IT, Cloud, Windows Etc


Tag - hyper-v


Sunday 18 June 2017

Sophos XG Firewall Setup on Hyper-V

The Sophos XG Firewall is a powerful and advanced next-generation firewall. It works well in a virtualized environment. You can find more info about Sophos XG Firewall here.

The XG firewall runs on Hyper-V as a Generation 1 VM; it supports VLANs in access or trunk mode, and VMQ. You can use up to 8 network adapters. If you need more, you can use VLAN trunking to create more network interfaces.

There are 2 ways to create an XG Firewall: you can use the ready-to-use VHD files, or you can install it from the ISO.

I will cover only the first one.

First, we need to design the network. We need at least 3 network adapters: one for the admin network used for the first setup, one for the WAN connection and one for the LAN connection.

The first one is used during the setup to configure the firewall. It must be on a separate network, you will need to use 172.16.16.0/24, and you must be able to open a web browser to this network.

The WAN adapter must be bound to a virtual switch with Internet access. It's important that the firewall can access the Internet during setup, as it's used to register the device.

The LAN adapter can be bound to any virtual switch and configured as you need. But remember, by default a Hyper-V VM network adapter does not allow multiple MAC addresses on a port, so you will have to turn on MAC address spoofing for that adapter.

Be aware that the order of the network adapters is important. The first network adapter (eth0) will be used for the initial setup and the second for external access.

Let’s start,

#this script sets up a new XG Firewall
#this is the Hyper-V server used to run the virtual firewall
$ComputerName = "MyHyperVServer"
#the name of the virtual firewall VM
$vmname = "MyNewFirewal"

#the RAM of the firewall, from 1 GB to unlimited
$ram = 6GB
#the number of vCPUs, from 1 to unlimited; check your licence
$vmproc = 4

#the path of the VM on the Hyper-V server
$path = "e:\xfSophosFirewall"

#names of the virtual switches used in this example
#the admin vSwitch used for the initial setup and later for admin
$vswitchadmin = "admin"
#the virtual switch used for external access during the setup and later
$vswitchwan = "Wan"
#the virtual switch used for the internal network
$vswitchlan = "lan"

#the paths of the 2 VHDs
$fwPRIMARYVhd = "$path\PRIMARY-DISK.vhd"
$fwAUXILIARYVhd = "$path\AUXILIARY-DISK.vhd"

#create the VM
New-VM -Verbose -Name $vmname -MemoryStartupBytes $ram -Generation 1 -Path $path -ComputerName $ComputerName
#set up the VM processors
Set-VMProcessor -Count $vmproc -VMName $vmname -ComputerName $ComputerName

#remove all network interfaces (adapter order matters, so they are added explicitly below)
Get-VMNetworkAdapter -VMName $vmname -ComputerName $ComputerName | Remove-VMNetworkAdapter

#add the 2 hard drives to the new VM, on the first IDE controller
Add-VMHardDiskDrive -Path $fwPRIMARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
Add-VMHardDiskDrive -Path $fwAUXILIARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1

#admin setup interface, added first so it becomes eth0
#I use a VLAN, but you can also use a dedicated network
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchadmin -Name setup

#add the WAN interface, in access mode on VLAN 5
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchwan -Name wan
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName wan -Access -VlanId 5 -ComputerName $ComputerName

#add the LAN interface. It's a trunk interface with a default (native) VLAN
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchlan -Name lan
Set-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -Name lan -MacAddressSpoofing On
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName lan -Trunk -AllowedVlanIdList "6,7" -NativeVlanId 10 -ComputerName $ComputerName

After the setup, you should change the admin/setup IP address to fit your admin network. If you forget this step, you may fail to set up another XG Firewall on the same network, as the 2 devices will have the same IP, 172.16.16.16.

You can also find the script here
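A post-deployment check for the VM built by the script above, added here as an example (it is not part of the original post or of Sophos' tooling). It assumes the adapter names setup, wan and lan from the script, and that the admin network is reachable from the machine running the check.

```powershell
# Verify the XG VM layout before first boot: adapter order, MAC spoofing only where
# needed, VLAN modes, and no other XG still answering on the default admin IP.
function Test-XgFirewallVm {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$SetupIP = "172.16.16.16"   # XG default admin address
    )
    $problems = @()
    $nics = @(Get-VMNetworkAdapter -VMName $VMName -ComputerName $ComputerName)

    # Adapter order matters: the first adapter becomes eth0 (setup), the second the WAN
    if ($nics.Count -lt 3)         { $problems += "expected at least 3 adapters, found $($nics.Count)" }
    if ($nics[0].Name -ne 'setup') { $problems += "first adapter is '$($nics[0].Name)', expected 'setup'" }
    if ($nics[1].Name -ne 'wan')   { $problems += "second adapter is '$($nics[1].Name)', expected 'wan'" }

    # MAC spoofing is only needed on the LAN adapter; leaving it on elsewhere
    # widens the set of MAC addresses the VM may legitimately send from
    foreach ($nic in $nics) {
        $needsSpoof = ($nic.Name -eq 'lan')
        if (($nic.MacAddressSpoofing -eq 'On') -ne $needsSpoof) {
            $problems += "MacAddressSpoofing is $($nic.MacAddressSpoofing) on '$($nic.Name)'"
        }
    }

    # LAN must be a trunk, WAN an access port (the setup adapter stays untagged)
    $vlans = Get-VMNetworkAdapterVlan -VMName $VMName -ComputerName $ComputerName
    foreach ($v in $vlans) {
        $name = $v.ParentAdapter.Name
        if ($name -eq 'lan' -and $v.OperationMode -ne 'Trunk')  { $problems += "lan adapter is not in trunk mode" }
        if ($name -eq 'wan' -and $v.OperationMode -ne 'Access') { $problems += "wan adapter is not in access mode" }
    }

    # Two XG devices left on 172.16.16.16 collide: warn if the admin port already
    # answers on the admin network before this VM is started
    $state = (Get-VM -Name $VMName -ComputerName $ComputerName).State
    if ($state -eq 'Off' -and (Test-NetConnection -ComputerName $SetupIP -Port 4444 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        $problems += "${SetupIP}:4444 already answers; another XG is still on its default admin IP"
    }

    if ($problems.Count -eq 0) { Write-Output "OK: $VMName matches the expected layout" }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return $problems
}

Test-XgFirewallVm -VMName "MyNewFirewal" -ComputerName "MyHyperVServer"
```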

Monday 9 May 2016

Measure Vm

Hyper-V 2012 introduced a set of PowerShell cmdlets that allow you to measure VM resource consumption: CPU, memory, network, and storage. Metering data is stored inside the VM, so the data moves with the VM. The main purpose of VM resource metering is not to monitor the VM host, but to provide information on resource usage (CPU, network, memory, …) for reporting and billing, or to balance VMs according to resource capacity. By default, Hyper-V collects data every hour. This can be changed only at the host level. You can use a value between 1 hour and 24 hours.

PS> Set-VMHost -ComputerName HyperVHostName -ResourceMeteringSaveInterval 24:00:00


If you try to use less than one hour, PowerShell will not throw an error; instead the interval will be set to one hour. Each host in your environment should be set with the same interval. Remember, metering data is stored within the VM, and the data will move with the VM.

PS> Set-VMHost -ComputerName host01,host02,…,host03 -ResourceMeteringSaveInterval 24:00:00


Now we must enable metering for each VM; again, metering data is stored within the VM. We don't want to re-enable every VM, only the new ones.

PS> Get-VM -ComputerName host01,host02,…,host03 | ? ResourceMeteringEnabled -eq $false | Enable-VMResourceMetering

Now we can start collecting data.

PS> Get-VM | Measure-VM


AvgCpu measures the average CPU usage in MHz per hour. Why in MHz and not a percentage? Because VMs can move, and they can move between hosts with different CPU clock speeds. Metering data is stored in the VM, so a 10 % CPU usage would no longer reflect the situation if the VM moved from a 2.5 GHz CPU server to a 2 GHz CPU server; a percentage makes no sense.

RAM: we have 3 measures, the average, maximum and minimum memory used during the interval. If you don't use dynamic memory, the 3 values are the same. TotalDisk is the disk allocation; it includes all snapshots. When using a dynamic disk, it reports not the disk space used but the final disk size.

Network: external traffic is reported in MB; only external traffic is reported by default. The system uses an ACL to measure traffic from and to 0.0.0.0/0.


Using

PS> Get-VM | Measure-VM | fl

you will get more data.

Since Windows 2012 R2 you can get some new metrics:

  • AggregatedAverageNormalizedIOPS: an average of IOPS over 20 s samples, not the actual measure.
  • AggregatedAverageLatency: the cumulated latency during a 20 s sample.
  • AggregatedDiskDataRead and AggregatedDiskDataWritten: the total data read or written during the metering duration.

In Windows 2016 only:

  • AggregatedNormalizedIOCount: the total IO count (read or written) during the metering duration.

Note that you also have a detailed network and hard drive report.

Now that we have all the data needed for billing and reporting, how do we use it? If you only have a single Hyper-V server with a few VMs, you can simply use get-vm | Measure-VM | fl and phone the billing department. But if you only have one Hyper-V host, there is some chance that you don't have a billing department. You could use ConvertTo-Json; it works well if you use it with only one metering object:

PS> Measure-VM -Name xRPVM | ConvertTo-Json

But if you have more than one report in your object, you will not get the NetworkMeteredTrafficReport or the HardDiskMetrics. Instead you will get this: "Microsoft.HyperV.PowerShell.VMNetworkAdapterPortAclMeteringReport",

You can find in my GitHub a sample to convert the data into a more readable format:

https://github.com/omiossec/Hyper-V-report/blob/master/measure.ps1
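An added example, written for this page and not the GitHub script linked above: it flattens each Measure-VM report into one billing record and serializes it with enough depth that the nested network and disk reports survive ConvertTo-Json. It assumes the property names shown by Measure-VM | fl on 2012 R2/2016, and that each NetworkMeteredTrafficReport entry carries Direction and TotalTraffic (in MB).

```powershell
# Flatten Measure-VM output into a per-VM record suitable for reporting or billing.
function ConvertTo-VmBillingRecord {
    param([Parameter(Mandatory, ValueFromPipeline)]$Report)
    process {
        $inbound  = 0.0
        $outbound = 0.0
        # The default metering ACL covers 0.0.0.0/0, so this sums all external traffic
        foreach ($t in @($Report.NetworkMeteredTrafficReport)) {
            if ($t.Direction -eq 'Inbound') { $inbound += $t.TotalTraffic }
            else                            { $outbound += $t.TotalTraffic }
        }
        [pscustomobject]@{
            VMName            = $Report.VMName
            HyperVHost        = $Report.ComputerName
            MeteringDuration  = [string]$Report.MeteringDuration
            AvgCpuMHz         = $Report.AverageProcessorUsage   # MHz, not percent (VMs move between hosts)
            AvgMemoryMB       = $Report.AverageMemoryUsage
            MaxMemoryMB       = $Report.MaximumMemoryUsage
            MinMemoryMB       = $Report.MinimumMemoryUsage
            TotalDiskAllocMB  = $Report.TotalDiskAllocation      # final size, snapshots included
            NetInboundMB      = $inbound
            NetOutboundMB     = $outbound
            AvgNormalizedIOPS = $Report.AggregatedAverageNormalizedIOPS
            DiskDataRead      = $Report.AggregatedDiskDataRead
            DiskDataWritten   = $Report.AggregatedDiskDataWritten
            # Keep the raw per-adapter and per-disk reports for auditing
            NetworkDetail     = @($Report.NetworkMeteredTrafficReport)
            HardDiskDetail    = @($Report.HardDiskMetrics)
        }
    }
}

# -Depth must be raised: the default (2) is what replaces the nested reports with
# the bare type name "Microsoft.HyperV.PowerShell.VMNetworkAdapterPortAclMeteringReport"
Get-VM -ComputerName host01 | Measure-VM | ConvertTo-VmBillingRecord |
    ConvertTo-Json -Depth 6 | Set-Content -Path .\vm-metering.json
```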

Monday 4 April 2016

Member, Powershell and Objects

A friend complained that he can't get enough information about VMs in PowerShell. He checked all the documentation, went to Google and Bing, with no luck. Going to TechNet to get information about a PowerShell cmdlet is OK, but there is a better way to do that. Get-Member returns all the properties and methods of an object, so you do not have to memorize all the TechNet and MSDN sites. So if you want to know all the properties associated with Get-VM, you can run this:

Get-VM | Get-Member -MemberType Properties


It works for all objects:

Get-VMSwitch | Get-Member -MemberType Properties


And you will get more detail than you can from a Google search page, and maybe find true gems.

Sunday 6 March 2016

Nat in Windows 2016 Hyper-v

Windows Server 2016 TP4 includes a NAT mode for the VM switch. Even if this feature is built for containers, you can use it for all VMs. The NAT engine is part of the Windows core routing engine, so a NAT VM switch will have the same limits.

The process is very simple: create a VM switch in NAT mode and create a NAT policy in Windows.

$Subnet = "192.168.100.0/23"

New-VMSwitch -Name SwNat -SwitchType NAT -NatSubnetAddress $Subnet
New-NetNat -Name NatPolicy -InternalIPInterfaceAddressPrefix $Subnet

The NatSubnetAddress and InternalIPInterfaceAddressPrefix must be the same.

For now, it seems that you can only have one NAT policy with an internal IP interface. You will get an error if you already have a NAT policy, which is the case if you test containers on the same host.

If so, you can remove the NAT policy if you don't want to use it:

Get-NetNat | Remove-NetNat

Or you can simply use it. In this case, the subnet is 172.16.0.0/12.

If you want more detail about NetNat, you can use

PS> Get-Command -Module NetNat


Get-NetNat gives you more detail about the NetNat object.

Get-NetNatExternalAddress will give you all the external addresses used by the NAT instance.

Now you can set up a VM and plug it into the NAT switch. You will need to use an IP address in the subnet 192.168.100.0/23. The default gateway is 192.168.100.1.

Check that you can access the Internet. Now you can map a service to your VM, a destination NAT:

Add-NetNatStaticMapping -NatName NatPolicy -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.100.25 -InternalPort 80 -ExternalPort 80

This will create a destination mapping from everywhere to the VM with the 192.168.100.25 IP, using the standard HTTP port.
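The NAT switch, policy and destination mapping above, wrapped in the checks this post warns about (one NAT policy per host, identical prefixes, mapped VM inside the NAT subnet). This is an added example, not code from the original post, and it assumes the TP4 cmdlet surface shown above (New-VMSwitch -SwitchType NAT).

```powershell
function New-LabNatSwitch {
    param([string]$SwitchName = 'SwNat', [string]$NatName = 'NatPolicy', [string]$Subnet = '192.168.100.0/23')
    # Only one NAT policy with an internal prefix is allowed: fail with a clear message
    # instead of letting New-NetNat error out after the switch was already created
    $existing = Get-NetNat -ErrorAction SilentlyContinue
    if ($existing) {
        throw "NAT policy '$($existing.Name)' already exists for $($existing.InternalIPInterfaceAddressPrefix); remove it or reuse its subnet"
    }
    # Both cmdlets take the prefix from one variable so NatSubnetAddress and
    # InternalIPInterfaceAddressPrefix cannot drift apart
    New-VMSwitch -Name $SwitchName -SwitchType NAT -NatSubnetAddress $Subnet | Out-Null
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Subnet
}

# True when $IP falls inside the CIDR prefix $Cidr (IPv4 only)
function Test-InSubnet([string]$IP, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    $toInt = { param($a) $b = ([ipaddress]$a).GetAddressBytes()
               [uint32](([int64]$b[0] -shl 24) + ($b[1] -shl 16) + ($b[2] -shl 8) + $b[3]) }
    return ((& $toInt $IP) -band $mask) -eq ((& $toInt $net) -band $mask)
}

function Add-LabNatMapping {
    param([string]$NatName = 'NatPolicy', [Parameter(Mandatory)][string]$InternalIP,
          [int]$InternalPort = 80, [int]$ExternalPort = 80)
    $nat = Get-NetNat -Name $NatName
    # A mapping to an address outside the NAT subnet is accepted but never reachable; refuse it
    if (-not (Test-InSubnet $InternalIP $nat.InternalIPInterfaceAddressPrefix)) {
        throw "$InternalIP is not inside $($nat.InternalIPInterfaceAddressPrefix)"
    }
    # 0.0.0.0 binds every external address of the host; narrow it on a multi-homed host
    Add-NetNatStaticMapping -NatName $NatName -Protocol TCP -ExternalIPAddress 0.0.0.0 `
        -InternalIPAddress $InternalIP -InternalPort $InternalPort -ExternalPort $ExternalPort
}

New-LabNatSwitch
Add-LabNatMapping -InternalIP 192.168.100.25
```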

The NAT feature is a good solution for a container host or a lab environment. With all these limitations, you should otherwise use a more robust tool. You can choose Sophos UTM in a VM, a Windows 2012 R2/2016 server with RAS, or any other firewall/network virtual appliance.

Friday 4 March 2016

Something important about LBFO

If you use LBFO NIC teaming with a converged fabric on Windows 2012 R2, please read this:

Windows Supportability Team Blog, from Kaushik Ainapure

Change the load balancing mode to Hyper-V Port or Hash.

There is a patch: https://support.microsoft.com/en-us/kb/3137691

Friday 5 February 2016

Create a Sophos XG firewall on Hyper-V

Like the UTM firewall, the Sophos XG firewall works as a VM on Hyper-V. There is an option to download a ready-to-run package, but there is a lack of documentation. The package, now VI-SFOS_15.01.0.HYV-376.zip, contains 2 VHD files, PRIMARY-DISK.vhd and AUXILIARY-DISK.vhd. Upload these 2 files to a folder on your Hyper-V server, and create a Generation 1 VM with the 2 disks attached to the first IDE controller. Select the amount of RAM (1 GB is the minimum) and the number of processors you need. Add at least 2 network cards, and remember that the first one will be the LAN and will be used for the initial setup.

New-VM -Name "XGDemo" -MemoryStartupBytes 1GB -Generation 1 -Path 'X:\SophosXG'
Set-VMProcessor -Count 2 -VMName "XGDemo"
Add-VMHardDiskDrive -VMName "XGDemo" -Path "X:\SophosXG\PRIMARY-DISK.vhd" -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
Add-VMHardDiskDrive -VMName "XGDemo" -Path "X:\SophosXG\AUXILIARY-DISK.vhd" -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
# drop the default adapter New-VM creates, so that LAN_NIC1 really is the first NIC
Get-VMNetworkAdapter -VMName "XGDemo" | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName "XGDemo" -Name "LAN_NIC1" -SwitchName SetupLan
Add-VMNetworkAdapter -VMName "XGDemo" -Name "LAN_NIC2" -SwitchName LAN


Remember that the first NIC, LAN_NIC1, is the management port. The default IP for the management port is 172.16.16.16. It's a problem even if you already use 172.16.16.16 on your internal network. You need to create an access path to https://172.16.16.16:4444 to set up the firewall. The solution is to create a vSwitch, internal or external, to set up the firewall from the parent partition, from another VM, or from an external network if you need access from outside the hypervisor; in that case be sure to have a dedicated NIC on the parent host and a dedicated network.

You can start the VM. Once the setup message appears on the console (shown as a screenshot in the original post), you can open your browser to set up your firewall.

Sunday 31 January 2016

Converged Fabric, Hyper-v Server and Mac confusion

Installing Hyper-V Server 2012 R2 is easy, and creating a converged fabric too. A converged fabric (or hyper-converged fabric) is a single external vSwitch connected to a team or a network adapter, with multiple VM network adapters serving multiple roles (management, live migration). It's a good approach when using 10 Gbps adapters, or for a lab.

Imagine the situation where you install your server via IPMI, create your converged fabric and add the management network adapter. But there is a problem. Hyper-V uses the first IPv4 address on the server to build the range of MAC addresses for the virtual machines:

  • 00:15:5D, the Microsoft IEEE identifier
  • XX:XX, corresponding to the last 2 octets of the first IPv4 address of the server
  • The last byte, from 00 to FF, for each virtual adapter

But what happens if you don't have any IP address? Hyper-V will assign 00:15:5D:00:00:00, because Hyper-V Server wasn't able to create a valid range. It's not a problem for a single server, but if you have multiple servers connected to the same network you are in trouble, and if you use a converged fabric all your servers can have the same MAC for the management adapter.

You can change that by creating the MAC address range before your converged network:

PS>Set-VMHost -MacAddressMinimum 00155D020600 -MacAddressMaximum 00155D0206FF

And it's not a bad idea to change the default range by using something like a server ID or serial number.

Using VMM bare metal deployment prevents this problem.
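An added example, not from the original post: it derives a per-host MAC range from the BIOS serial number (the post's suggestion) instead of from the first IPv4 address, and flags hosts still on the 00:15:5D:00:00:xx fallback. It assumes it runs on the Hyper-V host itself and that Win32_BIOS exposes a non-empty SerialNumber.

```powershell
function Get-MacRangeFromSerial {
    param([string]$Serial = (Get-CimInstance Win32_BIOS).SerialNumber)
    if ([string]::IsNullOrWhiteSpace($Serial)) { throw "no BIOS serial number available" }
    # Hash the serial and keep two bytes for the XX:XX part; 00:15:5D is the Microsoft identifier
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $h = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Serial.Trim()))
    $mid = ('{0:X2}{1:X2}' -f $h[0], $h[1])
    if ($mid -eq '0000') { $mid = '0001' }   # never reproduce the no-IP fallback range
    return @{ Minimum = "00155D${mid}00"; Maximum = "00155D${mid}FF" }
}

function Test-DefaultMacRange {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $vmHost = Get-VMHost -ComputerName $ComputerName
    # 00155D0000xx is what Hyper-V picks when it had no IPv4 address at install time
    return $vmHost.MacAddressMinimum -like '00155D0000*'
}

function Set-SerialBasedMacRange {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $r = Get-MacRangeFromSerial
    Set-VMHost -ComputerName $ComputerName -MacAddressMinimum $r.Minimum -MacAddressMaximum $r.Maximum
    return $r
}

# Run this before creating the converged fabric, as the post advises
if (Test-DefaultMacRange) { Set-SerialBasedMacRange }
```

Two hosts with the same serial hash would still collide, so compare the resulting ranges across hosts before relying on them.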