Deploying vGW Security VMs Out to ESX/ESXi Hosts

To gather information and protect network traffic, you deploy a vGW Security VM on each ESX/ESXi host to be monitored and secured. When you install a vGW Security VM on a host, it loads the kernel module, and it maintains policy and logging information. All connection enforcement occurs in the vGW VMsafe kernel module. See Figure 85.

Figure 85: Deploying a vGW Security VM to an ESX/ESXi Host

To install the vGW Security VM on a host:

  1. In the vGW Security Design VM Settings module, in the vGW Application Settings section, select Installation.
  2. In the Unsecured Network pane, select the host on which you want to install the vGW Security VM by checking the box in front of its name.
  3. Specify a name for the vGW Security VM firewall.
  4. Click Secure.

    A message is displayed confirming that the system will install the vGW kernel component on the host.

    After you click Secure, the vGW Series associates all virtual NICs (vNICs) for the relevant VMs with the vGW Series VMsafe kernel module. By default, each vNIC has a restrictive default security policy. You can use the Firewall module’s Manage Policy tab to make the policy less restrictive. You can also exclude certain vNICs in the VM from application and enforcement of the vGW Security policy. For example, you might want to do this if you do not want to implement security on a vNIC connected to a storage network device.

    The vGW Series includes a Policy-per-vNIC feature that allows you to configure separate firewall policies for individual interfaces, or virtual NICs (vNICs), on the same VM. For details on the feature, see Understanding the vGW Series Policy-per-vNIC Feature and Configuring the vGW Series Policy-per-vNIC Feature.

  5. Click OK.

    The Security VM Parameters window is displayed.

    Specify or select values for the following parameters:

    1. Enter a name for the vGW Security VM.
    2. Select the security management addressing mode.
    3. Specify the port group to use to connect the vGW Security VM to the vGW Security Design VM.
    4. Specify the data store for the vGW Security VM.
    5. Specify if the hypervisor communication console should be monitored. For details on enabling hypervisor console monitoring, see Understanding the vGW Security VMs Settings for configuration information.
    6. Click Secure.

To un-install the vGW Security Design VM from a host:

  1. In the Secured Network pane of the vGW Application Settings Installation section, select the host whose vGW Security VM you want to move out of the secured network.
  2. Click the Unsecure arrow button.
  3. The VMsafe Firewall Uninstall status window is displayed. As the vGW Security Design VM removes the firewall from the host (or moves a specific VM out of the secured network, if you selected a VM), the status window identifies the active process.

When you select an individual VM to remove from the secure network and click the Unsecure button, the vGW Security Design VM removes all relevant VMX entries related to VMsafe protection for that VM, reverting the VM to its state prior to its vGW Series protection.

If you plan to un-install vGW Series from your virtualized environment, unsecure all VMs in this manner. Afterward, select the check box for each of the ESX/ESXi hosts and click Unsecure to remove them from vGW Series protection. This process removes the kernel module and the related VMservice vSwitch and port groups.

Unsecuring a host before removing its VMs does not affect the VMs adversely. However, the process does not remove VMsafe VMX entries that pertain to vGW Series. These entries are no longer required by that VM.

Note: You might not want the VMsafe VMX entries for a VM to be removed under these conditions. For example, you might want to remove only the vGW Series kernel module from a specific host. This might be the case if you want the VMs to be moved to a different ESX/ESXi host for protection, or you intend to reinstall vGW Series later.
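
To see which VMs still carry filter entries after a host has been unsecured, the VMX files can be audited offline. The following Python sketch is an added example, not part of the vGW documentation; the `ethernetN.filterM.*` and `vmsafe.*` key patterns are assumed from general VMware conventions rather than taken from this page, and the sample VMX content and filter name are constructed.

```python
import re

# Assumed key patterns (general VMware conventions, not from this page):
# per-vNIC filter bindings and VM-level vmsafe.* settings.
VNIC_KEY = re.compile(r"^(ethernet\d+)\.", re.I)
FILTER_KEY = re.compile(r"^(ethernet\d+)\.(filter\d+\.\w+)$", re.I)
VMSAFE_KEY = re.compile(r"^vmsafe\.\w+$", re.I)
ENTRY = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key: value} for each key = "value" line of a VMX file."""
    return {m.group(1): m.group(2)
            for m in map(ENTRY.match, text.splitlines()) if m}

def audit_vmx(text):
    """Split vNICs into those with filter entries and those without."""
    vnics, filtered, vm_level = set(), {}, {}
    for key, value in parse_vmx(text).items():
        nic = VNIC_KEY.match(key)
        if nic:
            vnics.add(nic.group(1).lower())
        flt = FILTER_KEY.match(key)
        if flt:
            filtered.setdefault(flt.group(1).lower(), {})[flt.group(2)] = value
        elif VMSAFE_KEY.match(key):
            vm_level[key] = value
    return {"filtered_vnics": filtered,
            "unfiltered_vnics": sorted(vnics - set(filtered)),
            "vm_level_entries": vm_level}

# Constructed sample VMX content; the filter name is a placeholder.
SAMPLE_VMX = '''
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.networkName = "prod"
ethernet0.filter0.name = "example-filter"
ethernet0.filter0.param0 = "constructed"
ethernet1.present = "TRUE"
ethernet1.networkName = "storage"
'''

if __name__ == "__main__":
    report = audit_vmx(SAMPLE_VMX)
    for nic, entries in report["filtered_vnics"].items():
        print(f"{nic}: leftover filter entries {sorted(entries)}")
    print("vNICs without filter entries:", report["unfiltered_vnics"])
```

A vNIC listed without filter entries is either one that was excluded from enforcement or one whose entries were already removed when the VM was unsecured.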
