Our firewall team has recommended using vShields to limit the use of physical firewalls in one of our clusters. I'm not familiar with how they work, but I understand the concepts of the different trust zones. I'm looking for some more insight into how they work.
We have a 2-ESX cluster. I've installed the vShield Manager and installed one vShield zone per ESX host. It then created 2 VMs, each labeled "vShield-FW-ESXHOSTNAME". It also creates a network called vmservice-vshield-pg (these are all defaults). The 2 FW VMs have the same IP as the vShield Manager.
So my question is, is it possible to give my firewall team access to these virtual firewalls via an SSH connection? I can SSH to the vShield Manager, but I'm not sure if that's the actual firewall or not.
Maybe I just need someone to break down how it works so I can see if it will fit in our environment. I plan on taking the online Manage and Design for Security class, but it's not for a month or so and I want to get a start on this.
The vShield agent (vSA) provides FW protection, and it shouldn't use the same IP as your vShield Manager (vSM); the vShield Manager is for managing and monitoring each vSA instance that you have, rather than doing FW itself.
Although the vSA is required to be installed per ESX host, if you have more than one vSwitch to protect, then you need to install and configure a vSA for each vSwitch. By default, you should be able to SSH to the vSA.
In the current version of vShield there is no need for a vShield App/Zones FW per vSwitch, just one per host. The need for one per vSwitch was only with the 1.0 version of vShield Zones, which was a bridge-based firewall and not a VMsafe-enabled firewall.
As far as giving SSH access to the FW, while it is possible, it is highly discouraged. Rules should be managed through the vShield Manager UI or through the REST APIs to the vShield Manager.
These docs include an Admin Guide as well as a REST API programming guide.