Tag Archives: firewall

VCAP-DCA Study guide – 6.5 Troubleshoot vCenter Server and ESX/ESXi Host Management

Knowledge

  • Identify CLI commands and tools used to troubleshoot management issues

Skills and Abilities

  • Troubleshoot vCenter Server service and database connection issues
  • Troubleshoot the ESX Service Console firewall
  • Troubleshoot ESX/ESXi server management and connectivity issues
  • Determine the root cause of vSphere management or connectivity issue

Tools

Identify CLI tools used to troubleshoot management issues

  • vicfg-vswitch
  • vicfg-vmknic
  • vicfg-vswif
  • vpxd.exe -s

There are a few more covered later in this objective for restarting management agents on ESX/i hosts. This VMware article on resolution paths is a great place to start learning about troubleshooting.

Troubleshoot vCenter Server service and database connection issues

  • Check the VMware vCenter service is started and the account it’s configured to run as. Check that account isn’t locked out.
  • Start vCenter using vpxd.exe:
    • ‘vpxd.exe -s’ starts it as an application rather than a service. This shows error messages in plain text rather than the cryptic service codes.
    • ‘vpxd.exe -p’ refreshes the password hash used to connect to the database. Use it after replacing the default SSL certificates (VMwareKB1003070).
  • How to set SQL as a service dependency – blog post
  • With a lab setup and SQL Express the database often grows to the 4GB limit, at which point the vCenter service will fail. Follow VMwareKB1025914 for details of how to clear down data in the vCenter database.
  • Check the ODBC connectivity using the ‘Test’ button. Check the SQL security logs to see failed authentication attempts.


VMwareKB1003979 gives a good overview of the previous processes.
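The checks above (service state and run-as account, account lockout, database size against the SQL Express limit, failed SQL logins) as one PowerShell script. This is an added example, not from the original post; the SQL instance name, the database name VIM_VCDB and the 4GB limit are assumptions for a lab setup, and it is meant to run on the vCenter Server itself as an administrator.

```powershell
# Assumed values (edit for your environment): SQL Express instance and vCenter database name.
$SqlInstance       = '.\SQLEXPRESS'
$VcDatabase        = 'VIM_VCDB'
$SqlExpressLimitGB = 4   # database size limit of SQL Server Express; vpxd stops when it is hit

# 1. Service state and the account it runs as (Win32_Service exposes StartName; Get-Service does not)
$svc = Get-WmiObject Win32_Service -Filter "Name='vpxd'"
"vpxd service: state=$($svc.State) startmode=$($svc.StartMode) account=$($svc.StartName)"

# 2. If it runs as a domain account, check whether that account is locked out
if ($svc.StartName -match '^(?<domain>[^\\]+)\\(?<user>.+)$' -and $matches.domain -ne 'NT AUTHORITY') {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $acct = Get-ADUser -Identity $matches.user -Properties LockedOut
        "Service account $($matches.user) locked out: $($acct.LockedOut)"
    } catch { "Could not query AD for $($matches.user): $_" }
}

# 3. Database size against the Express limit (the failure mode described above)
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=$VcDatabase;Integrated Security=SSPI")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # size is in 8 KB pages; only data files count towards the Express limit, not the log
    $cmd.CommandText = "SELECT SUM(CAST(size AS bigint)) * 8 / 1024.0 FROM sys.database_files WHERE type_desc = 'ROWS'"
    $sizeMB = [double]$cmd.ExecuteScalar()
    $pct = [math]::Round(100 * $sizeMB / ($SqlExpressLimitGB * 1024), 1)
    "$VcDatabase data files: {0:N0} MB ({1}% of the {2} GB Express limit)" -f $sizeMB, $pct, $SqlExpressLimitGB
    if ($pct -ge 90) { 'WARNING: database is close to the Express size limit; clear down data (VMwareKB1025914)' }
} catch { "Database connection failed: $($_.Exception.Message)" } finally { $conn.Close() }

# 4. Failed SQL logins (SQL Server event 18456) in the last 24 hours, from the Application log
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 18456 -and $_.Source -like 'MSSQL*' } |
    Select-Object TimeGenerated, Source, Message | Format-Table -AutoSize
```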


VCAP-DCA Study notes – 7.3 vShield Zones

vShield Zones is basically a firewall framework to protect your VMs without requiring external or hardware-based firewalls. It requires Advanced or higher licensing. For study I’d suggest going through Eric Siebert’s blog posts (part one, two, and three) to start with (they cover real world issues) and then getting stuck into the official docs – they cover everything on the blueprint. There’s quite a bit to learn, making this one of the larger objectives on the VCAP-DCA blueprint.

NOTE: vShield Zones is NOT the same as vShield App, Edge, and Endpoint, so make sure you download the right version. The VCAP-DCA exam only covers v1.0 of vShield Zones (not the most recent v4.1) and doesn’t cover the more feature-rich vShield App Suite. See VMware’s product page for more details.

Knowledge

  • Identify vShield Zones components
  • Identify the four CLI command modes

Skills and Abilities

  • Configure vShield Zones
  • Backup and restore vShield Manager Data
  • Backup CLI Configuration
  • Create/Delete Layer 2/3/4 firewall rules using VM Wall
  • Install/Uninstall a vShield manually and from template
  • Configure vShield Manager plug-in capability
  • Configure VM Flow charts
  • Update vShield Zones
  • Add/Edit/Delete User Accounts
  • Assign rights to a user
  • Add/Delete Application-Port Pair mapping
  • Execute/Schedule Execution of virtual machine discovery
  • Utilize vShield Zones CLI commands to configure and monitor vShield Zones
  • Analyze traffic using VM Flow to determine root cause of network related issues

Installing vShield Zones

Deployed as an appliance with two components:

  • Setup the vShield Manager appliance
    • Deploy the vShield Manager from OVF
    • Create a port group on the vSwitch which hosts your VM traffic, named vsmgmt and amend the vNIC on the vShield Manager VM to use this network.
    • Power up the VM, login with ‘admin’ and ‘default’, then run ‘setup’ to configure the server.
    • Allocate IP details
    • Upgrade VMtools (you can use the ‘Automatic’ option – as the appliance is Linux-based, no reboot is required)
  • Initial install of the vShield Agent
    • Deploy from OVF and then convert to a template. This simply gets the agent ready for deployment.

If you’re wondering whether VMtools make a significant difference to this customised Linux appliance see (the pointless) VMwareKB1011501! You can also find out what’s new in vShield Zones 1.0 Update 1.
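The two deployment steps above, driven from PowerCLI instead of the vSphere Client. This is an added example and not from the original post or the vShield Zones docs; the host name, vSwitch name and OVF paths are assumptions, and the console ‘setup’ step remains manual.

```powershell
# Assumed values (not from the original post): target host, the vSwitch carrying VM traffic, OVF paths.
$VmHost     = Get-VMHost -Name 'esx01.lab.local'
$VmSwitch   = Get-VirtualSwitch -VMHost $VmHost -Name 'vSwitch1'   # the vSwitch with your VM port groups
$ManagerOvf = 'C:\vShield\vShield-Manager.ovf'
$AgentOvf   = 'C:\vShield\vShield-Agent.ovf'

# 1. Port group for the manager, on the same vSwitch as the VM traffic
if (-not (Get-VirtualPortGroup -VirtualSwitch $VmSwitch -Name 'vsmgmt' -ErrorAction SilentlyContinue)) {
    New-VirtualPortGroup -VirtualSwitch $VmSwitch -Name 'vsmgmt' | Out-Null
}

# 2. Deploy the vShield Manager from OVF and move its vNIC onto vsmgmt before first power-on
$manager = Import-VApp -Source $ManagerOvf -VMHost $VmHost -Name 'vShield-Manager'
Get-NetworkAdapter -VM $manager | Set-NetworkAdapter -NetworkName 'vsmgmt' -Confirm:$false | Out-Null
Start-VM -VM $manager | Out-Null
# Manual step: open the console, log in as admin/default and run 'setup' to assign the IP details.

# 3. Once VMware Tools reports in, upgrade it without a reboot (Linux appliance)
Wait-Tools -VM $manager -TimeoutSeconds 600 | Out-Null
Update-Tools -VM $manager -NoReboot

# 4. The agent is deployed from OVF only so it can be converted to a template for later deployment
$agent = Import-VApp -Source $AgentOvf -VMHost $VmHost -Name 'vShield-Agent'
Set-VM -VM $agent -ToTemplate -Confirm:$false
```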


VCAP-DCA Study notes – 7.2 Configure and Maintain the ESX Firewall

A blessedly quick objective this one! Quite why the ESXi Configuration Guide is listed in the blueprint is anyone’s guess, as ESXi doesn’t contain a firewall! The blueprint also lists vicfg-firewall, which is a typo – they mean esxcfg-firewall, as vicfg-firewall doesn’t exist!

Knowledge

  • Identify vicfg-firewall commands
  • Explain the three firewall security levels
  • Identify ESX firewall architecture with/without vCenter Server

Skills and Abilities

  • Enable/Disable pre-configured services
  • Configure service behavior automation
  • Open/Close ports in the firewall
  • Create a custom service
  • Set firewall security level

Firewall architecture

The ESX Configuration Guide talks very generally about where to put firewalls to protect traffic. In reality I can’t see much difference in architecture whether you have a vCenter server or not. These two diagrams are from the ESX Configuration Guide – minimal differences!

The firewall is ESX only (there’s no ESXi firewall as no service console).

Firewall security levels

Three firewall security levels (high is the default):

  1. High (outbound blocked, limited inbound allowed: 902, 443, 22, 123 and a few others, including ICMP)
  2. Medium (outbound allowed, inbound blocked apart from allowed services)
  3. Off
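The three levels are just the two halves of the firewall’s default policy (block incoming, block outgoing), which is what esxcfg-firewall sets with --blockIncoming/--allowOutgoing and so on. The PowerCLI below reads that policy from an ESX host and maps it back to the level names, lists the enabled pre-configured services with their ports, and sets a level. This is an added example, not from the original post; the host name is an assumption.

```powershell
# Assumed host name (not from the original post).
$VmHost = Get-VMHost -Name 'esx01.lab.local'

function Get-EsxFirewallLevel {
    param([Parameter(Mandatory=$true)]$VMHost)
    # Default policy = what esxcfg-firewall --blockIncoming / --blockOutgoing / --allowOutgoing set
    $policy = Get-VMHostFirewallDefaultPolicy -VMHost $VMHost
    $level = if (-not $policy.IncomingEnabled -and -not $policy.OutgoingEnabled) { 'High' }
             elseif (-not $policy.IncomingEnabled -and $policy.OutgoingEnabled)  { 'Medium' }
             elseif ($policy.IncomingEnabled -and $policy.OutgoingEnabled)       { 'Off' }
             else { 'Non-standard (incoming allowed, outgoing blocked)' }
    New-Object PSObject -Property @{
        VMHost          = $VMHost.Name
        Level           = $level
        IncomingBlocked = -not $policy.IncomingEnabled
        OutgoingBlocked = -not $policy.OutgoingEnabled
    }
}

function Set-EsxFirewallLevel {
    param([Parameter(Mandatory=$true)]$VMHost, [ValidateSet('High','Medium','Off')][string]$Level)
    $policy = Get-VMHostFirewallDefaultPolicy -VMHost $VMHost
    switch ($Level) {
        # esxcfg-firewall --blockIncoming --blockOutgoing
        'High'   { Set-VMHostFirewallDefaultPolicy -Policy $policy -AllowIncoming $false -AllowOutgoing $false }
        # esxcfg-firewall --blockIncoming --allowOutgoing
        'Medium' { Set-VMHostFirewallDefaultPolicy -Policy $policy -AllowIncoming $false -AllowOutgoing $true }
        # esxcfg-firewall --allowIncoming --allowOutgoing
        'Off'    { Set-VMHostFirewallDefaultPolicy -Policy $policy -AllowIncoming $true  -AllowOutgoing $true }
    }
}

# Current level, then the enabled pre-configured services (the exceptions that stay open at High/Medium)
Get-EsxFirewallLevel -VMHost $VmHost | Format-List
Get-VMHostFirewallException -VMHost $VmHost | Where-Object { $_.Enabled } |
    Select-Object Name, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning | Format-Table -AutoSize

# Put the host back on the default level; the enabled exceptions above are unaffected
Set-EsxFirewallLevel -VMHost $VmHost -Level High | Out-Null
```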
