VMware vCloud Networking and Security App Firewall is a hypervisor-based firewall that protects applications in the virtual datacenter. Using App Firewall, organizations gain visibility and control over network communications between virtual machines. App Firewall installs as a hypervisor module plus a firewall service virtual appliance. In this blog, I am going to show how to install vCloud Networking and Security App Firewall.
App Firewall Installation
Once the vCloud Networking and Security Manager (formerly known as vShield Manager) is connected to vCenter Server, it fetches the inventory of data centers, clusters, hosts, VMs, etc., as shown below.
Click on a host; in the Summary tab you will see an option to install App Firewall.
Clicking on Install prompts for the Datastore, Management Port Group, and IP address details.
We need a unique IP address for the management port of each App Firewall virtual appliance. This IP address must be reachable from vCloud Networking and Security Manager and is usually on the management network used for the vCenter and vSphere host management interfaces.
Once you click Install after configuring the Datastore, Management Port Group, and IP address details, vCloud Networking and Security Manager starts the App Firewall installation and shows the installation progress.
After the installation is complete, you see the following.
If you run into any of the following App Firewall installation errors, refer to the associated KB articles for the resolution.
- Previous installation of host services encountered an error (KB 1028003)
- Error while installing vib: vshield-dvfilter-module not loaded in vmkernel (KB 1028003; same resolution steps as the previous error)
- App installation encountered error while installing vib (KB 2032211)
Configuring Fail Safe Mode for App Firewall
By default, traffic is blocked when the App Firewall service virtual machine fails or is unavailable (fail closed). Configure the Fail Safe mode to allow traffic to pass instead by clicking on the Change link as shown below. Note that in that mode, protected virtual machines pass traffic unfiltered until the service virtual machine is available again.
Excluding Virtual Machines from App Firewall Protection
We can exclude a set of virtual machines from App Firewall protection. This exclusion list is applied across all App Firewall installations managed by the specified Manager. If a virtual machine has multiple vNICs, all of them are excluded from protection. The Manager and the service virtual machines (App Firewall, Edge Gateway, and Data Security virtual machines) are automatically excluded from App Firewall protection. Configure the Exclusion List by clicking on Add as shown below.
In the next blog post, I will show how to set up App Firewall rules using vCenter containers and security groups.
Get notifications of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.