VMware vShield 5.0 Release Notes

VMware vShield 5.0 | 1 September 2011 | Build 473791

Last updated: 6 January 2012

What's New

  • vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.
  • Role-based access control (RBAC) separates workflows for VI and security administrators, thereby providing flexibility in delegating administration across resource pools and security groups and improving the security of applications and data.
  • Adaptive trust zones with a layer 2 firewall protect against password sniffing, Dynamic Host Configuration Protocol (DHCP) snooping/poisoning attacks, and Address Resolution Protocol (ARP) spoofing.
  • Application aware firewalling improves security by only opening sessions (ports) when needed for common applications, such as Oracle DB, MS Exchange, and MS RPC.
  • Flexible IP addressing allows administrators to use the same IP address in multiple tenant zones.
  • The ability to import a signed certificate avoids certificate errors in the vShield Manager UI and allows you to generate a certificate signing request.
  • Logical groupings of IP addresses in IPSet and application set simplify the use of IP addresses when creating firewall rules.
  • Enhanced security groups allow administrators to group IPSet, MacSet, resource pools, virtual machines, and vNics in their environment when creating firewall rules.
  • Architectural improvements result in improved performance and avoid data path issues related to dynamic protocols such as FTP.
  • Port Group Isolation in vShield Edge is not supported from vShield 5.0 onwards.

System Requirements and Installation

For information about system requirements and installation instructions, see the VMware vShield Quick Start Guide.

Before installing vShield Edge, you must verify the SSL certificate for the ESX/ESXi hosts on which vShield Edge is to be installed. For more information, see the Configure SSL Settings section in the vCenter Server and Host Management Guide.

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

General Issues

Cannot change role for logged-in user
If a user is logged in, a change to that user's role does not affect the current session. You must log out and then log in for the new role to take effect.

vSphere plugin page does not refresh on revisiting the node
When you install vShield Manager, register the plugin with vCenter server, and assign a role to the vCenter user, the vShield tab is not refreshed.
Workaround: Click Refresh.

Host reboot needs to be handled for SVMs
To configure SVM for autostart on host reboot, refer to the article "Automating the process of starting and stopping virtual machines on VMware ESX" on http://kb.vmware.com/.
Note that if HA is enabled after SVM deployment, the HA module disables the setting "Allow virtual machines to start and stop automatically with the system". You must enable this setting again.

vShield App Issues

SVMs do not automatically power ON/OFF during HA/DPM/Maintenance mode
During HA reboot, Enter Maintenance, and Enter Standby modes, SVMs do not always get powered off. Subsequently, they do not automatically get powered on when coming out of these modes.
Workaround: When HA is enabled on a cluster, ensure that you select "Enable Host Monitoring" in the section "Host Monitoring Status" under the cluster settings for "vSphere HA". Remember that when DPM is configured on the cluster and the SVMs are in the Powered ON state, DPM will not be able to trigger and take the host into Standby Mode.

vShield Manager does not force sync the vShield App appliance after vShield App is rebooted
Workaround: Manually force sync vShield App.

SpoofGuard does not work after you upgrade from 4.1 to 5.0
After an upgrade from 4.1 to 5.0, ensure that you clear the browser cache on all clients that have accessed the 4.1 product. This clears cached JavaScript and other files from that release that may have changed in the current one.

Old flows are reported on reinstalling vShield App on the same host
When vShield App is reinstalled on the same host, flows for the virtual machines that were reported for the previous vShield App are also reported on the current vShield App.

vShield Manager does not show vShield App 4.1 based flows after migrating to 5.0 enhanced mode
After you upgrade vShield Manager and vShield App to 5.0 and migrate the datacenter to enhanced mode, vShield App does not display the 4.1 based flows as vShield App has a new firewall UI.

Cannot add any other rule on 5.0 if custom port dynamic rules were migrated from 4.1 U1 to 5.0 at any specific node
Rules with a dynamic application on a custom port (for example, Oracle TNS on port 1511) do not allow an indefinite set in the destination field. In other words, Any and Outside Container are not allowed in the destination field for rules with a dynamic application on a custom port.
Workaround: Delete or modify all such rules before switching to regular mode.

Cannot rename vShield App SVMs
If you change the default name of a vShield App SVM (vShield-FW-hostname), you cannot upgrade vShield App to a later release.

vShield Edge Issues

vShield Service virtual machines install can fail in certain scenarios
Consider a scenario where there are two DRS-enabled clusters in a datacenter and each cluster has two hosts. You create a dvSwitch and successfully add one host from each cluster to it. If you now deploy a new virtual machine or install vShield Edge with its vNIC in a dvPG of that dvSwitch, the virtual machine is not created and the OVF file is not imported.
Workaround: If DRS is enabled, you must add at least two hosts from the same cluster to a dvSwitch.

vShield Edge virtual machine names can contain only ASCII characters
vShield Edge virtual machine names cannot contain multi-byte characters.

If the vShield Edge virtual machine is migrated during installation, the install fails
If the vShield Edge virtual machine is automatically or manually migrated while a vShield Edge install is in progress, the install operation may fail with one of the following error messages:

  • "Error while connecting to edge. Please retry." (Code: 70907)
  • "Internal error in communication with edge. Please retry." (Code: 70913)

Workaround: Retry the same operation, as these errors might occur during processing of some intermediate states.

VPN configuration fails if CN contains special characters
If the CN contains special characters other than dots and underscores, VPN configuration fails with the following error message:
"Configuration Failed" (Code: 73000)
Workaround: Ensure that the CN contains only alphanumeric characters, dots, and underscores.

vShield Endpoint Issues

Incorrect Health Status for SVMs
When the last protected guest VM on a host is powered off and there are no remaining connections to an SVM, the status of the SVM is unknown. However, the vShield Endpoint Health and Alarms page erroneously reports the status of the SVM as either green or red.

vShield Endpoint does not work properly when a VM is cloned by copying files
When a virtual machine is cloned by copying its files (vmx, vmdk) rather than by using the vSphere clone functionality, vShield Endpoint does not report that the virtual machine is protected even though the thin agent is properly installed.
Workaround: Power off the VM and power it back on. Note that a soft reboot does not resolve the issue.

vShield Endpoint does not function properly when there are multiple virtual machines with the same UUID
When there are multiple virtual machines with the same UUID, vShield Endpoint reports only one virtual machine as protected.
Workaround: When you copy a VM, make sure to always indicate that you copied the VM so that a new UUID is generated. In addition, power cycle the VM once (no soft reboot) after the copy.
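
The following check is an added example, not part of the VMware release notes: it scans .vmx configuration text for virtual machines that share a UUID, the condition that the two issues above say leaves a copied VM unreported as protected. It assumes the UUID in question is the one stored in the .vmx key uuid.bios; the file names and UUID values are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample .vmx contents (assumption: uuid.bios is the UUID compared).
# web01-copy is a file-level copy of web01, so it keeps the same uuid.bios.
SAMPLE_VMX = {
    "web01/web01.vmx": '.encoding = "UTF-8"\ndisplayName = "web01"\n'
                       'uuid.bios = "56 4d 3a 1f 9c 00 aa 10-4b 7e 21 d3 90 5c 6e 01"\n',
    "web01-copy/web01.vmx": 'displayName = "web01-copy"\n'
                            'uuid.bios = "56 4D 3A 1F 9C 00 AA 10-4B 7E 21 D3 90 5C 6E 01"\n',
    "db01/db01.vmx": 'displayName = "db01"\n'
                     'uuid.bios = "56 4d 77 02 1b e4 c3 55-a0 19 8f 3d 62 0b 44 9a"\n',
    "tmpl/tmpl.vmx": '# never powered on, so no uuid.bios yet\ndisplayName = "tmpl"\n',
}

_KV = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the key = "value" pairs of a .vmx file, with lower-cased keys."""
    pairs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        match = _KV.match(line)
        if match:
            pairs[match.group(1).lower()] = match.group(2)
    return pairs


def normalize_uuid(raw):
    """Reduce '56 4d ..-.. 01' to 32 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[\s-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{32}", digits) else None


def find_duplicate_uuids(vmx_files):
    """Map each UUID used by more than one .vmx file to the sorted paths using it."""
    by_uuid = defaultdict(list)
    for path, text in vmx_files.items():
        uuid = normalize_uuid(parse_vmx(text).get("uuid.bios", ""))
        if uuid:
            by_uuid[uuid].append(path)
    return {u: sorted(paths) for u, paths in by_uuid.items() if len(paths) > 1}


if __name__ == "__main__":
    for uuid, paths in find_duplicate_uuids(SAMPLE_VMX).items():
        print(uuid, "->", ", ".join(paths))
```

Any VM listed by this check needs the workaround above: a new UUID followed by a full power cycle.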

vShield Endpoint driver does not load after installation
After installing the vShield Endpoint driver via the VMware Tools installer, the Endpoint driver is not loaded.
Workaround: To load the driver, reboot the guest. Alternatively, an administrator can enable the driver manually after installation by typing the following command in a Command Prompt: fltmc load vsepflt.

vShield Data Security Issues

Incorrect Health Status for SVM during installation
When the vShield Data Security SVM is being deployed by the vShield Manager, an alarm may be prematurely triggered for the SVM. The alarm is removed once the SVM is up and running.

vShield Endpoint and vShield Data Security do not work from the time a Certificate Signing Request (CSR) is generated until the vSM is restarted
When generating a Certificate Signing Request (CSR), vShield Endpoint and vShield Data Security will stop functioning until the vShield Manager is restarted (preferably after having imported the signed certificate).

Zones 1.0 released with vSphere 5.0

Read this only if you are running ESX 4.1 with vShield Zones 4.1 and want to upgrade to ESXi 5.0. In this situation, you must manually uninstall vShield Manager 4.1 and Zones 4.1, upgrade to ESXi 5.0, and then install vShield Manager 1.0 and Zones 1.0 (released with vSphere 5.0).