BISGInc
Contributor

VShield Edge 5 - STILL not ready for production

The short version: vShield Edge is a HORRIFIC implementation that should be avoided at all costs.

The long version:

IPSec Instability - tunnels created with VSE have proven to be unreliable. They bounce up and down like a pogo stick, and for seemingly no reason. We removed VSE from the equation and terminated the same tunnels (with no changes on the far end) onto hardware-based devices and every single problem went away. The remote devices were Cisco ASAs and SonicWalls and both had the same issue.

Rule Maintenance - Maintaining the rule database is insanely tedious. There is no ability to copy rules.  There is no ability to create rule groups or object groups.

Double Entry - With static NAT assignments in place, every firewall rule requires two entries: one "into" the external IP and one "out of" the internal IP.  As maddening as this is, the worst part is that it took two VMware support engineers to figure this out because there is no documentation and even those on the VShield support team seem to struggle to make the thing work.

No Documentation - Whereas the documentation for the admittedly far more advanced Cisco ASA is many book volumes in length, the vShield Edge documentation is barely TWO PAGES.

Backup Issues - For those of us that are in multi-tenant environments, a single VSE cannot be backed up or restored.  It is an all-or-nothing proposition, and this alone should disqualify its use.

No Debugging - When things do not go as planned, such as the aforementioned IPSec issue, there are virtually no debugging options available to the network engineer.  What is there is useless.

In the end, the idea of having a fully functional virtual firewall appliance is definitely attractive.  However, VSE 5 is alpha-quality code at best and should not, under any circumstances, be used in a production environment.

Rick

6 Replies
neyz
Contributor

IPSec Instability : I haven't had any issues with it for now but only tested with some Juniper equipment.

Rule Maintenance: This is a PAIN to maintain, I can only agree; something needs to be done. Also, I managed to create some IP groups at the datacenter level, but I can't seem to use them inside the edge interface. It seems to me the grouping function is more there for vShield App than Edge, but then again, all inbound / outbound rules need to be configured at the edge level, so it's all nice and fancy to be able to group and whatever with App, but we need to be able to do the same in Edge and have some sort of datacenter-level management.

Double Entry - With static NAT assignments in place: Took me a while to figure this out too, and when you add in an IPSec interface you have to keep in mind the end point is after the external interface but before the internal interface. Documentation was... wait... which documentation?

No Documentation - Agree

Backup Issues: This is just dumb. I can't understand why. Having some sort of versioning would also be pretty nice, to be able to roll back, etc.

No Debugging: I haven't tried out the syslog export but was kind of hoping it would be verbose enough to be able to debug things. It's a pity.

I wouldn't say VSE5 is alpha-quality code, because I haven't experienced instabilities or anything, but it's definitely hard to sell to people used to deploying pfSense instances, which are more functional and free.

arvep
Contributor

Any response from VMware on this matter?

mcowger
Immortal

This is a user-to-user forum, not really a good place to get an official response.

If you need an official response, contacting your VMware account team would be the better choice.

--Matt VCDX #52 blog.cowger.us
BISGInc
Contributor

Actually, yes... there was a response from VMware.

On the issue of IPSec instability, the engineering team was apparently able to reproduce the issue and they believe they have fixed it. The fix will appear in a pending update.

On the backup issue, this is also supposed to be addressed in a forthcoming update. This update will apparently permit the backup and restore of a single VSE instance without having to back up and restore ALL VSE instances at once.

<edited by mcowger to remove references outside forum rules>

I do hope that they address the rule maintenance, documentation, and debugging issues as well, though I've not heard anything on these three issues.

kjbarrass
Contributor

IPSec Instability - We don't have many VPNs deployed but have had no issues with VPN on either vShield 4.1 or 5 from Cisco devices.

Rule Maintenance - The vShield Manager user interface isn't bad, but you can also use the REST API to create large numbers of rules or copy/paste rules.

Double Entry - As far as I can tell the documentation reflects this now.

No Documentation - no comment.

Backup Issues - In our environment we use the backup schedule in the vShield Manager but have also developed some RESTful scripts that back up each vShield Edge individually and will allow us to restore individually.

No Debugging - We have not had to do a great deal of debugging on VPN, but what CLI show commands there are seemed sufficient. The firewall CLI show and debug commands are pretty good and allow you to trace packets through the vShield Edge.

mattdreyer
VMware Employee

Hi there-

Thank you to everyone on this thread for being part of over 2,000 vShield customers worldwide. We appreciate your feedback and the time you invest in giving it. In the upcoming months you will see a concerted effort to improve the usability and documentation of vShield products. Our current set of technical documentation can be found in the Technical Papers area of the website at http://www.vmware.com/resources/techresources/cat/91,190. We are already in progress with our first TechNote around vShield Edge and are focusing it around a simple DMZ use case defending a couple of servers. Expect to see this document on the website by the end of February.

What other scenarios would you like to see documented?

-Matt
