NSFOCUS WAF (VM) User Guide

Version: V6.0R05F01 (2016-03-30)
© 2016 NSFOCUS

Copyright 2016 NSFOCUS Technologies, Inc. All rights reserved. Unless otherwise stated, NSFOCUS Technologies, Inc. holds the copyright for the content of this document, including but not limited to the layout, figures, photos, methods, and procedures, which are protected under the intellectual property and copyright laws. No part of this publication may be reproduced or quoted, in any form or by any means, without prior written permission of NSFOCUS Technologies, Inc.

Contents

Preface
  Scope
  Audience
  Organization
  Conventions
  Customer Support
1 Basics
  1.1 Configuration Requirements
  1.2 Installation
    1.2.1 Local Installation
    1.2.2 Remote Installation
2 Local Installation
  2.1 Preparations
  2.2 Installation Procedure
  2.3 Uninstallation Procedure
  2.4 In-Path Deployment
    2.4.1 Usage Scenario
    2.4.2 Configuration Preparations
    2.4.3 Configuration Roadmap
    2.4.4 Configuration Procedure
3 Remote Installation
  3.1 Preparations
  3.2 Installation Procedure
  3.3 Uninstallation Procedure
  3.4 In-Path Deployment
    3.4.1 Usage Scenario
    3.4.2 Configuration Preparations
    3.4.3 Configuration Roadmap
    3.4.4 Configuration Procedure
4 License
  4.1 Importing the License
    4.1.1 Cloud Authorization
    4.1.2 Centralized Authorization
  4.2 Exporting the License
  4.3 Device Getting Offline
    4.3.1 Device Under Cloud Authorization Getting Offline
    4.3.2 Device Under Centralized Authorization Getting Offline
5 Functional Differences
  5.1 Deleted Functions
  5.2 Modified Functions
  5.3 Login to the Console
A Default Parameters
  A.1 Management Interface
  A.2 Default Administrator Accounts
    A.2.1 Web-based Manager Administrator
    A.2.2 Default Web Auditor Account
    A.2.3 Default Account of the Console Administrator

Copyright NSFOCUS V6.0R05F01 (2016-03-30)

Figures

Figure 2-1 Deployment of the WAF VM on the KVM host in in-path mode
Figure 2-2 Login page of the web-based manager
Figure 2-3 Editing interface settings
Figure 3-1 VMware vSphere Client login page
Figure 3-2 ESXi host
Figure 3-3 Source page
Figure 3-4 Disk Format page
Figure 3-5 Deployment progress bar
Figure 3-6 WAF VM operation page
Figure 3-7 VM properties
Figure 3-8 Example of hardware configuration
Figure 3-9 Console login window
Figure 3-10 Deployment of the WAF VM on the ESXi host in in-path mode
Figure 3-11 Networking configuration
Figure 3-12 Wizard for adding a network
Figure 3-13 Virtual switch selection
Figure 3-14 Network adapter configuration
Figure 4-1 Message prompting you to configure the authorization mode
Figure 4-2 License page
Figure 4-3 Basic settings of ESPC
Figure 4-4 Authorization Control area
Figure 4-5 Cloud authorization success
Figure 4-6 Running Mode page
Figure 4-7 Centralized authorization
Figure 4-8 Centralized authorization success
Figure 4-9 Offline Status-1 of the device under cloud authorization
Figure 4-10 Offline Status-2 of the device under cloud authorization
Figure 4-11 Offline Status-1 of device under authorization
Figure 4-12 Offline Status-2 for centralized authorization
Figure 5-1 VMware vSphere Client
Figure 5-2 Security warning
Figure 5-3 Home page of the host
Figure 5-4 Inventory
Figure 5-5 Selecting a WAF VM
Figure 5-6 Console tab page
Figure 5-7 Login to the console-based manager
Figure 5-8 Console-based manager

Tables

Table 1-1 Reference configuration of the host
Table 1-2 VM configuration requirements
Table 2-1 Preparations to be made for local installation
Table 3-1 Preparations to be made for remote installation
Table 5-1 Deleted functions
Table 5-2 Modified functions
Table 5-3 Login parameters of the WAF VM host

Preface

Scope

This document describes methods of installing the virtual machine (VM) of NSFOCUS Web Application Firewall (WAF) V6.0 and its main differences from hardware editions in functionality.

This document is provided for reference only. It may slightly differ from the actual product due to version upgrade or other reasons.

Audience

This document is intended for the following users:
- Installation engineers
- Engineering staff
- Users who wish to know installation methods and main functions of the VM edition

Organization

Chapter                     Description
1 Basics                    Describes configuration requirements of the WAF VM host and its typical installation methods.
2 Local Installation        Describes how to install the WAF VM locally.
3 Remote Installation       Describes how to install the WAF VM remotely.
4 License                   Describes how to import a license to the WAF VM and how to export a license from the WAF VM.
5 Functional Differences    Describes main differences between the VM edition and hardware editions of WAF.
A Default Parameters        Describes default parameters of the WAF VM.

Conventions

Convention     Description
Bold font      Keywords, names of screen elements like buttons, drop-down lists or fields, and user-entered text appear in bold font.
Italic font    Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[icon]         Reminds users to take note.
[icon]         Indicates a tip to make your operations easier.
[icon]         Indicates a situation in which you might perform an action that could result in equipment damage or loss of data.
[icon]         Indicates a situation in which you might perform an action that could result in bodily injury.
A > B          Indicates selection of menu options.

Customer Support

Email: support@nsfocusglobal.com
Portal: https://nsfocus.desk.com/
Contacts:
- USA: +1-844-673-6287 or +1-844-NSFOCUS
- UK: +44 808 164 0673 or +44 808 164 0NSF
- Australia: +61 2 8599 0673 or +61 2 8599 0NSF
- Netherlands: +31 85 208 2673 or +31 85 208 2NSF
- Brazil: +55 13 4042 1673 or +55 13 4042 1NSF
- Japan: +81 3-4510-8673 or +81 3-4510-8NSF
- Singapore: +65 3158 3757
- Hong Kong: +852 5803 2673 or +852 5803 2NSF
- Middle East: +973 1619 7607

1 Basics

This chapter describes configuration requirements of the WAF VM host and its installation methods. It contains the following sections:

Section                       Description
Configuration Requirements    Describes software and hardware requirements of the VM host.
Installation                  Describes typical installation methods of the WAF VM.

1.1 Configuration Requirements

The WAF VM should be running on a host with VM software installed. Make sure that the host meets all configuration requirements listed in Table 1-1 and the VM meets those listed in Table 1-2.

Table 1-1 Reference configuration of the host

Item         Reference Configuration
CPU          Intel(R) Xeon(R) CPU E5-2680V2 @ 2.8.0 GHz
Memory       132 GB
Hard disk    1 TB
NIC          6

Table 1-2 VM configuration requirements

Item                                      NX3-V300A     NX3-V600A     NX3-V1000A
vCPU (total number of processor cores)    2             2             4
Memory                                    4 GB          4 GB          4 GB
Storage (Min/Max)                         80 GB/1 TB    80 GB/1 TB    80 GB/1 TB
Hypervisor support                        QEMU KVM 1.2.8
                                          VMware vSphere ESXi 5.0/5.5/6.0

Running multiple VMs on the host machine will degrade the performance of the WAF VM. Therefore, you are advised to shut down unused VMs.

If the host configuration does not match the VM configuration, the WAF VM will be unable to perform as expected. Therefore, to make the WAF VM work to the best effect, you should use a host whose hardware configuration matches the VM configuration.

1.2 Installation

1.2.1 Local Installation

This section describes how to install the WAF VM. You can, by using Linux commands, install the WAF VM on a local computer on which the Kernel-based Virtual Machine (KVM) has been installed.

1.2.2 Remote Installation

After VMware vSphere is installed on a local host and a remote one, you can log in to the remote ESXi host or the vCenter Server system from vSphere Client and then install the WAF VM on the remote host.

2 Local Installation

This chapter describes how to install the WAF VM by using Linux commands. It contains the following sections:

Section                     Description
Preparations                Describes preparations to be made before installing the WAF VM locally.
Installation Procedure      Describes how to install the WAF VM locally.
Uninstallation Procedure    Describes how to delete the WAF VM from the host.
In-Path Deployment          Describes how to deploy the WAF VM in in-path mode.

2.1 Preparations

Before installing the WAF VM locally, you must make preparations listed in Table 2-1.

Table 2-1 Preparations to be made for local installation

Item                   Description
Host     IP address    Check network connectivity.
         Account       Obtain administrative privileges.
         KVM           Install KVM on the host.
WAF VM   Image file    Create two image files: vmwaf.qcow2 and vmwaf.xml.
         IP address    Obtain IP addresses of management interfaces and working interfaces.

2.2 Installation Procedure

To install the WAF VM by using Linux commands, follow these steps:

The following illustrates how to install the WAF VM. The text in italic indicates a variable to which you may supply a value as required.

Step 1 Open the terminal on the host.

Step 2 Add network bridges to a physical network interface card (NIC).

Step 3 Copy WAF's image files to the specified directories of the VM host.
  a. Create the home/test directory on the host:
      mkdir -p home/test    # Creates the home/test directory in the current directory.
  b. Copy WAF's image files to the corresponding directories:
      cp /root/vmwaf.qcow2 home/test    # Copies the hardware parameter file to home/test.
      cp /root/vmwaf.xml /etc/libvirt/qemu    # Copies the configuration file to /etc/libvirt/qemu.

Step 4 Edit the vmwaf.xml file.
  a. Start the virsh interactive terminal.
      virsh    # Starts the virsh interactive terminal.
      virsh define /etc/libvirt/qemu/vmwaf.xml    # Defines a VM that is not in use.
      virsh edit vmwaf    # Edits the vmwaf.xml file.
  b. Change the directory of the vmwaf.qcow2 file.
      # Changes the directory of vmwaf.qcow2 to home/test.
  c. Edit interfaces of the WAF VM.
      # Edit interfaces.

  d. Modify the related Qemu Guest Agent (QGA) setting as follows:

Step 5 Start the WAF VM.
  After the WAF VM is started, the Dynamic Host Configuration Protocol (DHCP) function is enabled and the related IP address is obtained automatically (if a DHCP server is available). If no IP address is obtained or no DHCP server is available, proceed to step 6.
      virsh start vmwaf    # Starts the WAF VM.

Step 6 (Optional) Configure the WAF VM.
  If the IP address fails to be obtained, perform this step.
  - Perform the following configuration on the host:
      virsh qemu-agent-command vmwaf '{"execute":"guest-login-set-user","arguments":{"username":"admin","passwd":"12345"}}'
      # Configure the password for admin.
      virsh qemu-agent-command vmwaf '{"execute":"guest-network-set-gateway","arguments":{"ip-address":"10.67.255.254"}}'
      # Configure the gateway.
      virsh qemu-agent-command vmwaf '{"execute":"guest-network-set-interfaces","arguments":{"name":"eth0","hardware-address":"72:74:70:75:4f:7e","ip-addresses":[{"ip-address":"10.67.0.210","ip-address-type":"ipv4","prefix":16}]}}'

      # Configure the management interface. The MAC address configured here must be consistent with that in vmwaf.xml.
      virsh qemu-agent-command vmwaf '{"execute":"guest-set-uuid","arguments":{"uuid":"de56b644-159a-43c3-9ada-0a3ebffbf6bb"}}'
      # Configure the UUID, which must be consistent with that in vmwaf.xml.
      virsh qemu-agent-command vmwaf '{"execute":"guest-set-espc","arguments":{"host":"1.1.1.1","inuse":"yes"}}'
      # Configure ESPC.
      virsh qemu-agent-command vmwaf '{"execute":"guest-set-sc","arguments":{"url":"url of the console"}}'
      # Configure the console.
  - Perform the configuration via the console.
    a. Connect to the console.
        console vmwaf    # Connects to the console of the WAF VM.
    b. Type the user name and password (both are conadmin) to access the console of the WAF VM.
    c. Choose English > Maintenance Tools > Set IP&Route.
    d. Configure the IP address, subnet mask, and gateway address for the management interface.
    e. Press Enter to save the settings and close the current window.

Step 7 View the IP address, subnet mask, and gateway address of WAF.
  a. Connect to the console.
      console vmwaf    # Connects to the console of the WAF VM.
  b. Type the user name and password (both are conadmin) to access the console of the WAF VM.
  c. Choose English > Maintenance Tools > Set IP&Route.
  d. View the IP address, subnet mask, and gateway address of the management interface.
  e. Press Enter to save the settings and close the current window.

----End

2.3 Uninstallation Procedure

To delete the WAF VM from the host, follow these steps:

Step 1 Open the terminal on the host.

Step 2 Start the virsh interactive terminal.
      virsh    # Start the virsh interactive terminal.

Step 3 Shut down the WAF VM.
      virsh shutdown vmwaf    # Shut down the WAF VM.

Step 4 Undefine the WAF VM.
      virsh undefine vmwaf    # Nullify vmwaf.xml.

Step 5 Destroy the WAF VM.

      virsh destroy vmwaf    # Shut down the WAF VM ungracefully.
  This will completely delete the WAF VM from the data storage.

----End

2.4 In-Path Deployment

2.4.1 Usage Scenario

In the network environment shown in Figure 2-1, WAF connects to the switch in in-path mode. The management interface of WAF connects to physical NIC 1 of the host via a network bridge.

Figure 2-1 Deployment of the WAF VM on the KVM host in in-path mode
[Diagram labels: Customer's server, External user, Switch (V1, V2006), 172.16.128.207, GW: 172.16.128.1, Virtual platform, Physical NIC 1, br0, Mgmt inf, Virtual WAN, Virtual LAN, br1, Physical NIC 2, WAN: 172.16.127.1, LAN: 172.16.128.1]

2.4.2 Configuration Preparations

- Configure an IP address, for example, 172.16.127.1, for the WAN interface of the WAF VM.
- Configure an IP address, for example, 172.16.128.1, for the LAN interface of the WAF VM.
- Connect the management interface of the WAF VM to br0.

2.4.3 Configuration Roadmap

1. Install the WAF VM, which requires addition of two bridges to a physical NIC of the host.
2. Log in to the web-based manager of the WAF VM to configure necessary interfaces.

2.4.4 Configuration Procedure

To configure the WAF VM, follow these steps:

Step 1 Open the terminal on the host.

Step 2 Add two network bridges to a physical NIC.

Step 3 Perform steps 3 to 5 in section 2.2.
  You should configure at least three interfaces, that is, one management interface and two working interfaces.

Step 4 Configure the WAF VM as follows:
      virsh qemu-agent-command vmwaf '{"execute":"guest-login-set-user","arguments":{"username":"admin","passwd":"12345"}}'
      # Configure the password for admin.
      virsh qemu-agent-command vmwaf '{"execute":"guest-network-set-gateway","arguments":{"ip-address":"10.67.255.254"}}'
      # Configure the gateway.
      virsh qemu-agent-command vmwaf '{"execute":"guest-network-set-interfaces","arguments":{"name":"eth0","hardware-address":"72:74:70:75:4f:7e","ip-addresses":[{"ip-address":"172.16.127.160","ip-address-type":"ipv4","prefix":16}]}}'
      # Configure the management interface. The MAC address configured here must be consistent with that in vmwaf.xml.
      virsh qemu-agent-command vmwaf '{"execute":"guest-set-uuid","arguments":{"uuid":"de56b644-159a-43c3-9ada-0a3ebffbf6bb"}}'
      # Configure the UUID, which must be consistent with that in vmwaf.xml.
      virsh qemu-agent-command vmwaf '{"execute":"guest-set-espc","arguments":{"host":"1.1.1.1","inuse":"yes"}}'
      # Configure ESPC.
      virsh qemu-agent-command vmwaf '{"execute":"guest-set-sc","arguments":{"url":"www.sc.com"}}'
      # Configure the console.

Step 5 Configure working interfaces.
  a. Type https://ip address of the management interface in the address bar to access the web-based manager of the WAF VM. Figure 2-2 shows the login page.

Figure 2-2 Login page of the web-based manager

  b. Type the default user name and password (both are admin) and then click Login.
     During the first login, you will be prompted to change the default password. You can continue to use the system only after configuring a new password.
  c. Choose System Management > Network Configuration.
  d. Create a work group, add a WAN interface and LAN interface to this group, and bind the next-hop MAC address to the LAN interface. For details, refer to NSFOCUS WAF User Guide (V6.0).

Figure 2-3 Editing interface settings

----End
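The host-side values in step 6 of section 2.2 and step 4 of section 2.4.4 must agree with vmwaf.xml (MAC address, UUID) and with each other (the gateway has to sit inside the management subnet). The following is an added example, not NSFOCUS code: it checks a set of values against a constructed stand-in for vmwaf.xml and builds the virsh qemu-agent-command lines with the JSON shell-quoted as a single argument. The second MAC address, the replacement password, the 12-character minimum and all function names are assumptions.

```python
import ipaddress
import json
import shlex
import xml.etree.ElementTree as ET

# Constructed stand-in for the relevant parts of vmwaf.xml (not the vendor's file).
# The UUID and first MAC are the guide's example values; the second MAC is made up.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>vmwaf</name>
  <uuid>de56b644-159a-43c3-9ada-0a3ebffbf6bb</uuid>
  <devices>
    <interface type='bridge'>
      <mac address='72:74:70:75:4f:7e'/>
      <source bridge='br0'/>
    </interface>
    <interface type='bridge'>
      <mac address='72:74:70:75:4f:7f'/>
      <source bridge='br1'/>
    </interface>
  </devices>
</domain>
"""

# Passwords printed in this guide; treat them as publicly known.
DOCUMENTED_PASSWORDS = {"admin", "conadmin", "12345"}
MIN_PASSWORD_LENGTH = 12  # assumed local policy, not a product requirement


def read_domain(xml_text):
    """Return (uuid, set of interface MACs) from a libvirt domain definition."""
    root = ET.fromstring(xml_text)
    macs = {m.get("address", "").lower()
            for m in root.findall("./devices/interface/mac")}
    return (root.findtext("uuid") or "").strip().lower(), macs


def check_settings(xml_text, s):
    """Return a list of problems; an empty list means the settings are consistent."""
    xml_uuid, xml_macs = read_domain(xml_text)
    problems = []
    if s["mac"].lower() not in xml_macs:
        problems.append("mac: not defined in the domain XML")
    if s["uuid"].lower() != xml_uuid:
        problems.append("uuid: differs from the domain XML")
    network = ipaddress.ip_interface(f"{s['ip']}/{s['prefix']}").network
    if ipaddress.ip_address(s["gateway"]) not in network:
        problems.append(f"gateway: {s['gateway']} is outside {network}")
    if s["password"] in DOCUMENTED_PASSWORDS or len(s["password"]) < MIN_PASSWORD_LENGTH:
        problems.append("password: printed in the guide or too short")
    return problems


def build_commands(domain, s):
    """Return the guide's virsh lines with each JSON payload as one quoted argument."""
    payloads = [
        {"execute": "guest-login-set-user",
         "arguments": {"username": "admin", "passwd": s["password"]}},
        {"execute": "guest-network-set-gateway",
         "arguments": {"ip-address": s["gateway"]}},
        {"execute": "guest-network-set-interfaces",
         "arguments": {"name": "eth0", "hardware-address": s["mac"],
                       "ip-addresses": [{"ip-address": s["ip"],
                                         "ip-address-type": "ipv4",
                                         "prefix": s["prefix"]}]}},
        {"execute": "guest-set-uuid", "arguments": {"uuid": s["uuid"]}},
    ]
    return ["virsh qemu-agent-command {} {}".format(
                shlex.quote(domain),
                shlex.quote(json.dumps(p, separators=(",", ":"))))
            for p in payloads]


# Section 2.2 example values, with a constructed replacement for the password.
SECTION_22 = {"mac": "72:74:70:75:4f:7e",
              "uuid": "de56b644-159a-43c3-9ada-0a3ebffbf6bb",
              "ip": "10.67.0.210", "prefix": 16, "gateway": "10.67.255.254",
              "password": "constructed-Passphrase-01"}
# Section 2.4.4 uses the same values except for the management IP address.
SECTION_244 = dict(SECTION_22, ip="172.16.127.160")

if __name__ == "__main__":
    for label, settings in (("2.2", SECTION_22), ("2.4.4", SECTION_244)):
        issues = check_settings(SAMPLE_DOMAIN_XML, settings)
        print(f"section {label}:", issues or "consistent")
        if not issues:
            print("\n".join(build_commands("vmwaf", settings)))
```

The generated guest-login-set-user line carries the password as a command-line argument, so it is visible in the host's process list and shell history.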

3 Remote Installation

This chapter describes how to install the WAF VM on a remote host via VMware vSphere Client, from which you must log in to the ESXi or vCenter Server system. It contains the following sections:

Section                     Description
Preparations                Describes preparations to be made before installing the WAF VM remotely.
Installation Procedure      Describes how to install the WAF VM on the ESXi host remotely.
Uninstallation Procedure    Describes how to delete the WAF VM from the ESXi host.
In-Path Deployment          Describes how to deploy the WAF VM in in-path mode.

3.1 Preparations

Before installing the WAF VM remotely, you must make preparations listed in Table 3-1.

Table 3-1 Preparations to be made for remote installation

Item                       Description
Host     IP address        Check network connectivity.
         Account           Obtain administrative privileges.
         VMware vSphere    Install vSphere ESXi on the host.
Client   VMware vSphere    Install vSphere Client on the client machine.
vmwaf    Image file        Create an image file, vmwaf.ova.
         IP address        Configure IP addresses for working interfaces of the WAF VM.

3.2 Installation Procedure

To install the WAF VM remotely on the ESXi host, follow these steps:

Step 1 Log in to the ESXi host from vSphere Client.
  a. On the client machine, start vSphere Client.

Figure 3-1 VMware vSphere Client login page

  b. Type the IP address of the ESXi host as well as the user name and password.
  c. Click Login.

Figure 3-2 ESXi host

Step 2 On the ESXi host, deploy the WAF VM.
  a. Choose File > Deploy OVF Template. On the Source page shown in Figure 3-3, click Browse and select the image file of the WAF VM.

Figure 3-3 Source page

  b. Click Next to open the OVF Template Details page.
  c. After confirming that the selected image file is correct, click Next. On the Name and Location page, type the name of the WAF VM.
  d. Click Next. On the Resource Pool page, select a path to store the WAF VM.
  e. Click Next. On the Disk Format page, click Thick Provision Eager Zeroed.
     The differences between the three disk formats are as follows for the WAF VM:
     - Thin Provision: To deploy the WAF VM, 80 GB of space needs to be allocated for this type of virtual disk. With the increase of data stored, more space will be required. Therefore, the virtual disk can grow to the maximum capacity (500 GB) allocated to it.
     - Thick Provision Lazy Zeroed: To deploy the WAF VM, 500 GB of disk space needs to be allocated for this type of virtual disk. Specifically, the required space is allocated when the virtual disk is created. However, at the time of creation, only 80 GB of blocks on the physical storage device are formatted. Then data remaining on the physical storage device is zeroed out on demand at a later time on first write from the WAF VM.
     - Thick Provision Eager Zeroed (recommended for the WAF VM): To deploy the WAF VM, 500 GB of disk space needs to be allocated for this type of virtual disk. Specifically, the required space (500 GB) is allocated and formatted when the virtual disk is created. Creating a virtual disk in this format may take a longer time than creating other types of disks.

Figure 3-4 Disk Format page

  f. Click Next. On the Network Mapping page, select a network that the WAF VM must use.
  g. Click Next to open the Ready to Complete page.
     On the Ready to Complete page, do not select the Power on after deployment check box.
  h. Click Finish and wait for the WAF VM to complete deployment.
     A dialog box appears, as shown in Figure 3-5, indicating the status and time pending for the deployment to complete.

Figure 3-5 Deployment progress bar

Step 3 Set hardware parameters.
  a. Select the WAF VM from the navigation tree in the left pane. Then you can perform operations regarding this VM in the right pane, as shown in Figure 3-6.

Figure 3-6 WAF VM operation page

  b. Click Edit virtual machine settings. The Virtual Machine Properties dialog box appears, as shown in Figure 3-7.

Figure 3-7 VM properties

  c. Configure hardware settings as required in Table 1-2.

Figure 3-8 Example of hardware configuration

  d. Click OK to save the settings.

Step 4 Start the WAF VM.
  a. Select the WAF VM from the navigation tree in the left pane.
  b. In the right pane, click Power on the virtual machine to start the WAF VM. This process takes several minutes.
     After the WAF VM is started, the DHCP function is enabled and the related IP address is obtained automatically (if a DHCP server is available). If no IP address is obtained or no DHCP server is available, proceed to step 5.

Step 5 (Optional) Configure the WAF VM.
  If the IP address fails to be obtained, perform this step.
  a. Click the Console tab. After a while, the console login window of the WAF VM appears, as shown in Figure 3-9.

Figure 3-9 Console login window

  b. Type the user name and password (both are conadmin) to access the console of the WAF VM.
  c. Choose English > Maintenance Tools > Set IP&Route.
  d. Configure the IP address, subnet mask, and gateway address for the management interface.

Step 6 View settings of the WAF VM.
  a. Click the Console tab.
  b. In the console login window, type the user name and password (both are conadmin).
  c. Choose English > Maintenance Tools > Set IP&Route.
  d. View the IP address, subnet mask, and gateway address of the management interface.

----End

3.3 Uninstallation Procedure

To delete the WAF VM from the ESXi host, follow these steps:

Step 1 Select the WAF VM from the navigation tree in the left pane.

Step 2 Choose Inventory > Virtual Machine > Power > Power Off to shut down the WAF VM.

Step 3 Choose Inventory > Virtual Machine > Delete from Disk to delete the WAF VM.
  This will completely delete the WAF VM from the data storage.

----End

3.4 In-Path Deployment

3.4.1 Usage Scenario

In the network environment shown in Figure 3-10, WAF connects to the virtual switch in in-path mode.

Figure 3-10 Deployment of the WAF VM on the ESXi host in in-path mode
[Diagram labels: Client (Control IP: 10.67.203.113, Client IP: 172.16.205.113), Server (Control IP: 10.67.203.114, Server IP: 172.16.206.114), Virtual switch (V2003, V2004), Virtual WAN, Virtual LAN, 172.16.205.1, 172.16.206.1, Management interface]

3.4.2 Configuration Preparations

- Configure an IP address, for example, 172.16.205.1, for the WAN interface of the WAF VM.
- Configure an IP address, for example, 172.16.206.1, for the LAN interface of the WAF VM.
- Connect the management interface of the WAF VM to the virtual switch.

3.4.3 Configuration Roadmap

1. Create two VM port groups on the virtual switch.
2. Install the WAF VM, which requires editing of network adapters for two working interfaces.
3. Log in to the web-based manager of the WAF VM to configure working interfaces.

3.4.4 Configuration Procedure

To configure the WAF VM, follow these steps:

Step 1 Perform step 1 in section 3.2 Installation Procedure to access the ESXi host from vSphere Client.

Step 2 Configure the virtual switch.
  a. Click the Configuration tab and, in the Hardware section, click Networking.

Figure 3-11 Networking configuration

  b. Click the Add Networking link.

Figure 3-12 Wizard for adding a network

  c. Select Virtual Machine as the connection type and click Next.
  d. Select a virtual switch according to the connection to the trunk port of the physical switch. Here vSwitch0 and vmnic0 are selected, as shown in Figure 3-13.
  e. Click Next to open the Connection Settings page.

Figure 3-13 Virtual switch selection

  f. Set the network label to V2003 and VLAN ID to 2003. Click Next to open the Summary page.
  g. Click Finish to complete the operation.
  h. Repeat step 2e and create another VM port group with the network label of V2004 and VLAN ID of 2004.

Step 3 Perform step 2 in section 3.2 Installation Procedure to deploy the WAF VM.

Step 4 Set hardware parameters for the WAF VM.
  a. Select the WAF VM from the navigation tree in the left pane.
  b. Click Edit virtual machine settings.
  c. In the left navigation bar, click Network adapter 2/3 and, in the right pane, set the network label to V2003/V2004.

Figure 3-14 Network adapter configuration

  d. Click OK to complete the configuration of network adapters.

Step 5 Perform step 4 in section 3.2 Installation Procedure to start the WAF VM.

Step 6 Perform step 6 in section 3.2 Installation Procedure to view the configuration of the WAF VM.

----End

4 License

License management includes the following:
- Importing the License
- Exporting the License

4.1 Importing the License

The WAF VM can work properly only upon an authorization in the form of a license. You can import a license for the WAF VM using either of the following methods:
- Cloud authorization
  If this mode of authorization is adopted, the WAF VM will regularly instruct the cloud center to verify the validity of the license.
- Centralized authorization

4.1.1 Cloud Authorization

This mode of authorization applies to devices managed by NSFOCUS ESPC V6.1R05F01 SP03.

To put the WAF VM under cloud authorization, follow these steps:

Step 1 Log in to the web-based manager of the WAF VM by typing https://ip address of the management interface in the address bar.

Step 2 Open the License page.
  - For initial login: After you log in and change the password, a dialog box appears, as shown in Figure 4-1. Clicking OK in the dialog box displays the License page, as shown in Figure 4-2.

Figure 4-1 Message prompting you to configure the authorization mode

Figure 4-2 License page

   - For subsequent login: Choose System Management > System Tools > License. The License page appears, as shown in Figure 4-2.
Step 3 (Optional) Configure the local IP address of the WAF VM. This step is required after the IP address of the management interface is changed.
   a. Choose Security Management > ESPC. The ESPC page appears, as shown in Figure 4-3.

Figure 4-3 Basic settings of ESPC

   b. In the Basic Settings area, set Local IP to the IP address of the management interface.
   c. Click OK.
Step 4 In the Authorization Control area, set Authorized by to Cloud.

Figure 4-4 Authorization Control area

Step 5 Browse to the license file and then click OK. The system automatically authenticates the WAF VM.
Step 6 Wait for about 1 minute and refresh the page. If the authentication succeeds, Authorization Status is displayed as Authorized.

Figure 4-5 Cloud authorization success

Step 7 (Optional) Configure the protection mode. This step is required if a question mark icon is displayed to the right of the authorization status.
   a. Choose System Management > System Deployment > Running Mode.

Figure 4-6 Running Mode page

   b. Set Mode Configuration to Protection Mode and click OK.
The engine status is displayed in green, indicating that the WAF VM can work properly.
----End

4.1.2 Centralized Authorization

To put the WAF VM under centralized authorization, follow these steps:

Step 1 Log in to the web-based manager of the WAF VM by typing https://ip address of the management interface in the address bar.
Step 2 Open the License page.
   - For initial login: After you log in and change the password, a dialog box appears, as shown in Figure 4-1. Clicking OK in the dialog box displays the License page, as shown in Figure 4-2.

   - For subsequent login: Choose System Management > System Tools > License. The License page appears, as shown in Figure 4-2.
Step 3 (Optional) Configure the local IP address of the WAF VM. This step is required after the IP address of the management interface is changed.
   a. Choose Security Management > ESPC. The ESPC page appears, as shown in Figure 4-3.
   b. In the Basic Settings area, set Local IP to the IP address of the management interface.
   c. Click OK.
Step 4 In the Authorization Control area, set Authorized by to Centralized mgmt.platform.

Figure 4-7 Centralized authorization

Step 5 Set Address of Authorization Center and click OK. Authorization Status is displayed as No license.
Step 6 Authorize the WAF VM on ESPC. Only this step is performed on ESPC. For a detailed configuration procedure, refer to NSFOCUS ESPC User Guide Centralized Authorization.
   a. Add the WAF VM and then restart the service.
   b. Open the page for centralized authorization and issue a license to the WAF VM.
Step 7 After a successful authorization, manually refresh the page. Authorization Status is displayed as Authorized.

Figure 4-8 Centralized authorization success

Step 8 (Optional) Configure the protection mode. This step is required if a question mark icon is displayed to the right of the authorization status.
   a. Choose System Management > System Deployment > Running Mode. The Running Mode page appears, as shown in Figure 4-6.
   b. Set Mode Configuration to Protection Mode and click OK.
The engine status is displayed in green, indicating that the WAF VM can work properly.
----End

4.2 Exporting the License

In Figure 4-8, click in the Export column to export the license to a local disk drive with the name of VMWAF_license HASH.lic.

4.3 Device Getting Offline

The WAF VM is offline after it disconnects from the cloud or centralized authorization platform.

4.3.1 Device Under Cloud Authorization Getting Offline

4.3.1.1 Offline Status-1

If Authorization Status is displayed as Authorized, the WAF VM will be periodically authenticated by the cloud. After a successful authentication, the device is available. Otherwise, Authorization Status is displayed as Offline Status-1 or Offline Status-2.

If the device fails to be authenticated within 2 to 7x24 hours, Authorization Status is displayed as Offline Status-1 and the system displays a message in the lower-right corner of the page, as shown in Figure 4-9. In this case, websites, website groups, and policies cannot be configured on the web-based manager, but the engine can still provide protection.

Figure 4-9 Offline Status-1 of the device under cloud authorization

4.3.1.2 Offline Status-2

To troubleshoot the WAF VM's disconnection from the cloud, do as follows:
- Network environment: Incorrect network configuration leads to an authentication timeout.
  Solution: Check and make sure that the network configuration is correct.
- Local IP address: The local IP address is not updated after the IP address of the management interface is changed, which leads to an authentication timeout.
  Solution: Choose System Management > ESPC. In the Basic Settings area, set Local IP and then click OK.

After the WAF VM reconnects to the cloud, Authorization Status is displayed as Authorized.

If the device authentication exceeds 7x24 hours or authentication fails, Authorization Status is displayed as Offline Status-2 and the system displays a message in the lower-right corner of the page, as shown in Figure 4-10. If Authorization Status is displayed as Offline Status-2, the device engine no longer provides protection and its status is displayed in red.

Figure 4-10 Offline Status-2 of the device under cloud authorization

In this case, you can choose Logs & Reports > System Running Logs to view the corresponding running log for troubleshooting. Solutions are as follows:
- If the cloud authentication has exceeded 7x24 hours, restore the connection to the cloud and reupload the license.
- If the cloud authentication fails, check the cause and try reuploading the license, so that Authorization Status will be restored to Authorized.

4.3.2 Device Under Centralized Authorization Getting Offline

4.3.2.1 Offline Status-1

If Authorization Status is displayed as Authorized, the WAF VM will be periodically authenticated by the centralized authorization client. After a successful authentication, the device is available. Otherwise, Authorization Status is displayed as Offline Status-1 or Offline Status-2.

If the device fails to be authenticated within 2 to 7x24 hours, Authorization Status is displayed as Offline Status-1 and the system displays a message in the lower-right corner of the page, as shown in Figure 4-11. In this case, websites, website groups, and policies cannot be configured on the web-based manager, but the engine can still provide protection.

Figure 4-11 Offline Status-1 of device under authorization

4.3.2.2 Offline Status-2

To troubleshoot the WAF VM's disconnection from the centralized authorization client, do as follows:
- Network environment: Incorrect network configuration causes an authentication timeout.
  Solution: Check and make sure that the network configuration is correct.
- Local IP address: The local IP address is not updated after the IP address of the management interface is changed, which leads to an authentication timeout.
  Solution: Choose System Management > ESPC. In the Basic Settings area, set Local IP and then click OK.

After the WAF VM reconnects to the centralized authorization client, Authorization Status is displayed as Authorized.

If the device authentication exceeds 7x24 hours or authentication fails, Authorization Status is displayed as Offline Status-2 and the system displays a message in the lower-right corner of the page, as shown in Figure 4-12. If Authorization Status is displayed as Offline Status-2, the device engine no longer provides protection and its status is displayed in red.

Figure 4-12 Offline Status-2 for centralized authorization

In this case, you can choose Logs & Reports > System Running Logs to view the corresponding running log for troubleshooting. Solutions are as follows:
- If the authentication timeout has exceeded 7x24 hours, do as follows:
  - Cancel the device authorization on the centralized authorization platform.
  - Restore the connection between the device and the centralized authorization platform.
  - Reissue the license to the device from the centralized authorization platform for authorization.
- If the authentication fails, do as follows:
  - Cancel the device authentication on the centralized authorization platform.
  - Check the reason why the device authentication fails.
  - Reissue the license to the device from the centralized authorization platform for authorization, so that Authorization Status will be restored to Authorized.
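The offline timeline in section 4.3, as an added monitoring example (not NSFOCUS code): it classifies constructed authentication-check events into the statuses described above and reports how many hours remain before the engine stops providing protection. Reading "2 to 7x24 hours" as 2 h to 168 h since the last successful authentication, the event format, and the device names are assumptions.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=2)       # assumed start of the "2 to 7x24 hours" window
LIMIT = timedelta(hours=7 * 24)  # beyond this: Offline Status-2

def classify(last_ok, now, auth_failed=False):
    """Status from section 4.3, given the last successful authentication."""
    elapsed = now - last_ok
    if auth_failed or elapsed > LIMIT:
        return "Offline Status-2"   # engine no longer provides protection
    if elapsed >= GRACE:
        return "Offline Status-1"   # sites/policies locked, engine still protects
    return "Authorized"

def review(events, now):
    """events: (device, time, result), result is 'ok', 'timeout' or 'failed'
    (hypothetical format). Returns one row per device, most urgent first.
    Devices that never authenticated successfully are not reported."""
    last_ok, failed = {}, {}
    for device, ts, result in sorted(events, key=lambda e: e[1]):
        if result == "ok":
            last_ok[device], failed[device] = ts, False
        elif result == "failed":
            failed[device] = True
        # a timeout changes nothing: the clock keeps running from last_ok
    rows = []
    for device, ts in last_ok.items():
        status = classify(ts, now, failed[device])
        protecting = status != "Offline Status-2"
        left = max(ts + LIMIT - now, timedelta(0)) if protecting else timedelta(0)
        rows.append({"device": device, "status": status,
                     "engine_protecting": protecting,
                     "hours_until_unprotected": left.total_seconds() / 3600})
    return sorted(rows, key=lambda r: r["hours_until_unprotected"])

# Constructed sample data, not taken from a real device.
NOW = datetime(2016, 3, 30, 12, 0)
SAMPLE_EVENTS = [
    ("waf-a", datetime(2016, 3, 30, 11, 30), "ok"),
    ("waf-b", datetime(2016, 3, 28, 12, 0), "ok"),
    ("waf-b", datetime(2016, 3, 29, 12, 0), "timeout"),
    ("waf-c", datetime(2016, 3, 20, 12, 0), "ok"),
    ("waf-d", datetime(2016, 3, 30, 10, 30), "ok"),
    ("waf-d", datetime(2016, 3, 30, 11, 0), "failed"),
]

if __name__ == "__main__":
    for row in review(SAMPLE_EVENTS, NOW):
        print(row)
```

Alerting while a device is still in Offline Status-1 leaves time to restore the connection before the 7x24-hour limit is exceeded.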

5 Functional Differences

This chapter describes functional differences between the WAF VM and hardware editions of WAF, including the deleted and modified functions and how to perform related operations. For other functions, which are the same as in the hardware editions of WAF, refer to NSFOCUS WAF User Guide (V6.0).

5.1 Deleted Functions

Table 5-1 describes the functions deleted from the WAF VM.

Table 5-1 Deleted functions

Function: Out-of-path and mirroring modes
Description: The WAF VM can be deployed only in in-path or reverse proxy mode. For the functions in out-of-path and mirroring modes, refer to NSFOCUS WAF User Guide (V6.0).

Function: Built-in and external bypass functions
Description: The WAF VM does not support built-in and external bypass functions.

5.2 Modified Functions

Table 5-2 describes the functions modified in the WAF VM.

Table 5-2 Modified functions

Function: Console port
Description: On the console-based manager of the WAF VM, such functions as the bypass, product model configuration, and firmware restoration are unavailable. Other functions are the same as those in the hardware WAF.

Function: Work group management
Description: After initialization, the number of default work groups is as follows:
- In in-path mode, no default work group is available.
- In reverse proxy mode, there is one work group by default.
You can manage work groups as required. For how to manage work groups, refer to NSFOCUS WAF User Guide (V6.0).

Function: License
Description: You can import a license for the WAF VM using either of the following methods:
- Cloud authorization: If this mode of authorization is adopted, the WAF VM will regularly instruct the cloud center to verify the validity of the license. The hash value of the device is changed to that of the license imported.
- Centralized authorization: The license is provided by the centralized authorization platform. The hash value of the device is changed to that of the A interface for communication.
For how to import a license, see section 4.1 Importing the License.
The WAF VM supports export of the license. For how to export the license, see section 4.2 Exporting the License.

Function: Prompt message indicating mode configuration
Description: After the license is successfully imported for the first time, Authorization Status is displayed as Authorized, followed by a question mark. Pointing to the question mark displays "Currently, Mode Configuration is Forwarding Mode, which should be changed to Protection Mode".

Function: Login to the console
Description: For details, see section 5.3 Login to the Console.

5.3 Login to the Console

To log in to the WAF VM via the console, you must first install the VMware vSphere Client software (for how to install this software, refer to the related VMware user guide).

Step 1 Double-click the icon of VMware vSphere Client.

Figure 5-1 VMware vSphere Client

Step 2 Configure login parameters in the VMware vSphere Client dialog box.

Table 5-3 Login parameters of the WAF VM host

Parameter: IP address / Name
Description: Specifies the IP address or name of the WAF VM host.

Parameter: User name
Description: Specifies the user name of the WAF VM host, which is root by default.

Parameter: Password
Description: Specifies the password of the WAF VM host, which is nsfocus by default.

Step 3 Click Login. A security warning appears, as shown in Figure 5-2.

Figure 5-2 Security warning

Step 4 Click Ignore.

Figure 5-3 Home page of the host

Step 5 Click Inventory.

Figure 5-4 Inventory

Step 6 In the left pane, click next to the host IP address and then next to WAF, and then select a WAF VM. Here, VMWAF-10.67.214.106 is taken as an example.

Figure 5-5 Selecting a WAF VM

Step 7 Click the Console tab.

Figure 5-6 Console tab page

Step 8 Press Enter.

Figure 5-7 Login to the console-based manager

Step 9 Type the user name and password (both are conadmin by default) and then press Enter.

Figure 5-8 Console-based manager

----End

A Default Parameters

A.1 Management Interface

IP Address: eth0/m: 192.168.0.1
Subnet Mask: 255.255.255.0

A.2 Default Administrator Accounts

A.2.1 Web-based Manager Administrator

User Name: admin
Password: admin

A.2.2 Default Web Auditor Account

User Name: auditor
Password: auditor

A.2.3 Default Account of the Console Administrator

User Name: conadmin
Password: conadmin