7.11. VM Firewall
7.11.1. Available Features
| Feature | Description |
|---|---|
| VM Firewall | A feature that controls communication among targeted Virtual Machines. |
7.11.2. VM Firewall
| Item | Description |
|---|---|
| Action Type | Specifies whether to "Allow" or "Deny" the passage of IP packets that match the conditions set by the following items. |
| Direction | Specifies whether the IP packets are sent from the targeted Virtual Machine ("Outgoing") or received by it ("Incoming"). |
| Frame Type | Specifies either "IP", "ARP", or "Other". |
| Protocol | For IP packets, specifies the protocol: "ICMP", "TCP", or "UDP". |
| Source IP Address | Specifies the source IP address of IP packets by IP address and subnet mask. Multiple IP addresses or IP address ranges can be specified. |
| Source Port Number | Specifies the source port number of IP packets. |
| Destination IP Address | Specifies the destination IP address of IP packets by IP address and subnet mask. Multiple IP addresses or IP address ranges can be specified. |
| Destination Port Number | Specifies the destination port number of IP packets. |
- Some rules must be set to "Allow" in VM Firewall. Refer to the VM Firewall parameter sheet.
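As an added illustration of how the rule items above combine (this is example code, not part of the Enterprise Cloud documentation or the product), the evaluator below matches packets against a constructed policy. The rule keys, the first-match-wins ordering, and the default "Deny" for unmatched traffic are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy (assumption: first matching rule wins, default Deny).
# Each rule carries the items from the table above; a missing key means "any".
# "src"/"dst" are lists of address/mask entries, as the table allows several.
RULES = [
    {"action": "Allow", "direction": "Incoming", "frame": "IP", "protocol": "TCP",
     "src": ["10.0.0.0/24", "192.168.1.0/24"], "dst_port": 443},
    {"action": "Deny", "direction": "Incoming", "frame": "IP", "protocol": "TCP",
     "dst_port": 22},
    {"action": "Allow", "direction": "Outgoing", "frame": "IP", "protocol": "UDP",
     "dst_port": 53},
    {"action": "Allow", "direction": "Incoming", "frame": "ARP"},
]

def _in_nets(addr, nets):
    """True when addr falls inside at least one address/mask entry."""
    return addr is not None and any(
        ip_address(addr) in ip_network(n, strict=False) for n in nets)

def matches(rule, pkt):
    """pkt is a dict using the same keys as a rule (without 'action')."""
    if rule["direction"] != pkt["direction"] or rule["frame"] != pkt["frame"]:
        return False
    if rule["frame"] != "IP":
        return True                     # ARP/Other rules have no IP-level items
    for key in ("protocol", "src_port", "dst_port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and not _in_nets(pkt.get(key), rule[key]):
            return False
    return True

def decide(rules, pkt):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "Deny"

if __name__ == "__main__":
    https_in = {"direction": "Incoming", "frame": "IP", "protocol": "TCP",
                "src": "10.0.0.7", "dst": "10.0.1.5",
                "src_port": 51000, "dst_port": 443}
    print(decide(RULES, https_in))      # Allow
```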
7.11.3. Important Points
Virtual Machine System Requirements
| Item | Requirement |
|---|---|
| Memory Capacity | 512 MB or greater |
| Disk Capacity | 1 GB or greater |
| OS | The OSs listed in "Supported OS List of VM Anti-Virus, VM Virtual Patch, and VM Firewall" among the OSs available in Enterprise Cloud |
- When using Linux, confirm the kernel version.
- Set IPv6 correctly to ON or OFF on the guest OS when using VM Firewall.
- VM Firewall cannot be used together with any anti-virus software other than VM Anti-Virus. Before installing the VM Firewall agent software, always uninstall any other virus protection software.
- When uploading the agent software to a Virtual Machine, do not do so by mounting ISO image files or CD/DVD drives.
- The clock of the virtual server on which the agent software is installed must be synchronized, for example by NTP. If the time is not synchronized, activation of the agent software may fail.
- Port 4118 is used as the listening port for the agent software. This port number cannot be changed, so confirm that no other application on the virtual server where the agent software is installed uses the same port.
- The network interface stops while the agent software is being installed and takes a few seconds to recover. If DHCP is in use, a new DHCP request is issued, so a different IP address may be assigned to the recovered connection. See the following Web site for details.
- You are responsible for installing the agent software on the Virtual Machine.
- Log in to the target host as the administrator when installing the agent software.
| OS | Default Install Location |
|---|---|
| Windows | C:\Program Files\Trend Micro\Deep Security Agent |
| Red Hat Enterprise Linux | System files: /opt/ds_agent, /var/opt/ds_agent. Startup scripts: /etc/init.d/ds_agent, /etc/init.d/ds_filter. Communication channel between user-mode and kernel-mode components: /dev/dsa, /dev/dsa_ssl, /proc/driver/dsa |
- The install location can be changed. It may also change with agent software version updates.
- Set the routing from the Virtual Machine to the vFirewall/Integrated Network Appliance using either of the following methods:
  - Set the vFirewall/Integrated Network Appliance as the default gateway of the Virtual Machine.
  - Set the vFirewall/Integrated Network Appliance as the static route gateway for communication addressed to the Manager administered by NTT Communications.
- If a Virtual Machine that uses VM Firewall is connected to a Server Segment that is not directly connected to the vFirewall/Integrated Network Appliance, an additional Server Segment is required to connect the vFirewall/Integrated Network Appliance and the Virtual Machine directly.
The rule names for the VM Firewall are set automatically and cannot be changed.
The following traffic is blocked regardless of mode settings:
- TCP connections over 100,000
- UDP connections over 100,000
- Unusual traffic that does not conform to the RFCs or is suspected to be malformed:
  - No IP header
  - Source IP and destination IP are the same
  - Characters that are not valid in a URI
  - More than 100 "/" characters
  - "../../" climbing above the root
- Blocking may also result from a shortage of compute resources.
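The malformed-traffic conditions listed above, written as detection logic over a constructed packet record (example code added here, not part of the Enterprise Cloud documentation or the product). The packet dict layout and the reading of "text not available for a URI" as non-printable or non-ASCII characters are assumptions made for the example.

```python
from ipaddress import ip_address

def path_climbs_above_root(path):
    """True when a '..' segment moves above the root at any point in the path."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def sanity_violations(pkt):
    """Return the listed conditions the packet trips.

    pkt is a constructed dict: 'frame' ("IP"/"ARP"/"Other"), and for IP frames
    'src', 'dst' (addresses) and optionally 'uri' (request target as text).
    """
    problems = []
    if pkt.get("frame") != "IP":
        problems.append("no IP header")
        return problems                 # nothing IP-level to inspect
    if ip_address(pkt["src"]) == ip_address(pkt["dst"]):
        problems.append("source and destination IP are the same")
    uri = pkt.get("uri")
    if uri is not None:
        # Assumption: 'not available for a URI' = outside printable ASCII
        if any(not 0x20 <= ord(c) <= 0x7E for c in uri):
            problems.append("characters not valid in a URI")
        if uri.count("/") > 100:
            problems.append("more than 100 '/' characters")
        if path_climbs_above_root(uri.split("?", 1)[0]):
            problems.append("'../' climbs above the root")
    return problems

if __name__ == "__main__":
    sample = {"frame": "IP", "src": "10.0.0.5", "dst": "10.0.0.6",
              "uri": "/app/../../etc"}
    print(sanity_violations(sample))    # ["'../' climbs above the root"]
```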
You are responsible for monitoring the agent software (checking that it is activated at all times).
- If you use a Private Catalog to create and store a template of the Virtual Machine image, do so before installing the VM Firewall agent software. If a template is created and saved from the image of a Virtual Machine on which the VM Firewall agent software has been installed, or on which installation and activation (registration with the Manager administered by NTT Communications) has completed, then once a Virtual Machine is created from that template, VM Firewall can no longer be used on either the Virtual Machine used to create the template or the newly built Virtual Machine. The same applies to image backups.
The VM Firewall feature is provided without any guarantee of its integrity or accuracy, or of its suitability for your use.
The following information might be provided to the developers or distributors of the devices making up the VM Firewall feature.
- Configuration information obtained from providing VM Firewall
- Configuration information obtained from controlling VM Firewall
We cannot guarantee recovery from failures caused by incompatibility between the VM Firewall feature and your environment, or from failures caused by operations on your part other than those specified by NTT Communications.
The customer's environment may at times be affected by maintenance work. Advance notice will be sent when effects on the customer's environment are possible. This does not apply when we judge the maintenance work to be urgent for continuing the service.
Note for Enterprise Cloud 2.0 Host-based Security users: for inquiries about that menu, use the ticket system in Enterprise Cloud 2.0.