VMware VSHIELD MANAGER 4.1.0 UPDATE 1 - API Uživatelský manuál stáhnout pdf (Strana 51)

VMware, Inc. 51

YoucanconfigurevShieldAppfirewallrulesandsyslogservicebyusingRESTAPIcalls.

Thischapterincludesthefollowingtopics:

 “ConfiguringFirewallRulesforavCenterContainer”onpage 51

 “ManagingSecurityGroups”onpage 56

 “ConfiguringSyslogServiceforavShieldApp”onpage 59

Configuring Firewall Rules for a vCenter Container

TheprimaryfunctionofavShieldAppistoprovidefirewallprotectiononanESXhostbyinspectingeach

sessionandreturningdetailstothevShieldManager.Trafficdetailsincludesources,destinations,directionof

sessions,applications,andportsbeingused.Trafficdetailscanbeusedtocreatefirewallallowordeny

rules.

InthevShieldManageruserinterfaceorvSphereClientplug‐in,theAppFirewalltabcontainsthefirewall

rulesenforcedbyvShieldAppinstances.YoucanmanageAppFirewallrulesatthedatacenter,cluster,and

portgrouplevelstoprovideaconsistentsetofrulesacrossmultiplevShieldApp

instancesunderthese

containers.Asmembershipinthesecontainerscanchangedynamically,AppFirewallmaintainsthestateof

existingsessionswithoutrequiringreconfigurationoffirewallrules.Inthisway,AppFirewa lleffectivelyhas

acontinuousfootprintoneachESXhostunderthemanagedcontainers.

WhencreatingAppFirewallrules,youcan

creategeneralrulesbasedon incomingoroutgoingtrafficatthe

containerlev el.Forexample,youcancreatearuletodenyanytrafficfromout si de ofadatacenterthattargetsa

destinationwithinthedatacenter.Youcancreatearuletodenyanyincomingtrafficthatisnottaggedwith

a

VLANID.

Allfirew allrulesconfiguredbyusingRESTrequestsappearundertheAppFirewalltabfortheapprop ria te 

containerinthevShieldManageruserinterfaceandvSphereClientplug‐in.

ForthecompletefirewallXMLschema,see“vShieldAppFirewallSchema”onpage 69.

View All Firewall Rules for a Container

Youcanviewallofthefirewallrulesforaspecificcontainer—datacenter,cluster,orportgroup—andanychild

containersbyidentifyingtheMOREFID(container-moref-id)ofthecontainer.Forexample,ifyourequest

therulesetatthedatacenterlevel,theresponseincludestherulesfortheclustersandport

groupswithinthat

datacenter.

Itisgoodpracticetoviewthecurrentfirewallrulesetbeforepostingneworupdatedrules.

vShield App Management

IMPORTANTAllvShieldRESTrequestsrequireauthorization.Youcanusethefollowingbasicauthorization:

Authorization: Basic YWRtaW46ZGVmYXVsdA==

YWRtaW46ZGVmYXVsdA==representstheBase64encodingofthevShieldManagerdefaultlogincredentials

(admin:default).

1 2 ... 46 47 48 49 50 51 52 53 54 55 56 ... 89 90

Žádné komentáře

VMware VSHIELD MANAGER 4.1.0 UPDATE 1 - API Uživatelský manuál Strana 51