User manual VMWARE VSHIELD ENDPOINT SECURITY 1.0 ADMIN GUIDE

[. . . ] vShield Administration Guide vShield Manager 4. 1 vShield Edge 1. 0 vShield App 1. 0 vShield Endpoint Security 1. 0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www. vmware. com/support/pubs. EN-000374-00 vShield Administration Guide You can find the most up-to-date technical documentation on the VMware Web site at: http://www. vmware. com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware. com Copyright © 2010 VMware, Inc. and international copyright and intellectual property laws. [. . . ] The App Firewall tab represents the vShield App firewall access control list. NOTE App Firewall rules apply to vShield App instances, but not vShield Edge or vShield Endpoint instances. The Zones Firewall tab becomes the App Firewall tab when the vShield App license is activated. This chapter includes the following topics: "Using App Firewall" on page 73 "Create an App Firewall Rule" on page 75 "Create a Layer 2/Layer 3 App Firewall Rule" on page 77 "Creating and Protecting Security Groups" on page 77 "Validating Active Sessions against the Current App Firewall Rules" on page 78 "Revert to a Previous App Firewall Configuration" on page 79 "Delete an App Firewall Rule" on page 79 Using App Firewall The App Firewall service is a centralized, hierarchical firewall for ESX hosts. App Firewall enables you to create rules that allow or deny access to and from your virtual machines. Each installed vShield App enforces the App Firewall rules. You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set of rules across multiple vShield App instances under these containers. As membership in these containers can change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the managed containers. Securing Containers and Designing Security Groups When creating App Firewall rules, you can create rules based on traffic to or from a specific container that encompasses all of the resources within that container. For example, you can create a rule to deny any traffic from inside of a cluster that targets a specific destination outside of the cluster. You can create a rule to deny any incoming traffic that is not tagged with a VLAN ID. When you specify a container as the source or destination, all IP addresses within that container are included in the rule. A security group is a trust zone that you create and assign resources to for App Firewall protection. Security groups are containers, like a vApp or a cluster. Security groups enables you to create a container by assigning resources arbitrarily, such as virtual machines and network adapters. After the security group is defined, you add the group as a container in the source or destination field of an App Firewall rule. See "Creating and Protecting Security Groups" on page 77. VMware, Inc. 73 vShield Administration Guide Default Rules By default, the App Firewall enforces a set of rules allowing traffic to pass through all vShield App instances. These rules appear in the Default Rules section of the App Firewall table. The default rules cannot be deleted or added to. However, you can change the Action element of each rule from Allow to Deny. Layer 4 Rules and Layer 2/Layer 3 Rules The App Firewall tab offers two sets of configurable rules: L4 (Layer 4) rules and L2/L3 (Layer 2/Layer 3) rules. Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model. [. . . ] 138 VMware, Inc. Appendix B Troubleshooting Load-Balancer Throws Error 502 Bad Gateway for HTTP Requests To determine why the load balancer service on a vShield Edge is throwing a 502 Bad Gateway error This error occurs when the backend or Internal servers are not responding to requests. 1 Verify that internal server IP addresses are correct. The current configuration can be seen through the vShield Manager or through the CLI command show configuration lb. 2 3 Verify that internal server IP addresses are reachable from the vShield Edge internal interface. [. . . ]