Bluelock has discovered that certain vShield Edge (VSE) appliances are not applying the default “Block All” network traffic rule. This will allow all traffic through to VMs behind the VSE. Bluelock has been in contact with VMware who identified this as a known bug.
Bluelock has identified a workaround that will protect workloads as originally expected. Client action is required to apply the workaround. If you subscribe to Bluelock’s Managed Firewall Service for your VSE, Bluelock will apply this workaround. See below for details.
Virtual Machines that are behind a vShield Edge appliance relying on the Default Action Block policy are at risk. The block policy is not working in some rare cases. Not all VSEs are affected, however, at this point there is not a good means to identify which ones are working properly and which ones are not.
Bluelock is recommending all clients with non-Bluelock managed VSE appliances perform the below actions for security purposes. Managed clients should refer to the Action: Manage Firewall section for information on how this impacts your firewall and services.
Action: Client Remediation Action Required for Unmanaged Firewalls
Bluelock is recommending that all clients using a VSE firewall to protect their workload review their firewall rules. For VSEs that have the Default Action set to Deny, an additional rule should be added to the bottom of their policy to block all inbound traffic. It is suggested that the rule have logging turned on to allow future troubleshooting if desirable traffic is unintentionally blocked. Please ensure the rules above the new block-all policy are comprehensive and allow all desirable traffic.
Action: Managed Firewall Service
Bluelock is performing a workaround on all managed VSE firewalls during a maintenance window scheduled for April 27, 2013 at 10:00 p.m. EST. This application of the workaround will have no impact on environments with VSEs that are functioning properly, and will have no impact on running workloads. See below for possible risks.
If you wish to have the workaround applied before the maintenance window, please contact Bluelock immediately by calling or opening a case (see below). If you do not wish to have the workaround applied during the maintenance window, please contact Bluelock by opening a support case as outlined below.
During the maintenance window, Bluelock will be manually adding a Block-All policy for all inbound traffic as the last rule in the firewall for any firewalls that have the “Default Action: Block” rule checked. This rule will have the exact same effect as the default policy should have, but has been verified to work in all cases, even on affected VSEs. There is a risk for some clients that may be passing desirable traffic due to the policy not working correctly. If the block-all rule is added and it begins blocking this desirable traffic, some applications may be impacted. Bluelock will be enabling logging to help with any troubleshooting necessary if desirable network access is blocked. If you determine that the fix has impacted your access, please call Bluelock to open a support case to re-enable access securely.
If you have questions regarding implementation of the block rule or if you are impacted please open a support case with Bluelock via www.netsuite.com and login with your email address and password or call Bluelock Support at 888-402-2583 x3.
Please do not email a specific Client Services Representative as your communication may not be seen by the teams working on this issue.
Bluelock has communicated with VMware and determined that this is a known bug that is documented only internally to VMware. The next version of vShield Manager and its vShield Edge appliances has addressed this issue. The next version of the VSM is currently in testing at Bluelock and is scheduled to be installed on May 3rd, 2013. After this fix, new VSEs or VSEs that have been redeployed via the “Reset Network” option within vCloud Director will not have the issue. The workaround is sufficient to add the appropriate block policy to your VSE and no additional action is required even after the VSM upgrade.