Brief hiatus…

You may have noticed there’s been a much longer break than normal since my last update on the VCP-NV study guide. There are a number of reasons for this.

  • Section 8.3 is the most difficult one to find the information for so far
  • I had a competition with my band at the weekend (we came 2nd and I won the soloist prize!)
  • We’re having a re-organisation at work, and we all have to apply for jobs in the new structure; for mine this entails a number of things, including a group session and a formal interview with a presentation.

I’m hoping to continue updating the study guide alongside this, but it may take a little while longer to get the next update out, please bear with me 🙂

Objective 8.2 – Describe NSX Automation

Knowledge

  • Identify API-only functionality
    • Integration with Cloud Management Platforms
    • Updating the MoId of the resource pool, datastore, or dvPortGroup using a REST API call, when an NSX Edge needs to be redeployed and one of the original resource pool, datastore or dvPortGroup is no longer valid.
  • Explain how REST APIs work
    • REST, an acronym for REpresentational State Transfer, is a term that has been widely employed to describe an architectural style characteristic of programs that rely on the inherent properties of hypermedia to create and modify the state of an object that is accessible at a URL.
    • Once a URL of such an object is known to a client, the client can use an HTTP GET request to discover the properties of the object. These properties are typically communicated in a structured document with an HTTP Content-Type of XML that provides a representation of the state of the object. In a RESTful workflow, documents (representations of object state) are passed back and forth (transferred) between a client and a service with the explicit assumption that neither party need know anything about an entity other than what is presented in a single request or response. The URLs at which these documents are available are often “sticky,” in that they persist beyond the lifetime of the request or response that includes them. The other content of the documents is nominally valid until the expiration date noted in the HTTP Expires header.
  • Describe how to use the NSX API in a supported browser
    • To use the REST API in Firefox
      • Locate the RESTClient Mozilla add-on, and add it to Firefox.
      • Click Tools > REST Client to start the add-on.
      • Click Login and enter the NSX login credentials; they then appear in the Request Header as an HTTP Basic Authorization value. Note that this is only base64 encoding, not encryption: anyone who can read the header can recover the password, so the API must only be used over HTTPS, and “ignoring” the certificate warning in the next step also gives up protection against a man-in-the-middle.
      • Select a method such as GET, POST, or PUT, and type the URL of a REST API. You might be asked to accept or ignore the lack of SSL certificate. Click Send. Response Header, Response Body, and Rendered HTML appear in the bottom window.
    • To use the REST API in Chrome
      • Search the Web to find the Simple REST Client, and add it to Chrome.
      • Click its globe-like icon to start it in a tab.
      • The Simple REST Client provides no certificate-checking interface, so use another Chrome tab to accept or ignore the lack of SSL certificate.
      • Type the URL of a REST API, and select a method such as GET, POST, or PUT.
      • In the Headers field, type the basic authorization header, i.e. Authorization: Basic <base64 of username:password> (the same value the Firefox add-on builds for you). Click Send. Status, Headers, and Data appear in the Response window.
  • Identify port requirements for the NSX API
    • The NSX Manager requires port 443/TCP for REST API requests.
  • Describe common use cases for VMware NSX API
    • Integration with Cloud Management Platforms:
      • Creating new Logical Switches
      • Creating new Logical Routers
      • Attaching VMs to Logical Switches
      • Configuring Load Balancers
      • Updating Firewall rules
  • Explain how to access the VMware NSX API
    • You have several choices for programming the NSX REST API: using Firefox, Chrome, or cURL. To make XML responses more legible, you can copy and paste them into an XML friendly editor such as xmlcopyeditor or pspad.
  • Modify an existing API workflow
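    The following is an added example (not from the study guide or from VMware) showing, in Python rather than a browser add-on, what the browser add-ons do under the hood: it builds a Basic-auth request to NSX Manager on 443/TCP, parses an edge listing, and constructs the XML body used to update the resource pool and datastore MoIds of an Edge before redeploying it. The hostname, credentials and the sample response are constructed; the `/api/4.0/edges` and `/api/4.0/edges/<edgeId>/appliances` paths are taken from the NSX API Guide and should be checked against the guide for your NSX version. `send()` verifies the server certificate against a CA bundle instead of ignoring it.

```python
"""Added example (not from the VCP-NV study guide or VMware): NSX REST call
construction with HTTP Basic auth, XML parsing of the response, and the
appliance-update body used when an Edge must be redeployed onto a new
resource pool / datastore. Hostname, credentials and sample data are
constructed for illustration."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "nsxmgr.lab.example"   # assumed hostname; NSX Manager listens on 443/TCP


def basic_auth_header(user, password):
    # This is what the browser add-ons put in the Request Header: base64 of
    # "user:password". It is encoding, not encryption, hence HTTPS only.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def build_request(method, path, user, password, body=None):
    req = urllib.request.Request(f"https://{NSX_MANAGER}{path}", data=body, method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/xml")
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    return req


def send(req, cafile):
    # Verify NSX Manager's certificate against a trusted CA bundle rather than
    # clicking "ignore": an attacker on the path could otherwise read the
    # Basic-auth header and replay it.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read()


# Constructed sample of a GET /api/4.0/edges response (abbreviated).
SAMPLE_EDGE_LIST = b"""<pagedEdgeList><edgePage>
<edgeSummary><objectId>edge-1</objectId><name>perimeter-gw</name><edgeType>gatewayServices</edgeType></edgeSummary>
<edgeSummary><objectId>edge-2</objectId><name>dlr-app</name><edgeType>distributedRouter</edgeType></edgeSummary>
</edgePage></pagedEdgeList>"""


def parse_edge_summaries(xml_bytes):
    # ElementTree is fine for responses from your own NSX Manager; parse XML
    # from untrusted parties with defusedxml instead.
    root = ET.fromstring(xml_bytes)
    return {e.findtext("objectId"): e.findtext("name") for e in root.iter("edgeSummary")}


def appliance_body(resource_pool_moid, datastore_moid, size="compact"):
    # Body for PUT /api/4.0/edges/<edgeId>/appliances: the step described as
    # "updating the MoId of the resource pool/datastore" before a redeploy.
    appliances = ET.Element("appliances")
    ET.SubElement(appliances, "applianceSize").text = size
    app = ET.SubElement(appliances, "appliance")
    ET.SubElement(app, "resourcePoolId").text = resource_pool_moid
    ET.SubElement(app, "datastoreId").text = datastore_moid
    return ET.tostring(appliances)


if __name__ == "__main__":
    # Offline walkthrough: list edges from the sample, then show the PUT that
    # would move edge-1 onto new MoIds. Only send() actually touches the network.
    edges = parse_edge_summaries(SAMPLE_EDGE_LIST)
    print(edges)
    req = build_request("PUT", "/api/4.0/edges/edge-1/appliances", "admin", "default",
                        appliance_body("resgroup-10", "datastore-20"))
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    # status, data = send(req, cafile="/etc/ssl/certs/lab-ca.pem")   # assumed CA bundle path
```

The same request can be issued with cURL (`curl -k` is the equivalent of “ignore the certificate”; prefer `--cacert <bundle>`), and the XML can be pasted into an XML-aware editor as the guide suggests.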

Tools

  • NSX vSphere API Guide
  • NSX API

Objective 8.1 – Configure Roles, Permissions, and Scopes

Knowledge

  • Identify default roles
    • Enterprise Administrator
      NSX operations and security.
    • NSX Administrator
      NSX operations only: for example, install virtual appliances, configure port groups.
    • Security Administrator
      NSX security only: for example, define data security policies, create port groups, create reports for NSX modules.
    • Auditor
      Read only.

      There are also two scopes available:

    • No restriction
      Access to entire NSX system.
    • Limit access scope
      Access to a specified Edge.
  • Explain Single Sign-On (SSO) integration
    • NSX supports Single Sign On (SSO), which enables NSX to authenticate users from other identity services such as Active Directory, NIS, and LDAP. User management in the vSphere Web Client is separate from user management in the CLI of any NSX component.
    • Integrating the single sign on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP. With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions.
  • Assign a role to a vCenter Server user
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click Users.
    • Click Add. The Assign Role window opens.
    • Click Specify a vCenter user or Specify a vCenter group.
    • Type the vCenter User or Group name for the user. NOTE If the vCenter user is from a domain (such as an SSO user), you must enter a fully qualified Windows domain path. This allows the default NSX Manager user (admin) as well as the SSO default user (admin) to log in to NSX Manager. This user name is for login to the NSX Manager user interface, and cannot be used to access NSX Manager CLIs.
    • Click Next.
    • Select the role for the user and click Next. For more information on the available roles, see “Managing User Rights” in the NSX Administration Guide.
    • Select the scope for the user and click Finish. The user account appears in the Users table.
  • Assign objects to a user
    After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same permissions at one time on multiple objects by moving the objects to a folder and setting the permissions on the folder.

    • Browse to the object in the vSphere Web Client object navigator.
    • Click the Manage tab and select Permissions.
    • Click Add Permission.
    • Click Add.
    • Identify the user or group to assign to this role.
      • Select the domain where the user or group is located from the Domain drop-down menu.
      • Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.
      • Select the user and click Add. The name is added to either the Users or Groups list.
      • (Optional) Click Check Names to verify that the user or group exists in the database.
      • Click OK.
    • Select a role from the Assigned Role drop-down menu. The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
    • (Optional) Deselect the Propagate to Child Objects check box. The role is applied only to the selected object and does not propagate to the child objects.
    • Verify that the users and groups are assigned to the appropriate permissions and click OK. The server adds the permission to the list of permissions for the object. The list of permissions references all users and groups that have roles assigned to the object and indicates where in the vCenter Server hierarchy the role is assigned.
  • Configure SSO
    • Log in to the NSX Manager virtual appliance.
    • Under Appliance Management, click Manage Settings.
    • Click NSX Management Service.
    • Click Edit next to Lookup Service.
    • Type the name or IP address of the host that has the lookup service.
    • Change the port number if required. The default port is 7444. The Lookup Service URL is displayed based on the specified host and port.
    • Type the vCenter administrator user name and password (for example, administrator@vsphere.local). This enables NSX Manager to register itself with the Security Token Service server.
    • Click OK.

      Confirm that the Lookup Service status is Connected.

  • Enable/Disable a user account
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click Users.
    • Select a user account.
    • Click the Enable or Disable icon.
  • Edit/Delete a user account
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click Users.
    • Edit:
      • Select the user you want to edit.
      • Click Edit.
      • Make changes as necessary.
      • Click Finish to save your changes.
    • Delete:
      • Select a user account.
      • Click Delete.
      • Click OK to confirm deletion. If you delete a vCenter user account, only the role assignment for NSX Manager is deleted. The user account on vCenter is not deleted.

Tools

  • NSX Administration Guide
  • vSphere Web Client

Objective 7.3 – Configure and Manage Service Composer

  • Identify assets that can be used with a Security Group
    Security groups may be static (including specific virtual machines) or dynamic where membership may be defined in one or more of the following ways:

    • vCenter containers (clusters, port groups, or datacenters)
    • Security tags, IPset, MACset, or even other security groups. For example, you may include a criteria to add all members tagged with the specified security tag (such as AntiVirus.virusFound) to the security group.
    • Directory Groups (if NSX Manager is registered with Active Directory)
    • Regular expressions, for example all virtual machines whose name contains “VM”

      Note that security group membership changes constantly. For example, a virtual machine tagged with the AntiVirus.virusFound tag is moved into the Quarantine security group. When the virus is cleaned and this tag is removed from the virtual machine, it again moves out of the Quarantine security group

  • Identify services contained in a Security Policy
    A security policy is a collection of the following service configurations.
    • Firewall rules Rules that define the traffic to be allowed to, from, or within the security group. Applies to vNIC
    • Endpoint service Data Security or third party solution provider services such as anti-virus or vulnerability management services. Applies to virtual machines
    • Network introspection services Services that monitor your network such as IPS. Applies to virtual machines
  • Identify common Service Composer use cases
    • Orchestrating security between multiple services
    • Deploying security services on demand
    • Quarantining Infected VMs
    • Quarantining vulnerable VMs
  • Differentiate Security Groups and Security Policies
    A Security Group is what you want to protect, a Security Policy is how you want to protect it.
  • Create/Edit a Security Group in Service Composer
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Service Composer.
    • Click the Security Groups tab and then click the Add Security Group icon.
    • Type a name and description for the security group and click Next.
    • On the Dynamic Membership page, define the criteria that an object must meet for it to be added to the security group you are creating.

      For example, you may include a criteria to add all members tagged with the specified security tag (such as AntiVirus.virusFound) to the security group. Security tags are case sensitive.

      NOTE If you define a security group by virtual machines that have a certain security tag applied to them, you can create a dynamic or conditional workflow. The moment the tag is applied to a virtual machine, the virtual machine is automatically added to that security group.

      Or you can add all virtual machines containing the name W2008 AND virtual machines that are in the logical switch global_wire to the security group.

    • Click Next.
    • On the Select objects to include page, select the tab for the resource you want to add and select one or more resource to add to the security group. You can include the following objects in a security group.
      • Other security groups to nest within the security group you are creating.
      • Cluster
      • Virtual wire
      • Network
      • Virtual App
      • Datacenter
      • IP sets
      • AD groups
        NOTE The AD configuration for NSX security groups is different from the AD configuration for vSphere SSO. NSX AD group configuration is for end users accessing guest virtual machines while vSphere SSO is for administrators using vSphere and NSX.
      • MAC Sets
      • Security tag
      • vNIC
      • Virtual Machine
      • Resource Pool
      • Distributed Virtual Port Group
        The objects selected here are always included in the security group regardless of whether or not they match the dynamic criteria. When you add a resource to a security group, all associated resources are automatically added. For example, when you select a virtual machine, the associated vNIC is automatically added to the security group.
    • Click Next and select the objects that you want to exclude from the security group.
      The objects selected here are always excluded from the security group even if they match the dynamic criteria or are selected in the include list.
    • Click Finish.

      Membership of a security group is determined as follows:
      {Expression result (derived from step 4) + Inclusions (specified in step 6)} – Exclusions (specified in step 7), which means that inclusion items are first added to the expression result, and exclusion items are then subtracted from the combined result. An object that appears in both the include and the exclude list is therefore excluded.
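
      As an added example (not from the study guide or from VMware), the membership rule above and the quarantine workflow described under “Identify assets that can be used with a Security Group” can be modelled as plain set arithmetic. The VM inventory, tag names other than AntiVirus.virusFound, and the condition syntax (field, operator, value) are constructed for illustration; NSX evaluates the same logic inside NSX Manager.

```python
"""Added example (not from the VCP-NV study guide or VMware): security group
membership as {dynamic expression result + inclusions} - exclusions, with
tag-driven (quarantine) membership changes. Inventory is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)   # security tags are case sensitive
    logical_switch: str = ""


def _cmp(actual, op, value):
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    if op == "matches":            # regular-expression criterion
        return re.search(value, actual) is not None
    raise ValueError(f"unknown operator {op!r}")


def condition_matches(vm, cond):
    key, op, value = cond           # e.g. ("tag", "equals", "AntiVirus.virusFound")
    if key == "tag":
        return any(_cmp(t, op, value) for t in vm.tags)
    if key == "name":
        return _cmp(vm.name, op, value)
    if key == "logical_switch":
        return _cmp(vm.logical_switch, op, value)
    raise ValueError(f"unknown criterion {key!r}")


def members(inventory, criteria, match_all=True, include=(), exclude=()):
    """Names of the VMs in the group.

    criteria   - dynamic membership conditions (ANDed when match_all, else ORed);
                 no criteria means no dynamic members
    include    - static inclusions, always members unless excluded
    exclude    - static exclusions, removed even if matched or included
    """
    combine = all if match_all else any
    expression = {vm.name for vm in inventory
                  if criteria and combine(condition_matches(vm, c) for c in criteria)}
    return (expression | set(include)) - set(exclude)


QUARANTINE = [("tag", "equals", "AntiVirus.virusFound")]
W2008_ON_GLOBAL_WIRE = [("name", "contains", "W2008"),
                        ("logical_switch", "equals", "global_wire")]

if __name__ == "__main__":
    inventory = [VM("web1", {"AntiVirus.virusFound"}, "global_wire"),
                 VM("W2008-app", set(), "global_wire"),
                 VM("W2008-db", set(), "db_wire")]
    print("quarantine:", members(inventory, QUARANTINE))        # {'web1'}
    inventory[0].tags.discard("AntiVirus.virusFound")           # virus cleaned
    print("quarantine:", members(inventory, QUARANTINE))        # set()
    print("W2008 AND global_wire:", members(inventory, W2008_ON_GLOBAL_WIRE))
```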

  • Create/Edit/Delete a Security Policy
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Service Composer.
    • Click the Security Policies tab.
    • Click the Create Security Policy icon.
    • In the Add Security Policy dialog box, type a name for the security policy.
    • Type a description for the security policy.

      NSX assigns a default weight (highest weight +1000) to the policy. For example, if the highest weight amongst the existing policy is 1200, the new policy is assigned a weight of 2200.
      Security policies are applied according to their weight – a policy with the higher weight has precedence over a policy with a lower weight.

    • Select Inherit security policy from specified policy if you want the policy that you are creating to receive services from another security policy. Select the parent policy.
      All services from the parent policy are inherited by the new policy.
    • Click Next.
    • In the Endpoint Services page, click the Add Endpoint Service “+” icon.
      (This is “Guest Introspection Services” in NSX 6.1)

      • In the Add Endpoint Service dialog box, type a name and description for the service.
      • Specify whether you want to apply the service or block it. When you inherit a security policy, you may choose to block a service from the parent policy.
      • Select the type of service. If you select Data Security, you must have a data security policy in place. See the “Data Security” chapter of the NSX Administration Guide.
      • If you chose to apply the Endpoint service, select the service name and service configuration. Service configuration refers to vendor templates. These configurations are defined in third party consoles and are registered along with partner services. Tagging and untagging of virtual machines depends on the service configuration selected for the security policy.
      • In State, specify whether you want to enable the selected Endpoint service or disable it. You can add Endpoint services as placeholders for services to be enabled at a later time. This is especially useful for cases where services need to be applied on-demand (for example, new applications).
      • Select whether the Endpoint service is to be enforced (i.e. it cannot be overridden). If you enforce an Endpoint service in a security policy, other policies that inherit this security policy would require that this policy be applied before the other child policies. If this service is not enforced, an inheritance selection would add the parent policy after the child policies are applied.
      • Click OK.

        You can add additional Endpoint services by following the above steps. You can manage the Endpoint services through the icons above the service table. You can export or copy the services on this page by clicking the icon on the bottom right side of the Endpoint Services page.

    • Click Next.
    • On the Firewall page, click the Add Firewall Rule “+” icon. Here, you are defining firewall rules for the security groups(s) that this security policy will be applied to.
      • Type a name and description for the firewall rule you are adding.
      • Select Allow or Block to indicate whether the rule needs to allow or block traffic to the selected destination.
      • Select the source for the rule. By default, the rule applies to traffic coming from the security groups to which this policy gets applied to. To change the default source, click Change and select the appropriate security groups.
      • Select the destination for the rule.

        NOTE Either the Source or Destination (or both) must be security groups to which this policy gets applied to.

        Say you create a rule with the default Source, specify the Destination as Payroll, and select Negate Destination. You then apply this security policy to security group Engineering. This would result in Engineering being able to access everything except for the Payroll server.

      • Select the services and/or service groups to which the rule applies to.
      • Select Enabled or Disabled to specify the rule state.
      • Select Log to log sessions matching this rule. Enabling logging may affect performance.
      • Click OK.

        You can add additional firewall rules by following the above steps. You can manage the firewall rules through the icons above the firewall table. You can export or copy the rules on this page by clicking the export icon on the bottom right side of the Firewall page.
        The firewall rules you add here are displayed on the Firewall table. VMware recommends that you do not edit Service Composer rules in the firewall table. If you must do so for an emergency troubleshooting, you must re-synchronize Service Composer rules with firewall rules by selecting Synchronize Firewall Rules from the Actions menu in the Security Policies tab.

      • Click Next.
        The Network Introspection Services page displays NetX services that you have integrated with your VMware virtual environment.
      • Click the Add Network Introspection Service “+” icon.
        • In the Add Network Introspection Service dialog box, type a name and description for the service you are adding.
        • Select whether or not to redirect to service.
        • Select the service name and profile.
        • Select the source and destination
        • Select the protocol.
          You can specify the protocol type, source port advanced options, and destination port.
        • Select whether to enable or disable the service.
        • Select Log to log sessions matching this rule.
        • Click OK.

          You can add additional network introspection services by following the above steps. You can manage the network introspection services through the icons above the service table. You can export or copy the services on this page by clicking the icon on the bottom right side of the Network Introspection Service page.

      • Click Finish.

        The security policy is added to the policies table. You can click the policy name and select the appropriate tab to view a summary of the services associated with the policy, view service errors, or edit a service.

  • Map a Security Policy to a Security Group
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Service Composer.
    • Click the Security Policy tab.
    • Select a security policy and click the Apply Security Policy icon.
    • Select the security group that you want to apply the policy to.

      If you select a security group defined by virtual machines that have a certain security tag applied to them, you can create a dynamic or conditional workflow. The moment the tag is applied to a virtual machine, the virtual machine is automatically added to that security group.

    • Click the Preview Service Status icon to see the services that cannot be applied to the selected security group and the reason for the failure.

      For example, the security group may include a virtual machine that belongs to a cluster on which one of the policy services has not been installed. You must install that service on the appropriate cluster for the security policy to work as intended.

    • Click OK.
  • Add/Edit/Delete a Security Tag
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click the Security Tags tab.
    • Add:
      • Click the New Security Tag “+” icon.
      • Type a name and description for the tag and click OK.
    • Edit:
      • Select a security tag and click the Edit Security Tag (Pencil) icon.
      • Make the appropriate changes and click OK.
    • Delete:
      • Select a security tag and click the Delete Security Tag “X” icon.
  • Assign and view a Security Tag
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click the Security Tags tab.
    • Assign:
      • Select a security tag and click the Assign Security Tag “+” icon.
      • Select one or more virtual machines and click OK.
    • View:
      • A list of tags applied in your environment is displayed along with details about the virtual machines to which those tags have been applied. Note down the exact tag name if you plan on adding a security group to include virtual machines with a specific tag.
      • Click the number in the VM Count column to view the virtual machines to which that tag in that row has been applied.

Tools

  • NSX Administration Guide
  • vSphere Web Client

Objective 7.2 – Configure Distributed Firewall Services

Knowledge

  • Differentiate between Layer 2 and Layer 3 rules
    • Layer 2 rules are between VMs on the same logical switch, and are based on the contents of the Ethernet packet header rather than the IP packet header. Packets are filtered based on the MAC address, rather than the IP address. L2 rules are mapped to L2 OSI model: only MAC addresses can be used in the source and destination fields – and only L2 protocols can be used in the service fields (like ARP for instance).
    • Layer 3 rules are between IP addresses or IP address ranges. Packets are filtered on the IP header and potentially also the TCP or UDP header. L3/L4 rules are mapped to L3/L4 OSI model: policy rules can be written using IP addresses and TCP/UDP ports.
      It is important to remember that L2 rules are always enforced before L3/L4 rules. As a concrete example, if the L2 default rule is changed to ‘block’, all L3/L4 traffic is blocked by DFW as well, because every IP packet arrives in an Ethernet frame that the L2 table has already dropped before the L3/L4 table is consulted (ping stops working, for example).
  • Differentiate between entity-based and identity-based rules
    • Entity based rules are based on VMware vCenter objects like datacenters and clusters and virtual machine names; network constructs like IP or IPSet addresses, VLAN (DVS port-groups), VXLAN (logical switches), security groups.
    • Identity based rules are based on user or group identity from Active Directory. Administrators can enforce access control based on the user’s group membership as defined in the enterprise Active Directory. Here are some scenarios where identity-based firewall rules can be used:
      • User accessing virtual applications using a laptop or mobile device where AD is used for user authentication
      • User accessing virtual applications using VDI infrastructure where the virtual machines are Microsoft Windows based
  • Identify firewall rule entities
    • VMware vCenter objects like datacenters and clusters and virtual machine names;
    • Network constructs like IP or IPSet addresses, VLAN (DVS port-groups), VXLAN (logical switches), security groups.
  • Explain rule processing order
    • L2 rules are always enforced before L3/L4 rules
    • User-defined pre rules have the highest priority and are enforced in top-to-bottom ordering with a per-virtual NIC level precedence.
    • Next Auto-plumbed rules.
    • Then Local rules defined at an NSX Edge level.
    • Then Service Composer rules – a separate section for each policy. You cannot edit these rules in the Firewall table, but you can add rules at the top of a security policy firewall rules section. If you do so, you must re-synchronize the rules in Service Composer. For more information, see Service Composer.
    • Finally Default Distributed Firewall rule
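    As an added example (not from the study guide or from VMware), the processing order above and the L2-before-L3 behaviour can be modelled as two first-match tables, one per tab, evaluated in sequence. The rule names, security group names and packets below are constructed; the Payroll rule is the Service Composer example from Objective 7.3 expressed as a firewall rule, and Negate Destination follows the semantics described under “Add/Delete a Distributed Firewall rule”.

```python
"""Added example (not from the VCP-NV study guide or VMware): a model of
Distributed Firewall evaluation. Ethernet (L2) table first, then the
L3/L4 table in the documented section order, first match wins, and
Negate Source/Destination inverting a selector. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow", "block" or "reject"
    src: frozenset = frozenset()       # empty selector = any
    dst: frozenset = frozenset()
    service: frozenset = frozenset()   # L2 table: ethertype; L3 table: "tcp/22", "icmp", ...
    negate_src: bool = False
    negate_dst: bool = False


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    ethertype: str    # "ipv4", "arp", ...
    src: str          # security group (or IP) the source vNIC resolves to
    dst: str
    service: str      # "icmp", "tcp/22", ...


def selector_hit(selector, value, negate=False):
    """'any' always matches and is unaffected by Negate; otherwise Negate inverts the match."""
    if not selector:
        return True
    hit = value in selector
    return (not hit) if negate else hit


def first_match(rules, src, dst, service):
    for rule in rules:
        if (selector_hit(rule.src, src, rule.negate_src)
                and selector_hit(rule.dst, dst, rule.negate_dst)
                and selector_hit(rule.service, service)):
            return rule
    raise LookupError("a firewall table must end with a default rule")


def l3_table(default, pre_rules=(), auto_plumbed=(), edge_local=(), service_composer=()):
    """Assemble the L3/L4 table in precedence order: pre rules, auto-plumbed,
    Edge-local, Service Composer sections, then the default rule."""
    return [*pre_rules, *auto_plumbed, *edge_local, *service_composer, default]


def evaluate(l2_rules, l3_rules, pkt):
    """Return (action, rule name). Only frames the Ethernet table allows reach L3/L4."""
    l2 = first_match(l2_rules, pkt.src_mac, pkt.dst_mac, pkt.ethertype)
    if l2.action != "allow":
        return l2.action, l2.name
    l3 = first_match(l3_rules, pkt.src, pkt.dst, pkt.service)
    return l3.action, l3.name


# Constructed tables
L2_DEFAULT_ALLOW = [Rule("Default Rule (L2)", "allow")]
L2_DEFAULT_BLOCK = [Rule("Default Rule (L2)", "block")]
ENG_EXCEPT_PAYROLL = Rule("Engineering except Payroll", "allow",
                          src=frozenset({"Engineering"}), dst=frozenset({"Payroll"}),
                          negate_dst=True)
BLOCK_SSH_TO_WEB = Rule("Block SSH to Web", "block",
                        dst=frozenset({"Web"}), service=frozenset({"tcp/22"}))
L3_BASE = l3_table(Rule("Default Rule (L3)", "block"), service_composer=[ENG_EXCEPT_PAYROLL])
L3_WITH_PRE = l3_table(Rule("Default Rule (L3)", "block"), pre_rules=[BLOCK_SSH_TO_WEB],
                       service_composer=[ENG_EXCEPT_PAYROLL])

MAC_A, MAC_B = "00:50:56:aa:00:01", "00:50:56:aa:00:02"
PING_WEB = Packet(MAC_A, MAC_B, "ipv4", "Engineering", "Web", "icmp")
SSH_WEB = Packet(MAC_A, MAC_B, "ipv4", "Engineering", "Web", "tcp/22")
HTTPS_PAYROLL = Packet(MAC_A, MAC_B, "ipv4", "Engineering", "Payroll", "tcp/443")

if __name__ == "__main__":
    print(evaluate(L2_DEFAULT_ALLOW, L3_BASE, PING_WEB))        # allowed by the negated rule
    print(evaluate(L2_DEFAULT_ALLOW, L3_BASE, HTTPS_PAYROLL))   # falls through to L3 default
    print(evaluate(L2_DEFAULT_ALLOW, L3_WITH_PRE, SSH_WEB))     # pre rule wins over Service Composer
    print(evaluate(L2_DEFAULT_BLOCK, L3_BASE, PING_WEB))        # L2 default block: ping never reaches L3
```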
  • Explain rule segregation
    • You can add a section to segregate firewall rules. For example, you might want to have the rules for sales and engineering departments in separate sections.
  • Add/Delete a Distributed Firewall rule
    • Add:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.
      • Ensure that you are in the General tab to add an L3 rule. Click the Ethernet tab to add an L2 rule.
      • In the section in which you add a rule, click Add rule (add icon) icon.
      • A new any any allow rule is added at the top of the section. If the system-defined rule is the only rule in the section, the new rule is added above the default rule.
      • If you want to add a rule at a specific place in a section, select a rule. In the No. column, click edit and select Add Above or Add Below.
      • Point to the Name cell of the new rule and click [+]
      • Type a name for the new rule.
      • Point to the Source cell of the new rule and click [+] or [IP]
      • If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify source as an object other than a specific IP address.
        • In View, select a container from which the communication originated. Objects for the selected container are displayed.
        • Select one or more objects and click Add. You can create a new security group or IPSet. Once you create the new object, it is added to the Source column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a source port, click Advance options and type the port number or range.
        • Select Negate Source to exclude this source from the rule. If Negate Source is selected, the rule applies to traffic coming from all sources except the source you specified in the previous step. If Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.
      • Click OK.
    • Point to the Destination cell of the new rule and click [+] or [IP].
      •  If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify destination as an object other than a specific IP address.
        • In View, select a container which the communication is targeting Objects for the selected container are displayed.
        • Select one or more objects and click Add. You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a destination port, click Advance options and type the port number or range.
        • Select Negate Destination to exclude this destination from the rule. If Negate Destination is selected, the rule applies to traffic going to all destinations except the destination you specified in the previous step. If Negate Destination is not selected, the rule applies to traffic going to the destination you specified in the previous step.
      • Click OK.
    • Point to the Service cell of the new rule and click [+] or [∩]
      • If you clicked [+] , select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. Click OK
      • If you clicked [∩] , select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC. Type the port number and click OK
    • Point to the Action cell of the new rule and click [+] Make appropriate selections as described in the list below and click OK.
      • Allow Allows traffic from or to the specified source(s), destination(s), and service(s).
      • Block Blocks traffic from or to the specified source(s), destination(s), and service(s).
      • Reject Sends reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections.
      • Log Logs all sessions matching this rule. Enabling logging can affect performance.
      • Do not log Does not log sessions.
    • Click Publish Changes to push the new rule to the ESXi hosts, where the Distributed Firewall enforces it at each vNIC. (Distributed Firewall rules are not pushed to an NSX Edge; only Edge firewall rules live on the Edge appliance.)
  • Configure Source/Destination/Service/Action rule components
    • Point to the Source cell of the rule and click [+] or [IP]
      • If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify source as an object other than a specific IP address.
        • In View, select a container from which the communication originated. Objects for the selected container are displayed.
        • Select one or more objects and click Add. You can create a new security group or IPSet. Once you create the new object, it is added to the source column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a source port, click Advance options and type the port number or range.
        • Select Negate Source to exclude this source port from the rule. If Negate Source is selected, the rule applied to traffic coming from all sources except for the source you specified in the previous step. If Negate Source is not selected, the rule applies to traffic coming from the source you specified in the previous step.
        • Click OK.
    • Point to the Destination cell of the rule and click [+] or [IP].
      • If you clicked [IP], select the IP address format (IPv4/v6) and type an IP address.
      • To specify destination as an object other than a specific IP address.
        • In View, select a container which the communication is targeting Objects for the selected container are displayed.
        • Select one or more objects and click You can create a new security group or IPSet. Once you create the new object, it is added to the Destination column by default. For information on creating a new security group or IPSet, see Network and Security Objects.
        • To specify a destination port, click Advance options and type the port number or range.
        • Select Negate Destination to invert the destination match. If Negate Destination is selected, the rule applies to traffic going to all destinations except the destination you specified in the previous step. If Negate Destination is not selected, the rule applies only to traffic going to the destination you specified.
        • Click OK.
    • Point to the Service cell of the rule and click [+] or [∩].
      • If you clicked [+], select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. Click OK.
      • If you clicked [∩], select the service protocol. Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC. Type the port number and click OK.
    • Point to the Action cell of the rule and click [+]. Make the appropriate selections as described in the list below and click OK.
      • Allow
        Allows traffic from or to the specified source(s), destination(s), and service(s).
      • Block
        Blocks traffic from or to the specified source(s), destination(s), and service(s).
      • Reject
        Sends reject message for unaccepted packets. RST packets are sent for TCP connections. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections.
      • Log
        Logs all sessions matching this rule. Enabling logging can affect performance.
      • Do not log
        Does not log sessions.
  • Change the order of a Distributed Firewall rule
    • In the vSphere Web Client, navigate to Networking & Security > Firewall.
    • Select the rule that you want to move.
    • Click the Move rule up or Move rule down icon.
    • Click Publish Changes.
  • Add/Merge/Delete a Distributed Firewall rule section
    • Add:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall. Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.
      • Click the Add Section icon.
      • Type a name for the section and specify the position for the new section. Section names must be unique within NSX Manager.
      • Click OK.
    • Merge:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.
      • For the section you want to merge, click the Merge icon and specify whether you want to merge this section with the section above or below.
      • Rules from both sections are merged. The new section keeps the name of the section with which the other section is merged.
      • Click Publish Changes.
    • Delete:
      • In the vSphere Web Client, navigate to Networking & Security > Firewall.
      • Ensure that you are in the General tab to delete a section for L3 rules. Click the Ethernet tab to delete a section for L2 rules.
      • Click the Delete section (X) icon for the section you want to delete.
      • Click OK and then click Publish Changes.
        The section, as well as all rules in that section, is deleted.
  • Determine publishing requirements for rules in a given NSX implementation
    • The Applied To column defines the scope of rule publishing. You can publish a rule to all clusters where DFW is enabled, or restrict publication to one of the object types listed below:
      • Cluster
        Selecting Cluster will push the rule down to all VM/vNIC on the ESXi cluster.
      • Datacenter
        Selecting Datacenter will push the rule down to all VM/vNIC on the Datacenter.
      • Distributed Port Group
        Selecting a distributed port group will push the rule down to all VM/vNIC connected to that DVS port-group.
      • Host
        Selecting Host will push the rule down to all VM/vNIC on the ESXi host.
      • Legacy port group
        Selecting Legacy port group will push the rule down to all VM/vNIC on the VSS port-group.
      • Logical Switch
        Selecting Logical Switch will push the rule down to all VM/vNIC connected on this Logical Switch (or VXLAN) segment .
      • Security Group
        Selecting Security Group will push the rule down to all VM/vNIC defined within the Security Group.
      • Virtual Machine
        Selecting Virtual Machine will push the rule down to all vNIC of this VM.
      • vNIC
        Selecting vNIC will push the rule down to this particular vNIC instance.
  • Import/Export Distributed Firewall Configuration
    • Import
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click Firewall.
      • Click the Firewall tab.
      • Click the Saved Configurations tab.
      • Click the Import configuration icon.
      • Click Browse and select the file containing the configuration that you want to import. Rules are imported based on the rule names. During the import, Firewall ensures that each object referenced in the rule exists in your environment. If an object is not found, the rule is marked as invalid.
        If a rule referenced a dynamic security group, the dynamic security group is created in NSX Manager during the import.
    • Export
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click Firewall.
      • Click the Export configuration icon.
      • To save the firewall configuration as an XML file, click Download.
      • Select the directory where you want to save the file and click Save.
        Your firewall configuration (both L2 and L3) is saved in the specified directory.
  • Load Distributed Firewall configuration
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Firewall.
    • Ensure that you are in the General tab to load an L3 firewall configuration. Click the Ethernet tab to load an L2 firewall configuration.
    • Click the Load configuration icon.
    • Select the configuration to load and click OK.
      The current configuration is replaced by the selected configuration.
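The exported configuration is the natural place to review the rule set offline before it is loaded back, so here is an added example (not code from the study guide, from VMware or from the NSX Administration Guide) that parses an export and flags the rules a reviewer looks at first: open any/any/any allows, open-ended allows whose Applied To is the whole distributed firewall, rules that use Negate Source/Destination (which match everything except the listed object), and deny rules without logging. The element names (firewallConfiguration, layer3Sections, section, rule), the excluded attribute that carries Negate Source/Destination and the DISTRIBUTED_FIREWALL appliedTo value are the NSX 6.x export format as remembered, so treat them as assumptions to check against a real export; the sample export, object IDs and rule names are constructed.

```python
"""Audit an exported NSX-v Distributed Firewall configuration (XML).

Added example; not code from the study guide or the NSX Administration Guide.
Element names, the 'excluded' attribute (Negate Source/Destination) and the
DISTRIBUTED_FIREWALL appliedTo value are assumptions about the 6.x export
format. The sample export below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one L3 section with a tight rule and a sloppy one.
SAMPLE_EXPORT = """<firewallConfiguration>
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1001" name="Web Tier">
      <rule id="1010" disabled="false" logged="true">
        <name>Web to App</name>
        <action>allow</action>
        <appliedToList>
          <appliedTo><name>sg-web</name><value>securitygroup-10</value><type>SecurityGroup</type></appliedTo>
        </appliedToList>
        <sources excluded="false">
          <source><name>sg-web</name><value>securitygroup-10</value><type>SecurityGroup</type></source>
        </sources>
        <destinations excluded="false">
          <destination><name>sg-app</name><value>securitygroup-11</value><type>SecurityGroup</type></destination>
        </destinations>
        <services>
          <service><name>HTTPS</name><value>application-67</value><type>Application</type></service>
        </services>
        <direction>inout</direction>
      </rule>
      <rule id="1011" disabled="false" logged="false">
        <name>Everything from anywhere but DMZ</name>
        <action>allow</action>
        <appliedToList>
          <appliedTo><name>DISTRIBUTED_FIREWALL</name><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo>
        </appliedToList>
        <sources excluded="true">
          <source><name>sg-dmz</name><value>securitygroup-12</value><type>SecurityGroup</type></source>
        </sources>
        <direction>inout</direction>
      </rule>
    </section>
  </layer3Sections>
  <layer2Sections/>
</firewallConfiguration>
"""


def parse_rules(xml_text):
    """One dict per rule. A missing or empty <sources>, <destinations> or
    <services> element means 'any', which is how the UI displays it."""
    root = ET.fromstring(xml_text)
    rules = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            src = rule.find("sources")
            dst = rule.find("destinations")
            svc = rule.find("services")
            rules.append({
                "id": rule.get("id"),
                "section": section.get("name"),
                "name": rule.findtext("name", ""),
                "action": rule.findtext("action", "").lower(),
                "disabled": rule.get("disabled") == "true",
                "logged": rule.get("logged") == "true",
                "src_any": src is None or len(src) == 0,
                "dst_any": dst is None or len(dst) == 0,
                "svc_any": svc is None or len(svc) == 0,
                "src_negated": src is not None and src.get("excluded") == "true",
                "dst_negated": dst is not None and dst.get("excluded") == "true",
                "applied_to": [a.findtext("value", "") for a in rule.iter("appliedTo")],
            })
    return rules


def audit(rules):
    """Return {rule_id: [finding, ...]} for enabled rules a reviewer should look at."""
    findings = {}
    for r in rules:
        if r["disabled"]:
            continue
        notes = []
        if r["action"] == "allow" and r["src_any"] and r["dst_any"] and r["svc_any"]:
            notes.append("any/any/any allow")
        elif r["action"] == "allow" and "DISTRIBUTED_FIREWALL" in r["applied_to"] \
                and (r["src_any"] or r["dst_any"]):
            notes.append("open-ended allow applied to every DFW-enabled cluster")
        if r["src_negated"] or r["dst_negated"]:
            notes.append("negated source/destination: matches everything except the listed objects")
        if r["action"] in ("block", "reject") and not r["logged"]:
            notes.append("deny without logging")
        if notes:
            findings[r["id"]] = notes
    return findings


if __name__ == "__main__":
    for rule_id, notes in audit(parse_rules(SAMPLE_EXPORT)).items():
        print(rule_id, "->", "; ".join(notes))
```

Run it against a real export by reading the downloaded XML file into parse_rules instead of SAMPLE_EXPORT. One caveat when a reviewed configuration is pushed back through the REST API instead of the Load configuration button: as remembered from the NSX 6.x API, the DFW configuration PUT has to carry the ETag returned by the preceding GET in an If-Match header, which is how NSX Manager refuses an update made from a stale copy; verify that against the API guide before scripting it.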
  • Determine need for excluding virtual machines from distributed firewall protection
    • You can exclude a set of virtual machines from firewall protection. If a virtual machine has multiple vNICs, all of them are excluded from protection.
    • NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter server and partner service virtual machines to allow traffic to flow freely.
    • Excluding virtual machines from firewall protection is useful for instances where vCenter Server resides in the same cluster where firewall is being utilized. After enabling this feature, no traffic from excluded virtual machines will go through the Firewall.
      NOTE vCenter Server can be moved to a cluster that is protected by firewall, but it must already exist in the exclusion list to avoid any connection issues.
  • Configure and manage SpoofGuard
    • Create a SpoofGuard policy
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click SpoofGuard.
      • Click the Add icon.
      • Type a name for the policy.
      • Select Enabled or Disabled to indicate whether the policy is enabled.
      • For Operation Mode, select one of the following:
        • Automatically Trust IP Assignments on Their First Use Select this option to trust all IP assignments upon initial registration with the NSX Manager.
        • Manually Inspect and Approve All IP Assignments Before Use Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.
      • Select “Allow local address as valid address in this namespace” to allow link-local (169.254.0.0/16, APIPA) addresses in your setup. When a virtual machine powers on but cannot reach a DHCP server, it assigns itself such a local IP address. That address is considered valid only if the policy allows local addresses; otherwise the local IP address is ignored.
      • Click Next.
      • To specify the scope for the policy, click Add and select the networks, distributed port groups, or logical switches that this policy should apply to.
        A port group or logical switch can belong to only one SpoofGuard policy.
      • Click OK and then click Finish.
    • Approve IP addresses
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click SpoofGuard.
      • Select a policy.
        Policy details are displayed below the policy table.
      • In View, click one of the option links.
        • Active Virtual NICs
          List of all validated IP addresses
        • Active Virtual NICs Since Last Published
          List of IP addresses that have been validated since the policy was last updated
        • Virtual NICs IP Required Approval
          IP address changes that require approval before traffic can flow to or from these virtual machines
        • Virtual NICs with Duplicate IP
          IP addresses that are duplicates of an existing assigned IP address within the selected datacenter
        • Inactive Virtual NICs
          List of IP addresses where the current IP address does not match the published IP address
        • Unpublished Virtual NICs IP
          List of virtual machines for which you have edited the IP address assignment but have not yet published
      • Do one of the following.
        • To approve a single IP address, click Approve next to the IP address.
        • To approve multiple IP addresses, select the appropriate vNICs and then click Approve Detected IP(s).
    • Edit/Clear IP addresses
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click SpoofGuard.
      • Select a policy.
        Policy details are displayed below the policy table.
      • In View, click one of the option links.
        • Active Virtual NICs
          List of all validated IP addresses
        • Active Virtual NICs Since Last Published
          List of IP addresses that have been validated since the policy was last updated
        • Virtual NICs IP Required Approval
          IP address changes that require approval before traffic can flow to or from these virtual machines
        • Virtual NICs with Duplicate IP
          IP addresses that are duplicates of an existing assigned IP address within the selected datacenter
        • Inactive Virtual NICs
          List of IP addresses where the current IP address does not match the published IP address
        • Unpublished Virtual NICs IP
          List of virtual machines for which you have edited the IP address assignment but have not yet published
      • To Edit, for the appropriate vNIC, click the Edit icon and make appropriate changes.
      • To clear a single IP address, click Clear next to the IP address.
      • To clear multiple IP addresses, select the appropriate vNICs and then click “Clear Approved IP(s)”.
      • Click OK.
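The two operation modes and the View categories are easier to reason about as a state machine than as UI steps, so here is an added example (not code from the study guide or from NSX) that models them: in first-use mode the first address a vNIC presents is approved and published, in manual mode traffic is blocked until an administrator approves the detected address, a vNIC whose current address differs from its published one shows as inactive and requires approval, an address already approved for another vNIC is flagged as a duplicate, and link-local addresses are accepted only when the policy allows local addresses. Blocking a duplicate even in first-use mode is a modelling choice here rather than something the guide states; vNIC identifiers and addresses are constructed.

```python
"""Model of SpoofGuard's operation modes and the vNIC views.

Added example; not code from the study guide or from NSX. The duplicate
handling in first-use mode is a modelling assumption; vNIC names and
addresses are constructed for the example.
"""
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("169.254.0.0/16")
TRUST_FIRST_USE = "auto"      # Automatically Trust IP Assignments on Their First Use
MANUAL_APPROVAL = "manual"    # Manually Inspect and Approve All IP Assignments Before Use


class SpoofGuardPolicy:
    def __init__(self, mode, allow_local=False):
        self.mode = mode
        self.allow_local = allow_local
        self.approved = {}    # vnic -> published (approved) IP
        self.pending = {}     # vnic -> detected IP waiting for approval

    def observe(self, vnic, ip):
        """A vNIC sends with source address `ip`. Returns 'pass' or 'block'."""
        if ip_address(ip) in LINK_LOCAL and not self.allow_local:
            return "block"                        # local address is ignored, so never approved
        if self.approved.get(vnic) == ip:
            return "pass"                         # matches the published address
        is_duplicate = ip in self.approved.values()
        if self.mode == TRUST_FIRST_USE and vnic not in self.approved and not is_duplicate:
            self.approved[vnic] = ip              # first use: trust it and publish it
            return "pass"
        self.pending[vnic] = ip                   # manual mode, changed address, or duplicate
        return "block"

    def approve(self, vnic):
        """'Approve' in the UI: publish the detected address for this vNIC."""
        self.approved[vnic] = self.pending.pop(vnic)

    def clear(self, vnic):
        """'Clear' in the UI: forget the approved address; the next packet re-enters the flow."""
        self.approved.pop(vnic, None)

    def views(self):
        """The categories the SpoofGuard page offers under View."""
        duplicates = {v: ip for v, ip in self.pending.items() if ip in self.approved.values()}
        return {
            "active": dict(self.approved),
            "required_approval": {v: ip for v, ip in self.pending.items() if v not in duplicates},
            "duplicate_ip": duplicates,
            "inactive": {v: self.approved[v] for v in self.pending if v in self.approved},
        }


if __name__ == "__main__":
    policy = SpoofGuardPolicy(TRUST_FIRST_USE)
    print(policy.observe("vnic-1", "10.0.0.10"))   # trusted on first use
    print(policy.observe("vnic-1", "10.0.0.99"))   # changed address: blocked until approved
    print(policy.observe("vnic-2", "10.0.0.10"))   # duplicate of vnic-1's published address
    print(policy.views())
```

The point the model makes explicit is that a vNIC never earns trust for an address by sending from it a second time: once the published address is set, the only way to a new address is through approve(), and in manual mode the very first packet is already a blocked, pending entry.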

Tools

  • NSX Administration Guide
  • vSphere Web Client

Objective 7.1 – Configure and Administer Logical Firewall Services

Knowledge

  • Add/Edit/Delete an Edge Firewall rule
    7.1.Edge Firewall

    • Add:
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the Firewall tab.
      • Do one of the following.
      • To add a rule at a specific place in the firewall table
        • Select a rule.
        • In the No. column, click the Pencil icon and select Add Above or Add Below.
        • A new any/any allow rule is added above or below the selected rule, as chosen. If the system-defined default rule is the only rule in the firewall table, the new rule is added above it.
      • To add a rule by copying a rule
        • Select a rule.
        • Click the Copy icon.
        • Select a rule.
        • In the No. column, click and select Paste Above or Paste Below.
      • To add a rule anywhere in the firewall table
        • Click the Add “+” icon.
        • A new any/any allow rule is added below the selected rule. If the system-defined default rule is the only rule in the firewall table, the new rule is added above it. The new rule is enabled by default.
        • Point to the Name cell of the new rule and click [+]
        • Type a name for the new rule.
        • Point to the Source cell of the new rule and click [+] or [IP].
        • If you clicked [IP], type an IP address.
        • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group and then vse, the rule applies to traffic generated by the NSX Edge itself. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance; the rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group, which is automatically added to the Source column.
        • Click OK.
      • Point to the Destination cell of the new rule and click [+] or [IP].
        • If you clicked [IP], type an IP address.
        • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group and then vse, the rule applies to traffic addressed to the NSX Edge itself. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance; the rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group, which is automatically added to the Destination column.
        • Click OK.
      • Point to the Service cell of the new rule and click [+] or [∩]
        • If you clicked [+] , select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column.
        • If you clicked [∩], select a protocol. You can specify the source port by clicking the arrow next to Advance options. VMware recommends that you avoid specifying the source port from release 5.1 onwards; instead, create a service for the protocol-port combination. NOTE: NSX Edge only supports services defined with L3 protocols.
      • Point to the Action cell of the new rule and click [+]
        • Click Deny to block traffic from or to the specified source and destination.
        • Click Log to log all sessions matching this rule. Enabling logging can affect performance.
        • Type comments if required.
        • Click [>] next to Advance options.
        • To apply the rule to the translated IP address and services for a NAT rule, select Translated IP for Match on.
        • Click Enable Rule Direction and select Incoming or Outgoing. VMware does not recommend specifying the direction for firewall rules.
        • Click OK
      • Click Publish Changes to push the new rule to the NSX Edge instance.
    • Edit:
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the Firewall tab.
      • Select the rule to edit
        NOTE You cannot change an auto-generated rule or the default rule, except for changing the Action on the default rule.
      • Make the desired changes and click OK.
      • Click Publish Changes.
    • Delete:
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the Firewall tab.
      • Select the rule to delete
        NOTE You cannot delete an auto-generated rule or the default rule.
      • Click Delete “X” and click OK.
      • Click Publish Changes.
  • Configure Source/Destination/Service/Action rule components
    • Configure Source:
      • Point to the Source cell of the rule and click [+] or [IP].
      • If you clicked [IP], type an IP address.
      • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group and then vse, the rule applies to traffic generated by the NSX Edge itself. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance; the rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group, which is automatically added to the Source column.
      • Click OK.
    • Configure Destination:
      • Point to the Destination cell of the rule and click [+] or [IP].
      • If you clicked [IP], type an IP address.
      • If you clicked [+], select an object from the drop-down and then make the appropriate selections. If you select vNIC Group and then vse, the rule applies to traffic addressed to the NSX Edge itself. If you select internal or external, the rule applies to traffic going to any internal or uplink interface of the selected NSX Edge instance; the rule is automatically updated when you configure additional interfaces. If you select IP Sets, you can create a new IP address group, which is automatically added to the Destination column.
      • Click OK.
    • Configure Service:
      • Point to the Service cell of the rule and click [+] or [∩]
        • If you clicked [+], select a service. To create a new service or service group, click New. Once you create the new service, it is automatically added to the Service column. For more information on creating a new service, see “Create a Service” in the NSX Administration Guide.
        • If you clicked [∩], select a protocol. You can specify the source port by clicking the arrow next to Advance options. VMware recommends that you avoid specifying the source port from release 5.1 onwards; instead, create a service for the protocol-port combination. NOTE: NSX Edge only supports services defined with L3 protocols.
    • Configure Action:
      • Point to the Action cell of the rule and click [+]
      • Click Deny to block traffic from or to the specified source and destination.
      • Click Log to log all sessions matching this rule. Enabling logging can affect performance.
      • Type comments if required.
      • Click [>] next to Advance options.
      • To apply the rule to the translated IP address and services for a NAT rule, select Translated IP for Match on.
      • Click Enable Rule Direction and select Incoming or Outgoing. VMware does not recommend specifying the direction for firewall rules.
      • Click OK
    • Click Publish Changes to push the updated rule to the NSX Edge instance.
  • Change the order of an Edge Firewall rule
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Edges.
    • Double-click an NSX Edge.
    • Click the Manage tab and then click the Firewall tab.
    • Select the rule for which you want to change the priority.
      NOTE You cannot change the priority of auto-generated rules or the default rule.
    • Click the “Move Up” or “Move Down” icon.
    • Click OK.
    • Click Publish Changes.
  • Change the priority of an Edge Firewall rule
    • Changing the priority means the same thing as changing the order.
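Because order is priority, the only way to see what a reorder does to the policy is to evaluate traffic against the table. Here is an added example (not code from the study guide or from NSX) that models the first-match semantics shared by the Edge firewall and the Distributed Firewall: rules are walked top to bottom, the first enabled rule whose source, destination, service and direction all match decides the action, and the default rule at the bottom catches everything else. Negate Source/Destination are the negate flags, and move_rule does what the Move Up/Move Down icons do. The table, networks and packets are constructed; the tiers and rule names are not from the guide.

```python
"""First-match evaluation of an ordered firewall rule table.

Added example; not code from the study guide or from NSX. The table,
networks and packets below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                                    # "allow" or "deny"
    src: list = field(default_factory=list)        # CIDRs; empty means any
    dst: list = field(default_factory=list)
    services: list = field(default_factory=list)   # (proto, port) pairs; empty means any
    negate_src: bool = False
    negate_dst: bool = False
    direction: str = ANY                           # "in", "out" or ANY
    enabled: bool = True


def _addr_match(addr, cidrs, negate):
    # An empty object list is 'any'; the UI does not negate 'any', so it always matches.
    if not cidrs:
        return True
    hit = any(ip_address(addr) in ip_network(c, strict=False) for c in cidrs)
    return hit != negate          # negate flips the result for the listed objects


def _service_match(proto, port, services):
    if not services:
        return True
    return any(p == proto and (sp == ANY or sp == port) for p, sp in services)


def evaluate(rules, src, dst, proto, port, direction=ANY):
    """Return (rule name, action) of the first matching enabled rule, top to bottom."""
    for r in rules:
        if not r.enabled or (r.direction != ANY and r.direction != direction):
            continue
        if (_addr_match(src, r.src, r.negate_src)
                and _addr_match(dst, r.dst, r.negate_dst)
                and _service_match(proto, port, r.services)):
            return r.name, r.action
    raise LookupError("no rule matched; the default rule must be last and catch everything")


def move_rule(rules, name, new_index):
    """Return a reordered copy, the way the Move Up/Move Down icons reorder the table."""
    rules = list(rules)
    rule = next(r for r in rules if r.name == name)
    rules.remove(rule)
    rules.insert(new_index, rule)
    return rules


# Constructed table in UI order: DMZ 10.1.0.0/24, app tier 10.2.0.0/24, DB tier 10.3.0.0/24.
TABLE = [
    Rule("Block DMZ to DB", "deny", src=["10.1.0.0/24"], dst=["10.3.0.0/24"]),
    Rule("Web to App HTTPS", "allow", src=["10.1.0.0/24"], dst=["10.2.0.0/24"],
         services=[("tcp", 443)]),
    Rule("SSH from everywhere except DMZ", "allow", src=["10.1.0.0/24"], negate_src=True,
         services=[("tcp", 22)]),
    Rule("Default Rule", "deny"),
]

# A broad "temporary" allow just above the default rule changes nothing for DMZ-to-DB...
RELAXED = TABLE[:3] + [Rule("Temp: DMZ to anywhere", "allow", src=["10.1.0.0/24"])] + TABLE[3:]
# ...until someone moves it to the top, where it shadows the block rule.
RELAXED_ON_TOP = move_rule(RELAXED, "Temp: DMZ to anywhere", 0)

if __name__ == "__main__":
    for table in (TABLE, RELAXED, RELAXED_ON_TOP):
        print(evaluate(table, "10.1.0.5", "10.3.0.9", "tcp", 1433))
```

The negated SSH rule shows the trap in Negate Source: it matches every address outside the DMZ, including networks nobody has thought about yet, so a later, more specific block is never reached for them unless it sits above.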

Tools

  • NSX Administration Guide
  • vSphere Web Client

Objective 6.4 – Configure and Manage Edge Services High Availability

Knowledge

  • Describe NSX Edge High Availability
    • High Availability (HA) keeps an NSX Edge available by deploying a pair of Edge appliances, one active and one standby, on your virtualized infrastructure. You can enable HA either when installing NSX Edge or on an installed NSX Edge instance.
    • The primary NSX Edge appliance is in the active state and the secondary appliance is in the standby state. NSX Edge replicates the configuration of the primary appliance for the standby appliance or you can manually add two appliances.
  • Explain Edge High Availability best practices
    • VMware recommends that you create the primary and secondary appliances on separate resource pools and datastores. If you create the primary and secondary appliances on the same datastore, the datastore must be shared across all hosts in the cluster for the HA appliance pair to be deployed on different ESX hosts.
      • This seems to conflict with the statement “Two virtual machines are deployed on vCenter in the same resource pool and datastore as the appliance you configured”
  • Describe service availability during an Edge High Availability failover
    • If a heartbeat is not received from the primary appliance within the specified time (default value is 15 seconds), the primary appliance is declared dead. The standby appliance moves to the active state, takes over the interface configuration of the primary appliance, and starts the NSX Edge services that were running on the primary appliance. When the switch over takes place, a system event is displayed in the System Events tab of Settings & Reports. Load Balancer and VPN services need to re-establish TCP connection with NSX Edge, so service is disrupted for a short while. Virtual wire connections and firewall sessions are synched between the primary and standby appliances, so there is no service disruption during switch over.
  • Differentiate NSX Edge High Availability and vSphere High Availability
    • NSX Edge High Availability is stateful, and uses 2 running VMs. In the event of failure of the host server where the Primary VM is running, the Secondary VM takes over the service.
    • vSphere High Availability monitors for a host failure and restarts any lost VMs on other hosts in the cluster. This is used to restart the original Primary VM in the event of a host failure, so that an NSX Edge HA pair still remains in the event of a further failure.
  • Configure NSX Edge High Availability
    • Configure heartbeat settings
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the Settings tab.
      • In the HA Configuration panel, click Change.
      • In the Change HA Configuration dialog box, enter the Declare Dead Time. The default is 15 seconds.
      • Click OK.
    • Configure management IP addresses
      • Log in to the vSphere Web Client.
      • Click Networking & Security and then click NSX Edges.
      • Double-click an NSX Edge.
      • Click the Manage tab and then click the Settings tab.
      • In the HA Configuration panel, click Change.
      • In the Change HA Configuration dialog box, choose the appropriate vNIC, and enter the Management IPs
      • Click OK.
  • Modify an existing Edge High Availability deployment
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Edges.
    • Double-click an NSX Edge.
    • Click the Manage tab and then click the Settings tab.
    • In the HA Configuration panel, click Change.
    • In the Change HA Configuration dialog box, make changes as appropriate.
    • Click OK.
  • Determine resource pool requirements for a given Edge High Availability configuration
    • For high availability, verify that the resource pool has enough capacity for both HA virtual machines to be deployed.
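The same HA settings (enabled flag, heartbeat vNIC, the two management IPs and the Declare Dead Time) can be set through the REST API described in Objective 8.2 instead of the Change HA Configuration dialog. Here is an added example (not code from the study guide or from VMware) that validates the inputs and builds the request without sending it. The endpoint (PUT /api/4.0/edges/<edgeId>/highavailability/config) and the highAvailability body are the NSX-v 6.x API as remembered, so treat them as assumptions to check against the NSX API Guide; the manager hostname, edge ID, vNIC index, credentials and management addresses are constructed.

```python
"""Build the NSX Edge HA configuration request for the settings above.

Added example; not code from the study guide or from VMware. The endpoint and
the <highAvailability> body are assumptions about the NSX-v 6.x API. Hostname,
edge ID, vNIC index, credentials and addresses are constructed; the request is
built but never sent.
"""
import base64
import xml.etree.ElementTree as ET
from ipaddress import ip_interface
from urllib.request import Request


def mgmt_ips_valid(mgmt_ips):
    """Two distinct management addresses in CIDR form in the same subnet, one per appliance."""
    if len(mgmt_ips) != 2:
        return False
    try:
        a, b = (ip_interface(i) for i in mgmt_ips)
    except ValueError:
        return False
    return a.ip != b.ip and a.network == b.network


def ha_config_xml(vnic_index, mgmt_ips, declare_dead_time=15):
    """Serialise the HA settings; declare_dead_time is the dialog's Declare Dead Time in seconds."""
    if not mgmt_ips_valid(mgmt_ips):
        raise ValueError("need two distinct management IPs in CIDR form in the same subnet")
    if declare_dead_time <= 0:
        raise ValueError("declare dead time must be positive")
    ha = ET.Element("highAvailability")
    ET.SubElement(ha, "enabled").text = "true"
    ET.SubElement(ha, "vnic").text = str(vnic_index)          # interface carrying the heartbeat
    ips = ET.SubElement(ha, "ipAddresses")
    for cidr in mgmt_ips:
        ET.SubElement(ips, "ipAddress").text = cidr
    ET.SubElement(ha, "declareDeadTime").text = str(declare_dead_time)
    return ET.tostring(ha, encoding="unicode")


def ha_config_request(manager, edge_id, body, username, password):
    """Prepare the PUT to NSX Manager with HTTP basic auth; nothing is sent here."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request(
        f"https://{manager}/api/4.0/edges/{edge_id}/highavailability/config",
        data=body.encode(),
        method="PUT",
        headers={"Content-Type": "application/xml", "Authorization": f"Basic {token}"},
    )


if __name__ == "__main__":
    body = ha_config_xml(1, ["192.168.100.1/30", "192.168.100.2/30"], declare_dead_time=15)
    req = ha_config_request("nsxmgr.example.com", "edge-1", body, "admin", "changeme")
    print(req.get_method(), req.full_url)
    print(body)
```

Keeping the validation in front of the call matters more than the call itself: a dead time of zero or management addresses in different subnets are exactly the kind of mistake that leaves both appliances believing they are active.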

Tools

  • NSX Administration Guide
  • NSX Manager
  • vSphere Web Client