NeuralWall Rules Kit

Enterprise virtualization manager

This scenario covers the network flows of a central virtualization management appliance that orchestrates a pool of hypervisors. The appliance exposes an HTTPS web UI and REST API to administrators (management access) as well as a dedicated appliance administration interface on a separate port. It drives managed hypervisors via a bidirectional management channel, resolves DNS and synchronises its clock via NTP. Conditional services cover network provisioning of hypervisors, host lifecycle management and patching, replication, SNMP monitoring, and log collection. An outbound flow to the Internet enables secure download of updates. The legacy clear-text management protocol is blocked as a hardening measure. Provenance (original vendor product) is documented in the Sources section.

Schema: 1.0.0
Version: 1.0.0
Authors: NeuralWall Rules Team (NeuralWall)

Trust & attestations

Trust tier: community

Sources

Threat model

Summary
The virtualization manager is a single control point over the entire hypervisor fleet: its compromise grants access to workloads on all hosted virtual machines. Three attack surfaces dominate. (1) The web/API interface (T1190, T1078): application exploits or stolen administrator credentials provide initial access, followed by a pivot to managed hypervisors (T1210). (2) The Internet update channel (T1195.002): a malicious update package can compromise both the manager and all the hypervisors it drives — a supply-chain vector with a very wide blast radius. (3) The SSH maintenance access (T1133): if left enabled after a maintenance window, it exposes a direct shell to the appliance from the management network. Zone segmentation (management), inbound/outbound TLS inspection, and identity group restrictions reduce these surfaces.
Attacker goal
Gain control of the virtualization manager to pivot to managed hypervisors and compromise workloads or establish fleet-wide persistence.
Key controls
management_zone_segmentation, ssl_inbound_inspection, ssl_forward_proxy, identity_user_group_restriction, block_cleartext_management, update_sandboxing, ssh_restricted_access

MITRE ATT&CK

Technique Name Tactic
T1190 Exploit Public-Facing Application initial-access
T1210 Exploitation of Remote Services lateral-movement
T1195.002 Compromise Software Supply Chain initial-access
T1078 Valid Accounts defense-evasion
T1133 External Remote Services initial-access

Rules

# App ID Action Direction Zones Risk Security profiles Decryption
0 virtualization_mgmt_web allow inbound trust, management, vpn → management 5 antivirus, ips, url_filtering ssl_inbound_inspection
1 appliance_admin_web allow inbound management → management 5 antivirus, ips ssl_inbound_inspection
2 web_browsing allow inbound trust, management, vpn → management 2 ips none
3 hypervisor_management allow internal management → management 5 antivirus, ips none
4 hypervisor_heartbeat allow internal management → management 3 ips none
5 dns allow internal management → internal 2 dns_security none
6 ntp allow internal management → internal 2 ips none
7 ssh allow inbound management → management 4 ips ssh_proxy
8 network_boot_provisioning allow inbound management → management 3 antivirus, ips none
9 tftp allow inbound management → management 3 ips none
10 host_lifecycle_patch_https allow inbound management → management 4 antivirus, ips, sandboxing ssl_inbound_inspection
11 host_lifecycle_patch_legacy allow inbound management → management 3 antivirus, ips none
12 replication_management allow internal management → management 3 ips ssl_inbound_inspection
13 snmp allow inbound management → management 2 ips none
14 snmp_trap allow internal management → management 2 ips none
15 syslog allow internal management → management 3 ips none
16 syslog_tls allow internal management → management 2 ips none
17 software_update allow outbound management → internet 4 antivirus, dns_security, ips, sandboxing, url_filtering ssl_forward_proxy
18 clear_text_hypervisor_mgmt drop internal management → management 4
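
As an added example (not code from the NeuralWall kit), the table above transcribed into Python and checked against the scenario's key controls. The invariants in lint() are an assumed encoding of those controls: high-risk flows are decrypted or carry the cert_pinned_app justification, risk 4 and above forwards to siem_high_priority, the only Internet-bound flow is forward-proxied and sandboxed, nothing enters from the Internet, SSH and drop rules log session starts, and the clear-text drop rule exists. weaken() is a helper for showing the lint catching a regression; it is not a kit function.

```python
"""Policy-as-code lint for the rule table above (added example, not part of
the NeuralWall kit). The rules are transcribed from the table; the
invariants in lint() are an assumed encoding of the scenario's key
controls (segmentation, inspection, SIEM forwarding, clear-text drop)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    id: int
    app: str
    action: str          # allow | drop
    direction: str       # inbound | internal | outbound
    src: tuple           # source zones
    dst: str             # destination zone
    risk: int
    profiles: frozenset  # security profile names attached to the rule
    decryption: str      # ssl_inbound_inspection | ssl_forward_proxy | ssh_proxy | none
    forwarding: str      # siem_high_priority | siem_default
    exclusions: frozenset = frozenset()
    log_start: bool = False


MGMT = ("management",)
ADMIN = ("trust", "management", "vpn")


def R(i, app, action, direction, src, dst, risk, profiles, decryption, fwd, excl=(), log_start=False):
    return Rule(i, app, action, direction, tuple(src), dst, risk, frozenset(profiles),
                decryption, fwd, frozenset(excl), log_start)


# Transcription of the Rules table (id, app, action, direction, zones, risk, profiles, decryption, forwarding).
RULES = [
    R(0, "virtualization_mgmt_web", "allow", "inbound", ADMIN, "management", 5, ["antivirus", "ips", "url_filtering"], "ssl_inbound_inspection", "siem_high_priority"),
    R(1, "appliance_admin_web", "allow", "inbound", MGMT, "management", 5, ["antivirus", "ips"], "ssl_inbound_inspection", "siem_high_priority"),
    R(2, "web_browsing", "allow", "inbound", ADMIN, "management", 2, ["ips"], "none", "siem_default"),
    R(3, "hypervisor_management", "allow", "internal", MGMT, "management", 5, ["antivirus", "ips"], "none", "siem_high_priority", ["cert_pinned_app"]),
    R(4, "hypervisor_heartbeat", "allow", "internal", MGMT, "management", 3, ["ips"], "none", "siem_default"),
    R(5, "dns", "allow", "internal", MGMT, "internal", 2, ["dns_security"], "none", "siem_default"),
    R(6, "ntp", "allow", "internal", MGMT, "internal", 2, ["ips"], "none", "siem_default"),
    R(7, "ssh", "allow", "inbound", MGMT, "management", 4, ["ips"], "ssh_proxy", "siem_high_priority", log_start=True),
    R(8, "network_boot_provisioning", "allow", "inbound", MGMT, "management", 3, ["antivirus", "ips"], "none", "siem_high_priority", ["cert_pinned_app"]),
    R(9, "tftp", "allow", "inbound", MGMT, "management", 3, ["ips"], "none", "siem_high_priority"),
    R(10, "host_lifecycle_patch_https", "allow", "inbound", MGMT, "management", 4, ["antivirus", "ips", "sandboxing"], "ssl_inbound_inspection", "siem_high_priority"),
    R(11, "host_lifecycle_patch_legacy", "allow", "inbound", MGMT, "management", 3, ["antivirus", "ips"], "none", "siem_default"),
    R(12, "replication_management", "allow", "internal", MGMT, "management", 3, ["ips"], "ssl_inbound_inspection", "siem_default"),
    R(13, "snmp", "allow", "inbound", MGMT, "management", 2, ["ips"], "none", "siem_default"),
    R(14, "snmp_trap", "allow", "internal", MGMT, "management", 2, ["ips"], "none", "siem_default"),
    R(15, "syslog", "allow", "internal", MGMT, "management", 3, ["ips"], "none", "siem_default"),
    R(16, "syslog_tls", "allow", "internal", MGMT, "management", 2, ["ips"], "none", "siem_default", ["cert_pinned_app"]),
    R(17, "software_update", "allow", "outbound", MGMT, "internet", 4, ["antivirus", "dns_security", "ips", "sandboxing", "url_filtering"], "ssl_forward_proxy", "siem_high_priority"),
    R(18, "clear_text_hypervisor_mgmt", "drop", "internal", MGMT, "management", 4, [], "none", "siem_high_priority", log_start=True),
]


def lint(rules):
    """Return (rule_id, message) findings; an empty list means every invariant holds."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.risk >= 4 and r.decryption == "none" \
                and "cert_pinned_app" not in r.exclusions:
            findings.append((r.id, "high-risk flow is neither decrypted nor justified by cert_pinned_app"))
        if r.risk >= 4 and r.forwarding != "siem_high_priority":
            findings.append((r.id, "risk >= 4 must forward to siem_high_priority"))
        if r.action == "allow" and r.dst == "internet":
            if r.decryption != "ssl_forward_proxy":
                findings.append((r.id, "outbound Internet flow must use ssl_forward_proxy"))
            missing = {"antivirus", "sandboxing", "url_filtering", "dns_security"} - r.profiles
            if missing:
                findings.append((r.id, f"outbound Internet flow lacks {sorted(missing)}"))
        if r.action == "allow" and "internet" in r.src:
            findings.append((r.id, "nothing may enter the management zone from the Internet"))
        if r.decryption == "ssh_proxy" and not r.log_start:
            findings.append((r.id, "SSH rule must log session start"))
        if r.action == "drop" and not r.log_start:
            findings.append((r.id, "drop rule should log every attempt for investigation"))
    if not any(r.action == "drop" and r.app == "clear_text_hypervisor_mgmt" for r in rules):
        findings.append((None, "clear-text hypervisor management drop rule is missing"))
    return findings


def weaken(rules, rule_id, **changes):
    """Copy of the policy with one rule altered, to show lint() catching a regression."""
    return [replace(r, **changes) if r.id == rule_id else r for r in rules]


if __name__ == "__main__":
    print("baseline findings:", lint(RULES))
    print("rule 0 without decryption:", lint(weaken(RULES, 0, decryption="none")))
```

Running the lint as a pre-commit check on the rule file keeps the threat-model assumptions (inspection on the management surface, high-priority forwarding, the hardening drop) from silently regressing when a conditional rule is edited during a maintenance window.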

Rule details

Rule 0 — virtualization_mgmt_web (allow)

Rationale

This rule allows administrators (compliant devices, restricted directory groups) and automation tools to reach the manager's main interface over HTTPS. Because the manager is a controlled internal server, ssl_inbound_inspection decrypts inbound traffic so that exploits against the interface (T1190) and malicious uploaded files can be detected. Identity is restricted by directory group (least privilege). Risk is critical (risk 5) because compromising the manager enables pivoting to all managed hypervisors (T1210). The redirect from HTTP port 80 to this interface is handled by rule 2.

Application

app_id:
virtualization_mgmt_web
category:
infrastructure
risk:
5
depends_on:
dns

Zones

trust, management, vpn → management

direction: inbound

Security profiles

antivirus: action=block
ips: action=block, min_severity=medium
url_filtering: credential_phishing=block

Decryption

mode=ssl_inbound_inspection

Logging

log_start: false
log_end: true
forwarding → siem_high_priority

Rule 1 — appliance_admin_web (allow)

Rationale

The appliance administration interface (port 5480) is the only way to manage the appliance's system settings: backup, network configuration, NTP, certificates, OS updates, and SSH enable/disable. It is structurally mandatory (without it, the appliance cannot be managed outside the main interface) and distinct from the 443 management interface. Access is restricted to system administrators only (a narrower directory group than rule 0). ssl_inbound_inspection covers exploits and credential misuse (T1190, T1078). Risk is critical (risk 5): access to this interface allows full reconfiguration of the appliance, including SSH activation.

Application

app_id:
appliance_admin_web
category:
infrastructure
risk:
5
depends_on:
dns

Zones

management → management

direction: inbound

Security profiles

antivirus: action=block
ips: action=block, min_severity=medium

Decryption

mode=ssl_inbound_inspection

Logging

log_start: false
log_end: true
forwarding → siem_high_priority

Rule 2 — web_browsing (allow)

Rationale

Port 80 is accepted solely to allow the automatic redirect to HTTPS 443 (a stable, documented behaviour). No application data is transmitted in clear text: the session is immediately redirected. IPS in block mode (high severity) detects exploitation attempts targeting the HTTP redirect layer. Decryption is not applicable: the HTTP flow is not encrypted and the redirect occurs before any data exchange.

Application

app_id:
web_browsing
category:
networking
risk:
2

Zones

trust, management, vpn → management

direction: inbound

Security profiles

ips: action=block, min_severity=high

Decryption

mode=none

Logging

log_start: false
log_end: true
forwarding → siem_default

Rule 3 — hypervisor_management (allow)

Rationale

The manager drives managed hypervisors via a bidirectional channel. The dedicated management port (TCP) carries data transfer, configuration, and the VM console (MKS). The HTTPS port (TCP 443) carries the configuration channel and agent management on the hypervisor side. The availability heartbeat (UDP) also uses the dedicated management port. Decryption is disabled (cert_pinned_app exclusion): managed hypervisors present device certificates, and a MITM proxy would break the authenticated management channel. IPS detects exploits targeting embedded management services (T1210). Risk is critical (risk 5): this channel is the main pivot vector to hypervisors. Note: the UDP heartbeat on the same port is covered by a separate service rule (rule 4) if the firewall distinguishes TCP from UDP.

Application

app_id:
hypervisor_management
category:
infrastructure
risk:
5
depends_on:
dns

Zones

management → management

direction: internal

Security profiles

antivirus: action=block
ips: action=block, min_severity=medium

Decryption

mode=none

exclusions: cert_pinned_app

Logging

log_start: false
log_end: true
forwarding → siem_high_priority

Rule 4 — hypervisor_heartbeat (allow)

Rationale

The UDP availability heartbeat between the manager and managed hypervisors enables rapid detection of unavailable hosts. This flow is fundamental for high-availability management and hypervisor health monitoring. IPS in default mode detects protocol anomalies on this UDP flow without blocking legitimate probes.

Application

app_id:
hypervisor_heartbeat
category:
infrastructure
risk:
3

Zones

management → management

direction: internal

Security profiles

ips: action=default

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 5 — dns (allow)

Rationale

DNS resolution is structurally mandatory: appliance installation fails if A/PTR records for its FQDN cannot be resolved. In operation, DNS is required to reach managed hypervisors, directory controllers, and the update service. The flow is restricted to a controlled internal resolver (no direct Internet resolution). The dns_security profile with sinkhole mitigates DNS tunneling from the appliance if it were compromised. TCP/53 (DNSSEC or >512-byte responses) is handled by the same rule if the firewall supports multi-protocol; otherwise duplicate for tcp/53.

Application

app_id:
dns
category:
networking
risk:
2

Zones

management → internal

direction: internal

Security profiles

dns_security: action=block, sinkhole=true

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 6 — ntp (allow)

Rationale

CONDITIONAL — Enable ONLY if direct NTP synchronisation is configured on the appliance (via its administration interface). NTP can technically be disabled in favour of synchronisation through the host hypervisor, but is strongly recommended in production as it is critical for TLS certificate validity, SSO/Kerberos authentication, and consistency of event logs and high-availability mechanisms. IPS in default mode detects NTP protocol anomalies (amplification, non-standard mode).

Application

app_id:
ntp
category:
networking
risk:
2

Zones

management → internal

direction: internal

Security profiles

ips: action=default

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 7 — ssh (allow)

Rationale

CONDITIONAL — Enable ONLY if the appliance SSH service has been explicitly activated via the administration interface for a maintenance operation. SSH is disabled by default on the appliance (security best practice) and must be re-disabled after the operation. This rule should be activated with a time-limited policy (maintenance window). The ssh_proxy decryption mode allows inspection of commands executed over the SSH tunnel (detection of exfiltration or suspicious commands). Access is restricted to compliant management hosts and the narrowest administration group (T1133). log_start is enabled to trace every SSH session opening.

Application

app_id:
ssh
category:
remote_access
risk:
4

Zones

management → management

direction: inbound

Security profiles

ips: action=block, min_severity=medium

Decryption

mode=ssh_proxy

Logging

log_start: true
log_end: true
forwarding → siem_high_priority

Rule 8 — network_boot_provisioning (allow)

Rationale

CONDITIONAL — Enable ONLY if the hypervisor network provisioning service is in place. This service enables automated deployment of stateless hypervisors: hosts being provisioned connect to the manager to receive their system image, configuration profile, and assignment rules. Antivirus and IPS inspect inbound flows. Decryption is disabled (cert_pinned_app) because hypervisors booting over the network use device certificates that a proxy cannot impersonate. If provisioning uses UEFI HTTPS Boot (modern boot), it goes through TCP 443 (rule 0) and this rule can remain disabled.

Application

app_id:
network_boot_provisioning
category:
infrastructure
risk:
3

Zones

management → management

direction: inbound

Security profiles

antivirus: action=block
ips: action=block, min_severity=medium

Decryption

mode=none

exclusions: cert_pinned_app

Logging

log_end: true
forwarding → siem_high_priority

Rule 9 — tftp (allow)

Rationale

CONDITIONAL — Enable ONLY if the network provisioning service uses legacy PXE boot (BIOS or classic iPXE). TFTP enables download of the iPXE boot file when a hypervisor PXE-boots. This rule is unnecessary if modern network boot (UEFI HTTPS Boot) is configured, as that operates entirely over HTTPS 443 (rule 0 or rule 8). TFTP is an unencrypted protocol: restrict its use to the segmented management network and consider migrating to UEFI HTTPS Boot to eliminate this flow.

Application

app_id:
tftp
category:
networking
risk:
3

Zones

management → management

direction: inbound

Security profiles

ips: action=block, min_severity=medium

Decryption

mode=none

Logging

log_end: true
forwarding → siem_high_priority

Rule 10 — host_lifecycle_patch_https (allow)

Rationale

CONDITIONAL — Enable ONLY if the host lifecycle management service is activated to drive updates and check compliance of managed hypervisors. This service exposes an HTTPS patch/image repository from the manager to hypervisors. If this flow is blocked, compliance checks and remediations fail silently. The HTTPS port (9087) carries the primary flow in the current service version and replaces the legacy HTTP port 9084. ssl_inbound_inspection enables antivirus and sandboxing inspection of the distributed content.

Application

app_id:
host_lifecycle_patch_https
category:
infrastructure
risk:
4
depends_on:
dns

Zones

management → management

direction: inbound

Security profiles

antivirus: action=block
ips: action=block, min_severity=medium
sandboxing: enabled=true, file_types=archive+pe

Decryption

mode=ssl_inbound_inspection

Logging

log_end: true
forwarding → siem_high_priority

Rule 11 — host_lifecycle_patch_legacy (allow)

Rationale

CONDITIONAL — Enable ONLY if the host lifecycle service still uses the legacy HTTP port (9084) for compatibility-mode hypervisors, or the host configuration store access port (8083). In the current service version, the main flow goes through HTTPS 9087 (rule 10); these ports are legacy residues. Note: since 9084 is unencrypted HTTP, consider migrating to 9087/HTTPS to eliminate this unencrypted flow and close this rule.

Application

app_id:
host_lifecycle_patch_legacy
category:
infrastructure
risk:
3

Zones

management → management

direction: inbound

Security profiles

antivirus: action=block
ips: action=block, min_severity=medium

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 12 — replication_management (allow)

Rationale

CONDITIONAL — Enable ONLY if the virtual machine replication service is deployed. This SOAP flow allows the manager to control the replication appliance (replication policy configuration, monitoring). It is distinct from inter-hypervisor replication data traffic, which belongs to a dedicated hypervisor profile. ssl_inbound_inspection inspects inbound HTTPS SOAP flows to the manager.

Application

app_id:
replication_management
category:
infrastructure
risk:
3
depends_on:
dns

Zones

management → management

direction: internal

Security profiles

ips: action=block, min_severity=medium

Decryption

mode=ssl_inbound_inspection

Logging

log_end: true
forwarding → siem_default

Rule 13 — snmp (allow)

Rationale

CONDITIONAL — Enable ONLY if the manager's SNMP agent is activated and a network management system (NMS) performs polling. SNMPv3 with authentication and encryption is strongly recommended. Access must be restricted to the NMS IP address. IPS in default mode monitors SNMP protocol anomalies (unauthorised walk attempts).

Application

app_id:
snmp
category:
infrastructure
risk:
2

Zones

management → management

direction: inbound

Security profiles

ips: action=default

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 14 — snmp_trap (allow)

Rationale

CONDITIONAL — Enable ONLY if SNMP trap sending is configured on the manager toward a trap receiver (NMS). The manager emits SNMP UDP traps to the NMS to report infrastructure events. Prefer SNMPv3 with authentication. IPS in default mode monitors anomalies.

Application

app_id:
snmp_trap
category:
infrastructure
risk:
2

Zones

management → management

direction: internal

Security profiles

ips: action=default

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 15 — syslog (allow)

Rationale

CONDITIONAL — Enable ONLY if unencrypted syslog collection is configured AND the current manager version supports it. VERSION WARNING: unencrypted syslog on UDP/TCP 514 is supported in version 9.x but is blocked and unsupported from manager version 9.1 onward. If an upgrade to 9.1+ is planned, migrate to syslog TLS (rule 16, port 1514) BEFORE the upgrade. Unencrypted syslog exposes event logs to interception and tampering on the management network — prefer rule 16 in all circumstances. IPS monitors flow anomalies.

Application

app_id:
syslog
category:
infrastructure
risk:
3

Zones

management → management

direction: internal

Security profiles

ips: action=block, min_severity=high

Decryption

mode=none

Logging

log_end: true
forwarding → siem_default

Rule 16 — syslog_tls (allow)

Rationale

CONDITIONAL — Enable if encrypted TLS syslog log collection is configured on the manager. Recommended in version 9.x, and mandatory from manager version 9.1 onward (unencrypted syslog on 514 is blocked from that version). Recommended migration path from rule 15. Decryption is disabled (cert_pinned_app) as the TLS syslog collector uses a device certificate for mutual authentication.

Application

app_id:
syslog_tls
category:
infrastructure
risk:
2

Zones

management → management

direction: internal

Security profiles

ips: action=default

Decryption

mode=none

exclusions: cert_pinned_app

Logging

log_end: true
forwarding → siem_default

Rule 17 — software_update (allow)

Rationale

The manager downloads its updates and hypervisor patches/images from a vendor service on the Internet. This is the only outbound Internet flow and a critical supply-chain vector (T1195.002): ssl_forward_proxy is mandatory to allow antivirus and sandboxing to inspect downloaded packages. url_filtering blocks risky categories and uncategorised sites. The domain allow-list for the vendor update service is deployment-specific: domains documented by the source are recorded as provenance (references[].endpoints), to be set in url_filtering.allow_list at deployment — without hardcoding a brand into the rule. Deployment note: the vendor update service uses a per-account authentication token; see the provenance documentation (references[]) for the recommended SSL inspection exclusion on this specific flow (KB 431697). High risk (risk 4): supply-chain vector with wide blast radius.

Application

app_id:
software_update
category:
infrastructure
risk:
4
depends_on:
dns, ssl

Zones

management → internet

direction: outbound

Security profiles

antivirus: action=block
dns_security: action=block, sinkhole=true
ips: action=block, min_severity=low
sandboxing: enabled=true, file_types=archive+pe
url_filtering: block_categories=malware+phishing+c2+newly_registered_domain+compromised, credential_phishing=block, uncategorized_action=block

Decryption

mode=ssl_forward_proxy

Logging

log_start: false
log_end: true
forwarding → siem_high_priority
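
As an added example (not code from the NeuralWall kit), the url_filtering decision for this outbound rule worked through in Python. The allow_list names and the category feed are constructed placeholders; the real vendor domains come from references[].endpoints at deployment. The precedence is an assumption: on the manager's only Internet-bound rule the allow-list is treated as the exhaustive set of permitted destinations, and the category blocks still apply to allow-listed hosts, so a vendor domain later flagged as compromised is refused rather than trusted on name alone.

```python
"""url_filtering decision for the software_update rule above (added example,
not part of the NeuralWall kit). The allow_list names and the category
feed are constructed placeholders; the real vendor domains come from the
kit's references[].endpoints at deployment time."""

# Settings transcribed from rule 17's url_filtering profile; allow_list is the
# deployment-specific value, shown here with placeholder names.
PROFILE = {
    "allow_list": ["updates.vendor.example", "*.cdn.vendor.example"],
    "block_categories": {"malware", "phishing", "c2",
                         "newly_registered_domain", "compromised"},
    "uncategorized_action": "block",
}

# Constructed stand-in for the firewall's URL category feed.
CATEGORY_FEED = {
    "updates.vendor.example": "software_updates",
    "mirror1.cdn.vendor.example": "content_delivery",
    "old.cdn.vendor.example": "compromised",
    "fresh-updates-vendor.example": "newly_registered_domain",
}


def host_matches(host, pattern):
    """Exact match, or for a leading '*.' pattern a match on any host that has
    at least one extra label in front of the suffix (the bare suffix itself
    does not match)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()


def decide(host, profile=PROFILE, feed=CATEGORY_FEED):
    """Return (verdict, reason) for one destination on the outbound update rule.
    Assumption: the allow-list is exhaustive for this rule, and category
    blocks still apply to allow-listed hosts."""
    name = host.lower().rstrip(".")
    if not any(host_matches(name, p) for p in profile["allow_list"]):
        return ("block", "destination is not in the vendor allow-list")
    category = feed.get(name, "uncategorized")
    if category in profile["block_categories"]:
        return ("block", f"category {category} is blocked")
    if category == "uncategorized" and profile["uncategorized_action"] == "block":
        return ("block", "uncategorized destination")
    return ("allow", f"allow-listed, category {category}")


if __name__ == "__main__":
    for h in ("updates.vendor.example", "old.cdn.vendor.example",
              "new.cdn.vendor.example", "fresh-updates-vendor.example"):
        print(h, "->", decide(h))
```

Note that a newly created host under an allow-listed wildcard is still blocked until the category feed knows it (uncategorized_action=block), which is the behaviour the profile line above asks for; the antivirus and sandboxing profiles then inspect whatever the allowed destinations actually serve.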

Rule 18 — clear_text_hypervisor_mgmt (drop)

Rationale

Hardening: clear-text (HTTP) communication attempts toward hypervisor management interfaces are silently dropped. Modern hypervisors expose their management interfaces only over HTTPS (port 443, rule 3); an HTTP flow toward a hypervisor is either a legacy configuration residue or an attempt to bypass encryption (T1557: in-flight interception, credential theft). High-priority logging flags every attempt for investigation. Note: this rule targets internal manager <-> hypervisor flows; the HTTP 80 to HTTPS redirect for administrator clients is covered by rule 2 (inbound direction).

Application

app_id:
clear_text_hypervisor_mgmt
category:
infrastructure
risk:
4

Zones

management → management

direction: internal

Logging

log_start: true
log_end: true
forwarding → siem_high_priority
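
As an added example (not code from the NeuralWall kit), a SIEM-side triage of the events this scenario forwards: session starts on the conditional SSH rule (rule 7) that fall outside an approved maintenance window, any hit on the clear-text drop rule (rule 18), and sinkholed DNS queries from the manager (rule 5). The key=value log format, the IP addresses, the user name and the maintenance window are all constructed assumptions; map the field names to your firewall's export format.

```python
"""Triage of events forwarded by this scenario's rules (added example, not
part of the NeuralWall kit). The key=value log format, the addresses and
the maintenance window below are constructed assumptions."""
from datetime import datetime, timezone

# Constructed sample export: one SSH session start inside the approved window,
# one clear-text attempt dropped by rule 18, one DNS sinkhole hit on rule 5,
# an ordinary rule 3 session that should yield nothing, and one SSH session
# start after the window closed.
SAMPLE_LOGS = """\
ts=2024-05-06T09:58:10Z rule=7 app=ssh action=allow event=start src=10.20.0.15 dst=10.20.0.5 user=vc_sysadmin
ts=2024-05-06T10:05:42Z rule=18 app=clear_text_hypervisor_mgmt action=drop event=start src=10.20.0.5 dst=10.20.1.21 dport=80
ts=2024-05-06T10:06:03Z rule=5 app=dns action=sinkhole event=end src=10.20.0.5 dst=10.20.0.53 qname=a9f3c1e7b2d4.example.test
ts=2024-05-06T11:41:12Z rule=3 app=hypervisor_management action=allow event=end src=10.20.0.5 dst=10.20.1.21
ts=2024-05-06T11:58:00Z rule=7 app=ssh action=allow event=start src=10.20.0.15 dst=10.20.0.5 user=vc_sysadmin
"""

# Assumed approved maintenance window during which rule 7 may be enabled (UTC).
MAINTENANCE_WINDOW = (datetime(2024, 5, 6, 9, 30, tzinfo=timezone.utc),
                      datetime(2024, 5, 6, 10, 30, tzinfo=timezone.utc))


def parse_line(line):
    """Split one key=value line into a dict; ts becomes an aware datetime, rule an int."""
    ev = dict(token.split("=", 1) for token in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rule"] = int(ev["rule"])
    return ev


def triage(log_text, window=MAINTENANCE_WINDOW):
    """Return findings as (severity, kind, source_ip, detail) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["rule"] == 7 and ev["event"] == "start":
            # Rule 7 logs every session start; a start outside the window means
            # the conditional rule was left enabled after the maintenance.
            if not (window[0] <= ev["ts"] <= window[1]):
                findings.append(("high", "ssh_outside_maintenance_window", ev["src"],
                                 f"user={ev.get('user', '?')} at {ev['ts'].isoformat()}"))
        elif ev["rule"] == 18:
            # Any hit on the hardening drop rule is a legacy residue or a
            # bypass attempt and is worth a ticket either way.
            findings.append(("high", "cleartext_hypervisor_mgmt_attempt", ev["src"],
                             f"dst={ev['dst']} dport={ev.get('dport', '?')}"))
        elif ev["rule"] == 5 and ev["action"] == "sinkhole":
            # A sinkholed query originating from the manager itself points at
            # compromise or DNS tunnelling from the appliance.
            findings.append(("critical", "dns_sinkhole_from_manager", ev["src"],
                             f"qname={ev.get('qname', '?')}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(*finding)
```

The window check is what turns the "re-disable after the operation" instruction of rule 7 into something observable: with log_start enabled on that rule, every session opening is an event, and any opening outside the ticketed window is evidence that the conditional rule was not closed.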