Understanding the vGW Series Enforcer Profiles Tab

This topic describes the vGW Series Introspection module’s Enforcer Profiles tab. It explains how to use the Enforcer Profiles page to create profiles that allow you to compare the configurations of VMs to that of a Gold Image. It covers the information that you select or specify to create or modify a profile.

The Image Enforcer allows you to compare VMs to a VM template or an active VM that is elevated to the status of a Gold Image. Gold Images are VM templates or VMs whose configurations are considered valid and desirable. Based on the outcome of the comparison scan, you can take actions such as quarantining VMs that deviate from the Gold Image, or adding or removing applications from a VM to bring it into conformance.

When VMs are quarantined, they are added to the Quarantine Policy Group. When you select a quarantined VM that is in the group, the Main module dashboard is displayed, showing compliance status for the VM, its top talkers, and IDS alerts for it. You can select the Main module Quarantine tab to take action on the VM. The Main module Quarantine tab displays information about VMs that have been quarantined as a result of AntiVirus, Compliance, or Image Enforcer scans. Using it, you can view the time that the VM was quarantined, when it was removed from quarantine, and the reason that it was quarantined.

Before you read this topic, read Understanding the vGW Series Introspection Image Enforcer Feature.

About the Enforcer Profiles Screen

When you select the Introspection module Enforcer Profiles tab, the Enforcer Profiles page is displayed. Information shown in this page reflects the profiles that you have already configured, if any. You add a new Enforcer Profile from this page.

Figure 96: vGW Series Introspection Module Enforcer Profiles Tab

When you add a new profile, you give it a name that then appears in the profiles list. For each profile, the list shows the Gold Image that you selected for it and the VMs compared against it.

The Add Enforcer Profile Pane

To add a new profile, click Add beneath the Enforcer Profiles pane. The Add Enforcer Profile pane appears. You use this pane to configure Enforcer profiles that cover parameters for a comparison scan. In this pane, you select the Gold Image to use for the comparison; you can specify match criteria to define the comparison; and you can specify actions to take after the scan completes. You can specify conditions that exempt VMs from certain requirements, and you can specify whether the vGW Security Design VM should quarantine a noncompliant VM.

Figure 97: Adding a vGW Series Introspection Module Image Enforcer Profile

Table 9: Add Enforcer Profile: Selecting the Gold Image and VMs to Be Compared Against It

| Field | Specifies |
|---|---|
| Name | A name for the profile that suggests its contents. |
| Description | A description of the profile that indicates what it is used for. |
| Gold Image | The VM template or VM to use as the Gold Image for this comparison. You use the Gold Image selection list to select either an existing template or VM. Using the option button at the bottom of the selection list, you can choose to see all Gold Image candidates or only templates or VMs. Note: After you elevate a template or VM to the status of a Gold Image, it is moved to the Gold Images group in the Monitoring Group section of the VM tree. |
| VM Groups | The VM groups or VMs whose configurations you want to compare against the selected Gold Image. Use the arrow buttons to include or remove a VM group or VM from the profile. |

Table 10: Edit Enforcer Profile Options

| Option | If you select this check box, you specify that |
|---|---|
| Apps matching previous scan are acceptable | If a VM was previously scanned against the profile’s Gold Image and matched it, but it no longer does, the VM is allowed. In this case, a Gold Image might have been updated and re-scanned. Because it takes time to update the VMs specified in the Enforcer Profile group, they are allowed as matching during the transition. |
| VMs can deviate from 100% match | A VM compared against the profile’s Gold Image is allowed to deviate from it in any of the ways that you specify by selecting options identified in Table 11. |
| Ignore differences in inspected registry keys | You permit differences in registry key application settings from those of the Gold Image. |

Table 11: VM Gold Image Allowed Deviations

| Option | If you select this check box, you specify that: |
|---|---|
| Removal of apps is acceptable | An application that is missing from the VM but present on the Gold Image is acceptable. |
| Additions of known apps is acceptable | If an application is part of a Gold Image, it is classified as known. |
| App version mismatch is acceptable | The VM can contain an older or more recent version of an application than the one that exists on the Gold Image. |
| Hot fixes are excluded | Hot fixes are exempted from the comparison and are allowed on the VM. |

Caution: Although you select the “App version mismatch is acceptable” option to allow a VM to contain an older or more recent version of an application than the one that exists on the Gold Image, the option might not take effect. For example, an application might have a version number as part of its program name on the MS Windows control panel. In this case, the version number might not be recognized and vGW Series would not allow the deviation. The actions that you specify in the Actions section of the Add Enforcer pane would be enacted on the VM.
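The following Python sketch is an added illustration, not vGW Series code. It models how the Table 11 allowances could be applied to an application inventory, and why the version allowance in the Caution does not help when the version number is part of the program name. The data layout, field names, the reading of "known" as "present on any Gold Image", and the exact-name matching are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Allowances:
    """Mirrors the Table 11 check boxes (field names are hypothetical)."""
    removal_ok: bool = False
    known_additions_ok: bool = False
    version_mismatch_ok: bool = False
    hotfixes_excluded: bool = False


def deviations(gold, vm, allow, known_apps=frozenset()):
    """Return the deviations that remain after the allowances are applied.

    gold and vm map a program name to (version, is_hotfix). known_apps holds
    program names found on any Gold Image (assumed meaning of "known").
    """
    found = []
    for name, (version, is_hotfix) in sorted(vm.items()):
        if is_hotfix and allow.hotfixes_excluded:
            continue  # hot fixes are exempt from the comparison
        if name not in gold:
            if not (allow.known_additions_ok and name in known_apps):
                found.append(("added", name))
        elif gold[name][0] != version and not allow.version_mismatch_ok:
            found.append(("version", name))
    for name, (_, is_hotfix) in sorted(gold.items()):
        if is_hotfix and allow.hotfixes_excluded:
            continue
        if name not in vm and not allow.removal_ok:
            found.append(("removed", name))
    return found


# Constructed inventories, not output from a real scan.
GOLD = {"ArchiveTool": ("9.20", False), "DocViewer 9.4": ("9.4", False)}
# Same program names, one newer version, plus a hot fix (placeholder id).
VM_A = {"ArchiveTool": ("9.22", False), "DocViewer 9.4": ("9.4", False),
        "Hotfix-0001": ("1", True)}
# The version is part of the program name, so the names no longer match.
VM_B = {"ArchiveTool": ("9.20", False), "DocViewer 9.5": ("9.5", False)}

if __name__ == "__main__":
    version_only = Allowances(version_mismatch_ok=True, hotfixes_excluded=True)
    print(deviations(GOLD, VM_A, version_only))
    print(deviations(GOLD, VM_B, version_only))
```

In this model VM_B is reported as one added and one removed application, so the actions configured for a deviating VM would apply even though only the version changed.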

Table 12 identifies the actions that you can direct vGW Series to take following a comparison scan.

Table 12: Actions

| Option | If you select this check box, you direct vGW Series to . . . |
|---|---|
| Rescan immediately when template is changed | Automatically run the comparison of the VM against the Gold Image again whenever a template that is used as a Gold Image is changed by being converted to a VM, modified, and then converted back to a template. |
| Create compliance rule to track state of VMs | Automatically define a compliance rule derived from the Gold Image configuration and take the actions that you select in Table 13. |

Table 13: Compliance Rule Specifications

| Option | Directs vGW Series to |
|---|---|
| Alert On Deviation | Notify you when the VM deviates from the Gold Image. |
| Quarantine VMs which are out of compliance | Quarantine VMs whose configurations do not conform with that of the Gold Image, taking into account the allowances that you specify as options described in Table 11. |