Configuring a Compliance Rule

This topic explains how to create a compliance rule. For an overview of the Compliance module, see Understanding the vGW Series Compliance Module.

To create a compliance rule:

  1. From the Compliance module > Rules tab, click Add. The Add Rule dialog box appears.
  2. Define the rule. Table 15 describes the available options.

    Table 15: Compliance Rule Creation Parameters

    Option: Compliance Scope
    Action: Select All Machines or Selected Group, and then choose a group from the list.

    Option: Name
    Action: Enter a name for the rule. Rule names can contain characters and numbers and should be descriptive, yet simple. You can describe the rule in more detail in the Comment field, if needed.

    Option: Weight
    Action: Enter a weight to be used when calculating the compliance level.

    Option: Generate Alert when compliance state changes
    Action: Direct the vGW Series to post a warning when the compliance level changes.

    Option: Compliance Groupings
    Action: Click Edit, move one or more labels to the Selected Labels list, and then click Apply.

    Option: Create Groups
    Action: Create groups composed of members that meet or violate the designated match criteria (defined in the Matches field).

    You are not required to create groups, but if you do select one of the two options, by default you create a non-policy Smart Group. You can change this group to a Policy group through Settings -> Security Settings -> Groups. The benefit of automatically creating a compliance-based group is that you can easily find VMs in the VM Tree using this criterion and use the group throughout the vGW Series.

    Option: Matches
    Action: Select All if the VM must meet all of the criteria defined in the field below, or Any if the VM can meet any of the criteria defined in the field below. Then choose an attribute, choose an operator, and enter a value.

    • To add another criterion to the rule, click +.
    • To remove a criterion from the rule, click -.

    Option: Advanced
    Action: Enter a selection query rather than defining. For information about query syntax.

  3. Click Test.

    The vGW checks your criteria and posts a message in the Edit Rule dialog box indicating which VMs are included in the group (if any), given the criteria you specified.

  4. Click Save.

    Note: In addition to the items described in Table 15, you also have the option of disconnecting VMs from the network during a compliance check. By default this option is hidden because if it is used incorrectly it can cause serious problems resulting in unintended network downtime. For example, if you created a compliance rule with this action incorrectly, you could bring all VMs offline. To enable this compliance action, execute the following command from within the Web interface of the vGW Security Design VM. After it is executed, you will see a selection box called “Disconnect from the network when non compliant”.

    http:///compDisconnect?disconnect=true (or false)

You can select a predefined rule to use. To facilitate your search for a rule, you can specify a filter.

Figure 105: Adding a Predefined Compliance Rule


If DHCP is available, you can determine the IP address from the vCenter server. To do so, select the vGW Security Design VM in the vCenter console, and then select the Summary tab. Alternatively, you can display the IP address by selecting the Console tab.

By default, the vGW Security Design VM is configured for dual stack, with IPv4 configured to use DHCP and IPv6 configured to use stateless autoconfiguration.

Note: By default, a dual stack vGW Security Design VM communicates with a vGW Security VM using the IPv4 protocol. However, you can use the vGW CLI to change the default IP protocol used by setting the center.dual.stack.default.communication.ipv4 parameter to false.

center.dual.stack.default.communication.ipv4=false

By default, this parameter is set to true.

This parameter is relevant only if the vGW Security Design VM is configured for dual stack and one or more vGW Security VMs are also configured for dual stack. In all other cases, the protocol used is the one that is common to both the vGW Security Design VM and the vGW Security VM, and this parameter has no effect.
