Configuring Scaling Using the Multi-Center and Split-Center Features
This topic explains how to use the vGW Series Split-Center and Multi-Center features together to secure your virtualized environment as you scale.
These features are typically used together to:
- Allow for partitioned management of resources among multiple vGW Security Design VMs at an individual vCenter.
The Split-Center feature allows you to segment responsibility for portions of your resources at an individual vCenter among multiple vGW Security Design VMs. It is as if each vGW Security Design VM were connected to an individual vCenter. For this feature, the segmentation component is the data center.
For background on the Split-Center feature, read Understanding the Split-Center Feature.
Caution: When you configure the Split-Center feature, ensure that each data center is assigned to only one vGW Security Design VM. Otherwise, unexpected consequences can occur.
- Deploy largely the same configuration to all vGW Security Design VM delegate centers, including those that share responsibility for a single vCenter.
The Multi-Center feature facilitates configuration management as you scale your environment. You can use it to create configurations that are largely the same for vGW Security Design VMs at different vCenters, and for vGW Security Design VMs sharing security management responsibility for resources at the same vCenter. You can effectively deploy the same configuration to them automatically with real-time updates.
For background on the Multi-Center feature, see Understanding the Multi-Center Feature.
This topic contains the following sections:
- vGW Series Split-Center Multi-Center Configuration Requirements
- About the Example
- Configuring Split-Center and Multi-Center for vGW Security Design VMs
vGW Series Split-Center Multi-Center Configuration Requirements
This example addresses a customer environment with a virtualized infrastructure that includes data centers at three individual VMware vCenters:
- The first vCenter, vCenter1, includes five customer data centers. vCenter1 is located in Dallas, Texas. One data center is considerably larger than the others.
  The customer uses the Split-Center feature to partition management of the vCenter1 data centers among two vGW Security Design VMs in the following way:
  - vGW Security Design VM-1 manages the large data center, vCenter1-data-center-1.
  - vGW Security Design VM-2 manages the other four data centers:
    - vCenter1-data-center-2
    - vCenter1-data-center-3
    - vCenter1-data-center-4
    - vCenter1-data-center-5
- The second vCenter, vCenter2, includes two customer data centers. vCenter2 is located in Minneapolis, Minnesota. vGW Security Design VM-3 manages both:
  - vCenter2-data-center-1
  - vCenter2-data-center-2
- The third vCenter, vCenter3, includes two data centers. vCenter3 is located in Raleigh, North Carolina. vGW Security Design VM-4 manages both:
  - vCenter3-data-center-1
  - vCenter3-data-center-2
About the Example
This customer’s virtualized environment spans three vCenters at various locations. The customer plans to use the Split-Center feature to divide security management responsibility for resources at one of the vCenters among two vGW Security Design VMs.
The customer plans to deploy largely the same configuration for all vGW Security Design VMs. Because manually creating separate configurations with the same parameters is time consuming and error prone, the customer decides to use the Multi-Center feature to solve this problem.
The Multi-Center feature allows the customer to use a single vGW Security Design VM as the master center. Its configuration is copied to all slave, or delegate, vGW Security Design VMs.
For this example, vGW Security Design VM-3 serves as the primary center. The administrator of vGW Security Design VM-3 configures the Multi-Center feature for all delegate centers.
Using the Settings module Multi-Center feature in the Application Settings section, the administrator defines an entry for each delegate vGW Security Design VM center. For this example, delegate centers include:
- vGW Security Design VM-1
  The configuration specifies that all objects are to be copied.
- vGW Security Design VM-2
  The configuration specifies that all objects are to be copied.
- vGW Security Design VM-4
  The configuration specifies that all objects excluding monitoring groups and IDS are to be copied.
You use the Delegate Center Configuration (Add) pane of the Settings module Multi-Center feature to create an entry for a delegate vGW Security Design VM center. To do so, you provide the following information:
- Name: Enter a name for the delegate center.
- Hostname/IP: Enter the hostname or IP address of the delegate center. This allows the master vGW Security Design VM and the delegate center vGW Security Design VM to communicate.
  The master configuration is updated automatically on the delegate center, based on selections for the delegate center.
- User ID and Password: Enter the delegate vGW Security Design VM center credentials.
- Synchronize Objects: Check the box before the item to select all objects or specific objects to be copied and automatically updated, including:
  - Global Policy: Synchronizes the global policy and all objects it depends on. Among other objects, configurations for the source and destination of the rules in the policy and the protocols are copied.
  - Default Policy: Synchronizes the default policy and all objects it depends on. Among other objects, configurations for the source and destination of the rules in the policy and the protocols are copied.
  - Quarantine Policy: Synchronizes the quarantine policy and all objects it depends on. Among other objects, configurations for the source and destination of the rules in the policy and the protocols are copied.
  - Policy Groups: Synchronizes all the policy groups and policies associated with them, and all objects that they depend on. Among other configurations, the sources and destinations of the rules in the policies, the protocols, the networks and the machines in the groups are copied.
  - Monitoring Groups: Synchronizes all the monitoring groups and the policies associated with them, and all objects that they depend on. Among other configurations, the sources and destinations of the rules in the policies, the protocols, the networks and the machines in the groups are copied.
  - Networks: Synchronizes all networks.
  - External Machines: Synchronizes all external machines.
  - IDS Signatures: Synchronizes IDS Signatures and Settings.
  - Compliance: Synchronizes compliance rules and all objects that they depend on, such as groups.
  - Antivirus Settings: Synchronizes all antivirus scan configurations and all objects that they depend on, such as groups.
Configuring Split-Center and Multi-Center for vGW Security Design VMs
Configuring Split-Center for the First vGW Security Design VM
Step-by-Step Procedure
This configuration shows how to use the Split-Center feature to give vGW Security Design VM-1 management responsibility for part of the resources at vCenter1.
- From vGW Security Design VM-1, select the Settings module.
- In the navigation tree, select vCenter Integration beneath vGW Application Settings.
- In the vCenter Settings pane, enter the following information:
- The server name or IP address of the vCenter. For this example, enter vCenter1.
- The vGW Security Design VM-1 username and password to authenticate to vCenter1. For this example, enter admin-1 and talk#321.
- In the vCenter Settings pane, select a management scope for vGW Security Design VM-1. To display the data centers belonging to vCenter1, select the Selected Datacenters option button.
The data centers belonging to vCenter1 are displayed:
- vCenter1-data-center-1
- vCenter1-data-center-2
- vCenter1-data-center-3
- vCenter1-data-center-4
- vCenter1-data-center-5
By default, the system is configured to allow the vGW Security Design VM to manage all data centers.
- Click the check box before vCenter1-data-center-1, and click Save to allow vGW Security Design VM-1 to manage it.
vGW Security Design VM-1 will now be able to manage only the VMs and other resources for vCenter1-data-center-1 of vCenter1.
Note: Before the system saves your selection, vCenter1 verifies the authentication credentials that you specified. The system displays the following message:
Checking vCenter login credentials. This may take up to 15 seconds depending on server loads.
If your credentials are invalid, your data center scope management selection is not committed.
- If you want to commit the configuration, click Okay.
Configuring Split-Center for the Second vGW Security Design VM
Step-by-Step Procedure
This configuration shows how to use the Split-Center feature to give vGW Security Design VM-2 management responsibility for part of the resources at vCenter1.
- From vGW Security Design VM-2, select the Settings module.
- In the navigation tree, select vCenter Integration beneath vGW Application Settings.
- In the vCenter Settings pane, enter the following information:
- The server name or IP address of the vCenter. For this example, enter vCenter1.
- The vGW Security Design VM-2 username and password to authenticate to vCenter1. For this example, enter admin-2 and talk#4*5#6.
- In the vCenter Settings pane, select a management scope for vGW Security Design VM-2. To display the data centers belonging to vCenter1, select the Selected Data centers option button.
The data centers belonging to vCenter1 are displayed:
- vCenter1-data-center-1
- vCenter1-data-center-2
- vCenter1-data-center-3
- vCenter1-data-center-4
- vCenter1-data-center-5
By default, the system is configured to allow the vGW Security Design VM to manage all data centers.
- Click the check boxes before vCenter1-data-center-2, vCenter1-data-center-3, vCenter1-data-center-4, and vCenter1-data-center-5, and click Save to allow vGW Security Design VM-2 to manage them.
Note: Before the system saves your selection, vCenter1 verifies the authentication credentials that you specified. The system displays the following message:
Checking vCenter login credentials. This may take up to 15 seconds depending on server loads.
If your credentials are invalid, your data center scope management selection is not committed.
- To commit the configuration, click Okay.
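The Caution earlier in this topic requires that each data center be assigned to only one vGW Security Design VM, and a VM left at the default scope manages every data center at its vCenter. The following added example (not part of the vGW product or its documentation) audits a hand-transcribed record of the saved scopes for overlaps, unmanaged data centers, and unknown names. The `ALL` marker, the data layout, and the function names are hypothetical, and the inventory and scopes are constructed from this topic's example environment.

```python
from collections import defaultdict

ALL = "ALL"  # hypothetical marker for the default scope (manage all data centers)

def dcs(vcenter, count):
    """Build the data center names used in this topic's example."""
    return [f"{vcenter}-data-center-{i}" for i in range(1, count + 1)]

# Constructed inventory matching the example environment.
INVENTORY = {"vCenter1": dcs("vCenter1", 5),
             "vCenter2": dcs("vCenter2", 2),
             "vCenter3": dcs("vCenter3", 2)}

# Constructed scopes, transcribed by hand from each SD VM's vCenter Settings pane.
SCOPES = {
    "vGW Security Design VM-1": ("vCenter1", ["vCenter1-data-center-1"]),
    "vGW Security Design VM-2": ("vCenter1", dcs("vCenter1", 5)[1:]),
    "vGW Security Design VM-3": ("vCenter2", ALL),
    "vGW Security Design VM-4": ("vCenter3", ALL),
}

def audit_split_center(inventory, scopes):
    """Return (overlaps, unmanaged, unknown) for a set of SD VM scopes."""
    owners, unknown = defaultdict(list), []
    for sd_vm, (vcenter, selected) in scopes.items():
        known = inventory.get(vcenter, [])
        # The default scope expands to every data center at that vCenter.
        for dc in (known if selected == ALL else selected):
            if dc in known:
                owners[(vcenter, dc)].append(sd_vm)
            else:
                unknown.append((sd_vm, dc))  # typo or stale name in the record
    overlaps = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    unmanaged = sorted((vc, dc) for vc, names in inventory.items()
                       for dc in names if (vc, dc) not in owners)
    return overlaps, unmanaged, sorted(unknown)

if __name__ == "__main__":
    overlaps, unmanaged, unknown = audit_split_center(INVENTORY, SCOPES)
    for (vc, dc), vms in sorted(overlaps.items()):
        print(f"OVERLAP   {vc}/{dc}: {', '.join(vms)}")
    for vc, dc in unmanaged:
        print(f"UNMANAGED {vc}/{dc}")
    for sd_vm, dc in unknown:
        print(f"UNKNOWN   {sd_vm}: {dc}")
    if not (overlaps or unmanaged or unknown):
        print("OK: every data center has exactly one vGW Security Design VM")
```

An overlap is the condition the Caution warns about; an unmanaged entry is a data center that no vGW Security Design VM has in scope.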
Defining Entries for a Delegate Center Using the Multi-Center Feature
Step-by-Step Procedure
This example shows how to define entries for one of the three vGW Security Design VMs to allow it to become a delegate center and inherit most of the vGW Security Design VM-3 master’s configuration. Configuration of the other two delegate centers is not shown here, but it is done similarly to the single configuration example.
This example shows how to configure:
- Entries for vGW Security Design VM-1 and vGW Security Design VM-2 to allow all configuration objects to be copied to them.
- An entry for vGW Security Design VM-4 to allow all configuration objects excluding monitoring groups and IDS to be copied to it.
To define a delegate center entry for vGW Security Design VM-1, from the vGW Security Design VM-3 master:
- Select the Application Settings section of the Settings module, and select Multi-Center.
- Enter mc-delegate-1 as the name for the delegate center entry.
- Enter admin-1 and talk#321 as the user ID and password credentials of the delegate center.
- Under Synchronize Objects, click Select All.
- If you are satisfied with the configuration, click Save. Otherwise, click Cancel.