
    Configuring the Firefly Host

    When you install SVM on the hosts, all the VMs are unsecured by default. Before defining security policies, you must secure the VM environment.

    Step-by-Step Procedure

    To configure Firefly Host, follow these steps:

    1. Log in to the Firefly Host and select the VMs that should be secured. The example below shows several ESXi hosts under Unsecured Network and Secured Network. On the left side (under Unsecured Network), the Win2012-Exch02 VM is not secured. On the right side (under Secured Network), the Win2012-Exch06 VM is secured. To secure or unsecure a VM, select or deselect the check box in front of the VM and click Secure or Unsecure in the Settings tab. You must also secure the port group when securing a VM (this is done the same way, by selecting Secure in the Settings tab for a dvPort Group).

      Figure 1: An Example dvPort Group

    2. Configure a group for one set of applications. The example below shows an application name (MediaWiki) that represents a single group. Additional application groups can be created using Add Smart Group under Security Settings, Group tab in Firefly Host. In the Firefly Host, define vi.notes so that it contains the keyword MediaWiki. The group then detects all VMs that have the keyword MediaWiki in the VM's annotation. Before defining security policies, it is a good idea to survey the existing VM environment to obtain a list of the applications hosted in the data center. Creating Smart Groups up front saves time during security policy configuration.

      Figure 2: Configure an Application Group

    3. Once groups are defined in Firefly Host, an additional step is required on the vCenter Server. On the MediaWiki VM's Summary tab in vCenter Server, add the same keyword you used for vi.notes in Step 2 to the Annotations field. This is required for the Firefly Host to detect the virtual machine. In the example below, the MediaWiki group in the Firefly Host detects all VMs that are annotated with the tag MediaWiki.

      Figure 3: The Annotation Allows Firefly Host to Detect Related VMs

    4. Next, define security policies in the Firewall area of the Firefly Host. Also define an initial Global rule under Global Policy in Policy Group. This rule applies to all VMs in the environment, enabling security even if an application group isn't properly created. To create specific rules, navigate to Policy Groups in the left pane. The policy groups contain both Inbound and Outbound rules. An Inbound rule covers traffic coming into the VM, and an Outbound rule covers traffic originating from the VM. Below is an example rule that allows HTTP, HTTPS, and ICMP inbound to the MediaWiki application VM.

      Figure 4: Define Security Policies
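
    The survey recommended in Step 2 can be scripted against an inventory export before any policy is written. The following is an added example, not Juniper or Firefly Host code: the inventory records, port group names, field names, and the case-insensitive substring match on the annotation are all assumptions made for illustration. It reports VMs that are still unsecured, secured VMs on an unsecured port group, and secured VMs whose annotation matches no Smart Group keyword, so that only the Global Policy rule would cover them.

```python
# Added example: survey of secured state and Smart Group membership.
# Inventory, field names and matching semantics are constructed assumptions,
# not output or behaviour taken from Firefly Host or vCenter.

# Smart Group name -> keyword expected in the VM annotation (vi.notes)
SMART_GROUPS = {"MediaWiki": "MediaWiki"}

# Constructed inventory, e.g. as exported from vCenter.
INVENTORY = [
    {"name": "mediawiki-web01", "notes": "MediaWiki front end",
     "secured": True, "portgroup": "dvPG-Web"},
    {"name": "mediawiki-db01", "notes": "wiki database",
     "secured": True, "portgroup": "dvPG-DB"},
    {"name": "Win2012-Exch02", "notes": "",
     "secured": False, "portgroup": "dvPG-Mail"},
    {"name": "Win2012-Exch06", "notes": "Exchange",
     "secured": True, "portgroup": "dvPG-Mail"},
]
SECURED_PORTGROUPS = {"dvPG-Web", "dvPG-Mail"}  # constructed


def groups_for(vm, smart_groups=SMART_GROUPS):
    """Smart Groups whose keyword appears in the VM annotation."""
    notes = (vm.get("notes") or "").lower()
    return sorted(g for g, kw in smart_groups.items() if kw.lower() in notes)


def survey(inventory, secured_portgroups, smart_groups=SMART_GROUPS):
    report = {"unsecured": [], "portgroup_unsecured": [], "global_only": [],
              "members": {g: [] for g in smart_groups}}
    for vm in inventory:
        if not vm["secured"]:
            report["unsecured"].append(vm["name"])  # no policy is enforced yet
            continue
        if vm["portgroup"] not in secured_portgroups:
            report["portgroup_unsecured"].append(vm["name"])
        groups = groups_for(vm, smart_groups)
        if not groups:
            # Annotation matches no keyword: only the Global rule applies.
            report["global_only"].append(vm["name"])
        for g in groups:
            report["members"][g].append(vm["name"])
    return report


if __name__ == "__main__":
    for key, value in survey(INVENTORY, SECURED_PORTGROUPS).items():
        print(f"{key}: {value}")
```

    In the constructed data, mediawiki-db01 is named after the application but its annotation lacks the keyword, so it is not placed in the MediaWiki group.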


    Published: 2015-04-20