Understanding Policy per vNIC and Smart Groups for VMware Environments

You use the vGW Security Design VM Settings module vGW Application Settings > Install Settings > Policy Per vNIC pane to enable the Policy per vNIC feature. When it is enabled, you can add individual vNICs to a Smart Group. When you configure a Smart Group, you can specify whether the requirements for membership in the group apply to an entire VM, that is, to all of its interfaces, or only to the vNICs to which the logic pertains. For example, Smart Group criteria might specify that a vNIC must belong to a particular port group, or that it must be attached to a particular VLAN, to gain membership in the group.

The ability to configure Smart Groups for vNICs is available only when Policy per vNIC is enabled. You can configure this information when Advanced Attributes is selected.

After you configure the group, you can test it. When you click Test, the results show the vNIC extensions, not just the VM name.

You can use the following Smart Group attributes to configure groups to include vNICs. These attributes do not pertain to the VM as a whole.

Table 16: Smart Group Attributes for vNICs When Policy per vNIC Is Enabled

| Smart Group Attribute Definition | Data Type | Comment |
|---|---|---|
| vf.firewall | String | Is this VM a vGW Security VM? |
| vf.group | Multi String | Comma-separated string of all vGW groups to which a VM belongs. |
| vf.has_installed_group_policy | Boolean | Does the VM have a non-default group policy installed? |
| vf.has_installed_policy | Boolean | Does the VM have an installed security policy? |
| vf.monitored | Boolean | Is the VM currently being monitored by the vGW Security Design VM? |
| vf.secured | Boolean | Is the VM currently secured by the vGW Security Design VM? |
| vf.secured_active | Boolean | Is the VM actively protected by vGW? |
| vi.host.vmkernel.isolated.vlan | Boolean | Is the vmkernel management network on this hypervisor on an isolated VLAN? |
| vi.host.vmkernel.isolated.vswitch | Boolean | Is the vmkernel management network on this hypervisor on an isolated vSwitch? |
| vi.ipv4 | IPv4 (multi value) | The IP addresses as known on a VM. |
| vi.ipv6 | IPv6 (multi value) | The IP addresses as known on a VM. They can be coded as single addresses or as an address range. Example addresses: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 and fe80::202:b3ff:fe1e:8329. |
| vi.pg_security.forgedtransmits | Boolean | Is the VM connected to a port group that allows forged MAC addresses (MACs other than those defined in the VMX)? |
| vi.pg_security.macchanges | Boolean | Is the VM connected to a port group that allows reception of unknown MAC addresses (MACs other than those defined in the VMX)? |
| vi.pg_security.promiscuous | Boolean | Is the VM connected to a promiscuous port group? |
| vi.portgroup | String | Port groups on the virtual switch that this VM is actively connected to. Port groups for disconnected vNICs are not included. (For a running or suspended VM, these are the port groups actually connected; for a stopped VM, they are the port groups that will be connected at power-on.) |
| vi.portgroup.all | String | Port groups on the virtual switch that this VM is configured to connect to; this list includes port groups even if the vNIC is disconnected. (For a running or suspended VM, these are the port groups actually connected; for a stopped VM, they are the port groups that will be connected at power-on.) |
| vi.pvlan | Numeric | Private VLAN values for connected port groups. |
| vi.pvlan.all | Numeric | List of all Private VLANs in use by this VM, including vNICs in both connected and disconnected states. |
| vi.vlan | Multi-value integer | VLANs of connected port groups. |
| vi.vlan.all | Multi-value integer | VLANs of all interfaces. |
| vi.vmsafe_configured | Boolean | Is VMsafe firewall security enabled for this VM? |
| vi.vmsafe_dvfilter | Multi String | The dvfilters protecting this VM. |
| vi.vmsafe.initfailmode | Enumeration | If VMsafe is unable to initialize, what is the network connectivity choice for this VM? |
| vi.vnic.count | Numeric | Number of connected vNICs. |
| vi.vswitch | Multi String | The vSwitch the VM is connected to. |

You use the attributes shown in Table 16 to define a Smart Group. The Smart Group editor has two modes: basic and advanced. Basic mode lets you select one or more attributes and assign an All or Any constraint; you add rules by clicking the + sign. Advanced mode allows you to configure the Smart Group for vNICs.

  1. In the Security Settings section of the vGW Security Design VM Settings module, select the Groups subsection.
  2. Click Add Smart Group on the displayed page.
  3. Click Advanced at the top of the page to display vNIC group options.
  4. In the Add Group definition pane, enter a name for the Smart Group. For this example, enter Apache Web Servers.
  5. Click Enable vNIC membership to specify that group membership pertains to vNICs, and not the VM.
  6. Select the All option button in the Matches section.
  7. Click the down arrow to display a list of attributes. Select the attribute vi.name, select Contains, and enter www.
  8. Click the + mark at the end of the row to display another row.
  9. Select the attribute vf.application, select Contains, and enter www.
  10. Under Group Attributes, select Policy Group to allow a policy to be associated with this group.
  11. Select Medium as the Priority level, and assign it a precedence of 2 in the Precedence within Level.
  12. Select Manual.

    This allows you to use the Settings module and apply a policy to the group using the Firewall Apply Policy tab.

  1. Specify a name for the group and configure its attributes.
  2. Click Enable vNIC membership to specify that group membership pertains to vNICs, and not the VM.
  3. Click Test to view the results of your configuration.

    The test results show the VM name with the vNIC extension that the Smart Group logic applies to.
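As an added example that is not part of this documentation or of vGW itself, the following Python models how Smart Group rules can be evaluated either against a VM as a whole or against each of its vNICs, using the attribute names from Table 16 and from the procedure above. The data model, the `equals` operator, the sample inventory and the `vm/vnicN` naming of test results are assumptions made for illustration; only `Contains`, the All/Any constraint and the attribute names come from the page.

```python
"""Toy evaluator for Smart-Group-style rules, per VM or per vNIC.

Added example, not vGW code: attribute names follow Table 16, but the data
model, the "equals" operator and the "vm/vnicN" result format are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class VNic:
    index: int
    portgroup: str
    vlan: int
    connected: bool
    promiscuous: bool = False   # the port group permits promiscuous mode


@dataclass
class VM:
    name: str
    application: str
    vnics: List[VNic]


def vm_attributes(vm: VM) -> Dict[str, Any]:
    """Attribute values for the VM as a whole: vi.portgroup and vi.vlan cover
    connected vNICs only, the *.all variants cover every configured vNIC."""
    connected = [n for n in vm.vnics if n.connected]
    return {
        "vi.name": vm.name,
        "vf.application": vm.application,
        "vi.portgroup": sorted({n.portgroup for n in connected}),
        "vi.portgroup.all": sorted({n.portgroup for n in vm.vnics}),
        "vi.vlan": sorted({n.vlan for n in connected}),
        "vi.vlan.all": sorted({n.vlan for n in vm.vnics}),
        "vi.vnic.count": len(connected),
        "vi.pg_security.promiscuous": any(n.promiscuous for n in vm.vnics),
    }


def vnic_attributes(vm: VM, nic: VNic) -> Dict[str, Any]:
    """Attribute values as seen from one vNIC: VM-wide attributes such as name
    and application are inherited, interface attributes narrow to this vNIC."""
    attrs = vm_attributes(vm)
    attrs.update({
        "vi.portgroup": [nic.portgroup] if nic.connected else [],
        "vi.portgroup.all": [nic.portgroup],
        "vi.vlan": [nic.vlan] if nic.connected else [],
        "vi.vlan.all": [nic.vlan],
        "vi.pg_security.promiscuous": nic.promiscuous,
    })
    return attrs


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


# "contains" is the substring operator used in the procedure; "equals" is an
# assumed exact-match operator added here for the multi-value attributes.
OPERATORS = {
    "contains": lambda actual, v: any(str(v) in str(a) for a in _as_list(actual)),
    "equals": lambda actual, v: any(a == v for a in _as_list(actual)),
}

Rule = Tuple[str, str, Any]   # (attribute, operator, value)


@dataclass
class SmartGroup:
    name: str
    rules: List[Rule]
    match: str = "all"              # the All / Any option in the Matches section
    vnic_membership: bool = False   # "Enable vNIC membership"

    def _matches(self, attrs: Dict[str, Any]) -> bool:
        results = [OPERATORS[op](attrs.get(attr, []), v) for attr, op, v in self.rules]
        return all(results) if self.match == "all" else any(results)

    def test(self, inventory: List[VM]) -> List[str]:
        """Mimic the Test button: VM names, or VM names with a vNIC extension."""
        members: List[str] = []
        for vm in inventory:
            if self.vnic_membership:
                members += [f"{vm.name}/vnic{n.index}" for n in vm.vnics
                            if self._matches(vnic_attributes(vm, n))]
            elif self._matches(vm_attributes(vm)):
                members.append(vm.name)
        return members


# Constructed sample inventory (not real data).
INVENTORY = [
    VM("www-frontend-01", "www", [VNic(0, "DMZ-Web", 100, True),
                                  VNic(1, "Backend-DB", 200, True)]),
    VM("www-frontend-02", "www", [VNic(0, "DMZ-Web", 100, True),
                                  VNic(1, "Mgmt", 10, False, promiscuous=True)]),
    VM("db-01", "postgres", [VNic(0, "Backend-DB", 200, True)]),
]


def apache_web_servers(vnic_membership: bool = True) -> List[str]:
    """The group from the procedure (vi.name and vf.application contain 'www', All).
    Both rules are VM-wide, so with vNIC membership every vNIC of a matching VM joins."""
    rules = [("vi.name", "contains", "www"), ("vf.application", "contains", "www")]
    return SmartGroup("Apache Web Servers", rules, "all", vnic_membership).test(INVENTORY)


def dmz_web_vnics() -> List[str]:
    """Adding an interface rule restricts membership to the DMZ-facing vNICs only."""
    rules = [("vf.application", "contains", "www"), ("vi.portgroup", "equals", "DMZ-Web")]
    return SmartGroup("DMZ web vNICs", rules, vnic_membership=True).test(INVENTORY)


def mgmt_vnics(include_disconnected: bool) -> List[str]:
    """vi.portgroup sees connected vNICs only; vi.portgroup.all also sees the
    disconnected Mgmt vNIC that would join that port group at power-on."""
    attr = "vi.portgroup.all" if include_disconnected else "vi.portgroup"
    return SmartGroup("Mgmt vNICs", [(attr, "equals", "Mgmt")], vnic_membership=True).test(INVENTORY)


if __name__ == "__main__":
    print(apache_web_servers())                  # all four vNICs of the two www VMs
    print(apache_web_servers(vnic_membership=False))  # the two VM names only
    print(dmz_web_vnics())                       # ['www-frontend-01/vnic0', 'www-frontend-02/vnic0']
    print(mgmt_vnics(False), mgmt_vnics(True))   # [] vs ['www-frontend-02/vnic1']
```

The contrast between `mgmt_vnics(False)` and `mgmt_vnics(True)` is the practical reason the table carries both `vi.portgroup` and `vi.portgroup.all`: a disconnected vNIC on a sensitive port group is invisible to a group keyed on the connected-only attribute, but it will be on that network the next time the VM powers on, so a policy that should follow the interface into that port group needs the `.all` form.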

When you view a Smart Group in the VM Tree and display a VM with its nested vNICs, the vNICs that belong to the group, that is, those that satisfy the group's logic criteria, are displayed as usual. vNICs that do not belong to the group are greyed out.

Whether a vNIC is secured or not is indicated as usual for all of the VM’s vNICs.
