a continuous footprint on each ESX host under the managed containers. When creating Zones Firewall rules, you create 5-tuple firewall rules based on specific source and destination IP addresses.
  • Page 26: Default Rules

    App drops the session before it reaches its destination. If you change all of the default rules to deny any traffic, the vShield App drops all incoming and outgoing traffic.
  • Page 27: Create A Zones Firewall Rule

    Select a cluster resource from the resource tree. Click the vShield Zones tab. Click Zones Firewall. By default, the L4 Rules option is selected. To create L2/L3 rules, see “Create a Layer 2/Layer 3 Zones Firewall Rule” on page 28.
  • Page 28: Create A Layer 2/Layer 3 Zones Firewall Rule

    In the vSphere Client, go to Inventory > Hosts and Clusters. Select a datacenter resource from the resource tree. Click the vShield Zones tab. Click Zones Firewall. Click L2/L3 Rules. Click Add. A new row is added at the bottom of the DataCenter Rules section of the table.
  • Page 29: Validating Active Sessions Against The Current Zones Firewall Rules

    View snapshot configuration details. Do one of the following: to return to the current configuration, select the - option from the Revert to Snapshot drop-down list; or click Commit to overwrite the current configuration with the snapshot configuration.
  • Page 30: Delete A Zones Firewall Rule

    You can delete any App Firewall rule you have created. You cannot delete any rule in the Default Rules section of the table. To delete an App Firewall rule Click an existing row in the Zones Firewall table. Click Delete. Click Commit.
  • Page 31: User Management

    Read only; CRUD: Read and Write. Table 5-2. vShield Manager User Resources: System: access to the entire vShield system; Datacenter: access to a specified datacenter resource; Cluster: access to a specified cluster resource; None: access to no resources.
  • Page 32: Managing The Default User Account

    You can edit a user account to change the password. To edit an existing user account Click Settings & Reports from the vShield Manager inventory panel. Click the Users tab. Click a cell in the table row that identifies the user account.
  • Page 33: Delete A User Account

    Audit Log report. To delete a user account Click Settings & Reports from the vShield Manager inventory panel. Click the Users tab. Click a cell in the table row that identifies the user account. Click Delete User.
  • Page 35: Updating System Software

    Manager first, and then reboot each vShield App. To upload an update Click Settings & Reports from the vShield Manager inventory panel. Click the Updates tab. Click Upload Settings. Click Browse to locate the update. After locating the file, click Upload File.
  • Page 36: Review The Update History

    The Update History tab lists the updates that have already been installed, including the installation date and a brief description of each update. To view a history of installed updates Click Settings & Reports from the vShield Manager inventory panel. Click the Updates tab. Click Update History.
  • Page 37: Backing Up Vshield Manager Data

    12 From the Transfer Protocol drop-down menu, select either SFTP or FTP. 13 Click Backup. Once complete, the backup appears in a table below this form. 14 Click Save Settings to save the configuration.
  • Page 38: Schedule A Backup Of Vshield Manager Data

    Click Settings & Reports from the vShield Manager inventory panel. Click the Configuration tab. Click Backups. Click View Backups to view all available backups saved to the backup server. Select the check box for the backup to restore. Click Restore. Click OK to confirm.
  • Page 39: System Events And Audit Logs

    From the Severity drop-down menu, select a severity by which to filter results. All severities are included by default. You can select one or more severities at a time. Click View Report. In the report output, click an Event Time link to view details about a specific event.
  • Page 40: System Event Notifications

    The system event message logged in the syslog has the following structure: syslog header (timestamp + hostname + sysmgr/); timestamp (from the service); name/value pairs, with name and value separated by the delimiter '::' (double colons) and each name/value pair separated by the delimiter ';;' (double semicolons).
  • Page 41: View The Audit Log

    Select the vShield resource on which the action was performed. Operation: Select the type of action performed. Status: Select the result of the action as either Success or Failure. Operation Span: Select the vShield component on which the action was performed. Local refers to the vShield Manager.
  • Page 43: Uninstalling Vshield Components

    To uninstall a vShield App or vShield Zones instance Log in to the vSphere Client. Select the ESX host from the inventory tree. Click the vShield tab. Click Uninstall for the vShield App or vShield Zones service. The instance is uninstalled.
  • Page 44: Uninstall A Vshield Edge From A Port Group

    Go to View > Inventory > Hosts and Clusters. Click the ESX host from the vSphere Client inventory panel on which Port Group Isolation is installed. Click the vShield tab. Click Uninstall for the vShield Edge Port Group Isolation service.
  • Page 45: Uninstall A Vshield Endpoint Module

    To uninstall a vShield Endpoint module from an ESX host Log in to the vSphere Client. Select an ESX host from the inventory tree. Click the vShield tab. Click Uninstall for the vShield Endpoint service. Uninstallation removes port group epsec-vmk-1 and vSwitch epsec-vswitch-2.
  • Page 47: Vshield Edge And Port Group Isolation

    Edge and Port Group Isolation
  • Page 49: Vshield Edge Management

    Edge module. To view the status of a vShield App In the vSphere Client, go to Inventory > Networking. Select an internal port group that is protected by a vShield Edge. Click the Edge tab. Click the Status link.
  • Page 50: Specify A Remote Syslog Server

    To create a vShield Edge firewall rule In the vSphere Client, go to Inventory > Networking. Select an internal port group that is protected by a vShield Edge. Click the vShield Edge tab. Click the Firewall link.
  • Page 51: Validate Active Sessions Against Current Vshield Edge Firewall Rules

    Click the vShield Edge tab. Click the NAT link. Under Direction OUT (SNAT), click Add. A new row appears in the table. Double-click each cell in the row to enter the appropriate information. Click Commit to save the rule.
  • Page 52: Manage Dhcp Service

    56. To add a DHCP static binding In the vSphere Client, go to Inventory > Networking. Select an internal port group that is protected by a vShield Edge. Click the vShield Edge tab. Click the DHCP link.
  • Page 53: Manage Vpn Service

    Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native address and the NAT public address to set up the tunnel. On both ends, static one-to-one NAT is required for the VPN address.
  • Page 54 Double-click the Remote Site Subnet cell and enter the IP address in CIDR format (A.B.C.D/M). Double-click the Encryption cell and select the appropriate encryption type. 10 Click Commit. 11 Enable VPN service. See “Start or Stop vShield Edge Services” on page 56.
  • Page 55: Manage Load Balancer Service

    11 Double-click the cell to enter the IP address of the first web server. 12 Press ENTER. 13 Click Add Rule above the Load Balanced Servers IP Addresses table. 14 Double-click the new cell to enter the IP address of the second web server.
  • Page 56: Start Or Stop Vshield Edge Services

    Click the vShield Edge tab. Click the Status link. To the right of the Configuration heading, determine if there is a new version to the right of the Upgrade to link. Click Upgrade to to locate and install the upgrade file.
  • Page 57: Vshield App And Vshield Endpoint

    App and vShield Endpoint
  • Page 59: Vshield App Management

    App includes traffic analysis and container-based policy creation. vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.
  • Page 60: Back Up The Running Cli Configuration Of A Vshield App

    To force a vShield App to re-synchronize with the vShield Manager Log in to the vShield Manager user interface. Select a vShield App from the inventory panel. Click the Configuration tab. Click System Status. Click Force Sync.
  • Page 61: Restart A Vshield App

    Select a vShield App from the inventory panel. Click the Configuration tab. Click System Status. Click an interface under the Port column to view traffic statistics. For example, to view the traffic statistics for the vShield App management interface, click mgmt.
  • Page 63: Flow Monitoring

    This charting method enables you to track your server resources per application. Traffic statistics display all inspected sessions within the time span specified. The last seven days of data are displayed by default.
  • Page 64: View A Specific Application In The Flow Monitoring Charts

    If an L2/L3 protocol was selected, select an L2/L3 protocol or message type. Select the traffic direction: Incoming, Outgoing, or Intra (between virtual machines). Select the port type: Categorized (standardized ports) or Uncategorized (non-standardized ports). Select an application protocol or port.
  • Page 65: Add An App Firewall Rule From The Flow Monitoring Report

    A pop-up window opens. Click Ok to proceed. The App Firewall table appears. A new table row is displayed at the bottom of the Data Center Low Precedence Rules or Cluster Level Rules section with the session information completed.
  • Page 66: Delete All Recorded Flows

    Click Add. A new row is inserted above the selected row. Double-click the Application cell and type the application name. Double-click the Port Number cell and type the port number. Double-click the Protocol cell to select the transport protocol.
  • Page 67: Delete An Application-Port Pair Mapping

    Click a row in the table. Click Delete to delete it from the table. Hide the Port Mappings Table When you click Edit Port Mappings, the label changes from Edit Port Mappings to Hide Port Mappings. Click Hide Port Mappings.
  • Page 69: App Firewall Management

    You can create a rule to deny any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or destination, all IP addresses within that container are included in the rule.
  • Page 70: Default Rules

    Allow all traffic by default. You keep the default allow all rules and add deny rules based on Flow Monitoring data or manual App Firewall rule configuration. In this scenario, if a session does not match any of the deny rules, the vShield App allows the traffic to pass.
  • Page 71: Create An App Firewall Rule

    (Optional) Select the Log check box to log all sessions matching this rule. Click Commit to save the rule. Layer 4 firewall rules can also be created from the Flow Monitoring report. See “Add an App Firewall Rule from the Flow Monitoring Report” on page 65.
  • Page 73: Create A Layer 2/Layer 3 App Firewall Rule

    In the vSphere Client, you can add a security group at the datacenter resource level. To add a security group by using the vSphere Client Click a datacenter resource from the vSphere Client. Click the vShield App tab. Click Security Groups. Click Add Group.
  • Page 74: Assign Resources To A Security Group

    To validate active sessions against the current firewall rules Update and commit the App Firewall rule set at the appropriate container level. Open a console session on a vShield App and issue the validate sessions command. vShieldApp> enable Password: vShieldApp# validate sessions
  • Page 75: Revert To A Previous App Firewall Configuration

    After synchronizing with the vCenter Server, the vShield Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. Up to vShield 4.1, vShield trusted the IP address provided by VMware Tools on a virtual machine. However, if a virtual machine has been compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies.
  • Page 76: Spoofguard Screen Options

    To approve an IP address In the vShield Manager user interface, go to the Hosts and Clusters view. Select a datacenter resource from the resource tree. Click the SpoofGuard tab. Click the Require Approval or Duplicate IP assignments link.
  • Page 77: Edit An Ip Address

    In the vShield Manager user interface, go to the Hosts and Clusters view. Select a datacenter resource from the resource tree. Click the SpoofGuard tab. Click one of the option links. In the Approved IP column, click Delete. Click Publish Changes.
  • Page 79: Vshield Endpoint Events And Alarms

    To view vShield Endpoint status In the vSphere Client, go to Inventory > Hosts and Clusters. Select a datacenter, cluster, or ESX host resource from the resource tree. Click the vShield App tab (or vShield tab on ESX hosts). Click Endpoint Status.
  • Page 80: Alarms

    The vShield Monitor is not receiving status from the SVM: either there are network issues between the vShield Monitor and the SVM, or the SVM is not operating properly. The SVM failed to initialize: contact your security provider for help with SVM errors.
  • Page 81: Vm Alarms

    VSM_FSFD_EVENT_DISK_FULL timestamp warning The vShield Endpoint Thin Agent encountered a "disk full" error while attempting to write to the local disk. 0004 VSM_FSFD_EVENT_TIMEOUT timestamp warning A timeout occurred in the communication between the SVM and the Thin Agent.
  • Page 82 SVM is unregistered with the vShield Manager. 3005 VSM_HOST_EVENT_VMS_CONNECTED timestamp, info: vShield Endpoint module has connected with SVM. Host version of vShield Endpoint module protocol. 3006 VSM_HOST_EVENT_VMS_DISCONNECTED timestamp, info: vShield Endpoint module has disconnected from the SVM.
  • Page 83 The vShield Endpoint Thin Agent may need to write to a file on the local disk for file remediation purposes, as well as for temporary storage. The file location for the temporary files is: %SYSTEMROOT%\temp\vmware\eps010\ For remediation purposes, the needed storage is comparable to the size of the file being remediated.
  • Page 84: Audit Messages

    Audit Messages: Audit messages include fatal errors and other important audit messages and are logged to vmware.log. The following conditions are logged as AUDIT messages: thin agent initialization success (and version number); thin agent initialization failure.
  • Page 85 Appendixes
  • Page 87 Basic: Basic mode is a read-only mode. To have access to all commands, you must enter Privileged mode. Privileged: Privileged mode commands allow support-level options such as debugging and system diagnostics. Privileged mode configurations are not saved upon reboot. You must run the write memory command to save Privileged mode configurations.
  • Page 88 Deletes the word to the left of pointer. ENTER Scrolls down one line. ESC+B Moves the pointer back one word. ESC+D Deletes all characters from the pointer to the end of the word. ESC+F Moves the pointer forward one word. SPACE Scrolls down one screen.
  • Page 89 Log in to the vSphere Client. Select a vShield virtual machine from the inventory. Click the Console tab to open a CLI session. Log in by using the admin account. manager login: admin password: manager> Switch to Privileged mode. manager> enable password: manager#
  • Page 90 Select a vShield virtual machine from the inventory. Click the Console tab to open a CLI session. Log in to the CLI. Switch to Privileged mode. Switch to Configuration mode. Change the Privileged mode password. manager(config)# enable password abcd1234
  • Page 91 WORD telnet WORD telnet WORD PORT traceroute WORD reboot Reboots a vShield virtual machine. You can also reboot a vShield App from the vShield Manager user interface. See “Restart a vShield App” on page 61. Syntax reboot
  • Page 92 Related Commands reboot CLI Mode Commands configure terminal Switches to Configuration mode from Privileged mode. Syntax configure terminal CLI Mode Privileged Example vShield# configure terminal vShield(config)# Related Commands interface disable Switches to Basic mode from Privileged mode. Syntax disable
  • Page 93 Related Commands exit quit exit Exits from the current mode and switches to the previous mode, or exits the CLI session if run from Privileged or Basic mode. Syntax exit CLI Mode Basic, Privileged, Configuration, and Interface Configuration
  • Page 94 Quits Interface Configuration mode and switches to Configuration mode, or quits the CLI session if run from Privileged or Basic mode. Syntax quit CLI Mode Basic, Privileged, and Interface Configuration Example vShield(config-if)# quit vShield(config)# Related Commands exit
  • Page 95 Copies the current system configuration to the startup configuration. You can also copy and save the running CLI configuration of a vShield App from the vShield Manager user interface. See “Back Up the Running CLI Configuration of a vShield App” on page 60. Syntax copy running-config startup-config CLI Mode Privileged
  • Page 96 Privileged mode password is the same for each CLI user account. Syntax enable password PASSWORD Option Description PASSWORD Password to use. The default password is default. CLI Mode Configuration Example vShield# configure terminal vShield(config)# enable password plaintext abcd123 Related Commands enable show running-config
  • Page 97 Identifies a DNS server to provide address resolution service. You can also identify one or more DNS servers by using the vShield Manager user interface. See “Identify DNS Services” on page 20. To remove a DNS server, use no before the command.
  • Page 98 App. This key must be entered during vShield App installation. If the shared key between a vShield App and the vShield Manager is not identical, the service cannot install and is inoperable. Syntax manager key KEY Option Description The key that the vShield App and vShield Manager must match.
  • Page 99 You cannot connect to an NTP server. You frequently power off and power on a vShield App, such as in a lab environment. A vShield App can become out of sync with the vShield Manager when it is frequently powered on and off.
  • Page 100 Old configuration will be lost, and system needs to be rebooted Do you want to save new configuration (y/[n]): y Please log out and log back in again. manager> Starts or stops the SSH service on a vShield virtual appliance. Syntax ssh (start | stop) VMware, Inc.
  • Page 101 IP address of syslog server. CLI Mode Configuration Example vShield(config)# syslog 192.168.1.2 Related Commands show syslog write Writes the running configuration to memory. This command performs the same operation as the write memory command. Syntax write CLI Mode Privileged Example manager# write VMware, Inc.
  • Page 102 Add a URL in the format userid@<ip_address>:<directory>. For example: admin@10.10.1.10:/tmp packet-traces Copy and export packet traces. tcpdumps Copy and export system tcpdumps. Identify a specific packet trace or tcpdump file to export. FILENAME Copy and export all packet trace or tcpdump files. CLI Mode Privileged VMware, Inc.
  • Page 103 Displays all packets captured by a vShield App or vShield Edge interface, similar to a tcpdump. Enabling this command can impact vShield App or vShield Edge performance. To disable the display of packets, use no before the command. VMware, Inc.
  • Page 104 Remove one or all tcpdump files. FILENAME Identify a specific packet trace or tcpdump file to export. Remove all packet trace or tcpdump files. CLI Mode Privileged Usage Guidelines vShield App CLI Example vShield# debug remove tcpdumps all VMware, Inc.
  • Page 105 To disable logging, use no before the command. Syntax [no] debug SERVICE flow src A.B.C.D/M:P dst W.X.Y.Z/M:P Option Description SERVICE The name of the service. A.B.C.D Source IP address to use. Source subnet mask to use. Source port to use. VMware, Inc.
  • Page 106 Shows the tcpdump files that have been saved. Syntax debug show files CLI Mode Privileged Usage Guidelines vShield App CLI Example vShield_Zones_host_49_269700# debug show files total 0 -rw-r--r-- 1 0 Jun 23 16:04 tcpdump.d0.0 Related Commands debug copy debug remove VMware, Inc.
  • Page 107 Shows the current time and date of the virtual machine. If you use an NTP server for time synchronization, the time is based on Coordinated Universal Time (UTC). Syntax show clock CLI Mode Basic, Privileged Example vShield# show clock Wed Feb 9 13:04:50 UTC 2005 VMware, Inc.
  • Page 108 Show the debug processes that are enabled. You must enable a debug path by running the debug packet or one of the debug service commands. Syntax show debug CLI Mode Basic, Privileged Usage Guidelines vShield App CLI Example vShield# show debug No debug logs enabled Related Commands debug service debug service flow src VMware, Inc.
  • Page 109 = 9980 size of rule_details = 36 Kernel Rules Begin Proxy Id = 0, Service Name = proxy-unused, Num Threads = 0 ACTION=FORWARD Proxy Id = 1, Service Name = proxy-zombie, Num Threads = 0 ACTION=FORWARD VMware, Inc.
  • Page 110 Intel Corporation 82371AB/EB/MB PIIX4 ISA +-07.1 Intel Corporation 82371AB/EB/MB PIIX4 IDE +-07.3 Intel Corporation 82371AB/EB/MB PIIX4 ACPI +-07.7 VMware Inc Virtual Machine Communication Interface +-0f.0 VMware Inc Abstract SVGA II Adapter +-10.0 BusLogic BT-946C (BA80C30) [MultiMaster 10] +-11.0-[0000:02]----00.0 Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) +-15.0-[0000:03]--...
  • Page 111 CLI Mode Basic, Privileged Example vShield# show ip addr show ip route Shows the IP routing table. Syntax show ip route [A.B.C.D/M] Option Description A.B.C.D IP address to use. M Subnet mask to use. CLI Mode Basic, Privileged
  • Page 112 Shows the last 10 kernel messages for a vShield Edge. Syntax show kernel message CLI Mode Basic, Privileged Usage Guidelines vShield Edge CLI Example vshieldEdge# show kernel message Related Commands show kernel message last
  • Page 113 7 17:34:37 vShield_118 ntpdate[21466]: adjust time server 10.115.216.84 offset 0.002739 sec 7 17:35:37 vShield_118 ntpdate[21483]: adjust time server 10.115.216.84 offset 0.010884 sec Related Commands show log alerts show log events show log last show log alerts Shows the log of firewall rule alerts. Syntax show log alerts
  • Page 114 CLI Mode Basic, Privileged Example vShield# show log last 2 9 12:30:55 localhost ntpdate[24503]: adjust time server 192.168.110.199 offset -0.000406 sec 9 12:31:54 localhost ntpdate[24580]: adjust time server 192.168.110.199 offset -0.000487 sec Related Commands show log
  • Page 115 10 Related Commands show manager log show ntp Shows the IP address of the network time protocol (NTP) server. You set the NTP server IP address by using the vShield Manager user interface.
  • Page 116 Shows the current routes configured on a vShield Edge. Syntax show route CLI Mode Basic, Privileged Usage Guidelines vShield Edge CLI Example vShieldEdge# show route show running-config Shows the current running configuration.
  • Page 117 Shows the current status of all services on a vShield Edge. Details include the running status for VPN and the Load Balancer, DHCP leases, and iptable entries for firewall and NAT. Syntax show service statistics CLI Mode Basic, Privileged Usage Guidelines vShield Edge CLI Example vShieldEdge# show service statistics
  • Page 118 SYNs, and so forth. Syntax show session-manager counters CLI Mode Basic, Privileged Usage Guidelines vShield App CLI Example vShield# show session-manager counters sa_tcp_sockets_allocated_high_water_mark 8 sa_tcp_tw_count_high_water_mark 3 SA_TCP_STATS_OpenreqCreated 61 SA_TCP_STATS_SockCreated 61 SA_TCP_STATS_NewSynReceived 61 SA_TCP_STATS_RetransSynReceived 0 Related Commands show session-manager sessions
  • Page 119 System Recovery v0.3.2 Slot 1: 13Aug09-09.49PDT Slot 2: * 16Aug09-23.52PDT (Boot) show stacktrace Shows the stack traces of failed components. If no components have failed, no output is returned. Syntax show stacktrace CLI Mode Basic, Privileged Example vShield# show stacktrace
  • Page 120 [follow | reverse] Option Description follow Update the displayed log every 5 seconds. reverse Show the log in reverse chronological order. CLI Mode Basic, Privileged Usage Guidelines vShield Edge CLI Example vShieldEdge# show system events
  • Page 121 Shows the currently opened network connections and listening interfaces for a vShield Edge. Syntax show system network_connections CLI Mode Basic, Privileged Usage Guidelines vShield Edge CLI Example vShield# show system network_connections show system storage Shows the disk usage details for a vShield Edge. Syntax show system storage
  • Page 122 Shows the sessions that matched a firewall rule. Syntax show vmwall log [follow | reverse] Option Description follow Update the displayed log every 5 seconds. reverse Show the log in reverse chronological order. CLI Mode Basic, Privileged Usage Guidelines vShield App CLI
  • Page 123 Enables link detection for an interface. Link detection checks the status of an interface as enabled or disabled. Link detection is enabled by default. To disable link detection for an interface, use no before the command. Syntax [no] link-detect
  • Page 124 DEST HOSTNAME | A.B.C.D The hostname or IP address of the destination. CLI Mode Basic, Privileged Usage Guidelines vShield Edge only This command is useful for debugging IPSec-related issues. Enter CTRL+C to end ping replies. Example vshieldEdge# ping interface addr 192.168.1.1 69.147.76.15
  • Page 125 Syntax telnet (HOSTNAME | A.B.C.D) [PORT] Option Description HOSTNAME | A.B.C.D The hostname or IP address of the target system. PORT Listening port on remote system. CLI Mode Basic, Privileged Example vShield# telnet server123 vShield# telnet server123 1221
  • Page 126 User Administration Commands default web-manager password Resets the vShield Manager user interface admin user account password to default. Syntax default web-manager password CLI Mode Privileged mode Usage Guidelines vShield Manager CLI Example manager# default web-manager password Password reset
  • Page 127 CLI Mode Configuration Usage Guidelines vShield Manager CLI. You can use this command after you have run the no web-manager command to stop and then restart the HTTP services of the vShield Manager. Example manager(config)# no web-manager manager(config)# web-manager
  • Page 128 Enter the number of rows to display. If length is 0, no display control is performed. CLI Mode Privileged Example manager# terminal length 50 Related Commands reset terminal no length terminal no length Negates the terminal length command.
  • Page 129 (half|full) speed (10|100|1000) ip policy-address linkwatch interval <5-60> mode policy-based-forwarding open support-tunnel set support key show raid show raid detail
  • Page 131 When I try to install the vShield OVA file, the install fails. Solution If a vShield OVA file cannot be installed, an error window in the vSphere Client notes the line where the failure occurred. Send this error information with the vSphere Client build information to VMware technical support.
  • Page 132 However, the firewall continues to run. You can store vShield virtual machines on local storage if remote storage is not reliable. Take a snapshot or create a TAR of the affected vShield App by using the vSphere Client. Send this information to VMware technical support.
  • Page 133 Verify that the Port Group Isolation bundle is installed: esxupdate query Verify that vshd is running. - ESXi: ps | grep vsh. The results might contain more than one instance, which is ok. - ESX Classic: ps -eaf | grep vshd
  • Page 134 Adds an entry to the services list on ESX to expose VSHD services. You can verify this entry by opening the file /etc/vmware/hostd/proxy.xml and searching for the word vsh. The removal script removes all of the operations created by the installation script.
  • Page 135 ESX hosts in question. Confirm that the NICs connected to these vSwitches connect to the same physical network. Run the /opt/vmware/vslad/fence-util info command multiple times on all ESX hosts to see if any dropped packet counters are incremented.
  • Page 136 Verify that the load balancer is running by running the CLI command show service lb. The load balancer can be started by issuing the start command. Verify the load-balancer configuration by running the command show configuration lb. This command also shows on which external interfaces the listeners are running.
  • Page 137 There are two registry values, log_dest and log_level. The two entries are located in the following registry locations: HKLM\System\CurrentControlSet\Services\VFileScsiFilter\Parameters\log_dest HKLM\System\CurrentControlSet\Services\VFileScsiFilter\Parameters\log_level Both are DWORD bit masks that can be any combination of the following values: log_dest WINDBLOG VMWARE_LOG log_level AUDIT ERROR WARN INFO DEBUG 0x10
  • Page 138 - GVM: Right-click on the properties of the driver files to get the build number. Also, the audit logs print the build number (vmware.log for release). - vShield Endpoint Module: The esxupdate command provides the installed module version. Also, the audit logs print the build number.
  • Page 139 App 40 Cluster Level Rules 26, 70 vShield Manager 40 command syntax 88 events for vShield Endpoint 81 configuration mode of CLI 88 exit 93 configure terminal 92 export tech-support scp 123 connecting to vCenter Server 19
  • Page 140 97 system events 39 ip route 98 reset 128 restarting a vShield App 61 restoring backups 38 L2/L3 rules Revert to Snapshot 75 about 70 roles and rights adding 28, 73 about 31 assigning to a user 32
  • Page 141 128 show route 116 time 21 show running-config 116 traceroute 126 show service 117 traffic analysis date range 64 show service statistics 117 traffic stats for a vShield App 61 show services 118 show session-manager counters 118
  • Page 142 60 sync with vCenter Server 19 notification based on events 40 system events 39 restarting 61 user interface panels 16 sending events to syslog server 59 vSphere Plug-in 20 System Status 60 traffic stats 61 uninstall 43
  • Page 143 Plug-in 20 web-manager 127 write 101 write erase 102 write memory 102 Zones Firewall 25 adding L2/L3 rules 28 adding L4 rules 27 deleting rules 30 hierarchy of rules 26 planning rule enforcement 26 validate sessions 29