VMware vShield Release Notes
vShield 4.1.0 Update 1 | 19 NOV 2010 | Build 310451
For organizations that want to leverage the benefits of cloud computing without sacrificing security, control or compliance, the VMware vShield family of security solutions provides comprehensive protection for virtual datacenters and cloud environments. vShield enables customers to strengthen application and data security, improve visibility and control, and accelerate IT compliance efforts across the organization.
vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
These release notes contain the following sections:
What's New in This Release
vShield 4.1.0 Update 1 adds the following features.
- SpoofGuard: SpoofGuard allows you to authorize or alter the IP addresses of your virtual machines as reported by VMware Tools. Operating separately from the App Firewall rules, you can use SpoofGuard to block traffic determined to be from a spoofed IP address. You must upgrade your vShield App instances to vShield 1.0.0 Update 1 before enabling SpoofGuard.
- vShield Edge Upgrade: You can upgrade vShield Edge software from the vSphere Client or via REST API.
Installation Notes for This Release
Before you install this release:
- Read the vShield Quick Start Guide for guidance on installing vShield. This guide contains information about all requirements and procedures to set up vShield.
- Read the vShield Administration Guide for workflows describing vShield system management, such as setting up firewall protection, analyzing traffic sessions, configuring edge services, and event and status monitoring.
- Read the vShield API Programming Guide for instructions on managing your vShield deployment via REST API.
Upgrading to vShield 4.1.0 Update 1
You can install vShield 4.1.0 Update 1 as an offline update or new install.
You must have at least one vSwitch on each ESX host to install Port Group Isolation.
You cannot upgrade a vShield Edge if vShield Zones/vShieldApp upgrade is in progress on the local datastore of the ESX host that stores the vShield Edge files.
- Offline Update
- Download the upgrade bundle.
- Click Settings & Reports from the vShield Manager inventory panel.
- Click the Updates tab.
- Click Upload Settings.
- Click Browse to locate the update.
- After locating the file, click Upload File.
- New Install: Refer to the vShield Quick Start Guide.
- vShield Edge Upgrade:
- Upgrade the vShield Manager software.
- After the upgrade is complete, log in to the vSphere Client.
- In to the vSphere Client, go to Inventory > Networking.
- Select an Internal port group where a vShield Edge has been installed.
- Click the vShield Edge tab.
- Click the Status link.
- To the right of the Configuration heading, determine if there is a new version to the right of the Upgrade to link.
- Click Upgrade to to locate and install the upgrade file.
The following are known issues with vShield 4.1.0 Update 1:
- vShield Manager
- Problem: When configuring a vShield Edge DNAT or firewall rule, if the selected Protocol is ICMP (any variation) and Port/Range contains 0 or any other number, saving the rule throws this error: Specified protocol cannot be associated with port. Invalid port in rule.
Workaround: If you select ICMP from Protocol, you must enter any in the Port/Range fields.
- Problem: Port groups which are assigned Private VLANs (PVLANs) are shown under VLAN-0 in vShield Manager user interface Network view. You will not be able to configure firewall rules for PVLANs or port groups with PVLANs.
Workaround: You can configure a firewall rule for VLAN-0. Otherwise, do not use PVLANs with vShield.
- vShield Edge
- Problem: MTU settings do not persist after vShield Edge upgrade to vShield Edge 1.0.0 Update 1.
- Problem: After configuring a vShield Edge service (e.g., Load Balancer, VPN), the service shows Not configured on the status page.
Workaround: Click Refresh Now to retrieve the latest configuration.
- Problem: After configuring VPN settings, requesting the detailedConfig via REST API returns the following error: no config found.
Workaround: You must start the VPN service to view results via detailedConfiguration REST API request.
- vShield Zones or vShield App
- Problem:SpoofGuad in enabled mode at time of vShield Manager back up. SpoofGuard disabled after backup. After restoring backup, SpoofGuard appears to return to enabled mode. However, SpoofGuard is actually disabled.
Workaround: You must perform the Force Sync operation on each vShield App to enable SpoofGuard.
- Problem: If there are multiple vShield Edges configured with the same internal subnet addressing, SpoofGuard in enabled mode will block traffic from virtual machines using duplicate IP addresses.
Workaround: Use different subnets for each vShield Edge, or disable SpoofGuard.
- Problem: Cannot upgrade vShield Zones or vShield App software via REST API.
Workaround: Use the vShield Manager user interface Updates option.
- Problem: A crash or hard reboot of an ESXi host, which has not been rebooted after vShield Zones or vShield App installation, might lead to vShield configuration loss.
Workaround: Reboot an ESXi host after installing a vShield Zones or vShield App instance to save the configuration.
- Problem: If a vShield Zones/App is powered off, checking the status under the Summary tab in the vShield Manager user interface for the ESX host throws the following error: Unknown error occurred.
Workaround: Verify the powered off state of the vShield Zones/App virtual machine in the vSphere Client. If it is powered on, verify that you can reach the vShield Manager from the vShield Zones/App via the network. If the vShield Manager cannot be reached, there is a networking error. Verify if IP addresses are in the same subnet. If the vShield Zones/App virtual machine is powered off, you must manually power on the virtual machine and force sync from the vShield Manager user interface.
- Problem: If an ESX host is (hard) rebooted, a vShield Zones or vShield App virtual machine does not power on after reboot.
Workaround: You must manually power on the vShield Zones or vShield App virtual machine. You must then force sync with the vShield Manager.
- Problem: If a vShield Zones or vShield App install fails due to the vShield virtual machine failing to power on, an attempt to uninstall the powered off vShield virtual machine also fails.
Workaround: You must delete this vShield virtual machine manually before attempting another installation.
- vShield Endpoint
- Problem: When the on demand scan (ODS) is active running it will affect these three scenarios:
1) Attempting to unmount a hard drive during ODS gives an error message that the drive is in use.
2) Shutting down the OS does not complete while running an ODS on the floppy until the ODS is finished.
3) Shutting down the OS does not complete while running an ODS on a USB drive until the ODS is finished.
- Problem: After deploying an SVM to an ESX host, the Endpoint Status panel does not report the status of that SVM. This is because the vShield Manager does not propagate some configuration parameters to the SVM until an inventory change occurs in the vCenter Server.
Workaround: Perform an inventory change in the vCenter Server, such as suspending and then resuming that virtual machine.
- Problem: Hot adding and hot removing SCSI disks from a protected VM may interfere with vShield Endpoint operations.
Workaround: Before (hot) removing a SCSI disk from a protected VM make sure that the it is not used by the vShield Endpoint Thin Agent. For example, if the disk you are about to remove is scsi(0,5) make sure that you do not have the following line SCSI0:5.filters=VFILE in the configuration for the protected VM. Also, before (hot) adding a disk to a protected VM make sure that you add it with a scsi bus id higher than the scsi disk that is currently used for . For example, if the disk used for vShield Endpoint Thin Agent is scsi(0:5), then the new disk should have a scsi bus id larger than 5, e.g., scsi(0,8)..
- Problem: After the vShield Manager is rebooted, a series of alarms are created when the EPSec status page is displayed in the vSphere client.
If these alarms already exist, an error message will be displayed in the vSphere client.
Workaround: None. These errors are informational only and do not affect the operation of the EPSec status page.
- Problem: The EPSec status page contains a table that displays alarms. When the table is filtered by severity type, the table data displays correctly,
but the total number of records is incorrect. For example, if 36 total records were filtered to display just 30 records, the toolbar still shows the message "Displaying 1 - 30 of 36 records."
- Problem: On the EPSec status page, events may be reported for the wrong VM if two or more VMs share the same BIOS UUID.
Workaround: Change the UUID of one or more of the virtual machines. See KB 1002403.
- Problem: When an SVM is registered with the vShield manager, the vShield Manager attempts to reconfigure templates and fails. The 'recent tasks' screen in the vSphere client will show the error message
"The operation is not supported on the object".
- Problem: The guest driver creates a temporary files in systemroot%\temp\vmware\eps010. If read permissions are removed from this directory then certain vShield Endpoint operations that require large data transfers may fail.
Workaround: Ensure the directory is globally readable.
- Problem: In order to remediate a read-only file, vShield Endpoint removes the file's read-only attribute.
This attribute will not be restored after the file has been remediated.
The following issues have been resolved in VMware vShield 4.1.0 Update 1.
- Windows 7 64-bit support has been added to the list of compatible operating systems for vShield Endpoint Thin Agent drivers in the vShield Quick Start Guide.
- The procedure for the vShield Manager System Events report has been corrected in the vShield Administration Guide.
- vShield Manager
- In the SSL Certificates feature in the vShield Manager user interface, if you set Algorithm to DSA and Keysize to 2048, keypair generation fails. If you do not configure a new setting, you will not be able to login to the vShield Manager subsequently.
- If you backup the vShield Manager and perform a restore of that backup on the same or different vShield Manager virtual machine, any vShield Zones or vShield App instances cannot reconnect with the vShield Manager.
- vShield Zones
- For Zones Firewall rules, user could not add ANY as a source or destination value.
- vShield Edge
- If you have both NAT rules and VPN service configured, issuing the validate session command from the CLI causes the vShield Edge to crash.
- When configuring VPN from the vShield user interface, user could specify 0 for MTU Size.
- In the vShield user interface, the Protocol options for vShield Edge NAT rules were not in alphabetical order.
- If a vShield Edge is removed (not uninstalled) from the vSphere Client immediately after installation, an attempt to uninstall the vShield Edge virtual machine results in a null pointer exception.
- vShield Endpoint
- Few thousand events in a short time period resulted in many of the events not appearing in the event monitor.
- When VMware View is refreshed, an existing open thread on the vShield Endpoint Security Virtual Machine (SVM) causes an ESX kernel panic (purple screen) when the SVM is forced to restart.
- Uninstalling vShield Components
You must move the vShield Manager virtual machine before uninstalling vShield Zones/vShield App, vShield Endpoint, or Port Group Isolation from the ESX host on which the vShield Manager resides. Uninstallation of these components requires the ESX host to enter maintenance mode. The vShield Manager must be up at all times, thus cannot be subject to maintenance mode or reboot.
- Do Not Upgrade or Uninstall VMware Tools on vShield Virtual Machines
VMware Tools is a suite of utilities that improves the performance of guest operating systems and enhances virtual machine management. A specific installation of VMware Tools has been installed on all vShield virtual machines. Do not change or remove VMware Tools from a vShield virtual machine.
- Using any in Firewall Rules
For vShield Edge firewall rules, type any in all lower case letters. For Zones Firewall and App Firewall rules, type ANY in all upper case letters.
User Account Management
- vShield Manager UI User Accounts Are Not Linked to vShield CLI User Accounts
The default user account for the vShield Manager user interface is not linked to the default CLI user account for any vShield virtual machine. These accounts are managed separately. Also, the default CLI user account is unique to each vShield virtual machine.
- Cannot Change the Password of the CLI admin User Account, Create a New CLI User and Delete admin User
You cannot change the password of the admin user account in the vShield CLI. You should create a new CLI user account and remove the admin account to secure access to the CLI on each vShield virtual machine.
User account management in the CLI conforms to the following rules.
- You can create CLI user accounts. Each created user account has administrator-level access to the CLI.
- You cannot change the password for any CLI user account on a vShield Manager or vShield App virtual machine. If you need to change a CLI user account password, you must delete the user account, and then re-add it with a new password. However, you can change the CLI password of any user account on the vShield Edge via REST API.
- The CLI admin account password and the Privileged mode password are managed separately. The default Privileged mode password is the same for each CLI user account. You should change the Privileged mode password to secure access to the CLI configuration options.
vSphere Client Plug-In
- Registering the vShield Manager as a vSphere Client Plug-in
You can register the vShield Manager user interface as a vSphere Client plug-in. You must exit your vSphere Client session before sending the plug-in registration request from the vShield Manager user interface. After registering as a vSphere plug-in, restart the vSphere Client. You can now install and configure vShield components from the vSphere Client.
- Clicking Delete All Flows Deletes All Traffic Statistics Permanently
If you click Delete All Flows from the Flow Monitor tab for a datacenter container, all traffic sessions for that container are deleted permanently. Typically, this option is only used when moving your vShield deployment from a lab environment to a production environment. If you must maintain a history of traffic sessions, do not use this feature.
- Only alphanumeric characters are allowed for site and tunnel names.
Top of Page