V gw admin_guide_45sp3

Copyright © 2011, Juniper Networks, Inc
vGW Virtual Gateway
Administration Guide
Release 4.5 Service Pack 3

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the
United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All
other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479,
6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase
order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper
Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally
speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against
certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the
license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE
SOFTWARE.
BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE
TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT
AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE
TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY
CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or
Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being
referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller
the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for
which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by
Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates,
upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the
Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the
equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to
Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject
to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by
Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units
for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access
Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space
and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines
(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a
single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may
specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints,
concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the

purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide
throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may
restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other
specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the
Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not
extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s
enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-
Belted Radius software to support any commercial network access services. The foregoing license is not transferable or assignable by
Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper
or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees
not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized
copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the
Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any
product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in
Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted feature, function, service, application, operation, or
capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service,
application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party;
(h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized
Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on
Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of
testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any
manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,
Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.
As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence,
which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the
Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to
the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of
any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of
the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the
warranty statement that accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation
to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written
support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST
PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL,
INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR
IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE
WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO
THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT
ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its
suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the
price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price
paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this
Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of
risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that
the same form an essential basis of the bargain between the Parties. 9. Termination. Any breach of this Agreement or failure by Customer
to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall
destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising
from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing
jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or
modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to
Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation
showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding
tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply

with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any
liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under
this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any
applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such
restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the
Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an
export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use,
duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS
227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer
with the interface information needed to achieve interoperability between the Software and another independently created program, on
payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use
such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose
products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this
Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition,
certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective
owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the
source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public
License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request
for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N.
Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html,
and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html .
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws
principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes
arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal
courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the
Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral
or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement
executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with
terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly
assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall
not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English
language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que
cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation:
The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Copyright © 2011, Juniper Networks, Inc i
Contents
Administration Guide.................................................................................................................... 1
SOFTWARE LICENSE................................................................................................................... 2
END USER LICENSE AGREEMENT............................................................................................. 2
Contents ..........................................................................................................................................i
About This Guide ........................................................................................................................... 1
Understanding the vGW Virtual Gateway................................................................................. 1
Understanding Cloud Computing and the vGW Virtual Gateway........................................................................1
Understanding Hypervisors and the vGW Virtual Gateway....................................................................................1
Understanding the VMware Infrastructure and the vGW Virtual Gateway.....................................................2
Understanding vSphere and the vGW Virtual Gateway.................................................................................2
Understanding VMware ESX and ESXi Hosts and the vGW Virtual Gateway.......................................2
Understanding vMotion and the vGW Virtual Gateway.................................................................................2
VGW Security Design VM Navigation ....................................................................................... 2
Button Bar.................................................................................................................................................................................4
VM Tree Pane...........................................................................................................................................................................5
Main Module...................................................................................................................................7
Dashboard................................................................................................................................................................................. 7
Status..........................................................................................................................................................................................8
Network Module ......................................................................................................................... 10
Time Interval ........................................................................................................................................................................... 11
Advanced Options ................................................................................................................................................................12
Table Sorting.......................................................................................................................................................................... 13
Firewall Module ...........................................................................................................................14
Manage Policy Tab .............................................................................................................................................................. 14
Apply Policy Tab...................................................................................................................................................................16
Logs Tab ..................................................................................................................................................................................18
Status and Configuration Tab.........................................................................................................................................18
Install Tab ................................................................................................................................................................................21
VMsafe Firewall + Monitoring Mode Security Installation...........................................................................22
VMsafe Monitoring Mode Security Installation............................................................................................... 25
Bridge Mode Security Installation........................................................................................................................ 25
Auto Secure VMs tab ......................................................................................................................................................... 26
IDS Module ..................................................................................................................................28
IDS Setup Steps................................................................................................................................................................... 28
Top Alerts Tab......................................................................................................................................................................30
Alert Sources Tab................................................................................................................................................................30
Alert Targets Tab ................................................................................................................................................................30
All Alerts Tab.........................................................................................................................................................................30
Introspection Module .................................................................................................................31
Applications Tab .................................................................................................................................................................. 31

vGW Virtual Gateway
ii Copyright © 2011, Juniper Networks, Inc
VMs Tab...................................................................................................................................................................................33
Scan Status Tab.................................................................................................................................................................. 35
Scheduling Tab ....................................................................................................................................................................36
Compliance Module...................................................................................................................39
Compliance Tab ..................................................................................................................................................................39
Rules Tab................................................................................................................................................................................. 41
Example 1 – Defining a Basic Compliance Rule.............................................................................................. 43
Example 2 – Defining an Advanced Compliance Rule with Custom Security Policies...................45
Reports Module ..........................................................................................................................48
Generating Reports.............................................................................................................................................................48
Add/Edit Reports Tab...............................................................................................................................................48
Recent Reports Tab...................................................................................................................................................49
Custom Report Types...............................................................................................................................................49
Filters................................................................................................................................................................................ 51
Scheduling Reports .................................................................................................................................................... 51
Settings Module ......................................................................................................................... 52
About Obtaining, Installing, and Managing vGW Virtual Gateway Licenses ............................................... 52
About vGW Virtual Gateway Licenses ............................................................................................................... 52
Installing Licenses in the vGW Security Design VM....................................................................................... 53
vGW Application Settings................................................................................................................................................ 53
Status & License.........................................................................................................................................................54
vCenter Integration....................................................................................................................................................54
Installation .................................................................................................................................................................... 55
Administrators.............................................................................................................................................................56
Active Directory ...........................................................................................................................................................56
Machines.........................................................................................................................................................................57
High Availability............................................................................................................................................................57
E-Mail and Reporting ................................................................................................................................................58
E-mail Settings and Configuration Parameters .............................................................................................58
Reporting Module Settings Configuration Parameters ...............................................................................59
Security Settings..................................................................................................................................................................59
IDS Configuration ........................................................................................................................................................61
IDS Signatures ..............................................................................................................................................................61
Alerting ............................................................................................................................................................................61
Protocols.........................................................................................................................................................................61
Protocol Groups.......................................................................................................................................................... 62
Groups............................................................................................................................................................................. 62
Networks........................................................................................................................................................................ 62
SRX Zones..................................................................................................................................................................... 62
Appliance Settings.............................................................................................................................................................. 62
Updates.......................................................................................................................................................................... 62
Network Settings........................................................................................................................................................63
Proxy Settings..............................................................................................................................................................63
Time Settings...............................................................................................................................................................63
Log Collection..............................................................................................................................................................63
Log Viewer.....................................................................................................................................................................64

Copyright © 2011, Juniper Networks, Inc iii
Support...........................................................................................................................................................................64
Firewall Policy.............................................................................................................................65
Policy Creation and Rule Precedence .........................................................................................................................66
Smart Groups............................................................................................................................. 69
VMotion Support ..................................................................................................................................................................74
Enabling VMotion Support in Bridge Mode Installations (Non-VMsafe) ..............................................74
Configuring VMware HA and DRS..................................................................................................................................75
System Updates ......................................................................................................................... 76
Manually Applying System Updates ........................................................................................................................... 76
Using Batch Update to Update Multiple vGW Security VMs ............................................................................. 78
Status and Alerts ...................................................................................................................... 80
Status.......................................................................................................................................................................................80
Alerts ........................................................................................................................................................................................80
E-mail Alert Settings...........................................................................................................................................................81
SNMP Trap Settings........................................................................................................................................................... 82
AutoConfig and Multicast Alerts................................................................................................................................... 82
High Availability .........................................................................................................................83
The vGW Security Design VM High Availability .......................................................................................................83
vGW Security VM HA..........................................................................................................................................................84
Juniper Networks Product Interoperability............................................................................85
About SRX Series Services Gateway Security Zones............................................................................................85
SRX Series Services Gateway Zones...........................................................................................................................86
Enabling the Junoscript Interface for vGW Virtual Gateway Access......................................................86
Configuring an SRX object ...................................................................................................................................... 87
Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process ..........................88
About VM Zone Groupings......................................................................................................................................89
About Populating VM Objects in the SRX Series Zone Address Books.................................................89
Zone Validation Procedure.....................................................................................................................................89
STRM........................................................................................................................................................................................90
About STRM .................................................................................................................................................................90
Configuring the vGW Security Design VM to Send Syslog and Netflow Data to Juniper Networks
STRM................................................................................................................................................................................91
Configuring STRM to Receive vGW Virtual Gateway Syslog and NetFlow Data ...............................91
IDP............................................................................................................................................................................................. 97
About Juniper Networks IDP Series Intrusion Detection and Prevention Appliances...................... 97
Configuring the vGW Virtual Gateway and IDP Interoperation ................................................................98

Copyright © 2011, Juniper Networks, Inc 1
About This Guide
The purpose of this guide is to help you understand the features and
operational tasks involved in using and managing the vGW Virtual Gateway. For
information about initial installation of the vGW Virtual Gateway software, see
the Juniper Networks vGW Virtual Gateway Installation Guide.
Understanding the vGW Virtual Gateway
This section gives background on concepts underlying the vGW Virtual
Gateway, and it provides a brief description of the VMware® components that
the vGW Virtual Gateway uses and runs on.
The vGW Virtual Gateway delivers a security solution for virtualized
environments for both multi-tenant public and private clouds.
The vGW Virtual Gateway relies on a central management server known as the
vGW Security Design VM, which manages one-to-many vGW Security VMs.
Administrators log in to the management server, configure security policies, and
then deploy them to the vGW Security VMs. Several modules (network visibility,
firewall, VM introspection, compliance, and reporting) are combined in the vGW
Virtual Gateway solution to provide complete virtualization security.
Understanding Cloud Computing and the vGW Virtual Gateway
A cloud is an Internet-based environment of computing resources including
servers, software, and applications that can be accessed by individuals or
businesses with Internet connectivity. Customers, referred to as tenants, can
access resources that they need to run their business.
Clouds:
 Allow customers to share the same infrastructure in order to gain price
and performance advantages.
 Provide customers with a pay-as-you-go lease-style investment
versus buying all of the required hardware and software upfront
themselves.
 Allow businesses to scale easily and tier more services and
functionality on an as-needed basis.
Whether for public clouds or private clouds, virtualized data centers must
offer secure, discrete, virtual machine (VM) environments to their
customers and organizations.
The vGW Virtual Gateway secures the virtual network in ways that physical
security mechanisms protecting physical networks cannot do because
physical network mechanisms do not have visibility into traffic
transmission and communication between virtual machines.
Understanding Hypervisors and the vGW Virtual Gateway
In cloud computing, a hypervisor, also called a Virtual Machine Manager (VMM),
is platform virtualization software that runs on a host computer. It allows
multiple instances of a variety of operating systems, called guests, to run
concurrently on the host within their own VMs and share virtualized hardware
resources. It presents a virtual operating platform to the guest operating
systems, and it manages their execution.

vGW Virtual Gateway
2 Copyright © 2011 Juniper Networks, Inc.
The vGW Virtual Gateway is a hypervisor-based virtualization security solution
that uses technologies such as VM introspection to maintain deep knowledge
of each VM. The vGW Virtual Gateway inserts a vGW kernel module in the
hypervisor of each VMware ESX/ESXi host to be secured. From this vantage,
the vGW Virtual Gateway can monitor the security of each VM and apply
protections adaptively as changes to the VM security posture necessitate
enforcement and alerting. It can also identify VMs on the network not secured
by it.
By processing inspections in the VMware hypervisor kernel, the vGW Virtual
Gateway provides fast throughput and continuous firewall protection as VMs
are moved from one server to another.
Understanding the VMware Infrastructure and the vGW Virtual Gateway
The Juniper Networks vGW Virtual Gateway runs as integrated software on
VMware vSphere servers.
Understanding vSphere and the vGW Virtual Gateway
VMware vSphere is a cloud operating system able to manage large pools of
virtualized computing infrastructure, including software and hardware.
The vGW Virtual Gateway components integrate with the VMware vSphere
infrastructure. Because the vGW Virtual Gateway is purpose-built to support
virtualization, it synchronizes automatically with the VMware vCenter and it
uses VMsafe to provide breakthrough levels of security and performance.
Understanding VMware ESX and ESXi Hosts and the vGW Virtual Gateway
The VMware ESX and ESXi hosts provide the foundation for building and
managing a virtualized IT environment. These hypervisor hosts contain abstract
processors, memory, storage and networking resources which are shared
among multiple virtual machines that run unmodified operating systems and
applications.
The vGW Virtual Gateway manages and secures ESX and ESXi hosts and the
VMs that run on them.
Understanding vMotion and the vGW Virtual Gateway
VMware provides a feature called vMotion that allows for transition of active, or
live, VMs from one physical server to another. VMs can be moved from one
server to another to perform maintenance operations on the host. Also, they
can be moved automatically when vMotion is triggered through Dynamic
Resource Scheduler (DRS), which is used to evenly distribute system resource
usage across physical servers.
Because VMs can be migrated between servers, their security levels can be
compromised and lowered to those of the new system. A VM could be
migrated to an unsecured zone or one with a lower trust level.
Unlike traditional firewalls, the vGW Virtual Gateway supports live migration by
maintaining open connections and security throughout the event. The vGW
Virtual Gateway ensures that appropriate security for a VM remains intact
throughout migration.
VGW Security Design VM Navigation
The vGW Security Design VM provides security policy manipulation, network
traffic analysis, and the information that you want to see regularly. The IP
address to be accessed through a Web interface is available by clicking the
summary tab of the vGW Security Design VM in VMware.

Figure 1 vGW Login Fields
Enter admin for username and the password that was set during installation.
For more information, see the Juniper Networks vGW Virtual Gateway
Installation Guide. The vGW Security Design VM opens showing the Main
module screen and the vGW Virtual Gateway Dashboard as shown in the
following figure.
Figure 2 Main Dashboard
You use the button bar and VM Tree pane to navigate throughout the vGW
Virtual Gateway solution as described in the following sections.

vGW Virtual Gateway
To log out of the vGW Security Design VM, click logout in the upper right corner
of the vGW Security Design VM screen.
If you use the default self-signed certificate, your browser will display a
warning message. If you replace the certificate with a valid one, the
warning message will not appear again. For details on replacing the
certificate contact Juniper Networks Support.
Button Bar
The vGW Virtual Gateway button bar is shown in Figure 3.
Figure 3 Navigation Button Bar
The vGW Virtual Gateway navigation buttons are described in Table 1.
Table 1 Navigation Buttons
Icon Indicates
Main Combines status, alerts, and network activity
into a single view.
See “Main Module”
on page 7.
Network Displays a network activity summary, top
protocols, sources, destinations, talkers, and
connections.
See “Network
Module” on page 10.
Firewall Manages and installs policies, and displays logs. See “Firewall
Introspection Scans systems and reports on the software
running in each VM (operating systems, patch-
levels, and applications).
See Introspection
Module” on page 39
Compliance Monitors the virtual infrastructure against a
predefined set of rules to guarantee all
components are configured securely.
See Compliance
Moduleon page 39.
Reports Produces detailed system and security reports. See “Reports
Settings Controls configuration settings, including
passwords.
See “Settings
Note: When IDS is enabled, the IDS icon is also displayed on the Navigation button

VM Tree Pane
The VM Tree pane controls the display in the screen to the right. For example,
to view the network activity for a single VM or a group of VMs: select the
appropriate item in the tree. To view network traffic for all machines, select All
Machines in the tree, and then click then the Network icon in the button bar.
See Figure 4.
Figure 4 VM Tree Pane
At a high level there are four main groupings in the tree:
 Policy Groups contains all security policy groups, including Global and
Default policies as well as any groups defined by your administrator.
 Monitoring Groups contains groups of machines that do not have a
security policy associated with them.
 Monitored/Secured VMs lists all VMs monitored by the vGW Virtual
Gateway, those that have a firewall protecting their network traffic, or both.
 Unsecured Machines lists all VMs not currently being analyzed or
protected by the vGW Virtual Gateway solution.
Table 2 describes the icons showing state of monitored VMs.
Table 2 VM Icon States
Icon Indicates
The VM is a component of the vGW Virtual Gateway solution—either the
vGW Security Design VM or the vGW Security VM.
The vGW Virtual Firewall is loaded on this VM and is protecting traffic to the
VM based on the defined security policy.

vGW Virtual Gateway
Icon Indicates
The VM is being fully monitored, but it is not secure (for example, no firewall
policy is loaded).
The system (VM or externally defined machine) is not being monitored and
hasn’t been moved to ‘secured’ network. Note that network reports can
display sessions between an unmonitored system and a monitored VM.
The vGW Virtual Gateway is unable to determine the IP address of the
system. This could be because the system is powered down, suspended, or
does not have VMware Tools installed.
Tip: You can manually define an IP address by clicking
Settings -> vGW Application Settings -> Machines.
These VMs are compliant.
These VMs are not compliant.
This is a VMware component (for example, an ESX host).

Main Module
The Main module displays information from several areas of the application in a
single screen. When the vGW Virtual Gateway detects new events and alerts,
data and graphs in the Main screen automatically refresh. The Main screen
contains two tabs in the upper right area of the screen.
 Dashboard
 Status
Dashboard
The Dashboard tab provides an at-a-glance view of how your system is
behaving in both a graphical and table format.
 vGW Status provides an overview of the current security status of your
infrastructure. The vGW Virtual Gateway solution provides a status check
for vCenter connectivity as well as overall vGW Virtual Gateway
deployment status.
 Compliance Status for All Machines shows the overall posture of all the
VMs in your organization that might be violating compliance rules. The
more VMs violating rules (high weighting), the farther the needle moves to
the red. You can also select a different group in the tree to display
compliance status for that particular group.
 Top Talkers for All Machines displays network activity for the past hour. To
graph data for a specific VM or group of VMs, select the appropriate VM or
group in the VM Tree pane.
 IDS Alerts graph displays high, medium, and low priority alerts for the past
24 hours, if IDS is configured. To view activity for a single VM or a group of
VMs, select the appropriate item in VM Tree pane.

vGW Virtual Gateway
Status
The Status tab displays a summary of the vGW Virtual Gateway settings for
each module. Here you can scan settings, alerts, and events. See Figure 5.
Figure 5 vGW Virtual Gateway Status in the Main Screen
vGW Status summarizes the settings for each module in your vGW Virtual
Gateway solution. Status icons indicate the current state of each module. See
Table 3 and Figure 6.
Table 3 vGW Status Icons
Icon Indicates
This vGW Virtual Gateway component is working properly.
One or more issues exist with this component. For example,
maintenance settings may be incompatible or disabled, or firewalls
might need updating. For more details, click more.
There are significant issues related to this component. For example,
a module hasn’t loaded correctly. For more details, click more.
Security Alerts lists all alerts that have occurred in the vGW Virtual Gateway
solution, apart from IDS alerts. Alerts are classified as high (H), medium (M), or
low (L) depending on their severity. Click the Priority or Date column to sort the
list. These alerts are primarily vGW Virtual Gateway system related events,
such as the vGW Virtual Gateway version update alerts or alerts when failures
in components are occurring.

System Status and Events displays recent events that have occurred in the
vGW Virtual Gateway solution, including how many times events have
occurred. Events are listed chronologically; the most recent event listed at the
top of the table. For example, an event posts when vGW Security Design VM
synchronizes with vCenter. Additional events can be viewed by accessing the
vGW Security Design VM database.
In addition to the icons documented above, there is an overall health state icon
that will appear when individual components are in need of attention. The icon
shown in Figure 6 can be red or yellow depending on the underlying state of the
various components it is monitoring. Roll the mouse pointer over the icon to see
exactly which components are currently in need of attention.
Figure 6 Overall Status Icon

vGW Virtual Gateway
Network Module
The Network module displays network traffic for objects selected in the VM
tree. The Network screen shown in Figure 7 has six tabs:
 Summary
 Top Protocols
 Top Sources
 Top Destinations
 Top Talkers
 Connections
Objects must have a known IP address, which is determined automatically if
VMware Tools is installed on the VM. Otherwise, you can set the IP address
manually by choosing Settings -> vGW Application Settings -> Machines.
At the top of this screen, you see a line graph that plots bandwidth usage for
the top VMs in the report. A table below the graph provides detailed network
data for the VMs selected in the VM Tree.
Figure 7 Network Summary Tab for All Machines

TIPS:
 To display a VM’s connection view, click an individual line in a
graph.
 To display a filter for a protocol, click the protocol field.
 For more detailed VMware resource and event information,
select a single VM in the tree rather than a group of VMs, as
shown in Figure 8.
Figure 8 Network Summary Tab for an Individual VM
Time Interval
To change the period for which network data is plotted in the line graph, choose
a different interval from the Time Interval menu, and then click Update. See
Figure 9.
Figure 9 Configuring Report Time Intervals

vGW Virtual Gateway
Real-time data from the last traffic interval populates the Total, In, Out, and
Internal table columns. If you are charting protocols, sources, destinations, or
talkers, the interval selected is used to calculate the minimum, maximum, and
average figures in the table below the graph.
You can view historical data by specifying a custom time period. In the Time
Interval menu, select Custom Time Period, and then enter dates in the From
and To fields or use the calendar pop-up window to enter dates. If you do not
specify a time, the field defaults to 00:00. See Figure 10.
Figure 10 Configuring a Custom Date Range
CAUTION: Depending on the size of the database and the resources
available to the vGW Security Design VM, specifying a Custom Time
Period can take several minutes to chart (30 minutes or more). When
examining a large data set (for example, data from a month or more)
it is best to use the vGW Virtual Gateway Reporting module instead.
Advanced Options
To show filtering options, click show advanced in the time interval bar. See
Figure 11.
Figure 11 Advanced Filtering Options
Click the Filter 1 and Filter 2 menus to select filtering options, enter settings in
their respective fields, and then click Update to refresh the graph and data
based on your settings. Click Clear to reset filter fields.
NOTE: Configured filters affect all data in the graph and tables.
Other advanced options differ slightly depending on the tab you are viewing.
Advanced options are described in Table 4.

Table 4 Advanced Options
Select To do this
Auto-refresh Refreshes data automatically every 60 seconds.
mark verified VMs Causes the vGW Virtual Gateway to automatically use the
unique VMware ID/UUID as well as the IP address to
validate connections are actually coming from the identified
server. This protects against issues such as IP spoofing. VMs
for which this extra validation occurred can be displayed in
the interface with a Display of this icon is enabled or
disabled by the mark verified VMs setting.
multicast in table Includes multicast packets when monitoring. Because
multicast packets are not destined for a specific host and
are seen by all machines on the network, they are included
in the connection session list for all the VMs. However, the
amount of multicast traffic can be quite large and obscure
sessions specific to a selected VM. To remove multicast
from this view, clear the multicast in table check box.
To exit the advanced view, click show basic.
Table Sorting
You can sort table data in the Network screen by column. Drag the pointer over
the column headings. When the pointer changes to the pointing hand, click the
column heading to sort.

vGW Virtual Gateway
Firewall Module
The Firewall module is where you define, install, apply, and monitor security
policies. The Firewall screen has six tabs:
 Manage Policy
 Apply Policy
 Logs
 Status and Configuration
 Install
 Auto Secure VMs
As in other vGW Virtual Gateway modules, you select items in the VM Tree to
change data displayed in the Firewall screen. See Figure 12.
Figure 12 Firewall Screen
Manage Policy Tab
The Manage Policy tab is where you define and edit security policies. See
Figure 13. To create a new rule, click a rule number in the # column, and then
choose Add Rule Above or Add Rule Below. Rules are applied in order of
execution from top to bottom. For more information on the vGW Virtual
Gateway policy model, see “Firewall Policy” on page 65.

Figure 13 Adding Policy Rules
To configure policy settings, click table cells and edit the information using the
pop-up dialog box. To quickly make selections in dialog box menus, type the
first letter of the item you want to select. For example, typing “t” in the All
Protocols menu takes you to telnet in the list. You can also type directly into
the filter box to immediately find an item. If you want to define a policy that
contains all but a few policies, click Advanced then negate this selection to
enter All protocols except: in the Selected Protocols list, and then select one
or more exception protocols and move them to the list. See Figure 14.
Figure 14 Creating Protocol Groups and Protocols from Dynamic Lists
Table 5 describes the policy configuration settings:

vGW Virtual Gateway
Table 5 Manage Policy Tab Options
This field Allows you to
Sources Define the object from which the connection originates.
Protocols Define which protocols are used in the rule. You can also
dynamically create a new protocol or protocol group by
selecting the appropriate option.
Action Allow the connection, drop the connection (silent drop), or
reject the connection (drop traffic and send source a
notification). In addition, you will see options here for
redirecting or duplicating packets to third-party devices. See
Settings -> Security Settings -> Global -> External
Inspection Devices.
Logging Log the connection matching the rule, skip logging for this
connection, or send an alert when this connection matches
the rule. With the Alert option, the vGW Virtual Gateway sends
e-mail messages or SNMP traps. For more information about
configuring alerts, see “Alerts” on page 80.
Description Enter a description for this policy.
When you are finished entering or editing policy settings, click Save to save your
changes in the vGW Security Design VM database.
CAUTION: You must apply policy changes in the Apply Policy tab for
new rules to go into effect. You can apply rules immediately or during a
maintenance window.
To delete an existing rule, disable (or reactivate) an existing rule, or move rules
up or down in the list, click the rule number and choose the appropriate menu
item. Disabled rules appear dimmed and are formatted with a strikethrough.
Apply Policy Tab
This policy installation screen allows you to push the security policies out to the
firewall protecting various virtual machines in your infrastructure. The vGW
Virtual Gateway analyzes both the existing policies, and the new policies, and
presents a graphic stipulating what needs to occur (for example, which VMs
need updated policies).
The policy installation process is driven by the VM Tree on the left-hand side.
For example, if you want to install a policy on only a single VM, you can select
the VM and click the Apply Policy tab.

Table 6 Policy Installation Icons
Icon Indicates
The policy is current and no further actions are necessary.
The VM is in a policy group, but cannot retrieve policies because it is not
actually being protected by a vGW Virtual Gateway firewall. This usually
indicates an error condition, which should be investigated.
The policy type does not exist for the VM. For example, there is no
individual VM policy for that VM. You are not required to build individual
VM policies for each VM.
The policy has been modified and needs to be deployed for that VM.
There is an error preventing policy installation. You may also see a grey
check mark icon when there is a problem distributing a new policy (but the
old one is working properly)
When you are ready to implement a policy, click either install or install all to
push the policy out to the firewall. The policy is then deployed on one or more
selected VMs. Figure 15 shows the Apply Policy tab.
Figure 15 Apply Policy Tab
TIP: Place the pointer over a policy status icon to display a tool tip
that describes the icon.

vGW Virtual Gateway
Logs Tab
Firewall rules can be defined with notification options of Log, Don’t Log, and
Alert. When you select Log or Alert for a rule, traffic that matches that rule is
logged.
The Logs tab has an advanced option with a mark verified VMs setting. The
vGW Virtual Gateway uses the unique VMware ID/UUID as well as an IP
address to validate that connections are actually coming from the identified
server, which protects the network from issues such as IP spoofing and DHCP
changes. VMs for which this extra validation is allowed are flagged with a .
Use the mark verified VMs setting to display or hide this icon. Click Auto-
refresh to refresh the log display automatically every 60 seconds. Figure 16
shows the Logs tab.
Figure 16 Firewall Logs
You can use filters to narrow the list of logs displayed or display only those logs
related to a specific VM by selecting a VM in the VM Tree.
Status and Configuration Tab
The Status and Configuration tab displays a table listing all of the vGW Security
VMs that are deployed. This screen is refreshed every 60 seconds showing how
many logs have been processed, which VMs are being protected by the
individual firewalls, and so on.
Status icons indicate the general state of the vGW Firewall module, the
Network visibility module, and service console monitoring. Three different icons
can appear in the status column simultaneously. Table 7 shows the principle
states of each icon. You can place the pointer over icons to display tool tips
that describe states not described here.

Table 7 Status and Configuration Icons
Icon Indicates
The firewall is online and communicating properly with the vGW
Security Design VM.
The firewall is rebooting or having an issue connecting to the vGW
Security Design VM. Use the tool tip to determine the exact error.
Check that the VM is powered on and IP connectivity (NTP,
HTTPS and TCP 8443) exists between the vGW Security Design
VM and the firewall.
You can also check that the module is loaded properly by clicking
the vGW Security VM and checking for any fastpath installation
error messages.
The system is configured to monitor the network and a firewall
policy is implemented. The magnifying glass over the server is
monitoring the hypervisor.
A time synch is taking place. Click Main -> Status -> System
Events for more details.
You can select an individual vGW Security VM in the table to display more
management-related options. However, while you are editing these new
options, the Activity column will not update. The Activity column displays the
number of firewall logs processed (received) as well as the IDS process rating
(displayed in mbps), if IDS is configured. You must click Hide & Resume
Refresh to continue incrementing the log count. See the following figure.
Figure 17 Status and Configuration Tab
After you click an entry in the table, additional options appear in the Status and
Configuration tab. Each of those options is described in Table 8.
Table 8 Status and Configuration Options
Option Description
Firewall IP
Configuration
The firewall VM in Bridge mode has three virtual network
interfaces. Two of the interfaces are L2 bridging and do not have
IP addresses. The third interface is used to communicate with
the vGW Security Design VM and requires an IP address. You
initially configure the IP address through the Firewall Install
wizard when the firewall is first deployed. If later you choose to
change the IP address, you can reconfigure it here.
In VMsafe Mode, the vGW Security VM requires an IP address for
communication with the vGW Security Design VM, which you
configure here.

vGW Virtual Gateway
Option Description
Network Traffic
Monitoring
In most cases, you will want to collect network traffic
information for the vGW Virtual Gateway solution’s Network
module. If you are interested in implementing only firewall
protection for VMs, you can increase overall system
performance by disabling network monitoring in this screen. This
selection is relative to the particular firewall VM you are working
with. If some firewall VMs still have this option enabled, they will
continue collecting and displaying traffic statistics in the
Network module screens.
Get Logs This option allows you to gather debug information in a tgz file
for use with Juniper Networks technical support. This particular
section will generate logs for the vGW Security VM you selected.
To collect logs from the vGW Security Design VM, you must use
the tool located in
Settings -> Appliance Settings -> Log Collection.
After you click Start Collection, all relevant log files are
collected from the vGW Security VM and compressed into a
single file. If you select Download Log Collection, the log
reaches Juniper Networks through e-mail or by posting it to a
server. We recommend selecting Upload Collection to Juniper
Networks. Choosing this option automatically encrypts the file
using AES-256 and transfers it to a protected Juniper Networks
server. You can include a comment on the uploaded file and
there will be a unique ID for the log collection. Reference this ID
in any support ticket or communication with Juniper Networks.
NetFlow
Configuration
This option instructs the vGW Module to send NetFlow
information directly to the NetFlow collector defined in Settings
-> Security Settings -> Global. If this option is not selected,
vGW modules send NetFlow information to the vGW Security
Design VM, which then forwards it to the defined NetFlow
collector. We recommend that you keep this option enabled for
optimal performance.
Console Monitoring This option allows an administrator to activate the network
traffic monitoring module (Monitor) or network traffic
monitoring module with the IDS module (Monitor and IDS), if
IDS is configured, for VMware service console connections. The
vGW Virtual Gateway connects to the service console network
and monitors traffic in and out of the system to make sure no
inappropriate activity is occurring.
IDS Configuration
(Bridge Mode Only)
By default, the vGW Virtual Gateway monitors traffic only for
VMs that have been selected for security through the Firewall
Install screen. In some cases, you may want to monitor systems
that are not placed behind the firewall. To do so, you can enable
this option when a Bridge Mode firewall on a VM network is
deployed.
Software Update This is where each of the vGW Security VMs in your deployment
can be updated. You can update individual vGW Security VMs or
multiple VMs using a batch method. See “Updates” on page 62
for important information about using this feature and the order
of operations to guarantee an upgrade without downtime.
Update Preferences Allows or disallows the vGW Virtual Gateway solution to
periodically check with Juniper Networks update servers for the
latest version of software. If a newer version is found, the
Software Updates section will indicate a new version is
available. Though the update can be downloaded automatically,
the installation of the new version must be done manually.
Syslog
Configuration
As is the case with NetFlow, the vGW Virtual Gateway can send
syslog directly from the vGW Security VMs instead of having
syslog sent to the vGW Security Design VM and then sent to the
syslog collector. You can override the Global syslog
configuration and select the destination syslog server IP address,
as well as protocol and port.
Reboot This option allows an administrator to gracefully reboot the
vGW Security VM without logging into the console.

Option Description
High Availability
(VMsafe Mode
Only)
In VMsafe Mode installations, there is a vGW Security VM
responsible for interacting with the kernel module in the VMware
host. The vGW security VM can be deployed in pairs in case the
primary module (VM) fails. See “High Availability” on page 83 for
details.
Install Tab
To gather and protect network traffic, vGW Security VMs are deployed on each
ESX host to be monitored and secured. There are three vGW Control
deployment options:
 VMsafe Firewall + Monitoring: This mode (also displayed as VMsafe
Firewall) is available to customers running vSphere 4.x. In this mode, the
vGW Virtual Gateway solution loads a kernel module into the VMware
hypervisor. This is the preferred mode.
 VMSafe Monitoring: This mode is similar to VMsafe Firewall + Monitoring
except that no firewall policy is loaded on the VMs. This allows you to
deploy the solution and not be concerned that security policies will block
traffic.
 Bridge Firewall + Monitoring: In this mode the vGW Virtual Gateway
solution runs as a virtual machine and bridges two virtual switches for
secure connections. This is the only option for versions of ESX prior to 4.0
(vSphere).
Either VMsafe Mode is preferred when available, because they allow
connections to be processed in the kernel, which is significantly faster. They
also allow full protocol inspection and protection for all VMs. When two VMs
are connected to the same protected virtual switch in Bridge Firewall +
Monitoring mode, traffic flowing between them can be protected only with
TCP RSTs.
In any mode, the vGW Virtual Gateway integrates without requiring IP address
changes on protected VMs or installation of software on the Guest VM
operating systems.
The Install tab has options for each installation mode (VMsafe Firewall +
Monitoring, VMsafe Monitoring or Bridge Firewall + Monitoring) and can be
used to add security to a port group, VM, or the entire vSwitch.
If you do not see all three options (and need an option that is not displayed), go
to Settings -> Installation and make an appropriate selection.

vGW Virtual Gateway
The vGW Virtual Gateway solution queries the VMware vCenter system to pull
all available datacenter network objects (ESX servers with vSwitches, Port
Groups, and associated VMs) to populate this tab. See Figure 18.
Figure 18 Installing or Removing Objects from a Secured Network
You can deploy just one form of monitoring or a combination of all three across
various ESX hosts. However, we recommend that you use VMsafe Firewall +
Monitoring (also displayed as VMsafe Firewall) unless you never want any
security policies to be loaded. In this case, you should opt for VMsafe
Monitoring. If you cannot install with VMsafe because you do not have VMware
4.x, then choose Bridge Firewall + Monitoring.
All three installation methods are described in detail in the following sections.
Follow the section relevant to your environment.
VMsafe Firewall + Monitoring Mode Security Installation
To implement a VMsafe Mode installation, select the VMsafe Firewall +
Monitoring option, and then deploy using the following steps:
1. Install the vGW VMsafe kernel module into the VMware hypervisor.
a. Click the datacenter.
b. Next to the vSphere hosts capable of running VMsafe is a check box.
Select the check box, and click Secure.
Figure 19 shows that vGW Virtual Gateway was never installed on the
second ESX host, which is eligible for VMsafe-based installation because
the appropriate check box is displayed. This process does not
automatically secure VMs on that host as that selection process is
completed later.
CAUTION:
VMware requires that the vSphere host be put into maintenance mode
and rebooted for the kernel module to be properly installed for versions
of vGW Virtual Gateway prior to vGW 4.5 . In this case, the system
prompts you before rebooting to allow you to move VMs to another
vSphere host. If VMotion is active, VMs will move automatically and
the process will continue without need for intervention. If you are
installing vGW Virtual Gateway 4.5 or later you do not need to reboot.
You can safely ignore any warning messages and continue with the
process. The warning messages exist for older versions of the product.

Figure 19 VMsafe Kernel Installation
2. Enter the name for the vGW Security VM when prompted. This VM is
installed on the ESX/vSphere host and will load the kernel module as well
as maintain policy and logging. All connection enforcement occurs in the
vGW VMsafe kernel module, which the vGW Security VM loads
automatically. See Figure 20.
Figure 20 VMsafe Kernel Installation Firewall Parameters

vGW Virtual Gateway
Watch for vGW Virtual Gateway prophets during the installation process. The
vGW Virtual Gateway prompts you if any issues occur or if any VMs need to be
moved from the vSphere host prior to it being put in maintenance mode and
rebooted. See Figure 21.
Figure 21 VMsafe Kernel Install Complete
3. Install the vGW Virtual Gateway on virtual switches, port groups, or
individual VMs after the vGW Security VM and vGW VMsafe kernel module
are properly installed. See Figure 22.
Figure 22 VMsafe Install Options for Individual VMs
4. Select the object or group you want to protect, and then click Secure.

VMsafe Monitoring Mode Security Installation
The installation process for VMsafe Monitoring is the same as the VMsafe
Firewall + Monitoring Mode process. However, the end result is that VMs
selected for protection do not load any security policies. This mode is primarily
intended for evaluation of the product and is available so administrators can
deploy the vGW Virtual Gateway solution and be assured that no incorrect
security policies are loaded on VMs. This installation mode prevents an
administrator from accidentally knocking a VM off the network, because an
errant policy is blocking certain network traffic.
Bridge Mode Security Installation
To implement a Bridge Mode installation, select the Bridge Firewall +
Monitoring option, and then deploy using the following steps:
CAUTION: Before completing the following steps, you
should configure the security policy for your VMs. The default
Global Policy rejects all inbound traffic. If this is too restrictive,
you can create the appropriate policy first, and then move the
systems to the secured network. For more information, see
“Firewall Policy” on page 65.
1. Select the relevant object for security.
Essentially any port group or vSwitch can be selected for security, if you
keep the following constraints in mind:
 Do not move the vGW Security Design VM or Firewall VM into the
protected network (vGW Virtual Gateway controls the traffic to these
components automatically).
 Do not select an entire vSwitch if it includes the vGW Security Design
VM.
 Do not select the VMware vCenter for inclusion in the secured network.
To allow proper traffic, move the vCenter VM into a vGW Virtual
Gateway-protected location using the VMware Infrastructure Client
after a policy is in place. By default, the vGW Virtual Gateway rule base
is configured to reject all inbound traffic.
 The VMware Service Console and VMkernel Port Groups appear
dimmed and unavailable for moving into the secured network.
However, traffic to these networks can still be monitored and
protected through security policies implemented on the VMs.
2. Click Secure. The Firewall VM Parameters dialog box appears.
Complete the options in the dialog box as follows:
a. Enter a Name for the Firewall VM. The vGW Virtual Gateway installer
creates a VM from the vGW-BridgeSVM-Template.ovf with this name.
b. Select either DHCP/Dynamic or Static for the address of the Firewall
VM interface. The Firewall VM uses three interfaces: two interfaces in
bridging mode and one, which communicates with the vGW Security
Design VM, over this dynamically or statically assigned IP address. Do
not enter the IP address of the vGW Security Design VM. Enter a unique
IP address for the Firewall VM interface. This IP address must be
routable to the vGW Security Design VM’s IP address.
c. Select a Port Group for communication between the vGW Security VM
and the vGW Security Design VM.
CAUTION: This port group must allow TCP 443 and TCP 8443 as well as
NTP between the systems without filtering. It should also allow access
to the VirtualCenter/vCenter system.
d. Select a datastore (FC SAN, iSCSI, NAS, or localstore).

vGW Virtual Gateway
NOTE: A local datastore location does not
allow you to VMotion the vGW Security VM,
but this is not required for the solution to
work.
a. Select a hypervisor console communication option, if you want to
monitor traffic to the console with the vGW Virtual Gateway Network
or if you want to use both the Network module and the IDS module to
monitor traffic.
b. Click Secure.
The vGW Virtual Gateway automatically configures the necessary settings to
monitor and protect network traffic. If there are any issues during the
installation process, the vGW Virtual Gateway displays an alert indicating what
happened and providing information for correcting the problem. In most cases
you can select Retry and continue the firewall installation. If no issues arise
during the installation, the vGW Virtual Gateway displays a successful status
message.
Auto Secure VMs tab
You can attach security policies to VMs automatically. You can specify that no
VMs are secured, VMs in a specific group are secured, VMs with a policy or ones
that are in a policy group are secured, or all VMs are secured. When you choose
to secure VMs, you have the option of excluding a group within the selected
group from being automatically secured.
Auto securing VMs streamlines policy application making it very efficient to
ensure security throughout your virtual infrastructure. For example, suppose you
define a Smart Group that watches for any VMs connected to a particular
VMware resource pool (obtained through vi.resourcepool). When any VM is
added to this resource pool by a VM administrator, a security policy is instantly
installed without any intervention by the vGW Virtual Gateway administrator.
Figure 23 and Figure 24 show the definition of a sample Smart Group for this
scenario. They also show the Auto Secure setting, which immediately
implements policies on the VMs in that Smart Group, as well as any new VMs
added to the resource pool and thus becoming members of the Smart Group.
Figure 23 Smart Group Definition Example

Figure 24 Auto Secure Group Selection

vGW Virtual Gateway
IDS Module
The vGW Virtual Gateway solution includes a fully integrated IDS engine that
can be used to monitor all virtual network traffic or selectively monitor a subset
of important VMs or protocols. The vGW Virtual Gateway matches the selected
traffic to the signature database and flags any suspicious activity with high,
medium, or low priority alerts.
The IDS screen has four tabs:
 Top Alerts
 Alert Sources
 Alert Targets
 All Alerts
Figure 25 IDS Screen
IDS Setup Steps
To activate the IDS engine:
1. Enable IDS via Settings -> Security Settings -> IDS Configuration.
2. Enable the signatures relevant to your environment in Settings ->
Security Settings -> IDS Signatures.
3. Create and apply a firewall/security rule that offloads traffic to the IDS
engine. The vGW Virtual Gateway allows you to be very granular about
which traffic is scanned (for example, traffic to/from a certain VM or

traffic using different protocols). In the following example, all traffic is
being inspected.
Figure 1 IDS Rule Activation
After you’ve completed the steps above (and made sure to apply the security
policy rule change in the Apply Policy tab), the IDS engine begins flagging
alerts when suspicious traffic occurs on the virtual network.
To verify that the IDS engine is working properly:
1. Open an http connection to a protected VM and make a request.
For example, enter http://10.10.10.10/php.exe. Assuming the VM is
listening on port 80, this request for php.exe violates Signature ID 1773
(WEB-PHP php.exe access).
2. Click any rule violation posted on your screen to get more information
about the alert.

vGW Virtual Gateway
Top Alerts Tab
The Top Alerts tab shows each of the alerts that have occurred in the given
time period (For example, 24 hours). The alerts are organized as high, medium,
and low with the total number sorting from most frequent to least frequent in
the Total column. You can click the Alert Type column heading to show the
details of each alert. Alert details include a description and signature ID. If you
see an alert and want to know who generated the traffic or where it was
destined, you can click the Alert Sources or Alert Targets text at the top of the
details screen. Furthermore, if you want to change the priority level of an alert or
stop seeing an alert altogether, you can change the settings for the Alert by
editing it in Settings -> Security Settings ->
IDS Signatures.
Alert Sources Tab
The Alert Sources tab shows which systems have generated traffic matching
the IDS signatures in the vGW Virtual Gateway. These systems can be VMs or
physical systems communicating on the virtual network. The columns show
high, medium, and low alert counts as well as a total count. The system with
the highest total count is displayed at the top of the list, but you can also resort
the display by clicking the High, Medium, or Low columns. You can also click an
alert name in the Alert Type column to get information about the specific
attack.
Alert Targets Tab
The Alert Targets tab is similar to Alert Sources tab except this is a listing of the
systems that are receiving the most attacks.
All Alerts Tab
The All Alerts tab shows a complete listing of each alert seen by the system for
the configured Time Interval (by default 24 hours). You can click the alert type
to show details for each alert. By default, the most recent events are displayed
at the top of the screen and older events are shown at the bottom. Alerts are
sorted by the Time column.
TIP: You can search the signatures list by Sig Id in the IDS Signatures settings screen.

Introspection Module
The Introspection screen helps you continuously monitor the software installed
in all the Windows Guest VMs within the virtual infrastructure. Without
installing any agent software into the Guest VMs, the vGW Virtual Gateway
solution can determine which applications are installed, the operating system
type (XP, 2003, and so on.), and applied updates (hotfixes).
The Introspection module currently works with only Windows VMs and relies on
taking a snapshot of the VM and analyzing the snapshot. This methodology
guarantees there is no adverse impact on the running VM during the scan. Once
the scan is complete, the snapshot is immediately deleted. The scan does not
use network packets to probe applications in the VM, similar to nonagent-
based security scanners. Instead, native VMware interfaces are used to
examine the disk contents. This allows the scan to be highly accurate and very
fast. It takes only a few seconds for the vGW Virtual Gateway to analyze the
installed applications.
The ability to determine exactly which applications are installed allows the
security policy for those VMs to be precise and dynamically applied. For
example, you can analyze the VMs to determine which ones are running the
Apache webserver. Then, those and only those VMs can be placed into a Smart
Group with a name such as “webservers.” This policy group can then be
configured to allow communication through HTTP/HTTPS.
In addition, it is possible to understand which applications are installed or not
installed in the environment. For example, you can quickly see which VMs do
not have your AV client software and should thus be quarantined with a
restrictive firewall policy.
Although the Introspection feature is not intended to replace a patch
management solution, you can use the vGW Virtual Gateway capabilities in this
area to determine if certain hotfixes are missing and then quarantine those
hosts until the patch management solution deploys the proper updates.
The vGW Virtual Gateway groups the resulting introspection results by type
(application, operating system, and hotfix) and provides both graphical
summary comparisons as well as detailed statistics about the installed
software in table format.
NOTE: You do not have to use the Firewall -> Install screen to deploy
the vGW Virtual Gateway solution and use Introspection module
capabilities. Introspection occurs through the vGW Security Design VM
and vCenter integration and therefore does not require the deployment
of a vGW Security VM.
TCP Port 902 must be open between the vGW Security Design VM and
the ESX/ESXi hosts for Introspection to work properly
The Introspection screen has four tabs:
 Applications
 VMs
 Scan Status
 Scheduling
Applications Tab
The Applications tab displays the following information about software
currently installed on VMs selected in the VM Tree.

vGW Virtual Gateway
 Pie chart comparing the percentage of each type of operating system
 Bar graph comparing the percentage of each type of application
 Detailed list of each application
The Applications tab is designed to allow administrators to quickly determine
which types of software are installed in the environment without regard to the
exact VMs containing the software. This tab is where you go when you want to
see what percentage of your VMs are running a particular application, service
pack, or operating system. You can use this tab to discover which applications
are installed on VMs or groups of VMs. In addition, this is where you can classify
the software installed throughout the virtual environment. See Figure 26.
NOTE: If you select a group of VMs in the VM tree, the vGW Virtual
Gateway summarizes the data in pie and bar charts. If you select a single
VM, you see only detailed information in table format.
Figure 26 Applications Tab Showing Summary Data for All Machines
You can select one or more applications in the table and click Known,
Unknown, Bad, or Unclassified to categorize applications running in the
system.
This classification system allows you to monitor VM software state to
determine if any VMs are running unauthorized or inappropriate software based
on your designations.
Unknown and Unclassified categories are similar, but you use Unknown when
you see an application but are unsure if it is appropriate. Unclassified should be
used when the application simply hasn’t been examined yet. Newly installed
applications initially show up as Unclassified.
Click Select All to select all applications running in the selected VMs. Select
None to clear all selected applications. Click a column heading in the table to
sort applications by name or vendor. The applications bar graph updates
automatically as you change your selections.

VMs Tab
The VMs tab helps you monitor software installed on a selected VM or group of
VMs. You can choose to display or hide information about the operating system
and applications running in the VM, including details about installed service
packs, and hotfixes.
This tab is useful in determining which VMs have certain types of software
installed. For example, you would use this portion of the product if you want to
see all the VMs that are running the Windows Server 2003 operating system or
all the VMs that have a specific hotfix installed. You can also discover all VMs
running an application such as Kazaa or Skype. Figure 27 shows all VMs that are
not running VMware Tools. In this case, the search found just one VM named
HR-Records.
Figure 27 VM Tab Showing Detail for a Group of VMs

vGW Virtual Gateway
To search for a specific item in the list by name or vendor, click the Name or
Vendor column heading in the detail table, and then type the name of the
software or vendor in the Text filter box. The list refreshes to show entries that
match your text. See Figure 28
Figure 28 Search for VMs by Operating System Name
You can also search the system to find out which VMs contain specific software
and filter by a group setting in the VM Tree. Select the group in the VM Tree, and
then select one or more types of software in the table. For VMs with
presence/absence of select Applications, and then choose All Present, Any
Present, All Absent, Any Absent from the menu. A list of VMs meeting your
criteria appears in the lower table. Figure 29 shows Windows XP is on three
workstations that are part of the Monitored/Secured VMs group. Again,
Introspection scanning does not require that the vGW Virtual Gateway firewall
security is loaded on a VM, because the vGW Virtual Gateway can discover
installed software regardless of firewall settings.

Figure 29 Display Machines Running Microsoft Windows
Scan Status Tab
The Scan Status tab lets you monitor disk scans of one or more VMs. The vGW
Virtual Gateway performs a full analysis of a VM’s disk. If multiple disks exist in
the Guest VM system, each is analyzed. This analysis uncovers installed
applications, the operating system, and the service pack/patch level running on
the VM. As stated previously, the scan technology employed by the vGW Virtual
Gateway is highly accurate—rather than a network probe, the vGW Virtual
Gateway performs an actual read of the disk file from the hypervisor. In
addition, the scan is very fast. A typical VM scan takes less than 5 minutes and
has no impact on the operational state of the VM, because scanning activity
takes place on a snapshot of the system. The snapshot is then removed when
the scan is complete.
You can display current information about all scans (those complete and those
still pending) or only complete or pending scans. You can also run scans
manually or cancel scans in progress. See Figure 30.

vGW Virtual Gateway
Figure 30 Scan Status Tab Showing Successful Scans
Select the radio buttons above the table to list all scans, completed scans, or
pending scans. To run a scan on a selected VM or group of VMs, click Scan
Now. To cancel a scan in progress, click Cancel Pending Scans.
Scheduling Tab
The Scheduling tab lets you define schedules to scan VMs at specified times.
See Figure 31.

Figure 31 Scheduled Scans
To improve performance during peak periods, you can limit the number of
concurrent scans by making a selection in the Max number of concurrent
scans menu. We recommend running no more than two concurrent scans. To
define a scan schedule, click Add, select options for this scan, and then click
Save. See Table 9 and Figure 32.
Table 9 Scan Scheduling Options
Option Choose or Enter
Introspection Scope All Machines or Selected Group, and then choose a group
from the list.
Introspection Event
Schedule
Daily, and then enter the hour and minute you want the scan
to begin.
Weekly, and then choose the day of the week and enter the
hour and minute you want the scan to begin.
Monthly, and then choose day of the month and enter the
hour and minute you want the scan to begin.
Max scan duration A length of time the scan must not exceed. The max scan
duration option can be used to ensure no scans occur out of
a maintenance window. The vGW Virtual Gateway
completes a scan in progress, but will not begin subsequent
scans in the list. Any pending scans are listed in the Scan
Status tab and resume when the next scheduled time
arrives.
If unable to scan… Next scheduled period to continue the scan at the next
scheduled interval.
Next Day to continue the scan at the same time tomorrow.

vGW Virtual Gateway
Figure 32 Defining a Schedule
To delete a schedule, select the schedule in the list and click Delete.

Compliance Module
The Compliance module lets you monitor the compliance of your overall
system with regard to industry best practices. In addition, this module lets you
define your own rules that equate to organizational best practices (self defined
compliance rather than industry defined like PCI, HIPAA, and so on.).
The Compliance module relies on a rule editor that enables an administrator to
use multiple attributes discovered about the VMware infrastructure and
associated VMs to build out criteria for each designed rule.
By using compliance rules to monitor key configuration parameters, vGW
Virtual Gateway administrators can quickly ascertain the overall state of their
virtual security system. For example, a compliance rule can be created that
states no non-administrative VMs can be connected to a specific port group.
Then any violation of the designated rules impact the overall compliance state
and are visible in reports and status screens.
The Compliance screen has two tabs:
 Compliance
 Rules
Compliance Tab
The Compliance tab displays a compliance meter that indicates the current
level of compliance for the VM or group of VMs selected in the VM tree as well
as statistical data that was used to calculate the overall compliance level. The
compliance meter refreshes automatically every 60 seconds to report the
current compliance level.
If you selected a group in the VM tree, the compliance meter shows the overall
compliance percentage for all VMs in the group. The table below the meter lists
each VM by name and shows its individual compliance level. See Figure 33.
Figure 33 Compliance Statistics for a Group

vGW Virtual Gateway
To display the compliance rules associated with this group, click Show Rules. A
table appears listing each rule by name, its weight, the number of VMs it is
applied to, and the compliance status of the rule. See Figure 34.
Figure 34 Compliance Rules
To disable a rule, clear its check box. The compliance meter refreshes indicating
the current level of compliance with the adjusted rule set.
You can double-click a rule in the table to display details
about the rule.
If you selected a single VM in the VM tree, the compliance meter displays the
current compliance of the individual machine plus the rules protecting it.

Rules Tab
The Rules tab is where you create and manage compliance rules. This tab
includes a list of defined rules that includes the name of the rule, its weight, and
any labels associated with it. Labels group rules in categories. See Figure 35.
Figure 35 List of Current Compliance Rules
You can narrow the list of rules displayed by making a selection in the Filter by
menu.
NOTE: There are several pre-built compliance rules and
templates included in the vGW Virtual Gateway solution that are
useful in understanding how the Compliance module works. The
predefined rule named VMware Tools is a good starting point.

vGW Virtual Gateway
To create a rule:
1. Click Add. The Add Rule dialog box opens as shown in Figure 36.
Figure 36 Add Rule Dialog Box
2. Define the rule. The available options are described in Table 10.
Table 10 Compliance Rule Creation Parameters
Option Do This
Compliance
Scope
Select All Machines or Selected Group, and then choose a
group from the list
Name Enter a name for the rule. Rule names can contain characters and
numbers and should be descriptive, yet simple. You can describe
the rule in more detail in the Comment field, if needed.
Comment Enter a description of the rule or any notes about it that might be
helpful to someone who might use the rule.
Weight Enter a weight to be used when calculating the compliance level.
Generate Alert
when
compliance
state changes
Select to have the vGW Virtual Gateway post a warning when the
compliance level changes.
Compliance
Groupings
Click Edit, move one or more labels to the Selected Labels list,
and then click Apply.
Tip: To define additional labels, enter a name in the Add Labels
box and click Add.

Option Do This
Create Groups
For
Create groups comprised of members who meet or violate the
designated match criteria (defined in the Matches field). You are
not required to create groups, but if you do select one of the two
options, you will by default create a nonpolicy, Smart Group. This
group can be changed to a Policy group through Settings ->
Security Settings -> Groups. The benefit to automatically
creating a compliance-based group is that you can easily find
VMs in the VM Tree using this criterion and use the group
throughout the vGW Virtual Gateway solution.
Select Compliant VMs if you want to create a group for the VMs
meeting the designated criteria.
Select Non-Compliant VMs to create a group for the VMs
violating the designated match criteria.
Matches Select All if the VM must meet all criteria defined in field below or
Any if the VM can meet any of the criteria defined in the field
below, and then choose an attribute, choose an operator, and
enter a value. (For example, vi.datacenter Equals HQ)
Click + to add another criterion to the rule
Click - to remove a criterion from the rule
Advanced Enter a selection query rather than define rules using the vGW
Virtual Gateway user interface. For information about query
syntax, see “Smart Groups” on page 69.
3. Click Test.
The vGW checks your criteria and posts a message in the Edit Rule dialog
box indicating which VMs are included in the group (if any), given the
criteria you specified.
4. Click Save.
NOTE: In addition to the items described in Table 10, you also have the
option to disconnect VMs from the network on a compliance check. By
default this option is hidden because if it is used incorrectly it can
cause serious unintended network downtime. For example, if you
incorrectly created a compliance rule with this action, you could knock
all VMs offline including vCenter. To enable this compliance action,
execute the following from within the web interface of the vGW
Security Design VM. Once executed you will see a selection box called
“Disconnect from the network when non compliant”.
http://<center_url>/compDisconnect?disconnect=true (or false)
Example 1 – Defining a Basic Compliance Rule
Suppose you want to create a compliance rule that states all webserver VMs
should have version Apache 2.x installed because of known security issues in
versions 1.x. You can set the vGW Virtual Gateway to trigger an alert when any
webserver currently in production or brought online in the future has a version of
Apache that is prior to 2.x.
1. Create a Smart Group that contains all webservers and is capable of
having policy installed on it. (Select Settings -> Groups -> Add Smart
Group.) In this example, the group has two members: corp-www-1 and
corp-www-2. See Figure 37.

V gw admin_guide_45sp3

Recommended

Recommended

More Related Content

Similar to V gw admin_guide_45sp3

Similar to V gw admin_guide_45sp3 (20)

Recently uploaded

Recently uploaded (9)

V gw admin_guide_45sp3