Creating vGW Series Smart Groups
This topic explains how to configure vGW Series Smart Groups. For information about Smart Groups, see Understanding vGW Series Smart Groups.
To define a Smart Group:
- Select Setting > Security Settings > Groups.
- To create a new Smart Group:
  - Click Add Group.
  - On the displayed pane, click Add a Smart Group.
The pane displays with the Advanced options shown by default. In Advanced mode, you can add as many rows as needed to define the Smart Group criteria. Each row establishes an equation.
If you do not know the meaning of an attribute or the values that it can take, click ? at the end of the row. The pop-up window that is displayed describes the attribute. It gives its data type, and it identifies possible values.
- Give the Smart Group a name. A short, descriptive name is best as it will be displayed in the Groups table.
- For Matches, select one of the following:
  - Any: A VM that matches any one of the configured rules becomes a member of the Smart Group.
  - All: A VM must meet all of the configured rules to become a member of the Smart Group.
- For each row, select the following information:
- An attribute. See Table 16.
- A comparator. For example, you can require that VMs meet the attribute specification to belong to the group, or you can define a rule that excludes VMs that meet the criteria.
- A value.
- Select the Policy Group check box if you want the Smart Group to belong to a policy group.
When you select Policy Group:
- The Smart Group is added to the Policy Groups area in the VM tree.
You can now configure a firewall policy for the Smart Group on its Group Policy page. You use the Firewall module in conjunction with the VM tree to display the Smart Group’s policy page.
- You specify a priority level and a precedence level:
- You can select high, medium (default), or low for the priority level.
- Smart Groups can be created with the same priority level. You can use Precedence within Level to define the precedence for Smart Groups with the same priority level.
A VM can belong to more than one Smart Group. In this case, the policy rules of all Smart Groups that the VM is a member of are applied to the VM. How the rules are applied also depends on the precedence and priority settings. It can happen that more than one Smart Group is defined with the same priority level and the same precedence within that level. In this case, Smart Group rules are applied to the VM in the order in which the Smart Groups were created.
- Test the configuration before you save the Smart Group definition. Click Test to verify that the group contains the VMs that you intended it to include.
The Type field in the attribute pop-up (and the Data Type column in Table 16) takes the following values:
- Boolean: True or False
- Integer: Numeric value
- String: Free-form text string
- Multi String: Multiple string values concatenated together with separators such as commas, semicolons, or slashes
- Multi Value: List of available choices
Table 16: Smart Group Attributes
Attribute name | Data Type | Description |
---|---|---|
vf.antivirus.database.version | String Value | Which AV database version is this VM using? (That is, the version installed on the central AV database it is connected to.) |
vf.antivirus.endpoint.connected | Boolean Value | Is this VM properly connected to central AV scan engine? |
vf.antivirus.endpoint.enabled | Boolean Value | Does this VM have an operational AV agent installed? |
vf.antivirus.endpoint.version | String Value | Version of endpoint installed on the VM. |
vf.antivirus.engine.version | String Value | Which AV engine version is this VM using? (That is, the version installed on the central VM database it is connected to.) |
vf.antivirus.onaccess.enabled | Boolean Value | Does this VM have on-access AV scanning enabled? |
vf.antivirus.quarantine.enabled | Boolean Value | Is this VM configured to quarantine virus files? |
vf.app_count_bad | Integer | Number of applications on a VM that are classified as bad. |
vf.app_count_known | Integer | Number of applications on a VM that are classified as known. |
vf.app_count_unclassified | Integer | Number of applications on a VM that are unclassified. |
vf.app_count_unknown | Integer | Number of applications on a VM that are classified as unknown. |
vf.app.gi.compliant | String Value | Is this VM in compliance with the selected Gold Image? |
vf.app.is.gold.image | Boolean Value | Is this VM defined as a master image for Image Enforcer comparisons? |
vf.app.matches.gold.image | Boolean Value | Is this VM compliant with its configured Gold Image? |
vf.app.registry | String Value | Registry value from Windows registry as determined by Introspection of VM. |
vf.application | String Value | An application installed on a VM. |
vf.description | String | The text string description of the VM, as defined in the vGW Security Design Settings module Machines section. |
vf.firewall | String | Is this VM a vGW Security VM? |
vf.group | Multi String | Comma-separated string of all vGW groups to which a VM belongs. |
vf.has_installed_group_policy | Boolean | Does the VM have a non-default group policy installed? |
vf.has_installed_policy | Boolean | Does the VM have an installed security policy? |
vf.hotfix | Multi String | Hotfix installed on a VM. |
vf.monitored | Boolean | Is the VM currently being monitored by the vGW Security Design VM? |
vf.name | String | Name as defined in the vGW Security Design VM. |
vf.os | String | The operating system installed on the VM. |
vf.quarantined | Boolean Value | Is this VM in a quarantined state, and thus in the Quarantine Policy group? |
vf.secured | Boolean | Is a VM currently secured by the vGW Security Design VM? |
vf.secured_active | Boolean | Is the VM actively protected by vGW? |
vf.tag | String | Tags associated with this VM that are semicolon separated. |
vf.type | Enumeration | The machine object type. |
vf.virus.infected | Boolean Value | Has a virus been detected on this VM by the vGW antivirus engine? |
vi.attribute | String Value | The attribute values that are defined in the annotation box in VI. |
vi.cluster | String | Cluster containing a VM. |
vi.datacenter | String | Data Center in vCenter where a VM is housed. |
vi.deleted | Boolean Value | Has this VM been deleted? |
vi.excfg.copy.disable | Boolean Value | Is the copy and paste to remote console feature disabled for this VM? |
vi.excfg.deviceconnectable.disable | Boolean Value | Is this VM configured to allow devices to be connected? |
vi.excfg.deviceedit.disable | Boolean Value | Is this VM configured to allow devices to be connected and removed? |
vi.excfg.diskshrink.disable | Boolean Value | Is this VM configured to prevent virtual disk shrinking? |
vi.excfg.diskwiper.disable | Boolean Value | Is this VM configured to prevent virtual disk shrinking? |
vi.excfg.dragndrop.disable | Boolean Value | Is the copy and paste to remote console feature disabled for this VM? |
vi.excfg.hostinfo.disable | Boolean Value | Is access to host performance information available to this VM? |
vi.excfg.log.disable | Boolean Value | Is the VM log file size limited for this VM? |
vi.excfg.log.keep.old | Numeric Value | Is the number of stored log files limited for this VM? |
vi.excfg.log.rotatesize | Numeric Value | Is the VM log file size limited for this VM? |
vi.excfg.paste.disable | Boolean Value | Is the copy and paste to remote console feature disabled for this VM? |
vi.excfg.remotedisplay.max | Numeric Value | How many remote consoles are available for this VM? VMware Hardening guideline recommends limiting to one. |
vi.excfg.remoteop.disable | Boolean Value | Are remote operations disabled for this guest? |
vi.excfg.setguiopts.disable | Boolean Value | Is the copy and paste to remote console feature disabled for this VM? |
vi.excfg.vmxfilesize.limit | Numeric Value | Is the VMX file size limited (to limit the informational messages from VM to VMX file)? |
vi.folder | Multi-String | The folder containing a VM in vCenter. |
vi.host | String | ESX/ESXi hosting a VM. |
vi.host.console.ids | Boolean Value | Is vGW IDS inspection enabled for this hypervisor's service console? |
vi.host.console.monitor | Boolean Value | Is vGW network monitoring enabled for this hypervisor's service console? |
vi.host.lockdown | Boolean Value | Is lockdown mode enabled for this hypervisor host? |
vi.host.ntp.enabled | Boolean Value | Is Network Time Protocol (NTP) configured and enabled for this hypervisor? |
vi.host.techsupportmode.disable | Boolean Value | Is tech support mode enabled for this hypervisor? |
vi.host.vmkernel.isolated.vlan | Boolean Value | Is the vmkernel management network on this hypervisor on an isolated VLAN? |
vi.host.vmkernel.isolated.vswitch | Boolean Value | Is the vmkernel management network on this hypervisor on an isolated vSwitch? |
vi.indep.nonpersist.disk.ct | Numeric Value | The number of virtual disks used by this VM that are configured as Independent nonpersistent and thus cannot be introspection scanned. |
vi.ipv4 | IPv4 (multi value) | The IP addresses as known on a VM. |
vi.memory_inspection | Boolean | Are VMsafe memory and CPU API enabled for this VM? |
vi.name | String | Name of this VM as defined in vCenter. |
vi.notes | String | Annotation free text notes attached to the VM in vCenter. |
vi.os | String Value | Operating system defined for the VM in vCenter. |
vi.pg.security.forgedtransmits | Boolean Value | Is the VM connected to a port group that allows forged MAC addresses (MACs other than those defined in the VMX)? |
vi.pg.security.macchanges | Boolean Value | Is the VM connected to a port group that allows reception of unknown MAC addresses (MACs other than those defined in the VMX)? |
vi.pg.security.promiscuous | Boolean Value | Is the VM connected to a promiscuous port group? |
vi.portgroup | String Value | Port groups on the virtual switch this VM is actively connected to. Port Groups for disconnected vNICs will not be included. (For a running/suspended VM, this will be the port groups actually connected. For a stopped VM, this value is the port groups that are connected at poweron.) |
vi.portgroup.all | String Value | Port groups on the virtual switch this VM is connected to. This list includes port groups even if the vNIC is disconnected. (For a running/suspended VM, this will be the port groups actually connected. For a stopped VM, this value is the port groups that are connected at poweron.) |
vi.powerstate | Enumeration | What is the current power state of this VM? |
vi.pvlan | Numeric Value | Private VLAN values for connected port groups. |
vi.pvlan.all | Numeric Value | List of all private VLANs in use by this VM, includes vNICs in both connected and disconnected states. |
vi.resourcepool | String | Resource pool in vCenter that the VM is a member of. |
vi.snapshots.count | Numeric Value | How many snapshots exist for this VM? |
vi.vapp | Multi String | vApp group in vCenter that the VM is a member of. |
vi.vlan | Multi-value integer | VLANs of connected port groups. |
vi.vlan.all | Multi-value integer | VLANs of all interfaces. |
vi.vmci_enabled | Boolean | Is VMCI (shared memory communications) enabled for this VM? |
vi.vmsafe_configured | Boolean | Is VMsafe firewall security enabled for this VM? |
vi.vmsafe_dvfilter | Multi String | The dvfilters protecting this VM. |
vi.vmsafe.initfailmode | Enumeration | If VMsafe is unable to initialize, what is the network connectivity choice for this VM? |
vi.vmwaretools.running | Boolean | Is VMware Tools running on this VM? |
vi.vmwaretools.uptodate | Boolean | Is the version of VMware Tools installed on this VM current? |
vi.vnic.count | Numeric Value | Number of connected vNICs. |
vi.vswitch | Multi String | vSwitch the VM is connected to. |
To define a Smart Group, you use the attributes in Table 16. Select Settings > Groups, and click Add Smart Group.
The editor has two modes, Basic and Advanced. In Basic mode you select one or more attributes and assign an All or Any constraint; you add rules by clicking the + sign.
This example uses Advanced mode.
- From the Settings module, select Security Settings.
- Click Add Smart Group.
- In the Add Group pane, enter a name for the Smart Group. For this example, enter Apache Web Servers.
- Select the All option button in the Matches area.
- Click the down arrow to display a list of attributes. Select vi.name for the attribute, select Contains for the comparator, and enter www for the value.
If you are unsure of the meaning of an attribute, click ? at the end of the row. A pop-up window shows the attribute data type and its possible values.
- Click the + mark at the end of the section to display another row.
This simple Smart Group example uses only two attributes, but you can add as many rows as needed to define the Smart Group.
- Select vf.application, select Contains, and enter www.
- Under Group Attributes, select Policy Group.
- Select Medium as the priority level, and assign it a precedence of 2 in the Precedence within Level field.
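The following Python is an added model (not vGW code) of how the Matches setting, the row comparators, Multi String values, and the priority/precedence ordering described in the first procedure combine; it evaluates the Apache Web Servers group from this example against a constructed inventory. Attribute names come from Table 16; the inventory values, the Equals/Not Equals comparator names, the second Production group, and the assumption that a lower Precedence within Level number applies first are all constructed for the illustration.

```python
import re
# Constructed sample inventory; attribute names are from Table 16, values are invented.
VMS = {
    "www-01": {"vi.name": "www-01", "vf.application": "Apache httpd (www)", "vf.tag": "web;prod"},
    "www-02": {"vi.name": "www-02", "vf.application": "nginx", "vf.tag": "web;staging"},
    "db-01": {"vi.name": "db-01", "vf.application": "MySQL", "vf.tag": "db;prod"},
}
# Multi String attributes per Table 16; their values are joined with , ; or / separators.
MULTI_STRING = {"vf.group", "vf.hotfix", "vf.tag", "vi.vapp", "vi.vswitch", "vi.vmsafe_dvfilter"}
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}

def values_of(attrs, attribute):
    """Return the attribute as a list; Multi String values are split on their separators."""
    raw = attrs.get(attribute)
    if raw is None:
        return []
    if attribute in MULTI_STRING:
        return [v.strip() for v in re.split(r"[,;/]", str(raw)) if v.strip()]
    return [raw]

def rule_matches(attrs, attribute, comparator, value):
    """Evaluate one editor row. Only Contains is named on the page; Equals/Not Equals are assumed."""
    vals = values_of(attrs, attribute)
    if comparator == "Contains":
        return any(str(value) in str(v) for v in vals)
    if comparator == "Equals":
        return value in vals
    if comparator == "Not Equals":  # the excluding form of rule the text mentions
        return bool(vals) and value not in vals
    raise ValueError(f"unsupported comparator: {comparator}")

def is_member(group, attrs):
    """Matches = Any needs one true row; Matches = All needs every row true."""
    results = [rule_matches(attrs, *row) for row in group["rules"]]
    return any(results) if group["match"] == "Any" else all(results)

def members(group, vms=VMS):
    return sorted(name for name, attrs in vms.items() if is_member(group, attrs))

def policy_order(groups, attrs):
    """Groups the VM belongs to, ordered as the text describes: priority level, then
    Precedence within Level (assumed: lower number first), then creation order."""
    hit = [g for g in groups if is_member(g, attrs)]
    return [g["name"] for g in sorted(hit, key=lambda g: (PRIORITY_RANK[g["priority"]], g["precedence"], g["created"]))]

# The page's Apache Web Servers example, plus an assumed second group that overlaps it.
APACHE = {"name": "Apache Web Servers", "match": "All", "priority": "medium", "precedence": 2, "created": 1,
          "rules": [("vi.name", "Contains", "www"), ("vf.application", "Contains", "www")]}
PROD = {"name": "Production", "match": "Any", "priority": "medium", "precedence": 1, "created": 2,
        "rules": [("vf.tag", "Equals", "prod")]}
```

Running `members(APACHE)` is the equivalent of the Test button: it returns only `www-01`, since `www-02` matches on vi.name but not on vf.application under an All match.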