VMware vShield Zones Release Notes
vShield Zones 1.0 | 21-May-2009 | Build R1.0G68
VMware vShield Zones 1.0 introduces vShield Zones to the vMware vCenter Server environment.
These release notes contain the following sections:
vShield Zones is an application-aware firewall built for VMware vCenter Server integration. vShield Zones inspects client-server communications and inter-virtual-machine communication to provide detailed traffic analytics and application-aware firewall protection. vShield Zones is a critical security component for protecting virtualized datacenters from attacks and misuse helping you achieve your compliance-mandated goals. vShield Zones provides the following features.
Central Management of Logical Zone Boundaries and Segmentation
- Leverages existing virtual infrastructure containers—hosts, virtual switches, VLANs—as logical trust or organizational zones.
- Defines policies to bridge, firewall, or isolate network traffic between zone boundaries.
- Manages and deploys policies across entire VMware vCenter Server deployment.
- Integrates with VMware vCenter Server and automatically deploys on existing virtual networks.
- Scans and discovers existing applications running on virtual machines to identify application protocols.
Network Enforcement and Flow Monitoring
- Classifies traffic by network or application protocol (e.g. HTTP, FTP, SNMP).
- Filters traffic with stateful packet inspection (SPI).
- Tracks dynamic port connections for protocols such as RDP.
- Tracks network connections across VMware VMotion migration events.
- Easily converts observed network flows into precise network enforcement rules.
- Monitors both allowed and disallowed activity.
Robust Management and Reporting
- Provides access to the Web-based vShield Manager interface remotely from any Web browser.
- Allows administrators to be common with VMware vCenter Server or distinct for separation of duties and roles.
- Displays activity hierarchically at individual virtual machine or aggregate levels to generate graphical or tabular reports.
- Retains log data for archival and compliance purposes.
- Enables export of events and data in syslog format.
vShield Zones 1.0 is compatible with vCenter Server 4.0, ESX 4.0, and the vSphere Client.
You can access the vShield Manager interface using the following Web browsers:
- Microsoft Internet Explorer 5.x and later
- Mozilla Firefox 1.x and later
- Apple Safari 1.x or 2.x
Installation Notes for This Release
Before you install this release:
- Read the Introduction to vShield Zones for a high-level architectural overview and workflow.
- Read the Quick Start Guide for step-by-step guidance on installing vShield Zones. This guide contains information about all requirements and procedures to set up vShield Zones.
- Read the Administration Guide for step-by-step workflows describing connecting vShield Zones to your vCenter Server, setting up firewall protection, analyzing traffic sessions, discovering open applications on virtual machines, event and status monitoring, and a discussion of roles and privileges.
The following are known issues with vShield Zones:
- vShield Agent Installation Fails
If vShield agent installation fails during installation from the vShield Manager, check the following:
- Can the vShield Manager MGMT interface communicate with the vShield MGMT interface? The vShield Manager must be able to communicate with the vShield tom complete installation. If these two IP addresses cannot communicate, installation fails. If the vShield Manager MGMT interface has been tagged with a VLAN ID, then the vShield MGMT interface must also be tagged with this ID. You can specify the VLAN ID during vShield installation in the Specify associated VLAN ID (optional) field.
- Is the vShield datastore available? During installation, you selected a datastore for the configuration file of the vShield. If the datastore is unavailable during installation, installation fails.
- If installation fails for any other reason, there might be an issue with the vShield Manager when creating the initial configuration file of the new vShield. If you have checked the previous issues and installation fails, reboot the vShield Manager virtual appliance and retry vShield installation when the vShield Manager powers on. If installation fails after a reboot, contact technical support.
- An Existing Session Is Not Dropped When a Matching Rule Has Been Created After the Session Has Started
If you create a firewall rule to block traffic matching an existing session, the session is not blocked. The rule takes affect for new sessions only. To drop the existing session, you must reboot the vShield.
- Any vShield Instances on an ESX Host Will Not Work When the ESX Host Is Migrated from One Cluster to Another Cluster
If a vShield is connected to an ESX host that has migrated from one cluster to another, the vShield will not operate after the move. You can work around this issue by using one of the following scenarios:
- If before migration: From the vShield Manager, uninstall all vShield instances from the ESX host by using the Uninstall vShield tab for each vShield. Move the ESX host to the new cluster. Refresh the inventory panel of the vShield Manager. When the ESX host appears, install each vShield instance anew by using the Install vShield tab for that ESX host.
- If after migration: If the ESX host has migrated before you uninstalled vShield instances, you must manually uninstall each vShield instance on the ESX host from the vShield Manager. Follow the manual uninstallation steps in the vShield Zones Administration Guide. After completing uninstallation, refresh the inventory panel of the vShield Manager. When the ESX host appears, install each vShield instance anew by using the Install vShield tab for that ESX host.
- Distributed Power Management (DPM) Issues with vShield Installation
When DPM is enabled, it powers off or powers on ESX hosts based on the cluster and per-host capacity of powered-on hosts to the cluster and per-host demand of running VMs. This affects vShield installation in the following ways:
- If you attempt to install a vShield on an ESX host that is in standby mode, in maintenance mode, disconnected, or powered off, the vShield Manager is unable to communicate with the ESX host and does not perform the install. This is evident in the Configure Install Parameters screen wherein the Storage drop-down menu is empty.
- If the ESX host is powered on, and then a vShield instance is installed on the host, the host cannot return to DPM standby mode while the vShield is powered on. In order for the ESX host to enter standby mode, you must power off or suspend the vShield instance. If you do this and the ESX host enters standby mode, then when that ESX host is powered on, the vShield instance remains in powered off or suspended mode.
- If you configure a ESX host to power on vShield instances when the host starts up, the vCenter cannot put the ESX host back into Standby mode after virtual machines are migrated back to their primary hosts. This is the result of vShield instances being powered on.
- vShield Manager Displays the Incorrect IP Address for the Second NIC on a Virtual Machine with Two NICs
vShield Zones does not recognize separate IP addresses for two NICs that have IP addresses in the same subnet when those two NICs are connected to a single virtual machine. vShield Zones recognizes that the NICs have separate MAC addresses, but only recognizes the IP address of the default route, which is the first NIC.
- Slow or No Access to Datastore Can Cause vShield Updates to Fail
During a vShield update, if the update takes longer than 10 minutes to complete, the update fails. This is caused by slow or no access to the datastore.
- vShield Zones Does Not Support Duplicate Data Center Names
If you have two data centers with the same name in your vCenter Server, you cannot install vShield Zones.
- Inconsistency in VM Flow Counters for Blocked Sessions
In the VM Flow report, the total number of blocked sessions might not match the number of sessions when the view is expanded to view each session. This is due to a minor delay between the request and display of data.
- Do Not Power On vShield Virtual Machine After Installation from OVF
After installing the vShield OVF, do not power on the vShield virtual machine that was created. You must convert this virtual machine into a template. This template is referenced by the vShield Manager. vShield instances are powered on when installed from the vShield Manager.
- Installing vShield Zones in a vNetwork Distributed Switch Environment Requires Manual Installation
If you plan to install vShield Zones in a vNetwork Distributed Switch environment, you must install each vShield agent instance manually. Refer to the vShield Zones Administration Guide.
Role and Permissions
- vShield Manager UI User Accounts Are Not Linked to CLI User Accounts
The default user account for the vShield Manager user interface is not linked to the default CLI user account for a vShield Zones virtual machine. These accounts are managed separately. Also, the default CLI user account is unique to each vShield Zones virtual machine.
vSphere Client Plug-in
- Registering the vShield Manager as a vSphere Client Plug-in
You can register the vShield Manager user interface as a vSphere Client plug-in. You must close your vSphere Client session before sending the plug-in request from the vShield Manager user interface.
- Clicking Delete All Flows Deletes All Traffic Statistics Permanently
If you click Delete All Flows from the VM Flow tab for a datacenter container, all traffic sessions for that container are deleted permanently. Typically, this option is only used when moving your vShield Zones deployment from a lab environment to a production environment. If you must maintain a history of traffic sessions, do not use this feature.