Working with Networks 1.10

SSL Certificate Management

The Networking software in the Cyfuture Cloud Console environment provides the ability to use Secure Sockets Layer (SSL) certificates with the SSL VPN-Plus and IPsec VPN tunnels you configure for your edge gateways.

The edge gateways in your Cyfuture Cloud Console environment support self-signed certificates and certificates signed by a Certification Authority (CA). You can generate certificate signing requests (CSRs), import certificates, manage the imported certificates, and import certificate revocation lists (CRLs).

 

About Using Certificates with Your Organization Virtual Data Center

You can manage certificates for the following networking areas in your Cyfuture Cloud Console organization virtual data center.

- IPsec VPN tunnels between an organization virtual data center network and a remote network.

- SSL VPN-Plus connections between remote users and private networks and web resources in your organization virtual data center.

- An L2 VPN tunnel between two Networking edge gateways.

- The virtual servers and pool servers configured for load balancing in your organization virtual data center.

 

How to Use Client Certificates

You can create a client certificate through a CLI command or REST call. You can then distribute this certificate to your remote users, who install it in their web browser.

The main benefit of implementing client certificates is that a reference client certificate for each remote user can be stored and checked against the client certificate presented by the remote user. To prevent future connections from a certain user, you can delete the reference certificate from the security server list of client certificates. Deleting the certificate denies connections from that user.

Generate a Certificate Signing Request for an Edge Gateway

Before you can order a signed certificate from a CA or create a self-signed certificate, you must generate a Certificate Signing Request (CSR) for your edge gateway.

A CSR is an encoded file that you generate on a Networking edge gateway that requires an SSL certificate. Using a CSR standardizes the way that companies send their public keys together with information that identifies their company names and domain names.

You generate a CSR with a matching private-key file that must remain on the edge gateway.

The CSR contains the matching public key and other information such as the name, location, and domain name of your organization.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Certificates tab.

3      On the Certificates tab, click CSR.

4      Configure the following options for the CSR:

 

Option / Description

Common Name
Enter the fully qualified domain name (FQDN) that the certificate will be used for (for example, www.example.com). Do not include the http:// or https:// prefix in the common name.

Organization Unit
Use this field to differentiate between divisions within your Cyfuture Cloud Console organization with which this certificate is associated. For example, Engineering or Sales.

Organization Name
Enter the name under which your company is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.

Locality
Enter the city or locality where your company is legally registered.

State or Province Name
Enter the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.

Country Code
Enter the two-letter ISO 3166-1 code of the country where your company is legally registered (for example, IN or US), not the country name.

Private Key Algorithm
Select the key type, either RSA or DSA, for the certificate. RSA is typically used. The key type is the public-key algorithm that the certificate's key pair uses to authenticate the edge gateway when a TLS or IKE session is set up; it is not the cipher that protects the traffic afterwards.

Note: SSL VPN-Plus supports RSA certificates only.

Key Size
Enter the key size in bits. The minimum is 2048 bits.

Description
(Optional) Enter a description for the certificate.

 

5      Click Keep.

The system generates the CSR and adds a new entry with type CSR to the on-screen list.

Results

In the on-screen list, when you select an entry with type CSR, the CSR details are displayed in the screen. You can copy the displayed PEM formatted data of the CSR and submit it to a certificate authority (CA) to obtain a CA-signed certificate.

What to do next

Use the CSR to create a service certificate using one of these two options:

- Transmit the CSR to a CA to obtain a CA-signed certificate. When the CA sends you the signed certificate, import the signed certificate into the system. See Import the CA-Signed Certificate Corresponding to the CSR Generated for an Edge Gateway.

- Use the CSR to create a self-signed certificate. See Configure a Self-Signed Service Certificate.

 

Import the CA-Signed Certificate Corresponding to the CSR Generated for an Edge Gateway

After you generate a Certificate Signing Request (CSR) and obtain the CA-signed certificate based on that CSR, you can import the CA-signed certificate to use it by your edge gateway.

Prerequisites

Verify that you obtained the CA-signed certificate that corresponds to the CSR. The import succeeds only if the public key in the CA-signed certificate belongs to the private key that was generated with the selected CSR; a certificate issued for a different key pair is rejected.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Certificates tab.

3      Select the CSR in the on-screen table for which you are importing the CA-signed certificate.

4      Import the signed certificate.

a         Click Signed certificate generated for CSR.

b         Provide the PEM data of the CA-signed certificate.

- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.

- If you can copy and paste the PEM data, paste it into the Signed Certificate (PEM format) field. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

c         (Optional) Type a description.

d    Click Keep.

Note: If the public key in the CA-signed certificate does not belong to the private key of the CSR you selected on the Certificates screen, the import process fails.

Results

The CA-signed certificate with type Service Certificate appears in the on-screen list.

What to do next

Attach the CA-signed certificate to your SSL VPN-Plus or IPsec VPN tunnels as required. See Configure SSL VPN Server Settings and Specify Global IPsec VPN Settings.

 

Configure a Self-Signed Service Certificate

You can configure self-signed service certificates on your edge gateways for use in their VPN-related capabilities. You can create, install, and manage self-signed certificates.

If the service certificate is available on the Certificates screen, you can specify that service certificate when you configure the VPN-related settings of the edge gateway. The VPN presents the specified service certificate to the clients accessing the VPN.

 

Prerequisites

Verify that at least one CSR is available on the Certificates screen for the edge gateway. See Generate a Certificate Signing Request for an Edge Gateway.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Certificates tab.

3      Select the CSR in the list that you want to use for this self-signed certificate and click Self-sign CSR.

4      Type the number of days that the self-signed certificate is valid for.

 

5      Click Keep.

The system generates the self-signed certificate and adds a new entry with type Service Certificate to the on-screen list.

 

Results

The self-signed certificate is available on the edge gateway. In the on-screen list, when you select an entry with type Service Certificate, its details are displayed in the screen.
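The three procedures above (generate a CSR, import the CA-signed certificate, self-sign the CSR) reproduced with the openssl command line, as an added example that is not part of the Cyfuture Cloud Console product or its documentation. It assumes the openssl binary is installed; the subject values (vpn.example.com, Example Corp, Noida) and the Example Corp Root CA that stands in for a public CA are made up. It also shows the check the import step performs: the public key in the certificate that comes back must belong to the private key generated with the CSR.

```shell
#!/bin/sh
# Added example (not part of the Cyfuture Cloud Console product): the CSR, import and
# self-sign steps reproduced with the openssl CLI. Subject values are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step "CSR": a 2048-bit RSA key (the minimum the Key Size field accepts; SSL VPN-Plus
# takes RSA only) and a CSR carrying the Option-table fields as its subject.
# The private key stays here; only edge.csr is sent to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/edge.key" -out "$WORK/edge.csr" \
    -subj "/C=IN/ST=Uttar Pradesh/L=Noida/O=Example Corp/OU=Engineering/CN=vpn.example.com" \
    >/dev/null 2>&1
}

# Key length in bits, for the "minimum 2048 bits" rule (and the FIPS rule later on this page).
key_bits() {  # $1 = private key file
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Subject the CA will copy into the certificate. -verify also checks the CSR's own
# signature, so a request altered in transit is rejected.
csr_subject() {
  openssl req -in "$WORK/edge.csr" -noout -verify -subject 2>/dev/null | sed -n 's/^subject=//p'
}

# A throwaway CA standing in for the CA you would submit the CSR to.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=IN/O=Example Corp/CN=Example Corp Root CA" >/dev/null 2>&1
}

# What the CA sends back (step "Import the CA-Signed Certificate").
ca_sign() {  # $1 = output certificate file
  openssl x509 -req -in "$WORK/edge.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$1" >/dev/null 2>&1
}

# Step "Self-sign CSR": the same CSR signed with its own key, valid for $1 days.
self_sign() {  # $1 = days, $2 = output certificate file
  openssl x509 -req -in "$WORK/edge.csr" -signkey "$WORK/edge.key" \
    -days "$1" -sha256 -out "$2" >/dev/null 2>&1
}

# The check the import performs: the public key inside the certificate must be the one
# that pairs with the CSR's private key. Compare the DER SubjectPublicKeyInfo of both.
keys_match() {  # $1 = private key file, $2 = certificate file; exit 0 if they pair up
  k="$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')"
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_csr
make_ca
ca_sign "$WORK/edge-ca.crt"
self_sign 365 "$WORK/edge-self.crt"
echo "key bits:    $(key_bits "$WORK/edge.key")"
echo "CSR subject: $(csr_subject)"
openssl x509 -in "$WORK/edge-ca.crt" -noout -issuer -dates
keys_match "$WORK/edge.key" "$WORK/edge-ca.crt" && echo "edge.key pairs with the CA-signed cert: import succeeds"
keys_match "$WORK/ca.key" "$WORK/edge-ca.crt" || echo "ca.key does not pair with it: import would fail"
```

Run it as a script; key_bits, csr_subject and keys_match are the checks worth keeping around. Current OpenSSL writes the key with a -----BEGIN PRIVATE KEY----- header (PKCS#8); the service-certificate import later on this page asks for the traditional -----BEGIN RSA PRIVATE KEY----- encoding, which `openssl rsa -in edge.key -traditional -out edge-rsa.key` produces on OpenSSL 3 (OpenSSL 1.1.1 writes it by default), and adding -aes256 to that command encrypts the key under the passphrase that import step asks for.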

 

Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification

Adding a CA certificate to an edge gateway enables trust verification of SSL certificates that are presented to the edge gateway for authentication, typically the client certificates used in VPN connections to the edge gateway.

You usually add the root certificate of your company or organization as a CA certificate. A typical use is for SSL VPN, where you want to authenticate VPN clients using certificates. Client certificates can be distributed to the VPN clients, and when the VPN clients connect, their client certificates are validated against the CA certificate.

Note When adding a CA certificate, you typically configure a relevant Certificate Revocation List (CRL). The CRL protects against clients that present revoked certificates. See Add a Certificate Revocation List to an Edge Gateway.

Prerequisites

Verify that you have the CA certificate data in PEM format. In the user interface, you can either paste in the PEM data of the CA certificate or browse to a file that contains the data and is available in your network from your local system.

 

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Certificates tab.

3      Click CA certificate.

4      Provide the CA certificate data.

- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.

- If you can copy and paste the PEM data, paste it into the CA Certificate (PEM format) field. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

5      (Optional) Type a description.

 

6      Click Keep.

 

Results

The CA certificate with type CA Certificate appears in the on-screen list. This CA certificate is now available for you to specify when you configure the VPN-related settings of the edge gateway.

 Add a Certificate Revocation List to an Edge Gateway

A Certificate Revocation List (CRL) is a signed list of the certificates that the issuing Certificate Authority (CA) has revoked before their expiry date, so that systems that trust the CA can be updated to refuse clients that present those certificates. You can add CRLs to the edge gateway.

As described in the Networking Administration Guide, the CRL contains the following items:

 

- The serial numbers of the revoked certificates and the reason for each revocation

- The date on which the CRL was issued and the revocation date of each entry

- The CA that issued the CRL, which is the CA that issued the revoked certificates

- The date by which the next CRL is expected to be published (Next Update)

When a client presents a certificate, the server checks its serial number against the CRL of the issuing CA and denies the connection if the certificate is listed, even though the certificate is otherwise validly signed and unexpired.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Certificates tab.

3      Click CRL.

4      Provide the CRL data.

- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.

- If you can copy and paste the PEM data, paste it into the CRL (PEM format) field. Include the -----BEGIN X509 CRL----- and -----END X509 CRL----- lines.

5      (Optional) Type a description.

6      Click Keep.

Results

The CRL appears in the on-screen list.
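The client-certificate flow described under How to Use Client Certificates, the CA-certificate trust check, and the CRL contents listed above, worked through with the openssl CLI as an added example that is not part of the product or its documentation. It assumes openssl is installed; the CA name and the users alice and bob are made up. A throwaway CA issues two client certificates, revokes bob's, publishes a CRL, and client_allowed reproduces the decision a server holding the CA certificate and that CRL makes: alice is accepted, bob is refused even though his certificate is still validly signed and unexpired.

```shell
#!/bin/sh
# Added example (not part of the Cyfuture Cloud Console product): a throwaway CA, two
# client certificates, a CRL revoking one of them, and the accept/deny decision a server
# holding the CA certificate plus that CRL makes. CA name and users are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for openssl req/ca: index.txt is the CA's record of issued certificates,
# crlnumber the counter that distinguishes successive CRL releases.
setup_ca() {
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout ca.key -out ca.crt -subj "/O=Example Corp/CN=Example Corp Root CA" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1   # empty CRL: nothing revoked yet
}

# Issue a client certificate, the file you would hand to a remote user.
issue_client() {  # $1 = user name
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# Revoke one client and publish a fresh CRL; ca.crl is what the "Add a CRL" step imports.
revoke_client() {  # $1 = user name, $2 = reason: keyCompromise, superseded, cessationOfOperation, ...
  openssl ca -config ca.cnf -revoke "$1.crt" -crl_reason "$2" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# The server's decision: chain to the trusted CA certificate and consult the CRL. Exit 0 = allow.
client_allowed() {  # $1 = user name
  openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check "$1.crt" >/dev/null 2>&1
}

# Serial numbers the CRL lists as revoked, one per line.
crl_revoked_serials() {
  openssl crl -in ca.crl -noout -text | sed -n 's/^ *Serial Number: *//p'
}

setup_ca
issue_client alice
issue_client bob
revoke_client bob keyCompromise
for u in alice bob; do
  if client_allowed "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
echo "revoked serials: $(crl_revoked_serials | tr '\n' ' ')"
openssl crl -in ca.crl -noout -issuer -lastupdate -nextupdate
```

`openssl crl -in ca.crl -noout -text` shows the fields the list above names: the issuer, Last Update, Next Update (default_crl_days ahead), and one Revoked Certificates entry with its serial number, revocation date and CRL Reason Code. Without -CRLfile and -crl_check, openssl verify still accepts bob.crt, which is why a CA certificate added to the gateway should be paired with its CRL, and why the CRL has to be refreshed before its Next Update passes.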

 Add a Service Certificate to the Edge Gateway

Adding service certificates to an edge gateway makes those certificates available for use in the VPN-related settings of the edge gateway. You can add a service certificate to the Certificates screen.

 

Prerequisites

 

Verify that you have the service certificate and its private key in PEM format. In the user interface, you can either paste in the PEM data or browse to a file that contains the data and is available in your network from your local system.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Certificates tab.

3      Click Service certificate.

4      Input the PEM-formatted data of the service certificate.

- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.

- If you can copy and paste the PEM data, paste it into the Service Certificate (PEM format) field. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

5      Input the PEM-formatted data of the certificate private key.

When FIPS mode is on, RSA key sizes must be greater than or equal to 2048 bits.

- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.

- If you can copy and paste the PEM data, paste it into the Private Key (PEM format) field. Include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.

6      Enter a private key passphrase and confirm it.

7      (Optional) Enter a description.

8      Click Keep.

Results

The certificate with type Service Certificate appears in the on-screen list. This service certificate is now available for you to select when you configure the VPN-related settings of the edge gateway.

Custom Grouping Objects

The Networking software in your Cyfuture Cloud Console environment provides the capability for defining sets and groups of certain entities, which you can then use when specifying other network-related configurations, such as in firewall rules.

Create an IP Set for Use in Firewall Rules and DHCP Relay Configuration

An IP set is a group of IP addresses that you can create at an organization virtual data center level. You can use an IP set as the source or destination in a firewall rule or in a DHCP relay configuration.

You create an IP set by using the Grouping Objects page of the Cyfuture Cloud Console tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

 Procedure

1      Open the Grouping Objects page.

 

Option

Action

Open through Edge Gateway Services

a       Navigate to Networking > Edges.

b       Select the edge gateway that you want to edit, and click Configure Services.

c       Click Grouping Objects.

Open through Security Services

a       Navigate to Networking > Security.

b       Select the security service that you want to edit, and click Configure Services.

c       Click Grouping Objects.

 

2      Click the IP Sets tab.

The IP sets that are already defined are displayed on the screen.

3      To add an IP set, click the Create button.

4      Enter a name for the IP set, optionally a description, and the IP addresses to be included in the set.

5      (Optional) If you are specifying the IP set using the Grouping Objects page on the Services screen, use the Inheritance toggle to enable inheritance and allow visibility at the underlying scopes.

Inheritance is enabled by default.

6      To save this IP set, click Keep.

Results

The new IP set is available for selection as the source or destination in firewall rules or in DHCP relay configurations.

Create a MAC Set for Use in Firewall Rules

A MAC set is a group of MAC addresses that you can create at an organization virtual data center level. You can use a MAC set as the source or destination in a firewall rule.

You create a MAC set using the Grouping Objects page of the Cyfuture Cloud Console tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

  Procedure

1      Open the Grouping Objects page.

 

Option

Action

Open through Edge Gateway Services

a       Navigate to Networking > Edges.

b       Select the edge gateway that you want to edit, and click Configure Services.

c       Click Grouping Objects.

Open through Security Services

a       Navigate to Networking > Security.

b       Select the security service that you want to edit, and click Configure Services.

c       Click Grouping Objects.

 

2      Click the MAC Sets tab.

The MAC sets that are already defined are displayed on the screen.

3      To add a MAC set, click the Create button.

4      Enter a name for the set, optionally a description, and the MAC addresses to be included in the set.

5      (Optional) If you are specifying the MAC set using the Grouping Objects page on the Services screen, use the Inheritance toggle to enable inheritance and allow visibility at underlying scopes.

Inheritance is enabled by default.

6      To save the MAC set, click Keep.

Results

The new MAC set is available for selection as the source or destination in firewall rules.

 View Services Available for Firewall Rules

You can view the list of services that are available for use in firewall rules. In this context, a service is a protocol-port combination.

You can view the available services using the Grouping Objects page of the Cyfuture Cloud Console tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

You cannot add new services to the list using the tenant portal. The set of services available for your use is managed by your Cyfuture Cloud Console system administrator.

 Procedure

1      Open the Grouping Objects page.

 

Option

Action

Open through Edge Gateway Services

a       Navigate to Networking > Edges.

b       Select the edge gateway that you want to edit, and click Configure Services.

c       Click Grouping Objects.

Open through Security Services

a       Navigate to Networking > Security.

b       Select the security service that you want to edit, and click Configure Services.

c       Click Grouping Objects.

 

2      Click the Services tab.

Results

The available services are displayed on the screen.

View Service Groups Available for Firewall Rules

You can view the list of service groups that are available for use in firewall rules. In this context, a service is a protocol-port combination, and a service group is a group of services or other service groups.

You can view the available service groups using the Grouping Objects page of the Cyfuture Cloud Console tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

You cannot create service groups using the tenant portal. The set of service groups available for your use is managed by your Cyfuture Cloud Console system administrator.

Procedure

1      Open the Grouping Objects page.

Option

Action

Open through Edge Gateway Services

a       Navigate to Networking > Edges.

b       Select the edge gateway that you want to edit, and click Configure Services.

c       Click Grouping Objects.

Open through Security Services

a       Navigate to Networking > Security.

b       Select the security service that you want to edit, and click Configure Services.

c       Click Grouping Objects.

 

2      Click the Service Groups tab.

Results

The available service groups are displayed on the screen. The Description column displays the services that are grouped in each service group.

Statistics and Logs for an Edge Gateway

You can view statistics and logs for an edge gateway.

View Statistics

You can view statistics on the Edge Gateway Services screen.

 

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Statistics tab.

3      Navigate through the tabs depending on the type of statistics you want to see.

 

Option

Description

Connections

The Connections screen provides operational visibility. The screen displays graphs for the traffic flowing through the interfaces of the selected edge gateway and for the firewall.

Select the period for which you want to view the statistics.

IPsec VPN

The IPsec VPN screen displays the IPsec VPN status and statistics, and status and statistics for each tunnel.

L2 VPN

The L2 VPN screen displays the L2 VPN status and statistics.

 

Enable Logging

You can enable logging for an edge gateway. In addition to enabling logging for the features for which you want to collect log data, you must have a Syslog server to receive the collected log data. When you configure a Syslog server on the Edge Settings screen, you can access the logged data from that Syslog server.

 

Prerequisites

- Verify that you are an organization administrator or you are assigned a role that includes an equivalent set of rights.

- Verify that your role includes the Configure System Logging right.

Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      On the Edge Settings tab, click the Edit Syslog server button.

You can customize the Syslog server for the networking-related logs of your edge gateway for those services that have logging enabled.

If the Cyfuture Cloud Console system administrator has already configured a Syslog server for the Cyfuture Cloud Console environment, the system uses that Syslog server by default and its IP address is displayed on the Edge Settings screen.

3      Enable logging per feature.

- On the NAT tab, click the DNAT Rule button, and turn on the Enable logging toggle. Logs the address translation.

- On the NAT tab, click the SNAT Rule button, and turn on the Enable logging toggle. Logs the address translation.

- On the Routing tab, click Routing Configuration, and under Dynamic Routing Configuration, turn on the Enable logging toggle. Logs the dynamic routing activities. From the Log Level drop-down menu, you can select the lowest message severity level to log.

- On the Load Balancer tab, click Global Configuration, and turn on the Enable logging toggle. Logs the traffic flow for the load balancer. From the Log Level drop-down menu, you can select the lowest message severity level to log.

- On the VPN tab, navigate to IPsec VPN > Logging Settings, and turn on the Enable logging toggle. Logs the traffic flow between the local subnet and the peer subnet. From the Log Level drop-down menu, you can select the lowest message severity level to log.

- On the SSL VPN-Plus tab, click General Settings, and turn on the Enable logging toggle. Maintains a log of the traffic passing through the SSL VPN gateway.

- On the SSL VPN-Plus tab, click Server Settings, and turn on the Enable logging toggle. Logs the activities that occur on the SSL VPN server to Syslog. From the Log Level drop-down menu, you can select the lowest message severity level to log.

 

Enable SSH Command-Line Access to an Edge Gateway

You can enable SSH command-line access to an edge gateway.

 Procedure

1      Open Edge Gateway Services.

a      In the top navigation bar, click Networking and click Edge Gateways.

b     Select the edge gateway that you want to edit and click Services.

2      Click the Edge Settings tab.

3      Configure the SSH settings.

 

Option

Description

Username, Password, Retype Password
Enter the credentials for SSH access to this edge gateway. By default, the SSH user name is admin.

Password Expiry

Enter the expiration period for the password, in days.

Login Banner

Enter the text to be displayed to users when they begin an SSH connection to the edge gateway.

 

4      Turn on the Enabled toggle.

 

What to do next

Configure the appropriate NAT or firewall rules to allow SSH access to this edge gateway.

Working with Security Tags

Security tags are labels which can be associated with a virtual machine or a group of virtual machines. Security tags are designed to be used with security groups. Once you create the security tags, you associate them with a security group which can be used in firewall rules. You can create, edit, or assign a user-defined security tag. You can also view which virtual machines or security groups have a particular security tag applied.

A common use case for security tags is to dynamically group objects to simplify firewall rules. For example, you might create several different security tags based on the type of activity you expect to occur on a given virtual machine. You create a security tag for database servers and another one for email servers. Then you apply the appropriate tag to virtual machines that house database servers or email servers. Later, you can assign the tag to a security group, and write a firewall rule against it, applying different security settings depending on whether the virtual machine is running a database server or an email server. Later, if you change the functionality of the virtual machine, you can remove the virtual machine from the security tag rather than editing the firewall rule.

Create and Assign Security Tags

You can create a security tag and assign it to a virtual machine or a group of virtual machines.

 Procedure

1      On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2      Select a security service and click Configure services.

3      Click the Security Tags tab.

4      Click the Create button, and enter a name for the security tag.

5      (Optional) Enter a description for the security tag.

6      (Optional) Assign the security tag to a virtual machine or a group of virtual machines.

In the Browse objects of type drop-down menu, Virtual Machines is selected by default.

a      Select a virtual machine from the left panel.

b      Assign the security tag to the selected virtual machine by clicking the right arrow.

 

The virtual machine moves to the right panel and is assigned the security tag.

7      When you complete assigning the tag to the selected virtual machines, click Keep.

Results

The security tag is created and, if you chose to assign it, is assigned to the selected virtual machines.

What to do next

Security tags are designed to work with a security group. For more information about creating security groups, see Create a Security Group.

 

Change the Security Tag Assignment

After you create a security tag, you can manually assign it to virtual machines. You can also edit a security tag to remove the tag from the virtual machines to which you have already assigned it.

If you have created security tags, you can assign them to virtual machines. You can use security tags to group virtual machines for writing firewall rules. For example, you might assign a security tag to a group of virtual machines with highly sensitive data.

 

Procedure

1      On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2      Select a security service and click Configure services.

3      Click the Security Tags tab.

4      From the list of security tags, select the security tag that you want to edit, and click the Edit button.

 

5      Select virtual machines from the left panel, and assign the security tag to them by clicking the right arrow.

The virtual machines in the right panel are assigned the security tag.

 

6      Select virtual machines in the right panel, and remove the tag from them by clicking the left arrow.

The virtual machines in the left panel do not have the security tag assigned.

 

7      When you finish adding your changes, click Keep.

Results

The security tag is assigned to the selected virtual machines.

What to do next

Security tags are designed to work with a security group. For more information about creating security groups, see Create a Security Group.

View Applied Security Tags

You can view the security tags applied to virtual machines in your environment. You can also see the security tags that are applied to security groups in your environment.

Prerequisites

A security tag must have been created and applied to a virtual machine or to a security group.

Procedure

1      On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2      Select a security service and click Configure services.

3      View the assigned tags from the Security Tags tab.

a         On the Security Tags tab, select the security tag for which you want to see assignments, and click the Edit icon.

b         Under Assign/Unassign VMs, you can see the list of virtual machines assigned to the security tag.

c         Click Discard.

4      View the assigned tags from the Security Groups tab.

a      Click the Grouping Objects tab, and click Security Groups.

b     Select a security group.

c      From the list under Include Members, you can see the security tag assigned to a security group.

 Results

You can view the existing security tags and associated virtual machines and security groups. This way, you can determine a strategy for creating firewall rules based on security tags and security groups.

 Edit a Security Tag

You can edit a user-defined security tag.

If you change the environment or function of a virtual machine, you might also want to use a different security tag so that the firewall rules stay correct for the new machine configuration. For example, if a virtual machine no longer stores sensitive data, you might assign it a different security tag so that the firewall rules that apply to sensitive data are no longer applied to that virtual machine.

Procedure

1      On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2      Select a security service and click Configure services.

3      Click the Security Tags tab.

4      From the list of security tags, select the security tag that you want to edit.

5      Click the Edit button.

6      Edit the name and the description of the security tag.

7      Assign the tag to or remove the assignment from the virtual machines that you select.

8      To save your changes, click Keep.

What to do next

 

If you edit a security tag, you might also need to edit an associated security group or firewall rules. For more information about security groups, see Working with Security Groups.

 Delete a Security Tag

You can delete a user-defined security tag.

 

You might want to delete a security tag if the function or environment of the virtual machine changes. For example, if you have a security tag for Oracle databases, but you decide to use a different database server, you can remove the security tag so that firewall rules that apply to Oracle databases no longer run against the virtual machine.

 Procedure

1      On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2      Select a security service and click Configure services.

3      Click the Security Tags tab.

4      From the list of security tags, select the security tag that you want to delete.

5      Click the Delete button.

6      To confirm the deletion, click OK.

Results

The security tag is deleted.

What to do next

If you delete a security tag, you might also need to edit an associated security group or firewall rules. For more information about security groups, see Working with Security Groups.

Working with Security Groups

A security group is a collection of assets or grouping objects, such as virtual machines, organization virtual data center networks, or security tags.

Security groups can have dynamic membership criteria based on security tags, virtual machine name, virtual machine guest OS name, or virtual machine guest host name. For example, all virtual machines that have the security tag "web" will be automatically added to a specific security group destined for Web servers. After creating a security group, a security policy is applied to that group.

Create a Security Group

You can create user-defined security groups.

Prerequisites

If you want to use security tags with security groups, first complete Create and Assign Security Tags.

Procedure

1      Open the Security Services.

a         Navigate to Networking > Security.

b         Select the organization VDC for which you want to apply security settings, and click Configure Services.

The tenant portal opens Security Services.

2      Navigate to Grouping Objects > Security Groups.

The Security Groups page opens.

3      Click the Create button.

4      Enter a name and, optionally, a description for the security group.

The description displays in the list of security groups, so adding a meaningful description can make it easy to identify the security group at a glance.

5      (Optional) Add a dynamic member set.

a         Click the Add button under Dynamic Member Sets.

b         Select whether to match Any or All of the criteria in your statement.

c         Enter the first object to match.

The options are Security Tag, VM Guest OS Name, VM Name, and VM Guest Host Name.

d         Select an operator, such as Contains, Starts with, or Ends with.

e         Enter a value.

f          (Optional) To add another statement, use a Boolean operator And or Or.

6      (Optional) Include Members.

a         From the Browse objects of type drop-down menu, select the type of objects, such as Virtual Machines, Org VDC networks, IP sets, MAC sets, or Security tags.

b         To include an object in the Include Members list, select the object from the left panel, and move it to the right panel by clicking the right arrow.

7      (Optional) Exclude members.

a         From the Browse objects of type drop-down menu, select the type of objects, such as Virtual Machines, Org VDC networks, IP sets, MAC sets, or Security tags.

b         To include an object in the Exclude Members list, select the object from the left panel, and move it to the right panel by clicking the right arrow.

8      To preserve your changes, click Keep.

Results

The security group can now be used in rules, such as firewall rules.
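The membership model described in the overview above and in the Create a Security Group procedure, as an added worked example in Python that is not part of this guide or of the Cyfuture Cloud Console software. The inventory is constructed, and the way several member sets are combined (OR) and the precedence of Exclude Members over Include Members and dynamic matches are assumptions made for the example.

```python
# Added example (constructed, not Cyfuture Cloud Console or NSX code): a model of
# how security-group membership resolves under the rules described in this guide.
# Assumed: statements in one dynamic member set combine via Any/All, several member
# sets are OR'd, Include Members always belong, Exclude Members always win.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str            # VM Name
    guest_os: str        # VM Guest OS Name
    guest_host: str      # VM Guest Host Name
    tags: set = field(default_factory=set)   # assigned security tags

# Operators named in step 5d of the procedure.
OPERATORS = {
    "Contains": lambda attr, val: val in attr,
    "Starts with": lambda attr, val: attr.startswith(val),
    "Ends with": lambda attr, val: attr.endswith(val),
}

def attribute_values(vm, obj):
    # Objects from step 5c; a VM may carry several tags, so Security Tag is a list.
    return {"VM Name": [vm.name], "VM Guest OS Name": [vm.guest_os],
            "VM Guest Host Name": [vm.guest_host], "Security Tag": sorted(vm.tags)}[obj]

def statement_matches(vm, obj, op, value):
    return any(OPERATORS[op](v, value) for v in attribute_values(vm, obj))

def member_set_matches(vm, match, statements):
    # match is "Any" or "All" (step 5b); statements are (object, operator, value).
    hits = [statement_matches(vm, *s) for s in statements]
    return all(hits) if match == "All" else any(hits)

def resolve_members(vms, member_sets=(), include=(), exclude=()):
    """Names of the VMs that are members of the group with the current inventory."""
    members = set()
    for vm in vms:
        if vm.name in exclude:          # Exclude Members override everything else
            continue
        if vm.name in include or any(member_set_matches(vm, m, s) for m, s in member_sets):
            members.add(vm.name)
    return members
# Constructed inventory illustrating the "web" tag example from the overview.
VMS = [
    VM("web-01", "Ubuntu 22.04", "web-01.corp.internal", {"web"}),
    VM("web-02", "Windows Server 2022", "web-02.corp.internal", {"web", "sensitive"}),
    VM("db-01", "Oracle Linux 9", "db-01.corp.internal", {"oracle"}),
    VM("jump-01", "Ubuntu 22.04", "jump-01.corp.internal"),
]
WEB_SET = ("Any", [("Security Tag", "Contains", "web"), ("VM Name", "Starts with", "web-")])
```

Removing or changing a VM's tag changes the resolved membership immediately, which is why the Edit and Delete Security Tag topics above tell you to revisit the groups and firewall rules that depend on it.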

Edit a Security Group

You can edit user-defined security groups.

Procedure

1      Open the Security Services.

a         Navigate to Networking > Security.

b         Select the organization VDC for which you want to apply security settings, and click Configure Services.

The tenant portal opens Security Services.

2      Navigate to Grouping Objects > Security Groups.

The Security Groups page opens.

3      Select the security group you want to edit.

The details for the security group display below the list of security groups.

4      (Optional) Edit the name and the description of the security group.

5      (Optional) Add a dynamic member set.

a         Click the Add button under Dynamic Member Sets.

b         Select whether to match Any or All of the criteria in your statement.

c         Enter the first object to match.

The options are Security Tag, VM Guest OS Name, VM Name, and VM Guest Host Name.

d         Select an operator, such as Contains, Starts with, or Ends with.

e         Enter a value.

f          (Optional) To add another statement, use a Boolean operator And or Or.

6      (Optional) Edit a dynamic member set by clicking the Edit icon next to the member set that you want to edit.

a         Apply the necessary changes to the dynamic member set.

b         Click OK.

7      (Optional) Delete a dynamic member set by clicking the Delete icon next to the member set that you want to delete.

8      (Optional) Edit the included members list by clicking the Edit icon next to the Include Members list.

a         From the Browse objects of type drop-down menu, select the type of objects, such as Virtual Machines, Org VDC networks, IP sets, MAC sets, or Security tags.

b         To include an object in the include members list, select the object from the left panel, and move it to the right panel by clicking the right arrow.

c         To exclude an object from the include members list, select the object from the right panel, and move it to the left panel by clicking the left arrow.

9      (Optional) Edit the excluded members list by clicking the Edit icon next to the Exclude Members list.

a         From the Browse objects of type drop-down menu, select the type of objects, such as Virtual Machines, Org VDC networks, IP sets, MAC sets, or Security tags.

b         To include an object in the exclude members list, select the object from the left panel, and move it to the right panel by clicking the right arrow.

c         To exclude an object from the exclude members list, select the object from the right panel, and move it to the left panel by clicking the left arrow.

10   Click Save changes.

The changes to the security group are saved.

Delete a Security Group

You can delete a user-defined security group.

Procedure

1      Open the Security Services.

a         Navigate to Networking > Security.

b         Select the organization VDC for which you want to apply security settings, and click Configure Services.

The tenant portal opens Security Services.

2      Navigate to Grouping Objects > Security Groups.

The Security Groups page opens.

3      Select the security group you want to delete.

4      Click the Delete button.

5      To confirm the deletion, click OK.

Results

The security group is deleted.

