Understanding Policy-per-vNIC and Smart Groups

When the Policy-per-vNIC feature is enabled in the Installation section of the vGW Security Design VM Settings module, you can add individual vNICs to a Smart Group. When you configure a Smart Group, you specify whether membership in the group applies to the entire VM, that is, to all of its interfaces, or only to the vNICs to which the group logic applies, for example, based on whether the interface belongs to a particular port group or is attached to a particular VLAN. You configure this when Advanced Attributes is selected. The option to configure Smart Groups for vNICs is displayed only when the Policy-per-vNIC feature is enabled.

After you configure the group, you can test it. When you click Test, the results show the vNIC extensions, not just the VM name.

You can use the following Smart Group attributes to configure groups that include vNICs. These attributes do not pertain to the VM as a whole.

Table 14: Smart Group Attributes for vNICs When Policy-per-vNIC Is Enabled

| Smart Group Attribute | Data Type | Comment |
|---|---|---|
| vf.firewall | String | Is this VM a vGW Security VM? |
| vf.group | Multi String | Comma-separated string of all vGW groups to which a VM belongs. |
| vf.has_installed_group_policy | Boolean | Does the VM have a non-default group policy installed? |
| vf.has_installed_policy | Boolean | Does the VM have an installed security policy? |
| vf.monitored | Boolean | Is the VM currently being monitored by the vGW Security Design VM? |
| vf.secured | Boolean | Is the VM currently secured by the vGW Security Design VM? |
| vf.secured_active | Boolean | Is the VM actively protected by vGW? |
| vi.host.vmkernel.isolated.vlan | Boolean Value | Is the vmkernel management network on this hypervisor on an isolated VLAN? |
| vi.host.vmkernel.isolated.vswitch | Boolean Value | Is the vmkernel management network on this hypervisor on an isolated vSwitch? |
| vi.ip4 | IPv4 (multi value) | The IP addresses as known on a VM. |
| vi.pg_security.forgedtransmits | Boolean Value | Is the VM connected to a port group that allows forged MAC addresses (MACs other than those defined in the VMX)? |
| vi.pg_security.macchanges | Boolean Value | Is the VM connected to a port group that allows reception of unknown MAC addresses (MACs other than those defined in the VMX)? |
| vi.pg_security.promiscuous | Boolean Value | Is the VM connected to a promiscuous port group? |
| vi.portgroup | String Value | Port groups on the virtual switch this VM is actively connected to. Port groups for disconnected vNICs are not included. (For running or suspended VMs, these are the port groups actually connected. For a stopped VM, these are the port groups that will be connected at power-on.) |
| vi.portgroup.all | String Value | Port groups on the virtual switch this VM is configured to connect to; this list includes port groups even if the vNIC is disconnected. (For running or suspended VMs, these are the port groups actually connected. For a stopped VM, these are the port groups that will be connected at power-on.) |
| vi.pvlan | Numeric Value | Private VLAN values for connected port groups. |
| vi.pvlan.all | Numeric Value | List of all Private VLANs in use by this VM, including vNICs in both connected and disconnected states. |
| vi.vlan | Multi-value integer | VLANs of connected port groups. |
| vi.vlan.all | Multi-value integer | VLANs of all interfaces. |
| vi.vmsafe_configured | Boolean | Is VMsafe firewall security enabled for this VM? |
| vi.vmsafe_dvfilter | Multi String | The dvfilters protecting this VM. |
| vi.vmsafe.initfailmode | Enumeration | If VMsafe is unable to initialize, what is the network connectivity choice for this VM? |
| vi.vnic.count | Numeric Value | Number of connected vNICs. |
| vi.vswitch | Multi String | vSwitch the VM is connected to. |

You use the attributes shown in Table 14 to define a Smart Group. The Smart Group editor has two modes: basic and advanced. Basic mode lets you select one or more attributes and assign an All or Any constraint. You add rules by clicking the + sign. Advanced mode lets you configure the Smart Group for vNICs.

  1. In the Security Settings section of the vGW Security Design VM Settings module, select the Groups subsection.
  2. Click Add Smart Group on the display screen.
  3. Click Advanced at the top of the screen to display vNIC group options.
  4. In the Add Group definition pane, enter a name for the Smart Group. For this example, enter Apache Web Servers.
  5. Click Enable vNIC membership to specify that group membership pertains to vNICs, and not the VM.
  6. Select the All option button in the Matches section.
  7. Click the down arrow to display a list of attributes. Select the attribute vi.name, select Contains, and enter www.
  8. Click the + mark at the end of the row to display another row.
  9. Select the attribute vf.application, select Contains, and enter www.
  10. Under Group Attributes, select Policy Group to allow a policy to be associated with this group.
  11. Select Medium as the Priority level, and assign it a precedence of 2 in the Precedence within Level.
  12. Select Manual.

    This lets you use the Settings module to apply a policy to the group from the Firewall Apply Policy tab.

  1. Specify a name for the group and configure its attributes.
  2. Click Enable vNIC membership to specify that group membership pertains to vNICs, and not the VM.
  3. Click Test to view the results of your configuration.

    The test results show the VM name with the vNIC extension that the Smart Group logic applies to.
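To make the group logic concrete, the following Python models how an All or Any rule set is evaluated per vNIC versus per VM, using the Apache Web Servers rules from the procedure above and a second rule on a per-interface attribute from Table 14. This is an added illustration, not vGW code; the inventory, the Contains/Equals operators and the "(vNIC n)" result format are assumptions made for the example.

```python
# Added illustration of Smart Group matching, not vGW code. Attribute names come from
# Table 14; the inventory, Contains/Equals operators and "(vNIC n)" format are assumptions.
# Table 14 attributes that describe a single interface rather than the VM.
VNIC_ATTRIBUTES = {"vi.portgroup", "vi.vlan", "vi.pvlan", "vi.vswitch",
                   "vi.pg_security.promiscuous", "vi.pg_security.macchanges",
                   "vi.pg_security.forgedtransmits"}

# Constructed inventory: VM-level attributes plus one dict per vNIC.
INVENTORY = [
    {"name": "www-01", "attrs": {"vi.name": "www-01", "vf.application": "www"},
     "vnics": [{"vi.portgroup": "DMZ", "vi.vlan": 10, "vi.pg_security.promiscuous": False},
               {"vi.portgroup": "Mgmt", "vi.vlan": 99, "vi.pg_security.promiscuous": True}]},
    {"name": "db-01", "attrs": {"vi.name": "db-01", "vf.application": "mysql"},
     "vnics": [{"vi.portgroup": "Backend", "vi.vlan": 20, "vi.pg_security.promiscuous": False}]},
]

def rule_matches(rule, value):
    """Evaluate one (attribute, operator, wanted) rule against an attribute value."""
    _attr, op, wanted = rule
    if value is None:                      # attribute not present on this object
        return False
    if isinstance(value, list):            # whole-VM view of a per-vNIC attribute
        return any(rule_matches(rule, v) for v in value)
    if op == "Contains":
        return str(wanted) in str(value)
    if op == "Equals":
        return value == wanted
    raise ValueError(f"unsupported operator {op!r}")

def smart_group_members(rules, match_all=True, vnic_membership=True, inventory=INVENTORY):
    """Return what Test would list: 'vm' for VM membership, 'vm (vNIC n)' per interface."""
    combine = all if match_all else any    # the All / Any constraint of the Matches section
    members = []
    for vm in inventory:
        if vnic_membership:
            # Enable vNIC membership: each interface is evaluated on its own, VM attrs visible.
            for n, nic in enumerate(vm["vnics"], start=1):
                view = {**vm["attrs"], **nic}
                if combine(rule_matches(r, view.get(r[0])) for r in rules):
                    members.append(f'{vm["name"]} (vNIC {n})')
        else:
            # VM membership: a per-vNIC attribute matches if any interface matches.
            view = dict(vm["attrs"])
            for attr in VNIC_ATTRIBUTES:
                view[attr] = [nic.get(attr) for nic in vm["vnics"]]
            if combine(rule_matches(r, view.get(r[0])) for r in rules):
                members.append(vm["name"])
    return members

# The Apache Web Servers group from the procedure: All of two VM-level rules.
APACHE_WEB_SERVERS = [("vi.name", "Contains", "www"), ("vf.application", "Contains", "www")]
```

With vNIC membership enabled, the two VM-level rules list every interface of www-01, while a rule on vi.pg_security.promiscuous narrows membership to the single vNIC on the promiscuous port group.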

When you view a Smart Group in the VM Tree and display the VM with its nested vNICs, the vNICs that belong to the group (that is, the vNICs that satisfy the group's logic criteria) are displayed as usual. vNICs that do not belong to the group are greyed out.

Whether a vNIC is secured or not is indicated as usual for all of the VM’s vNICs.
