Creating vGW Series Smart Groups for VMware

This topic explains how to configure vGW Series Smart Groups. You can create groups comprised of members who meet or violate the designated match criteria defined in the Matches field of the Smart Group.

To define a Smart Group, you use the Settings module Security Settings > Groups page, and click Add Smart Group. The editor has two modes: Basic and Advanced. The default mode is Basic.

Suppose you want to create a compliance rule that states that all Web server VMs should have version Apache 2.x installed because of known security issues in versions 1.x. You can configure a Smart Group for a compliance rule and configure vGW Series to issue an alert when any Web server currently in production or brought online in the future has a version of Apache that is prior to 2.x.

Smart Group creation options–the parameters used to define the group–are obtained from two locations: namely, Security Design vGW attributes and vCenter attributes. Through VM Introspection, the vGW Security Design VM can discover items such as which applications are installed on a VM, while VMware’s vCenter identifies attributes such as the port group to which the virtual network interface is connected. There are numerous attributes each classified into “vf” (vGW-based) and “vi” (vCenter-based) categories as described in the topic vGW Series Attributes for VMware.

The following values are returned for the Type field.

In Basic mode you can select one or more attributes and assign an All or Any constraint. You add rules by clicking the + sign.

Figure 146 shows a group called WebServers that is created when the VMware vCenter name (vi.name) contains www and the application named Apache is installed on the VM. Both conditions must exist for a VM to be included in this group. The information that defines this Smart Group is obtained through VM Introspection and is stored in vf.application.

Figure 146: Creating a Smart Group Using Basic Mode


To define a Smart Group using basic mode:

  1. Select Settings > Security Settings > Groups.
  2. To create a new Smart Group:
    1. Click Add Group.
    2. On the displayed pane, click Add a Smart Group.

    If you do not know the meaning of an attribute or the values that it can take, click ? at the end of the row. The pop-up message box that appears describes the attribute. It gives its data type, and it identifies possible values.

  3. Give the Smart Group a short, descriptive name. The name is displayed in the Groups table.
  4. For Matches, select All if the VM must meet all criteria defined in the field below or Any if the VM can meet any of the criteria defined in the field below.
  5. For each row, select the following information:
    • An attribute.
    • A comparator. For example, you can require that a VM must meet the attribute specification to be associated with the group, or you can define a rule that excludes VMs that meet the criteria.
    • A value.
  6. Select the Policy Group check box if you want the Smart Group to belong to a policy group.

    When you select Policy Group:

    • The Smart Group is added to the Policy Groups area in the VM tree.

      You can now configure a firewall policy for the Smart Group on its Group Policy page. You use the Firewall module in conjunction with the VM tree to display the Smart Group’s policy page.

    • Specify a priority level and a precedence level:
      • You can select high, medium (default), or low for the priority level.
      • You can use Precedence within Level to define the precedence for Smart Groups that are created with the same priority level.

      Note: A VM can belong to more than one Smart Group. In this case, the policy rules of all Smart Groups that the VM is a member of are applied to the VM. How the rules are applied also depends on the precedence and priority settings.

      It can happen that more than one Smart Group is defined with the same priority level and the same precedence within that level. In this case, Smart Group rules are applied to the VM in the order in which the Smart Groups were created.

  7. Test the configuration before you save the Smart Group definition. Click Test to verify that the group contains the VMs that you intended it to include.

In addition to creating a Smart Group by adding rows to the rules table using Basic mode, the editor’s Advanced mode allows you to write regular expressions to construct more complicated scenarios. Figure 147 shows how to define the simple WebServers example in Advanced mode using a regular expression.

Figure 147: The Smart Group Editor in Advanced Mode Using Regular Expressions


The selection query allows you to define expressions based on a simple set of operators. You can write an expression in the context of each VM, getting its attributes, and if the expression evaluates as True, the VM becomes part of the group. Table 18 covers the various Smart Group attribute types and operators.

Table 18: Operators for Creating Smart Groups Using Regular Expression

  Attribute Type   Supported Operators
  String           Contains (~), Not-Contains (!~), Equals (=), Not-Equals (!=), Matches RegExp (=~).
                   The most common attribute type. Full wildcard support such as name = "finance-*" is recognized.
  Numerical        Equals (=), Greater than (>), Not-Equals (!=), Less-Than (<), In (in), Not in (not_in).
  IP               Equals (=), In (in), Not in (not_in).
  Boolean          Equals (=), Not-Equals (!=). The return value is either true or false. For example, vf.secured = false or vf.secured != true.
  Multi            Contains (~), Not-Contains (!~), Equals (=), Not-Equals (!=), Matches RegExp (=~).
  Group            Contains (~), Not-Contains (!~), Equals (=), Not-Equals (!=), Matches RegExp (=~).
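The following is an added example, not vGW Series code, that shows how a selection query is evaluated per VM using the operator set in Table 18, and how the Policy Group priority, precedence and creation-order rules from the Basic mode procedure decide the order in which the rules of several matching Smart Groups apply. Because the page does not show the full Advanced mode grammar, expressions are written here as Python tuples of the form (attribute, operator, value) or ("all"/"any", [sub-expressions]) rather than in vGW syntax; the VM inventory, the group definitions and the attribute values are constructed for the demonstration; and the assumption that a lower Precedence within Level number applies first is the example's own.

```python
"""Added example (not vGW Series code): evaluate Smart Group match expressions
over a constructed VM inventory and order matching Policy Groups."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample inventory. Attribute names follow the page's vf./vi. convention;
# the values and the vi.ip / vi.memory_mb attributes are made up for this example.
VMS = [
    {"vi.name": "www-finance-01", "vf.application": ["Apache 2.4.6", "OpenSSH"],
     "vf.secured": True, "vi.ip": "10.1.1.10", "vi.memory_mb": 4096},
    {"vi.name": "www-legacy", "vf.application": ["Apache 1.3.41"],
     "vf.secured": False, "vi.ip": "10.1.1.11", "vi.memory_mb": 1024},
    {"vi.name": "db-01", "vf.application": ["MySQL"],
     "vf.secured": True, "vi.ip": "10.2.0.5", "vi.memory_mb": 8192},
]


def _as_list(value):
    # Multi attributes (such as vf.application) hold several values; treat scalars the same way.
    return value if isinstance(value, list) else [value]


def _contains(actual, value):
    # Contains (~): substring match on String and Multi attributes.
    return any(value in str(item) for item in _as_list(actual))


def _equals(actual, value):
    # Equals (=): exact match; a full-string wildcard such as "finance-*" is honoured.
    if isinstance(actual, list):
        return any(_equals(item, value) for item in actual)
    if isinstance(actual, str) and isinstance(value, str):
        return fnmatch.fnmatchcase(actual, value)
    return actual == value


def _regex(actual, value):
    # Matches RegExp (=~): regular expression search against each value.
    return any(re.search(value, str(item)) is not None for item in _as_list(actual))


def _in(actual, value):
    # In (in): set membership for Numerical attributes, network membership for IP attributes.
    if isinstance(actual, str):
        address = ipaddress.ip_address(actual)
        return any(address in ipaddress.ip_network(net) for net in value)
    return actual in value


OPERATORS = {
    "~": _contains, "!~": lambda a, v: not _contains(a, v),
    "=": _equals, "!=": lambda a, v: not _equals(a, v),
    "=~": _regex,
    ">": lambda a, v: a > v, "<": lambda a, v: a < v,
    "in": _in, "not_in": lambda a, v: not _in(a, v),
}


def evaluate(expr, vm):
    """Return True when the VM satisfies expr; the VM then belongs to the group."""
    if expr[0] in ("all", "any"):
        results = [evaluate(sub, vm) for sub in expr[1]]
        return all(results) if expr[0] == "all" else any(results)
    attribute, operator, value = expr
    if attribute not in vm:
        return False  # an attribute the VM does not report never matches
    return bool(OPERATORS[operator](vm[attribute], value))


@dataclass
class SmartGroup:
    name: str
    matches: tuple
    policy_group: bool = False
    priority: str = "medium"   # high, medium (default) or low
    precedence: int = 0        # Precedence within Level (assumed: lower applies first)
    created: int = 0           # creation sequence number, used as the final tie-breaker


PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}

# The page's WebServers group: vi.name contains www AND Apache is installed.
WEB_SERVERS = SmartGroup("WebServers", ("all", [("vi.name", "~", "www"), ("vf.application", "~", "Apache")]),
                         policy_group=True, priority="medium", precedence=1, created=1)
# The compliance rule from the page: Web servers whose Apache version is prior to 2.x.
OLD_APACHE = SmartGroup("ApacheBefore2x", ("all", [("vi.name", "~", "www"), ("vf.application", "=~", r"Apache [01]\.")]),
                        created=2)
UNSECURED = SmartGroup("Unsecured", ("vf.secured", "=", False),
                       policy_group=True, priority="high", created=3)
FINANCE_NET = SmartGroup("FinanceNet", ("vi.ip", "in", ["10.1.1.0/24"]),
                         policy_group=True, priority="medium", precedence=1, created=4)
GROUPS = [WEB_SERVERS, OLD_APACHE, UNSECURED, FINANCE_NET]


def members(group, vms):
    """Names of the VMs the group currently contains (what the editor's Test button shows)."""
    return [vm["vi.name"] for vm in vms if evaluate(group.matches, vm)]


def policy_order(groups, vm):
    """Policy Groups the VM belongs to, in the order their rules apply:
    priority level, then precedence within level, then creation order."""
    applicable = [g for g in groups if g.policy_group and evaluate(g.matches, vm)]
    applicable.sort(key=lambda g: (PRIORITY_RANK[g.priority], g.precedence, g.created))
    return [g.name for g in applicable]


if __name__ == "__main__":
    for group in GROUPS:
        print(f"{group.name}: {members(group, VMS)}")
    for vm in VMS:
        print(f"{vm['vi.name']} policy order: {policy_order(GROUPS, vm)}")
```

Running the block lists ApacheBefore2x as containing only www-legacy, which is the VM the compliance alert would fire for, and shows that www-legacy picks up the high-priority Unsecured rules before WebServers and FinanceNet, which share a priority level and precedence and therefore fall back to creation order.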

You can also create wildcard matches if you match on a full string. For example:
