Configuring vGW Series Automatic Securing of Virtual Machines

This topic describes the vGW Series Auto-Secure feature and explains how to configure it.

Rather than using the Settings module Installation window to manually secure individual VMs or groups of VMs, you can use the Auto-Secure feature to configure your installation settings to automatically secure selected groups of VMs, individual VMs and groups of VMs that have a policy associated with them, or all VMs. Auto-securing VMs streamlines policy application, allowing you to efficiently ensure security throughout your virtual infrastructure. When you enable Auto-Secure and configure it to secure VMs automatically, vGW Series attaches different security policies to the VMs, depending on the option that you select. The Auto-Secure options let you choose the most appropriate way to select the VMs to secure automatically.

Note: Groups with vNIC membership enabled are excluded as valid options for auto-securing.

You can use the Auto-Secure feature with both Static and Smart Groups.

To enable automatic securing of VMs:

  1. Select Settings > vGW Application Settings > Install Settings.
  2. In the Automatic Securing of VMs pane, select the VMs that you want to be secured automatically. Select one of the following options to specify the VMs and groups of VMs:
    • No VM

      No individual VMs or groups of VMs are automatically secured. This is the default behavior.

    • VMs in the following group

      This option allows you to select either a Static Group or a Smart Group from the list of existing groups. The list contains all groups, including those configured as Policy Groups and those that are not. Using this option, you can select only one group.

      Note: Only VMs in the selected group are automatically secured.

      • If you did not configure the selected group as a Policy Group, vGW Series automatically secures members of the group with the Global and Default policies.
      • If you configured the selected group with the Policy Group option and you selected Automatic for the Apply Policy Option, then any rules that were created for the group and that were applied to it take effect; the Default policy is not used.

      This example shows configuration of a Static group called user-workstations that includes three workstations: Workstation2, Workstation3, and Workstation4. As Figure 86 shows, Policy Group was not selected when the group was configured.

      Figure 86: Static Group Created Without a Policy


      Figure 87 shows that the user-workstations group was selected from the list of groups in the “VMs in the following group:” option for auto-securing of its VMs.

      Figure 87: user-workstations Static Group Selected for Auto-Securing of VMs Example


      Because the user-workstations group was not defined as a Policy Group, vGW Series applies the Global and Default policy rules that were configured using the Firewall > Global Policy and Firewall > Default Policy windows. Figure 88 shows the Global Policy configuration window.

      Figure 88: Global Policy Rules Configured for Auto-Securing

    • VMs with a VM Policy or in a Policy Group

      Because Default Policy and Global Policy rules tend to be restrictive, they are not appropriate for securing all VMs. This option allows you to predefine policies for individual VMs and groups of VMs and direct vGW Series to use those predefined policies to automatically secure them, rather than relying on just the Default and Global policy rules. Using this option, you can automatically secure many Policy Groups and individual VMs instead of being restricted to selecting a single group.

      VMs that fit any of the following criteria are automatically secured:

      • Individual VMs for which you have predefined specific policies and to which you have applied those policies using the Firewall > Apply Policy window.
      • Groups of VMs that you created as Static Groups or Smart Groups and for which you selected Policy Group with Automatic for the Apply Policy Option. You must also have created and applied a policy for the group, and that policy must contain rules.

      Warning: If a VM is a member of a group that was created with Policy Group selected but without the Apply Policy Option set to Automatic, or if the Policy Group does not contain any rules, the VM will not be automatically secured.

    • All VMs

      All VMs are automatically secured. You can refine this selection by excluding a specific group of VMs.

      As described previously for all cases, any specifically defined Policy Groups and individual rules that are pre-applied will take effect. If a VM is not a member of any group, then Global and Default Policies and any individual VM rules will take effect.

  3. Optionally, exclude a group of VMs from being automatically secured.

This section provides an example that uses the Auto-Secure feature in combination with the Smart Groups feature. It creates a Smart Group called HighPriorResGrp, configures it as a Policy Group, creates rules for that Policy Group, and selects the group for auto-securing.

  1. From the Settings > Security Settings > Groups window, configure a Smart group called HighPriorResGrp that watches for any VMs connected to a particular VMware resource pool (called high-prior-res) obtained through vi.resourcepool.

    When any VM is added to this resource pool by a VM administrator, a security policy is instantly installed on that VM without requiring that the vGW Series administrator intervene. Figure 89 shows the Smart Group configuration. Notice that Policy Group is selected and Automatic is selected for the Apply Policy Option.

    Figure 89: Configuring a Smart Group As a Policy Group

  2. Configure Policy rules for the HighPriorityResGrp Policy Smart Group.

    When you create a group and define it as a Policy Group, vGW Series places it under Policy Groups in the VM Tree. You can click the group name to display the Firewall > Manage Policy tab, which allows you to configure rules for the group. You must configure rules for the policy for the Auto-Secure feature to take effect.

    Figure 90: Configuring Policy Rules for a Policy Smart Group Example

  3. Select Settings > Install Settings. In the Automatic Securing of VMs pane, “VMs in the following group:” option, select HighPriorityResGrp from the list of groups.

    Figure 91 shows the Auto-Secure setting, which immediately implements policies on the VMs in the HighPriorityResGrp Smart Group. In this case, the group is selected from the list of groups in the “VMs in the following group:” option. However, because it is a Policy Group and it meets all the required criteria, if “VMs with a VM Policy or in a Policy Group:” were selected, the VM members of HighPriorityResGrp would also be automatically secured.

    Figure 91: Configuring Auto-Secure for a Smart Group


If a VM is secured through Auto-Secure, you cannot unsecure it using the Settings > Installation window. The VM is shown in a grayed-out box and a message is presented informing you that it is auto-secured. (If you were able to unsecure the VM, Auto-Secure would simply secure it automatically once again.) To unsecure a VM, you must first remove it from a group that is auto-secured, and then use Settings > Installation to unsecure it. If you selected the “VMs with a VM Policy or in a Policy Group” option, then you must remove the policy from the VM if it is an individual VM with a policy, and then unsecure it.

Warning: The vGW Series Auto-Secure feature will not attempt to secure a VM that is enabled for fault tolerance (FT). vGW Series generates an alert telling you that you must disable FT for that VM or suspend the VM for vGW Series to secure the VM. The Auto-Secure feature monitors for cases in which an FT-enabled VM is disabled and for VMs that are suspended and powered-off. If the VM belongs to an Auto-Secure group, then vGW Series will secure it.
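The selection rules and warnings above can be checked against an inventory before Auto-Secure is enabled. The following is an added example, not vGW Series code or its API: it models the four options in Python and reports which VMs would be secured and which would be silently left out. The class names, option keywords ("none", "group", "policy", "all"), reason strings and the inventory are constructed for illustration, and the vNIC-membership exclusion is assumed to apply to the group chosen in "VMs in the following group".

```python
from dataclasses import dataclass

@dataclass
class Group:
    name: str
    members: frozenset
    policy_group: bool = False
    apply_automatic: bool = False  # Apply Policy Option set to Automatic
    rule_count: int = 0            # rules in the group's policy
    vnic_membership: bool = False

    def auto_policy_ready(self):
        return self.policy_group and self.apply_automatic and self.rule_count > 0

@dataclass
class VM:
    name: str
    has_vm_policy: bool = False    # applied via Firewall > Apply Policy
    fault_tolerant: bool = False

def evaluate(vms, groups, option, selected=None, excluded=None):
    """Return (secured names, {skipped name: reason}) for one Auto-Secure option."""
    by_name = {g.name: g for g in groups}
    if option == "group" and by_name[selected].vnic_membership:
        raise ValueError("groups with vNIC membership cannot be auto-secured")
    secured, skipped = set(), {}
    for vm in vms:
        memberships = [g for g in groups if vm.name in g.members]
        if option == "group":
            candidate = vm.name in by_name[selected].members
        elif option == "policy":
            candidate = vm.has_vm_policy or any(g.auto_policy_ready() for g in memberships)
            if not candidate and any(g.policy_group for g in memberships):
                skipped[vm.name] = "Policy Group not Automatic or has no rules"
        elif option == "all":
            candidate = not (excluded and vm.name in by_name[excluded].members)
        else:  # "none", the default: nothing is auto-secured
            candidate = False
        if candidate and vm.fault_tolerant:
            skipped[vm.name] = "fault tolerance enabled: alert raised, not secured"
        elif candidate:
            secured.add(vm.name)
    return secured, skipped

# Constructed inventory; the Policy Group deliberately has no rules yet.
VMS = [VM("Workstation2"), VM("Workstation3", fault_tolerant=True),
       VM("db1"), VM("web1", has_vm_policy=True)]
GROUPS = [Group("user-workstations", frozenset({"Workstation2", "Workstation3"})),
          Group("HighPriorResGrp", frozenset({"db1"}), policy_group=True, apply_automatic=True)]
```

Running `evaluate(VMS, GROUPS, "policy")` on this inventory reports db1 as skipped, which is the gap the Warning about rule-less Policy Groups describes.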
