VMware

VMware vShield 5.0.1 Release Notes

VMware vShield 5.0.1 | 15 March 2012 | Build 631028

Last updated: 15 March 2012

What's in the Release Notes

The release notes cover the following topics:

What's New

  • Enhanced reporting and export options for vShield Data Security allows users to view data as pie charts or bar graphs and export this data in various file formats.
  • New REST API calls to simplify automation of vShield Data Security workflows including triggers for completion of scans.
  • Improved audit logs for vShield Manager provide detailed information about administrative user actions on vShield security operations.
  • Simplified troubleshooting with single file download of vShield system configuration and events.
  • Improved vShield App policy management offers the option to fail open or fail close for network security and selectively exclude virtual machines from the policy.
  • vShield App High Availability enhancements automatically restarts vShield App or virtual machines if a heartbeat is not detected.
  • Enablement of Autodeploy (Stateless ESXi) by providing vShield VIBs (host modules) for download from vShield Manager.

System Requirements and Installation

For information about system requirements and installation instructions, see the VMware vShield Quick Start Guide.

Before installing vShield Edge, you must verify the SSL certificate for the ESX/ESXi hosts on which vShield Edge is to be installed. For more information, see the Configure SSL Settings section in the vCenter Server and Host Management Guide.

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

The known issues are grouped as follows:

General Issues

vShield CLI enable password changes
If the vShield CLI enable password is changed by the admin user, only the admin user can change it again. This issue does not occur if a CLI user other than the admin user changes the CLI enable password.

vmservice-vswitch not deleted during uninstallation
Uninstalling vShield components does not delete the vmservice-vswitch. If required, you can delete it manually.

Cannot create a new user with the same name as an existing user
You cannot create a new user with the same name as an existing vCenter or vShield user. Also, you cannot assign a role to a vCenter user whose name is the same as a vShield user even if the vShield user does not have a role assigned to it.

vmservice-vswitch not deleted during uninstallation
Uninstalling vShield components does not delete the vmservice-vswitch. If required, you can delete it manually.

vShield App Issues

Old flows are reported on reinstalling vShield App on the same host
When vShield App is reinstalled on the same host, flows for the virtual machines which were reported for the previous vshield App are also reported on the current vShield App.

vShield App uninstallation fails if the host is in maintenance mode
If the host is in maintenance mode, vShield App uninstallation fails and you may need to delete the security virtual machine manually.

vShield Edge Issues

If the vShield Edge virtual machine is migrated during installation, the install fails
If the vShield Edge virtual machine is automatically or manually migrated while a vShield Edge install is going on, the install operation may fail with one of the following error messages:.

  • "Error while connecting to edge. Please retry." (Code: 70907)
  • "Internal error in communication with edge. Please retry." (Code: 70913)

Workaround: Re-try the same operation as these errors might occur during processing of some intermediate states.

VPN configuration fails if CN contains special characters
If the CN contains special characters other than dots and underscores, VPN configuration fails with the following error message:
"Configuration Failed" (Code: 73000)
Workaround: Ensure that the CN contains only alphanumeric characters, dots, and underscores.

vShield Endpoint Issues

Incorrect Health Status for SVMs
When the last protected guest VM on a host is powered off and there are no remaining connections to an SVM, the status of the SVM is unknown. However, the vShield Endpoint Health and Alarms page erroneously reports the status of the SVM as either green or red.

vShield Endpoint health monitoring and vShield Data security do not function properly when there are multiple virtual machines with the same UUID
When there are multiple virtual machines with the same UUID, vShield Endpoint reports only one virtual machine as protected and vShield Data security violations may be reported on the wrong object..
Workaround: When you copy a VM, make sure to always indicate that you copied the VM so that a new UUID is generated. In addition, power cycle the VM once (no soft reboot) after the copy.

Uninstalling vShield Endpoint from a host that has vShield Data Security installed on it
If a host has both vShield Endpoint and vShield Data Security installed on it, you must uninstall vShield Data Security before uninstalling vShield Endpoint.

Output of the Version REST API call
The REST call:
GET https://vsm-ip/api/versions
returns the following output for vShield Endpoint in 5.0.1:
module name="Endpoint" baseUri="/api/2.0/endpointsecurity" version="2.0"

vShield Data Security Issues

Incorrect Health Status for SVM during installation
When the vShield Data Security SVM is being deployed by the vShield Manager, an alarm may be prematurely triggered for the SVM. The alarm is removed once the SVM is up and running.

Uninstalling vShield Endpoint stops vShield Data Security from working
If you uninstall vShield Endpoint from a host, vShield Data Security on that host does not work.

vShield Manager does not support UTF8 character encoding for display and reporting purposes
File names or paths which include UTF8 character sets will display in the UI with '?' substituted for the unsupported characters.

State specific policies match US driver licenses from all states
If one of the US state policies is enabled in vShield Data Security, files containing driver's licences from other states may be incorrectly identified as violating files.

Resolved Issues

The following issues reported in the vShield 5.0 Release Notes have been resolved in the 5.0.1 release.

  • Host reboot needs to be handled for SVMs
  • Cannot rename vShield App SVMs
  • Cannot change role for logged-in user
  • vShield Manager does not validate Nexus1000V certificate when the certificate changes

Zones 1.0 released with vSphere 5.0

Read this only if you are running ESX 4.1 with vShield Zones 4.1, and want to upgrade to ESXi 5.0. In this situation, you must manually uninstall vShield Manager 4.1 and Zones 4.1, upgrade to ESXi 5.0, then install Vshield Manager 1.0 and Zones 1.0 (released with vSphere 5.0).