Step 4: Configuring the VMware Components

In This Section:

Adding the vCenter IP Address to the Runtime Settings

Preparing the ESXi Cluster for CloudGuard Service Deployment

NSX Grouping Objects

vMotion

Before you start these procedures, install and configure the required VMware components. You can install more than one ESXi.

Adding the vCenter IP Address to the Runtime Settings

To use VMware, you must add the vCenter IP address to the Runtime Settings tab on the vCenter Server Setting page.

To add the vCenter IP address:

  1. In the vSphere Web Client, click vCenter > vCenter Servers and select the server.
  2. Click Manage > Settings > General > Runtime settings.
  3. Click vCenter Server managed address > Edit > Runtime settings.
  4. In the Virtual Center Server managed address field, enter the vCenter server IP address.

Preparing the ESXi Cluster for CloudGuard Service Deployment

The sections below describe how to configure an ESXi cluster.

Adding an ESXi to an ESXi Cluster

To add a new ESXi to a cluster:

  1. In the vSphere Web Client, right-click the ESXi cluster object and select Add Host.
  2. Configure the Agent VM setting for the new host.

    If the CloudGuard Service is deployed on the cluster, the CloudGuard Gateway is automatically installed on the new host.

  3. If you do not use an IP address pool or Automatic Provisioning, manually activate the CloudGuard Gateway and then configure it.

Configuring Agent VM Host Settings

To configure Agent VM settings for each ESXi server:

  1. In the vSphere Web Client, go to the ESXi server and select the Configure tab for each ESXi server.
  2. Go to Agent VM settings > Edit.
  3. In the Agent VM Settings window, select the datastore to hold the files for the CloudGuard Gateway Service Virtual Machine.

    Best Practice - Deploy the CloudGuard Gateway on ESXi server local storage and not on external storage.

  4. In the Agent VM Settings window, select the Port Group network that connects to the CloudGuard Gateway Service VM by default.

    This Port Group is used for communication with the CloudGuard Controller.

  5. Install the NSX VIB on all hosts before you deploy it.

To install the NSX VIB on all ESXi:

  1. Log in to the vSphere Web Client.
  2. Select Networking and Security > Installation > Host Preparation.
  3. Click Install for all clusters where you install NSX.

Removing an ESXi Server from an ESXi Cluster

To remove a host from a cluster:

  1. In the vSphere Web Client, go to Hosts and Clusters.
  2. Select the ESXi server and click Actions > Maintenance Mode > Enter Maintenance Mode.
  3. Move the ESXi server from the cluster to a Data Center.
  4. Select the host and click Actions > Exit Maintenance Mode.
  5. Reboot the ESXi server.

    If you did not enable Automatic Provisioning, remove the Cluster Member in SmartConsole.

NSX Grouping Objects

With the Grouping feature, you can create custom containers and assign resources, such as Virtual Machines and network adapters, for CloudGuard Service protection. After a group is defined, you can add the group as source or destination to a firewall rule.

Creating a Security Group

To create a Security Group:

  1. In the vSphere Web Client, go to Networking and Security > Service Composer > Security Groups.
  2. Click the New Security Group icon.

    The New Security Group wizard opens.

  3. Enter a name and description for the new Security Group.
  4. Click Next.
  5. Define dynamic memberships and objects.

    Select objects in the Select objects to include and Select objects to exclude pages.

    Objects that you select are always included in the Security Group, even if these objects do not match the dynamic membership specifications.

    Note - You can include other Security Groups in your new Security Group.

Creating a CloudGuard Gateway IP Address Pool

Best Practice - Create an IP address pool to automatically assign management interface IP addresses.

To create an IP address pool:

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Managers.
  3. In Name, click the NSX Manager.
  4. Click Manage.
  5. Click Grouping Objects > IP Pool.
  6. Click Add New IP Pool.
  7. Enter a name for the IP pool and its default gateway.
  8. Enter the primary and secondary DNS, DNS suffix and prefix length.
  9. Enter the IP address ranges to include in the pool.
  10. Click OK.
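
The values entered in steps 7 to 9 can be checked for consistency before they are typed into the wizard. The following Python sketch is an added example, not code from Check Point or VMware: the function name `validate_ip_pool`, its parameters and the sample addresses are constructed for illustration, and the `host_count` check assumes one management address is needed per ESXi host in the cluster.

```python
import ipaddress

def validate_ip_pool(gateway, prefix_length, ranges, host_count=0):
    """Return a list of problems in a planned IPv4 pool (empty list = OK).
    gateway, prefix_length and ranges mirror the fields entered in steps 7-9;
    ranges is a list of (start, end) strings. host_count is an assumption of
    this example: one management address is needed per ESXi host.
    """
    problems = []
    gw = ipaddress.ip_address(gateway)
    # The pool's subnet follows from the gateway and the prefix length.
    net = ipaddress.ip_network(f"{gateway}/{prefix_length}", strict=False)
    reserved = (net.network_address, net.broadcast_address)
    if gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    parsed = []
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        label = f"{start}-{end}"
        if lo > hi:
            problems.append(f"range {label} starts after it ends")
            continue
        if lo not in net or hi not in net:
            problems.append(f"range {label} is outside {net}")
        if lo <= gw <= hi:
            problems.append(f"range {label} contains the gateway {gw}")
        if any(lo <= addr <= hi for addr in reserved):
            problems.append(f"range {label} contains a network or broadcast address")
        parsed.append((lo, hi, label))
    # Overlap check: walk ranges in address order, tracking the highest end seen.
    highest = None
    for lo, hi, label in sorted(parsed):
        if highest and lo <= highest[0]:
            problems.append(f"range {label} overlaps {highest[1]}")
        if highest is None or hi > highest[0]:
            highest = (hi, label)
    capacity = sum(int(hi) - int(lo) + 1 for lo, hi, _ in parsed)
    if capacity < host_count:
        problems.append(f"pool has {capacity} addresses for {host_count} hosts")
    return problems

# Constructed sample values (documentation address space), not from the guide.
GOOD = validate_ip_pool("192.0.2.1", 24, [("192.0.2.10", "192.0.2.19")], host_count=8)
BAD = validate_ip_pool("192.0.2.1", 24, [("192.0.2.1", "192.0.2.5"),
    ("192.0.2.4", "192.0.2.9"), ("198.51.100.10", "198.51.100.12")], host_count=20)

if __name__ == "__main__":
    print("good pool:", GOOD or "no problems")
    print("bad pool:", *BAD, sep="\n  ")
```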

Creating an IP Set

To create an IP Set:

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Managers.
  3. In Name, click the NSX Manager.
  4. Click Grouping Objects > IP Sets.
  5. Click Add new IP Set (+).
  6. In the Add IP Addresses window, enter a name, description and IP address for the new Security Group.

    This IP address is redirected to the CloudGuard Gateway.

  7. Add the new IP Set to the Security Group.

vMotion

vMotion lets you migrate active Virtual Machines between ESXi servers.

Configure network interfaces on source and target ESXi servers. Configure each ESXi server with at least one network interface for vMotion traffic. To secure data transfer, make sure only trusted parties access the vMotion network. Additional bandwidth significantly improves vMotion performance. When you migrate a Virtual Machine with vMotion without using shared storage, the virtual disk contents are also transferred over the network.

Configure the Virtual Networks on vMotion enabled ESXi server:

For minimum impact on connectivity, applications, and security:

Important - The HTTPS connection and the Control connection must be initialized again after vMotion. Initialize the sessions of existing connections that need a control channel, in addition to the data channel.