NSX for vSphere

Advanced Training
Lab Exercises – Day 2

Confidential
© 2010 VMware Inc. All rights reserved

NSX Distributed Firewall Lab Exercises


NSX vSphere Training – Logical Topology and Security-Groups

[Figure: logical topology of the lab. The Control Center reaches the application through the NSX Edge GW. Three logical switches hang off a Distributed Logical Router, which owns the .1 address on each segment:

Logical Switch   Subnet            VMs                                   Security Group
Web-Tier-01      172.16.10.0/24    web-sv-01a (.11), web-sv-02a (.12)    SG-WEB
App-Tier-01      172.16.20.0/24    app-sv-01a (.11)                      SG-APP
DB-Tier-01       172.16.30.0/24    db-sv-01a (.11)                       SG-DB]

NSX vSphere Training – Allowed Traffic (Inter-Tier and Intra-Tier)

[Figure: the only traffic the DFW policy will allow once the default rule is set to Block:

Control Center (any source)  ->  SG-WEB   HTTP, HTTPS
SG-WEB                       ->  SG-WEB   HTTP (intra-tier)
SG-WEB                       ->  SG-APP   SSH, TCP-8443
SG-APP                       ->  SG-DB    MySQL]

Lab Exercise 10 – NSX Distributed Firewall

This LAB consists of the following steps:
§  Step 1 – Logical Topology and Connectivity Check.
§  Step 2 – Create Security-Groups.
§  Step 3 – Create and Allocate S-G TAG to Web Servers.
§  Step 4 – Create DFW policy rules.
§  Step 5 – Check DFW rules configuration with Applied to S-G.
§  Step 6 – Check DFW rules work properly.
§  Step 7 – Reject Action.
§  Step 8 – Advanced Rules Filtering UI.
§  Step 9 – CPU/Memory/CPS Threshold.

Lab Exercise 10 – NSX Distributed Firewall Step 1
Step objective: before starting the lab, let's make sure we have the right logical topology and that connectivity works as expected.
§  Check VMs are connected on the right logical switches: Using vSphere web client (root / VMware1!) click on Hosts and Clusters. Select web-sv-01a and check it is connected to Web-Tier-01 LS. Select web-sv-02a and check it is connected to Web-Tier-01 LS. Select app-sv-01a and check it is connected to App-Tier-01 LS. Select db-sv-01a and check it is connected to DB-Tier-01 LS.
§  Verify web-sv-01a can ping everything: Using PUTTY, open a SSH session to web-sv-01a (172.16.10.11). Use root / VMware1! to log into the server. Type the following commands to test ping reachability:
# ping 172.16.10.12 (web-sv-02a)
# ping 172.16.20.11 (app-sv-01a)
# ping 172.16.30.11 (db-sv-01a)
# ping 172.16.10.1 (default GW)
Verify all pings are successful.

Lab Exercise 10 – NSX Distributed Firewall Step 1 §  Verify web-sv-01a can SSH to all other VMs: From the PUTTY session.11 ssh should succeed.20.11 ssh should succeed.16. From the PUTTY session. SSH to db-sv-01a using the following command: # ssh 172. Type exit to come back to web-sv-01a.30.10. §  Verify web-sv-01a can send HTTP request to web-sv-02a : From the PUTTY session.12 You should be able to see response from web-sv-02a. SSH to app-sv-01a using the following command: # ssh 172.16. send a HTTP request to web-sv-02a using the following command: # curl http://172. Type exit to come back to web-sv-01a.16. 7 Confidential .

Lab Exercise 10 – NSX Distributed Firewall Step 1
§  Verify app-sv-01a can send a SQL request to db-sv-01a: Using PUTTY, open a SSH session to app-sv-01a. Use root / VMware1! to log into the server. From the console, try to connect to the SQL server (db-sv-01a) using the following command:
# mysql -u root -h 172.16.30.11 -p
Type VMware1! when the system prompts for the password. You should be able to see the same message as displayed on the screenshot.

Lab Exercise 10 – NSX Distributed Firewall Step 1 §  Verify Control Center can access ABC Medical APP – OneArm web page: Open a new tab on FIREFOX. You should be able to see the web page: At this point of time. 9 Confidential . Click on ABC Medial App – OneArm shortcut. everything should work fine as there is no DFW rule blocking traffic (DFW default rule set to allow).

Lab Exercise 10 – NSX Distributed Firewall Step 2
Step objective: to create Security-Groups to group web servers, app servers and DB servers into their respective containers. Security-Groups will then be used as objects in DFW policy rules. We will leverage dynamic inclusion using the VM name and Security Group Tag mechanisms.
§  Create Security-Group SG-WEB using dynamic inclusion with S-G TAG: Using vSphere web client, go to NSX home and then click on Service Composer. Select the Security Groups tab. Click on the new Security Group icon and create SG-WEB using the following characteristics:
Name: SG-WEB
Dynamic Membership: Security Tag Contains SG-TAG-WEB
Click on Finish after configuring dynamic membership.

Lab Exercise 10 – NSX Distributed Firewall Step 2 §  Create Security-Group SG-APP using dynamic inclusion with VM name: Click on new Security Group icon and create SG-APP using the following characteristics: Name: SG-APP Dynamic Membership: VM Name Contains ‘app’ Click on finish after configuring dynamic membership. §  Create Security-Group SG-DB using dynamic inclusion with VM name: Click on new Security Group icon and create SG-DB using the following characteristics Name: SG-DB Dynamic Membership: VM Name Contains ‘db’ Click on finish after configuring dynamic membership. 11 Confidential .

Lab Exercise 10 – NSX Distributed Firewall Step 2 §  Verify you obtain the same window as displayed below: SG-APP and SG-DB show respectively 1 VM and 1 VM. Clicking on the number (link) will show the VM name: 12 Confidential . SG-WEB does not show anything as S-G TAG SG-TAG-WEB has not been allocated yet to web servers.

Lab Exercise 10 – NSX Distributed Firewall Step 3
Step objective: create S-G TAG SG-TAG-WEB and then associate it to all Web Servers in order to correctly populate Security Group SG-WEB.
§  Create SG-TAG-WEB and associate it to web-sv-01a: Using vSphere web client, go to Hosts and Clusters, expand Compute Cluster A then click on web-sv-01a. In the summary window, look for the Security Tags table. Click on Manage within the table:

Lab Exercise 10 – NSX Distributed Firewall Step 3
§  Create SG-TAG-WEB and associate it to web-sv-01a (cont'd): A new window appears. Click on the + button. Use the following information to create the new SG TAG:
Name: SG-TAG-WEB
Description: Tag allocated for WEB servers
Click on OK. The SG TAG to VM allocation window re-appears one more time. Select SG-TAG-WEB and then click on OK.

Lab Exercise 10 – NSX Distributed Firewall Step 3 §  Web-sv-01a summary window should display SG-TAB-WEB in the Security Tags table as shown below: §  Associate the same tag SG-TAB-WEB to web-sv-02a now: Repeat the previous actions to assign the S-G TAG to web-sv-02a. 15 Confidential .

Lab Exercise 10 – NSX Distributed Firewall Step 3 §  Check Security-Group SG-WEB is now correctly populated: Go to NSX Home and click on Service Composer menu. 16 Confidential . Select Security Groups tab. You should be able to see now the 2 WEB servers part of Security-Group SG-WEB.

Lab Exercise 10 – NSX Distributed Firewall Step 4
Step objective: to create DFW policy rules to enforce application access control for intra-tier traffic and inter-tier traffic. We are now going to use the Positive Security Model, where allowed traffic needs to be explicitly configured.
§  Change default rule from Allow to Block: Go to NSX Home and then click on the Firewall menu. Expand Default Section (Layer3). Change the Default Rule action from Allow to Block. Click on Publish Changes to enforce the modification (check you get the Last Publish Operation Succeeded message after the publish).
Note: from this publish onward, every flow that is not explicitly allowed is dropped on all prepared hosts, including the SSH sessions used in Step 1. That is acceptable in the lab; in production you would publish the allow sections first and flip the default rule last.

18 Confidential .Lab Exercise 10 – NSX Distributed Firewall Step 4 §  Create intra-tier policy rules: Add a new section on top of default section and name it INTRA-TIER ACCESS CONTROL. Add the following policy rule in this new section: Name Source Destination Service Action Applied to Log WEB to WEB SG-WEB SG-WEB HTTP Allow SG-WEB Log Click on Publish Changes to enforce the new policy rules (check you get Last Publish Operation Succeeded message after the publish).

Lab Exercise 10 – NSX Distributed Firewall Step 4
§  Create intra-tier policy rules (cont'd): You should obtain the following window. Note that "Applied To" with a Security-Group object is a new feature provided by NSX 6.1. In the next step, we will check its application.

Lab Exercise 10 – NSX Distributed Firewall Step 4
§  Create inter-tier policy rules: Add a new section on top of the default section and name it INTER-TIER ACCESS CONTROL. Add the following policy rules in the section (click on the + button on the section row to add rules inside the section):

Name        Source   Destination   Service         Action   Applied to       Log
ANY to WEB  ANY      SG-WEB        HTTP, HTTPS     Allow    SG-WEB           Log
WEB to APP  SG-WEB   SG-APP        SSH, TCP-8443   Allow    SG-WEB, SG-APP   Log
APP to DB   SG-APP   SG-DB         MYSQL           Allow    SG-APP, SG-DB    Log

Click on Publish Changes to enforce the new policy rules (check you get the Last Publish Operation Succeeded message after the publish).

1.Lab Exercise 10 – NSX Distributed Firewall Step 4 §  Create inter-tier policy rules (cont’d): You should obtain the following window: Note that “Applied To” to a Security-Group object is a new feature provided by NSX 6. 21 Confidential . In the next step. we will check its application.

Lab Exercise 10 – NSX Distributed Firewall Step 4
§  Create management policy rules: Add a new section on top of the default section and name it MANAGEMENT. Add the following policy rule in the section (click on the + button on the section row to add rules inside the section):

Name       Source           Destination                          Service   Action   Applied to                           Log
SSH to VM  192.168.110.10   web-sv-01a, web-sv-02a, app-sv-01a   SSH       Allow    web-sv-01a, web-sv-02a, app-sv-01a   Log

Click on Publish Changes to enforce the new policy rules (check you get the Last Publish Operation Succeeded message after the publish).

Lab Exercise 10 – NSX Distributed Firewall Step 4
§  Create management policy rules (cont'd): You should obtain the following window. The management rule allows SSH connectivity to the WEB and APP VMs from the Control Center (IP 192.168.110.10).

Lab Exercise 10 – NSX Distributed Firewall Step 5
Step objective: to check that DFW rules are properly downloaded to each VM based on the "Applied To" field.
§  Check DFW configuration for web-sv-01a: Open a PUTTY session on esxcomp-01a. Use root / VMware1! to log into the ESXi host. Type the following command to see all VM filter names:
# summarize-dvfilter
Retrieve the vNIC slot 2 filter name for web-sv-01a:
web-sv-01a : nic-682809-eth0-vmware-sfw.2
Note: the vNIC slot 2 filter name may vary based on vPOD.
Type the following commands to see the DFW configuration for web-sv-01a:
# vsipioctl getrules -f nic-682809-eth0-vmware-sfw.2
# vsipioctl getaddrsets -f nic-682809-eth0-vmware-sfw.2

Lab Exercise 10 – NSX Distributed Firewall Step 5
§  Check DFW configuration for app-sv-01a and db-sv-01a: Open a PUTTY session on esxcomp-02a. Use root / VMware1! to log into the ESXi host. Type the following command to see all VM filter names:
# summarize-dvfilter
Retrieve the vNIC slot 2 filter names for app-sv-01a and db-sv-01a:
app-sv-01a : nic-683322-eth0-vmware-sfw.2
db-sv-01a  : nic-745011-eth0-vmware-sfw.2
Type the following commands to see the DFW configuration for app-sv-01a:
# vsipioctl getrules -f nic-683322-eth0-vmware-sfw.2
# vsipioctl getaddrsets -f nic-683322-eth0-vmware-sfw.2

Lab Exercise 10 – NSX Distributed Firewall Step 5
§  Check DFW configuration for app-sv-01a and db-sv-01a (cont'd): Type the following commands to see the DFW configuration for db-sv-01a:
# vsipioctl getrules -f nic-745011-eth0-vmware-sfw.2
# vsipioctl getaddrsets -f nic-745011-eth0-vmware-sfw.2
Verify that each VM gets only the DFW policy rules that strictly apply to itself: using "Applied To" with a Security-Group object restricts the scope of DFW rule publishing to members of the S-G only!
§  Check DFW configuration for web-sv-02a: Open a PUTTY session on esxcomp-01b. Check the DFW configuration for web-sv-02a using the same actions as before.
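The two behaviours Step 4 and Step 5 verify by hand (which rules land on which vNIC filter because of "Applied To", and how a flow is matched top-down against that per-vNIC list before falling through to the default rule) are easy to get wrong when reading vsipioctl output. The following offline model is an added example, not VMware code and not the DFW's actual implementation: it reproduces the lab's rule set and evaluates flows at a single vNIC filter (the real DFW also applies the peer VM's filter). Rule ids other than the default rule (1002, as the lab shows) and the resolved group membership are constructed for the example.

```python
"""Offline model of the Lab 10 DFW rule set: per-vNIC rule scoping and first-match
evaluation. Added illustration only; membership and rule ids are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Inventory mirroring Steps 1-3 (groups already resolved to VMs).
VM_IPS = {
    "web-sv-01a": "172.16.10.11", "web-sv-02a": "172.16.10.12",
    "app-sv-01a": "172.16.20.11", "db-sv-01a": "172.16.30.11",
}
GROUPS = {
    "SG-WEB": {"web-sv-01a", "web-sv-02a"},
    "SG-APP": {"app-sv-01a"},
    "SG-DB": {"db-sv-01a"},
}
# Service objects as (protocol, destination port). ICMP matches no service here.
SERVICES = {
    "HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}, "SSH": {("tcp", 22)},
    "TCP-8443": {("tcp", 8443)}, "MYSQL": {("tcp", 3306)},
}
CONTROL_CENTER = "192.168.110.10"
ANY = frozenset({"ANY"})


@dataclass(frozen=True)
class Rule:
    rid: int
    name: str
    src: FrozenSet[str]         # group names, VM names, IPs/CIDRs, or ANY
    dst: FrozenSet[str]
    services: FrozenSet[str]    # service names, or ANY
    action: str                 # allow | block | reject
    applied_to: FrozenSet[str]  # group/VM names, or ANY (every vNIC)


def fs(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# Sections top to bottom as built in Step 4: each new section was inserted
# directly above the default section, so INTRA-TIER stays on top.
LAB_RULES: List[Rule] = [
    Rule(1003, "WEB to WEB", fs("SG-WEB"), fs("SG-WEB"), fs("HTTP"), "allow", fs("SG-WEB")),
    Rule(1004, "ANY to WEB", ANY, fs("SG-WEB"), fs("HTTP", "HTTPS"), "allow", fs("SG-WEB")),
    Rule(1005, "WEB to APP", fs("SG-WEB"), fs("SG-APP"), fs("SSH", "TCP-8443"), "allow",
         fs("SG-WEB", "SG-APP")),
    Rule(1006, "APP to DB", fs("SG-APP"), fs("SG-DB"), fs("MYSQL"), "allow", fs("SG-APP", "SG-DB")),
    Rule(1007, "SSH to VM", fs(CONTROL_CENTER), fs("web-sv-01a", "web-sv-02a", "app-sv-01a"),
         fs("SSH"), "allow", fs("web-sv-01a", "web-sv-02a", "app-sv-01a")),
    Rule(1002, "Default Rule", ANY, ANY, ANY, "block", ANY),
]


def _addresses(obj: str) -> Optional[set]:
    """Resolve a rule object to a set of IP/CIDR strings; None means ANY."""
    if obj == "ANY":
        return None
    if obj in GROUPS:
        return {VM_IPS[vm] for vm in GROUPS[obj]}
    if obj in VM_IPS:
        return {VM_IPS[obj]}
    return {obj}


def _covers(ip: str, objs: FrozenSet[str]) -> bool:
    """True when ip falls under any object in objs."""
    for obj in objs:
        addrs = _addresses(obj)
        if addrs is None:
            return True
        for a in addrs:
            if "/" in a:
                if ip_address(ip) in ip_network(a, strict=False):
                    return True
            elif a == ip:
                return True
    return False


def vnic_rules(vm: str, rules: List[Rule] = LAB_RULES) -> List[Rule]:
    """Rules installed on vm's vNIC filter: the list vsipioctl getrules would show."""
    return [r for r in rules
            if any(o == "ANY" or o == vm or vm in GROUPS.get(o, ()) for o in r.applied_to)]


def evaluate(vnic_vm: str, src_ip: str, dst_ip: str, proto: str, dport: Optional[int],
             rules: List[Rule] = LAB_RULES) -> Tuple[str, int]:
    """Verdict for a flow seen at vnic_vm's filter: first matching rule wins."""
    for r in vnic_rules(vnic_vm, rules):
        if not (_covers(src_ip, r.src) and _covers(dst_ip, r.dst)):
            continue
        if "ANY" not in r.services and not any((proto, dport) in SERVICES[s] for s in r.services):
            continue
        return r.action, r.rid
    raise LookupError(f"no rule matched on {vnic_vm}: the default rule is missing")


if __name__ == "__main__":
    for vm in VM_IPS:
        print(vm, [r.name for r in vnic_rules(vm)])
    print("web -> db mysql:", evaluate("web-sv-01a", "172.16.10.11", "172.16.30.11", "tcp", 3306))
    print("app -> db mysql:", evaluate("app-sv-01a", "172.16.20.11", "172.16.30.11", "tcp", 3306))
```

db-sv-01a receives only "APP to DB" and the default rule, which is exactly what Step 5 asks you to confirm on esxcomp-02a; the same model predicts the Step 6 results (pings blocked, intra-tier HTTP and web-to-app SSH allowed).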

Lab Exercise 10 – NSX Distributed Firewall Step 6
Step objective: let's check that the DFW rules are working properly, meaning intra-tier and inter-tier application access control are enforced as expected.
§  Connectivity and application access check from web-sv-01a: Open (or re-use) a PUTTY session on web-sv-01a (root / VMware1!). Test ping connectivity to the other VMs (web-sv-02a, app-sv-01a, db-sv-01a) using the following commands:
# ping 172.16.10.12 (web-sv-02a)
# ping 172.16.20.11 (app-sv-01a)
# ping 172.16.30.11 (db-sv-01a)
# ping 172.16.10.1 (default GW)
All pings should fail as there is no policy rule allowing ICMP.
Send a HTTP request to web-sv-02a using the following command:
# curl http://172.16.10.12
You should see a response from web-sv-02a as the DFW policy rule inside the INTRA-TIER ACCESS CONTROL section allows it.
Initiate a SSH session to app-sv-01a using the command:
# ssh 172.16.20.11
SSH should work as the DFW policy rule inside the INTER-TIER ACCESS CONTROL section allows it.

Lab Exercise 10 – NSX Distributed Firewall Step 6
§  Connectivity and application access check from app-sv-01a: Open (or re-use) a PUTTY session on app-sv-01a (root / VMware1!). Test ping connectivity to the other VMs (web-sv-01a, web-sv-02a, db-sv-01a) using the following commands:
# ping 172.16.10.11 (web-sv-01a)
# ping 172.16.10.12 (web-sv-02a)
# ping 172.16.30.11 (db-sv-01a)
# ping 172.16.20.1 (default GW)
All pings should fail as there is no policy rule allowing ICMP.
Simulate a MySQL request to db-sv-01a using the following command:
# mysql -u root -h 172.16.30.11 -p
Type VMware1! when the system prompts for the password. You should see a response from db-sv-01a as the APP to DB policy rule inside the INTER-TIER ACCESS CONTROL section allows it.

Lab Exercise 10 – NSX Distributed Firewall Step 6
§  Verify Control Center can still access the ABC Medical APP – OneArm web page: Open a new tab on FIREFOX. Click on the ABC Medical App – OneArm shortcut. You should be able to see the web page:

Lab Exercise 10 – NSX Distributed Firewall Step 7
Step objective: to check the behavior of the Reject action (versus the Block action).
§  Change default rule action from Block to Reject: Go to NSX Home and click on the Firewall menu. Expand the default section Layer3. Select the Default Rule and change the action field from Block to Reject. Enable Log for the Default Rule. Click on Publish Changes to enforce the new policy rules (check you get the Last Publish Operation Succeeded message after the publish).
§  You should have the same window as shown below:

Lab Exercise 10 – NSX Distributed Firewall Step 7
§  Check DFW configuration at VM layer: Open (or re-use) a PUTTY session on esxcomp-01a (root / VMware1!). Type the following command to see the updated DFW configuration applied on the VM (web-sv-01a here):
# vsipioctl getrules -f nic-682809-eth0-vmware-sfw.2
You should see the Reject keyword in the default rule (rule 1002).

20.Lab Exercise 10 – NSX Distributed Firewall Step 7 §  Test ping connectivity from web-sv-01a: Open (or re-use) a console session on web-sv-01a (root / VMware1!).16. app-sv-01a. db-sv-01a) using the following commands: # ping 172.11 (app-sv-01a) # ping 172. RST packets for TCP connections §  You should obtain the following output: 32 Confidential .11 (db-sv-01a) # ping 172. Test ping connectivity to other VMs (web-sv-02a.16.1 (default GW) Reject action will send back to initiator: ICMP unreachable with network administratively prohibited code for UDP.12 (web-sv-02a) # ping 172. ICMP and other IP connections.16.16.30.10.10.

log §  You should obtain this type of output: 33 Confidential . Type the following command to see DFW packets logs on the ESXi host: # tail -f /var/log/dfwpktlogs.Lab Exercise 10 – NSX Distributed Firewall Step 7 §  Check DFW packet log on ESXi host: Open (or re-use) a PUTTY session on esxcomp-01a (root / VMware1!).

Lab Exercise 10 – NSX Distributed Firewall Step 7 §  Change intra-tier policy rule (WEB to WEB) from Allow to Reject: Select rule Web to Web. Change Action field from Allow to Reject. Double check Log is enabled for this rule. §  You should have the same window as shown below: 34 Confidential . Click on Publish Changes to enforce the new policy rules (check you get Last Publish Operation Succeeded message after the publish).

Lab Exercise 10 – NSX Distributed Firewall Step 7
§  Check HTTP request from web-sv-01a: Open (or re-use) a console session on web-sv-01a. Simulate a HTTP request using the following command:
# curl http://172.16.10.12
The Reject action sends back to the initiator: an ICMP unreachable with the "communication administratively prohibited" code for UDP, ICMP and other IP connections, and RST packets for TCP connections. Because the SYN is answered with a RST, curl fails immediately with a connection refused error instead of hanging until it times out. You should obtain this type of output:
§  Check DFW packet log on ESXi host: Open (or re-use) a PUTTY session on esxcomp-01a. Type the following command to see the DFW packet logs on the ESXi host:
# tail -f /var/log/dfwpktlogs.log
You should be able to see the log entries for the HTTP request as shown here:

Lab Exercise 10 – NSX Distributed Firewall Step 7 §  Modify DFW configuration for next steps: Select rule Web to Web and modify Action field from Reject to Allow. §  You should have the same window as shown below: 36 Confidential . Click on Publish Changes to enforce the new policy rules (check you get a Last Publish Operation Succeeded message after the publish).

Lab Exercise 10 – NSX Distributed Firewall Step 8
Step objective: to see the capabilities provided by the advanced rules filtering UI.
§  Advanced Rules Filtering UI capabilities: Go to NSX Home and click on the Firewall menu. Click on the Apply Filter button. In the Source field, enter the IP address of web-sv-01a, which is 172.16.10.11, and then click on Apply. Only rules matching this condition will be displayed on the DFW policy rule table.

Lab Exercise 10 – NSX Distributed Firewall Step 8
§  Advanced Rules Filtering UI capabilities (cont'd): Click on the Apply Filter button. In the Source field, select VM app-sv-01a and then click on Apply. Only rules matching this condition will be displayed on the DFW policy rule table.

Lab Exercise 10 – NSX Distributed Firewall Step 8
§  Advanced Rules Filtering UI capabilities (cont'd): Click on the Apply Filter button. Delete the Source field content, select Action equal Reject and then click on Apply. Only rules matching this condition will be displayed on the DFW policy rule table.

Lab Exercise 10 – NSX Distributed Firewall Step 8 §  Advanced Rules Filtering UI capabilities (cont’d): Click on Apply Filter button. Only rules matching this condition will be displayed on the DFW policy rule table. 40 Confidential . Then click on Apply. Change Action to Any and type ‘WEB’ in the Name field.

Lab Exercise 10 – NSX Distributed Firewall Step 8
§  Advanced Rules Filtering UI capabilities (cont’d):
Click on Apply Filter button.
Delete the Name field content and select HTTP in the Specify Service field. Then click on Apply.
Only rules matching this condition will be displayed on the DFW policy rule table.

Click on the Remove Applied Filter button to see all DFW rules again:


Lab Exercise 10 – NSX Distributed Firewall Step 9
Step objective: to configure and verify CPU/Memory/CPS Threshold function.

§  Retrieving Threshold values using REST API:
Click on RESTClient icon inside FIREFOX.
Select Headers -> Custom Header. Use Name = Content-Type and Value = application/xml. Click on OK.
Select Authentication -> Basic Authentication. Use Username = admin and Password = VMware1!. Click on OK.
Select Method = GET and enter the following URL information:
https://192.168.110.42/api/4.0/firewall/stats/eventthresholds

Click on SEND.


Lab Exercise 10 – NSX Distributed Firewall Step 9

§  You should obtain the following window:


Lab Exercise 10 – NSX Distributed Firewall Step 9
§  Retrieving Threshold values on ESXi host using CLI: Open (or re-use) a PUTTY session on esxcomp-01a (use root / VMware1!). Enter the following command to retrieve the CPU/Memory/CPS thresholds set on the host:
# vsipioctl getthresholds
You should obtain this result:

42/api/4. 45 Confidential .168. Check that success is displayed in the Response section.0/firewall/stats/eventthresholds In the Body section.Lab Exercise 10 – NSX Distributed Firewall Step 9 §  Setting Threshold values using REST API (RESTClient UI): Select Method -> PUT. enter the following information: <eventThresholds> <cpu> <percentValue>1</percentValue> </cpu> <memory> <percentValue>1</percentValue> </memory> <connectionsPerSecond> <value>1</value> </connectionsPerSecond> </eventThresholds> Click on SEND button. Enter the following URL information: https://192.110.

Lab Exercise 10 – NSX Distributed Firewall Step 9 §  Generate Traffic to trigger threshold crossing: Open a console session on web-sv-02a ( use root / VMware1! ).16. Type the following command: # vsipioctl getthresholds You should be able to see current usage values exceed threshold configuration 46 Confidential . Enter the following command to send high number of HTTP request to web-sv-01a: # ab2 –n 6000000 –c 100 –w http://172.10.11/ (don’t forget the / at the end of the URL otherwise the command will not work) §  Check on ESXi host real time CPU/Memory/CPS value: Open (or re-use) a PUTTY session on esxcomp-01a.

Lab Exercise 10 – NSX Distributed Firewall Step 9 §  Check alarms raised in NSX Manager – System Events window: Go to NSX Home -> NSX Managers. Click on NSX Manager IP address (192.42) and select Monitor -> System Events.110.168. You should be able to see alarms related to DFW CPU/Memory/CPS threshold crossed: 47 Confidential .

Lab Exercise 10 – NSX Distributed Firewall Step 9
§  Check logs on ESXi host: Open (or re-use) a PUTTY session on esxcomp-01a. Go to /var/log using the following command:
# cd /var/log
Type the following command to see the syslog entries related to the CPU/Memory/CPS threshold alerts:
/var/log # grep threshold vsfwd.log
You should be able to see the following messages:
§  Stop the ab2 command running on web-sv-02a.
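Step 9 drives the threshold API through the RESTClient UI. The script below is an added example (not VMware code) of doing the same from Python so that thresholds can be set, read back and compared against the host's current usage in one place. It only uses the request body shape the lab shows; that the GET response carries the same eventThresholds document is an assumption. The NSX Manager address, the credentials and the usage figures in the test are taken from or constructed for this lab, and the 1% values the lab sets are deliberately low to force alarms, so the builder refuses only values outside the percentage range rather than judging sensible ones.

```python
"""Set, read back and evaluate DFW CPU/Memory/CPS event thresholds through the
NSX Manager REST API. Added example; the GET response shape is assumed to
match the PUT body shown in the lab."""
import base64
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple
from xml.etree import ElementTree as ET

NSX_MANAGER = "https://192.168.110.42"                                  # lab value
THRESHOLD_URL = NSX_MANAGER + "/api/4.0/firewall/stats/eventthresholds"  # lab value


def build_threshold_body(cpu_pct: int, mem_pct: int, cps: int) -> bytes:
    """Serialise the eventThresholds document the PUT expects."""
    for label, pct in (("cpu", cpu_pct), ("memory", mem_pct)):
        if not 1 <= pct <= 100:
            raise ValueError(f"{label} threshold must be a percentage in 1..100, got {pct}")
    if cps < 1:
        raise ValueError(f"connectionsPerSecond threshold must be positive, got {cps}")
    root = ET.Element("eventThresholds")
    ET.SubElement(ET.SubElement(root, "cpu"), "percentValue").text = str(cpu_pct)
    ET.SubElement(ET.SubElement(root, "memory"), "percentValue").text = str(mem_pct)
    ET.SubElement(ET.SubElement(root, "connectionsPerSecond"), "value").text = str(cps)
    return ET.tostring(root, encoding="utf-8")


def parse_thresholds(xml_doc) -> Dict[str, int]:
    """Read an eventThresholds document (bytes or str) back into a dict."""
    root = ET.fromstring(xml_doc)
    if root.tag != "eventThresholds":
        raise ValueError(f"unexpected root element {root.tag!r}")
    fields = {
        "cpu": root.findtext("cpu/percentValue"),
        "memory": root.findtext("memory/percentValue"),
        "cps": root.findtext("connectionsPerSecond/value"),
    }
    missing = [k for k, v in fields.items() if v is None]
    if missing:
        raise ValueError(f"threshold document lacks {missing}")
    return {k: int(v) for k, v in fields.items()}


def crossed(thresholds: Dict[str, int], usage: Dict[str, float]) -> List[str]:
    """Metrics whose current usage (e.g. from vsipioctl getthresholds) meets
    or exceeds the configured threshold; these are the System Events to expect."""
    return [k for k in ("cpu", "memory", "cps") if usage.get(k, 0) >= thresholds[k]]


def nsx_request(method: str, url: str, user: str, password: str,
                body: Optional[bytes] = None, cafile: Optional[str] = None) -> Tuple[int, bytes]:
    """Authenticated call to NSX Manager. Pass the manager's CA bundle via cafile;
    cafile=None skips certificate verification and is acceptable only for the
    isolated lab, never for a production manager."""
    req = urllib.request.Request(url, data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/xml")
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Lab walk-through: set 1/1/1, read back, then compare with host usage.
    status, _ = nsx_request("PUT", THRESHOLD_URL, "admin", "VMware1!", build_threshold_body(1, 1, 1))
    print("PUT status:", status)
    status, doc = nsx_request("GET", THRESHOLD_URL, "admin", "VMware1!")
    limits = parse_thresholds(doc)
    host_usage = {"cpu": 3.0, "memory": 0.4, "cps": 250}   # constructed sample values
    print("thresholds:", limits, "crossed:", crossed(limits, host_usage))
```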

NSX Service Composer Lab Exercises

Lab Exercise 11 – Deploy/Apply/Automate w/Service Composer
Goal: Demonstrate Trend Micro Deep Security integration with Guest & Network introspection services and NSX Service Composer. We will be using the AV and IPS features of Trend Micro.
1)  First, as we changed the DFW default rule to Block in the previous exercise, we will now allow certain traffic for future lab exercises. Add sec-mgr-01a and big-iq-01a to the NSX DFW Exclusion List to ensure they are not blocked by the firewall rules defined in the previous lab exercise. Refer to the NSX Admin Guide on the desktop for details on where to configure an exclusion.
2)  Create 2 DFW rules at the top of the Default Section to allow inbound and outbound access for VM av-win7-01a.
3)  Then power on Virtual Machine sec-mgr-01a in the Management and Edge Cluster.
4)  Once the Windows VM has finished booting:
•  Click to open a new tab in Firefox on the ControlCenter
•  Click on the Trend Micro Deep Security bookmark
•  Login to Trend Micro Deep Security Manager with username = admin and Password = VMware1!
•  Click Sign In

Lab Exercise 11 – Service Insertion
The first step is to insert the Trend Micro service into the NSX platform.
4)  After logging in, you will see the Trend Micro Deep Security dashboard as shown below.
5)  Click on Computers. On the Computers tab, click on New -> Add VMware vCenter.
6)  Complete the registration for both vCenter & NSX to insert the service into NSX (accept any certificates) and click Finish.

Lab Exercise 11 – Service Insertion
Verify Service Insertion is successful by going to the Service Definitions pane in the vSphere Web Client. Also verify that you can see all VMs and ESXi hosts in the Computers tab of the Trend Micro console.

Lab Exercise 11 – Deploy Guest Introspection Service
The next step is to deploy the Guest Introspection Service, as we have already completed a successful Host Preparation. Under Networking & Security -> Installation -> Service Deployments, click the green Add and choose Guest Introspection, leaving the default schedule as Deploy Now. Use the following values:
•  Datacenter: ABC Medical
•  Cluster: Compute Cluster B
•  Datastore: ds-site-a-nfs02
•  Network: Compute_VDS - Mgmt
•  IP assignment: DHCP

Lab Exercise 11 – Deploy Guest Introspection Service
Deployment and status update will take several minutes, so after some time verify the Guest Introspection Service Deployment Status has changed from Warning to Up. This process deploys a USVM (Universal Services VM) per host in the prepared cluster. Review USVM progress and check for the Guest Introspection VMs under the ESX Agents Resource Pool. Each ESXi host in the cluster you have selected for service deployment will have a dedicated USVM.

Lab Exercise 11 – Deploy Trend Micro Deep Security Service
The next step is to deploy the Trend Micro Service VM. The deployment steps are similar to the Guest Introspection Service. Under Networking & Security -> Installation -> Service Deployments, select Add and choose Trend Micro Deep Security Service.
•  Datacenter: ABC Medical
•  Cluster: Compute Cluster B
•  Datastore: ds-site-a-nfs02
•  Network: Compute_VDS - Mgmt
•  IP assignment: DHCP

Lab Exercise 11 – Deploy Trend Micro Deep Security Service
This will also take several minutes to complete; verify that the Trend Micro Deep Security Service deployment is successful. This process deploys a Trend Micro SVM (Service VM) per host in the prepared cluster. Each ESXi host in the cluster you have selected for service deployment will have a dedicated Trend Micro SVM.

Lab Exercise 11 – Prepare Trend Micro
§  We are going to use win7-av.corp.local to run security tests. The VM is available in cluster B (as av-win7-01a). The first step is to power it on.
§  Notice the eicar.com executable on the desktop; see if you are able to run it.
§  Now activate the VM in Trend Micro's console: Click on the Computers tab, click on the vCenter and search for the VM. Right click on the VM, click Actions -> Activate/Reactivate.
§  Verify that the VM is activated and the status changes from unmanaged to managed.

Lab Exercise 11 – Service Composer
Now a Security Group is needed to group the VMs protected by the Trend Micro Deep Security service. Navigate to Service Composer -> Security Groups.
§  Create and define the SG-Protected Security Group that includes the Virtual Machine av-win7-01a.

Lab Exercise 11 – Service Composer
Now we will create the Security Policy Object for the SG-Protected SG under Service Composer -> Security Policies.
§  Create a Security Policy with a name of AV Protection Security Policy and a Weight of 50,000.
§  Under Guest Introspection Services add a service with:
•  Name: Antivirus Scan
•  Action: Apply
•  Service Name: Trend Micro Deep Security
•  Service Profile: Trend Micro Deep Security_Deep Security Profile
•  State: Enabled
•  Enforce: Yes
§  Then click Finish to add the security policy.

Lab Exercise 11 – Service Composer
Next add a Security Group that will be used to isolate servers and restrict all network access if a vulnerability or virus is found by the Trend Micro Deep Security service. Again navigate to Service Composer -> Security Groups.
§  Create and define the Quarantine-Prod Security Group to include Dynamic Membership defined by Security Tag ANTI_VIRUS.VirusFound.threat=high.

Lab Exercise 11 – Service Composer
Now add the corresponding Security Policy Object for the Quarantine-Prod Security Group. Create the Quarantine-Prod SPO Security Policy with a Weight of 51,000 and add the following 2 Firewall rules:

    Source                      Destination                 Service   Action
1.  Policy's Security Groups    Any                         Any       Block
2.  Any                         Policy's Security Groups    Any       Block

§  Then click Finish.

Lab Exercise 11 – Service Composer
Assign the AV Protection Security Policy to the SG-Protected Security Group. Open the Service Composer -> Canvas tab and confirm the av-win7-01a VM is a member of the SG-Protected Security Group.

Lab Exercise 11 – Service Composer
Also assign the Quarantine-Prod SPO Security Policy to the Quarantine-Prod Security Group, and check the Service Composer Canvas to confirm there are no Virtual Machines in the Quarantine-Prod Security Group.

Lab Exercise 11 – AV Enforcement with DFW Test
1.  Open the Trend Micro console and double click on the av-win7-01a VM.
2.  Click on the Anti-Malware link on the left pane.
3.  Select Anti-Malware and on the General tab, change the Anti-Malware Configuration to On.
§  Now in the Manual Scan section, uncheck the Inherited check box, then assign the Default Manual Scan Configuration.
§  Click Save.
§  In the lab exercise we will not configure a Real-Time Scan, to allow the process to be observed (rather than having infected files cleaned up automatically), although in production you would typically use real-time scanning.

Lab Exercise 11 – AV Enforcement with DFW Test
4.  Click on the Advanced tab.
5.  Go to the NSX Security Tagging section. Uncheck Inherited and select Apply NSX Security Tag only if remediation action fails.
6.  Select ANTI_VIRUS.VirusFound.threat=high in the NSX Security tag.
7.  Click Save and then close the window.

Lab Exercise 11 – AV Enforcement with DFW Test
8.  Open a cmd window on the Control Center and run a continuous ping test to the avwin7-01a VM to verify it is accessible.
9.  Right-click on the VM avwin7-01a in the Trend Micro console and then click on Actions > Full Scan for Malware to start the scan.
10.  Take a short break as the scan will take several minutes to complete.

Lab Exercise 11 – AV Enforcement with DFW Test §  After the scan completed. check the VM Summary screen to see we have two SG memberships and the security tag is applied §  Go to Service Composer -> Canvas View and verify the VM membership of the Quarantine Prod security group 67 Confidential .

Lab Exercise 11 – AV Enforcement with DFW Test §  Verify that the ping test running on the VM now shows connectivity lost §  This quarantine process allows the NSX/security administrator to investigate the VM and ensure there are no other issues. before network connectivity is restored §  While dynamic detection and enforcement of security policy highlights the flexibility of NSX Service Composer and one of the available 3rd party integration solutions 68 Confidential .

Lab Exercise 11 – Cleanup
§  Before proceeding to the next test, update the Security Tag on the avwin7-01a virtual machine manually. From the Summary tab of the avwin7-01a virtual machine, in the Security Tags pane select Manage.
§  Uncheck the "ANTI_VIRUS.VirusFound.threat=high" Security Tag and click OK.

Lab Exercise 11 – IPS Enforcement §  First test that we can use the search function of the Admin Portal by accessing the admin page again and enter the following into the search input: google §  This should return the same string as a search result 70 Confidential .

Lab Exercise 11 – IPS Enforcement §  Now we will update the AV Protection Security Policy Security Policy with IPS rules. 71 Confidential . §  Navigate to Service Composer-> Security Policies and edit the AV Protection Security Policy.

Lab Exercise 11 – IPS Enforcement
§  Add 2 new rules in the Network Introspection tab:
•  Redirect Outbound Traffic to Trend Micro
•  Redirect Inbound Traffic to Trend Micro

Lab Exercise 11 – IPS Enforcement §  Click Finish to update the security policy with network introspection rules. 73 Confidential .

Lab Exercise 11 – IPS Enforcement
§  Since the security policy is already applied to a security group, verify that the new rules are reflected in the security group.
§  Go to Canvas View and click on the security group SG Protected.
§  Verify you see the rules that you created.

Lab Exercise 11 – IPS Enforcement
Let's create the test signature that we would like to block.
1.  Open the Trend Micro console and double-click on the avwin7-01a VM.
2.  Click on the Intrusion Prevention link on the left pane. In the General tab, section Intrusion Prevention, set Configuration to On.
3.  Select Assign / Unassign in the Assign Intrusion Prevention rule section to open a new window.

Lab Exercise 11 – IPS Enforcement §  We will create a specific IPS signature for our test. Click on New . Change the rule name in the General tab to Test IPS Select Application Type as Web Client Internet Explorer In the Rules tab add google as a signature and the Option tab select schedule as Every Day All Day 76 Confidential .> New Intrusion Prevention Rule in the IPS Rules window.

Lab Exercise 11 – IPS Enforcement §  Click Save to apply the IPS rule to the VM and to apply the policy 77 Confidential .

Lab Exercise 11 – IPS Enforcement
§  Wait till the policy is applied, then open IE again and test searching
§  Again use the string: google
§  This time the page should be blocked by the Trend IPS

Lab Exercise 11 – IPS Enforcement
From the Trend Micro Deep Security console, again double-click on the avwin7-01a VM and access the Intrusion Prevention menu.
1.  In the Events tab, section Intrusion Prevention, click on Get Events at the bottom of the screen.
2.  This should return a match for the Test IPS rule, where the connection that matched the google pattern was Reset.
3.  Double-click on the event to retrieve detailed information on the traffic which was redirected by NSX to the Trend IPS.
4.  You have now completed the Service Composer lab exercises.

NSX F5 Integration Lab Exercises

NSX vSphere Training – Management Components (diagram: Control Center, vCenter Server A, vCenter Server B, NSX Manager, NSX Controller Nodes 1–3, vCenter Orchestrator, Log Insight, Trend Deep Security, F5 BIG-IQ, Storage Appliance and vPod Router on the Mgmt, Mgmt Site B and F5-Mgmt networks)

NSX vSphere Training – Logical View (diagram: Perimeter NSX Edge (HA, FW, NAT, LB, VPN Services) with Dynamic Routing (BGP) over Transit-Network-01 to the Distributed Logical Router; Distributed Firewall; F5 BIG-IP VE (LB) with pools on Mgmt_Edge_VDS-HQ_Uplink, F5-Mgmt, Mgt and Web-Tier-01; Web-Tier-01 172.16.10.0/24 with web-sv-01a and web-sv-02a; App-Tier-01 172.16.20.0/24 with app-sv-01a; DB-Tier-01 172.16.30.0/24 with db-sv-01a; Control Center on the Mgt network)

Lab Exercise 12 – F5 NSX Integration
1.  Validation of readiness of the environment
2.  NSX/F5 Registration
3.  F5 BIG-IP VE Auto-Deployment
4.  NSX/F5 ADC configuration

Lab Exercise 12 – F5 NSX Integration Step 1
1.  Validation of readiness of the environment
2.  NSX/F5 Registration
3.  F5 BIG-IP VE Auto-Deployment
4.  NSX/F5 ADC configuration

Lab Exercise 12 – F5 NSX Integration Step 1 §  Update BIG-IQ NIC interfaces with VDS Note: Those port groups should have been created during Day1 on Mgmt_Edge_VDS. If not created yet. Create New Distributed Port Group 85 Confidential . create them: From vCenter Home -> Networking.

Lab Exercise 12 – F5 NSX Integration Step 1
§  Validate the BIG-IP VE OVF is accessible
To verify the BIG-IP OVF file is accessible, open a browser and enter the following URL: http://192.168.110.60/BIGIP-11.5.1.0.0.110-ide.ovf
Note: The web server hosting the BIG-IP VE OVF file is the storage server

Lab Exercise 12 – F5 NSX Integration Step 1
§  Validate BIG-IQ IP configuration
•  BIG-IQ Management interface and default gateway: This is the interface connected to F5 Management

[root@big-iq-01a:Active] config # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:56:8E:32:9E
          inet addr:192.168.111.91  Bcast:192.168.111.255  Mask:255.255.255.0

[root@big-iq-01a:Active] config # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
<snip>
0.0.0.0         192.168.111.2   0.0.0.0         UG        0 0          0 internal
0.0.0.0         192.168.111.2   0.0.0.0         UG        0 0          0 eth0

•  Once these details are verified you can proceed with configuration of the F5 NSX Integration
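As an added readiness check that is not part of the VMware lab guide, the script below parses `ifconfig eth0` and `netstat -rn` output of the kind shown above and confirms that the BIG-IQ management IP (192.168.111.91) and default gateway (192.168.111.2) match the lab topology; the sample output embedded in it is constructed from the values on this slide, and the optional OVF URL check only runs when the script is started with `--live`.

```shell
#!/bin/sh
# Added readiness check for Lab 12 Step 1; not part of the VMware lab guide.
# It parses `ifconfig eth0` and `netstat -rn` output captured on BIG-IQ and
# confirms the management IP and default gateway the lab expects.
# The sample output below is constructed to match the values the lab shows.

EXPECTED_IP="192.168.111.91"
EXPECTED_GW="192.168.111.2"
OVF_URL="http://192.168.110.60/BIGIP-11.5.1.0.0.110-ide.ovf"

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:50:56:8E:32:9E
          inet addr:192.168.111.91  Bcast:192.168.111.255  Mask:255.255.255.0'

SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.111.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.111.2   0.0.0.0         UG        0 0          0 eth0'

# Print the IPv4 address from ifconfig-style output (first "inet addr:" seen).
iface_ip() {
  printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Print the gateway of the default route (destination 0.0.0.0 with flag G).
default_gw() {
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Return 0 when both parsed values match the lab topology, 1 otherwise.
check_readiness() {
  ip=$(iface_ip "$1")
  gw=$(default_gw "$2")
  [ "$ip" = "$EXPECTED_IP" ] && [ "$gw" = "$EXPECTED_GW" ]
}

# Live check of the OVF download URL with an HTTP HEAD request (needs curl).
check_ovf_url() {
  curl -fsI "$1" >/dev/null
}

if check_readiness "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTES"; then
  echo "BIG-IQ management IP and default gateway match the lab topology"
else
  echo "BIG-IQ network configuration does not match the lab topology" >&2
fi
if [ "${1:-}" = "--live" ]; then
  check_ovf_url "$OVF_URL" && echo "OVF reachable: $OVF_URL" || echo "OVF not reachable: $OVF_URL" >&2
fi
```

On the real BIG-IQ, feed the functions live output instead of the samples, e.g. `check_readiness "$(ifconfig eth0)" "$(netstat -rn)"`.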

Lab Exercise 12 – F5 NSX Integration Step 2
1.  Validation of readiness of the environment
2.  NSX/F5 Registration
3.  F5 BIG-IP VE Auto-Deployment
4.  NSX/F5 ADC configuration

Lab Exercise 12 – F5 NSX Integration Step 2
§  [BIG-IQ] Create BIG-IQ connector
From BIG-IQ Cloud -> Connectors, click on + and follow the screenshots below
Password for all inputs is: VMware1!

Lab Exercise 12 – F5 NSX Integration Step 2 §  [BIG-IQ] Create BIG-IQ connector Validation: •  From NSX Home -> Service Definitions 90 Confidential .

Lab Exercise 12 – F5 NSX Integration Step 2 §  [BIG-IQ] Create BIG-IQ Tenant From BIG-IQ Cloud -> Tenants. click on + 91 Confidential .

Lab Exercise 12 – F5 NSX Integration Step 3
1.  Validation of readiness of the environment
2.  NSX/F5 Registration
3.  F5 BIG-IP VE Auto-Deployment
4.  NSX/F5 ADC configuration

Lab Exercise 12 – F5 NSX Integration Step 3
§  [NSX] Create F5 IP Pools
From NSX Home -> NSX Managers, click on NSX Manager, access Manage -> Grouping Objects -> IP Pools, and click +
The future BIG-IP VE will use the following IP addresses (the .105-109/24 range in each network):
•  F5-Mgt
•  HQ_Uplink
•  Web-Tier-01
•  Mgt

Lab Exercise 12 – F5 NSX Integration Step 3
§  [NSX] Enable Load Balancing with Service Insertion
From NSX Home -> NSX Edges, double-click on Edge, access Manage -> Load Balancer, and click Edit
•  Enable Load Balancer: Checked
•  Enable Service Insertion: Checked
•  Service Insertion: F5-NSX Connector
Note: This is the name of the NSX/F5 connector.
•  Service Configuration: F5 ADC – Make a BIG-IP VE
Note: Currently the only option available (will be enhanced once BIG-IP physical appliances are supported)

Lab Exercise 12 – F5 NSX Integration Step 3 §  [NSX] Enable Load Balancing with Service Insertion Cont. do not add or delete interfaces. : •  Service Instance Runtime Configuration •  Modify the BIG-IP VE interfaces as follow: Note1: Currently you must use IP allocation Mode of IP Pool. only modify the existing 4 Interfaces to match the screenshot above Note3: Do not use spaces in the interface name 95 Confidential . Note2: The interface order is important.

Lab Exercise 12 – F5 NSX Integration Step 3

§  [NSX] Enable Load Balancing with Service Insertion
Cont. :

•  Service Instance Runtime Configuration
•  Modify the BIG-IP VE interfaces as follows – cont. :
1.  F5-Mgt (this is the BIG-IP VE management interface)
2.  HQ-Uplink (this is the BIG-IP VE external interface)
3.  Web-Tier01 (this is the BIG-IP VE interface where the load balanced servers are)
4.  Mgt (this is the BIG-IP VE HA interface)
Note: BIG-IP VE HA is not currently supported. This interface is currently used for
mgt access.
Follow the order above precisely and edit the interfaces to match the port group & IP
configuration in the screenshot on the previous page, rather than trying to
delete & add new interfaces


Lab Exercise 12 – F5 NSX Integration Step 3

§  [NSX] Enable Load Balancing with Service Insertion
Cont. :

•  Required Service Configuration Parameter
•  Leave blank


Lab Exercise 12 – F5 NSX Integration Step 3

§  [NSX] Enable Load Balancing with Service Insertion
Cont. :

•  Typed Service Configuration Parameters
•  Modify the options as follows:
•  Make a new F5 BIG-IP VE?: yes
   This is to deploy a new F5 BIG-IP VE. This should always be “yes”.
•  Fully qualified host name of BIG-IP VE?: big-ip-01a.corp.local
•  Name of BIG-IP node template: BIG-IP-VE-11.5.1
   If not provided then one will be randomly selected.
•  HTTP URL of BIG-IP OVF file?: http://192.168.110.60/BIGIP-11.5.1.0.0.110-ide.ovf
   Note: The first time it’s required, as you must specify where to find the BIG-IP-VE
   OVF. If not specified it will use the last one specified.
•  Admin password of BIG-IP VE?: VMware1!

Lab Exercise 12 – F5 NSX Integration Step 3 §  [NSX] Enable Load Balancing with Service Insertion Cont. •  Log Level: Info This option doesn’t apply with Service Insertion 99 Confidential . •  Logging: Unchecked This option doesn’t apply with Service Insertion. : •  Enable Acceleration: Unchecked This option doesn’t apply with Service Insertion.

Lab Exercise 12 – F5 NSX Integration Step 3
§  [NSX] Enable Load Balancing with Service Insertion
Validation:
•  Validate the deployment of BIG-IP-VE
A few seconds later, the BIG-IP-VE should be deploying. From NSX Home, on the far right under Recent Tasks, select All Users’ Tasks

Lab Exercise 12 – F5 NSX Integration Step 3
§  [NSX] Enable Load Balancing with Service Insertion
Validation – cont. :
•  Validate the BIG-IP-VE gets its final Management IP configured via NSX
Once booted and with VMware Tools running, the F5 BIG-IP VE IP moves
•  from a 127.x.x.x (loopback) address
•  to “192.168.1.245”
•  to “IP received by DHCP server”
•  to “final IP configured from NSX”
Note: Each step can take a couple of minutes (especially the last step)
From vCenter Home -> Hosts and Clusters, click on BIG-IP VE

Lab Exercise 12 – F5 NSX Integration Step 3 §  [NSX] Enable Load Balancing with Service Insertion Validation – cont. : •  Validate the BIG-IP-VE gets added in BIG-IQ From BIG-IQ Cloud -> Devices The state “Pending” lasts for approximately 20 minutes ! This will be improved in a future BIG-IQ maintenance release 102 Confidential .

Lab Exercise 12 – F5 NSX Integration Step 3
§  [NSX] Enable Load Balancing with Service Insertion
Validation – cont. :
•  Verify the configuration is pushed to the BIG-IP VE
From BIG-IQ Cloud -> Devices. Also verify the Service Insertion Status is In Service via the vSphere Web Client

Lab Exercise 12 – F5 NSX Integration Step 3
§  [BIG-IQ] Create a BIG-IQ Catalog
•  Simple
From BIG-IQ Cloud -> Catalog, click on +

Lab Exercise 12 – F5 NSX Integration Step 3
§  [BIG-IQ] Create a BIG-IQ Catalog
•  Advanced
From BIG-IQ Cloud -> Catalog, click on +

Lab Exercise 12 – F5 NSX Integration Step 3
§  [BIG-IQ] Create a BIG-IQ Catalog
•  Validate the F5 Catalogs are correctly created on NSX
From NSX Home -> Service Definitions, double-click on BIG-IQ Connector, Manage > Profile Configurations

Lab Exercise 12 – F5 NSX Integration Step 4
1.  Validation of readiness of the environment
2.  NSX/F5 Registration
3.  F5 BIG-IP VE Auto-Deployment
4.  NSX/F5 ADC configuration

Lab Exercise 12 – F5 NSX Integration Step 4
§  [NSX] Configure Pool and VIP (diagram: Perimeter NSX Edge (HA, FW, NAT, LB, VPN Services), Distributed Logical Router, Distributed Firewall and F5 BIG-IP VE (LB); the VIP sits on Mgmt_Edge_VDS-HQ_Uplink and Pool-01 contains web-sv-01a and web-sv-02a on Web-Tier-01 172.16.10.0/24; App-Tier-01 172.16.20.0/24 with app-sv-01a and DB-Tier-01 172.16.30.0/24 with db-sv-01a are unchanged)

Lab Exercise 12 – F5 NSX Integration Step 4 §  [NSX] Configure Pool From NSX Home -> NSX Edges. 109 Confidential . double-click on Edge. go under Manage -> Load Balancer -> Pools Note: The fields Algorithm. Monitors. Transparent can be left as default since they are not used (information is taken from BIG-IQ Catalog). Algorithm Parameters.

Lab Exercise 12 – F5 NSX Integration Step 4 §  [NSX] Configure VIP simple From NSX Home -> NSX Edges. Port. go under Manage -> Load Balancer -> Virtual Servers Note: The fields Protocol. 110 Confidential . Connection Rate Limit can be left as default since they are not used (information is taken from BIG-IQ Catalog). Connection Limit. double-click on Edge.

Lab Exercise 12 – F5 NSX Integration Step 4 §  [NSX] Configure VIP advanced From NSX Home -> NSX Edges. go under Manage -> Load Balancer -> Virtual Servers Note: The fields Protocol. 111 Confidential . double-click on Edge. Connection Rate Limit can be left as default since they are not used (information is taken from BIG-IQ Catalog). Connection Limit. Port.

Lab Exercise 12 – F5 NSX Integration Step 4 §  [NSX] Configure VIP advanced •  Validate the Applications creation in BIG-IQ: From BIG-IQ Cloud -> Applications 112 Confidential .

Lab Exercise 12 – F5 NSX Integration Step 4
§  [NSX] Configure VIP advanced
•  Validate access to the VIP: From Control Center, open http://192.168.100.110/finance/data.html