v14.

2 VMWare Installation Guide

v14.2 VMWare Installation Guide

v14.2 VMWare Installation Guide 1

 Contents

Contents
Imperva SecureSphere Virtual Appliance on VMWare ESXi Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
SecureSphere VM Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Important Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Deployment Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Transparent Bridge Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Sniffing Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Reverse Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Reverse Proxy - Bridge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Reverse Proxy - One Arm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Management Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Obtaining the Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Deploying the Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Configuring the Virtual NICs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Native VMware vSwitch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Cisco Nexus 1000V Series Switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Adding Virtual NICs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Configuring Disk Space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Configuring Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Reserving Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Balloon State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring the OVF for non-vCenter Deployments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
SecureSphere First-Time Login. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Performing First-Time Login for the Management Server (MX). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
First-Time Login for the Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
SecureSphere Installer Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Confirming the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
VMotion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Protected Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Management Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Gateways. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Cloning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Frequently Asked Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

v14.2 VMWare Installation Guide

 Contents

Proprietary Rights Notice. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

End User License and Services Agreement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

v14.2 VMWare Installation Guide

 v14.2 VMWare Installation Guide

Imperva SecureSphere Virtual Appliance on VMWare

ESXi Server
• Introduction
• SecureSphere VM Specifications
• Important Notes

57589 Imperva SecureSphere Virtual Appliance on VMWare ESXi Server Last modified: 2/7/2017 12:46:57 PM

v14.2 VMWare Installation Guide 4

 v14.2 VMWare Installation Guide

Introduction
A virtual machine is a software implementation of a physical machine. Software running in the virtual machine is
unaware of the virtualization layer separating it from the physical machine. Virtualization enables, for example, a
single physical machine to host multiple guest virtual machines, each of which runs a different operating system,
called guest operating systems, under whose control any number of software applications run. The virtual machines
are isolated from each other, though they can, if required, communicate with each other through the network, exactly
as if they were separate physical machines.

Virtualization has become increasingly widely-used in recent years because it enables improved usage of resources
and significant savings in hardware and other operational costs.

Also, organizations with strict policies regarding the types of network equipment installed on their premises will often
prefer to deploy solutions as software on their own approved hardware. Imperva SecureSphere Virtual Appliance
enables these organizations to obtain the benefits of SecureSphere while conforming to their network equipment
policies.

In addition, virtual environments enable organizations to scale resources beyond those available to SecureSphere
physical appliances. The need to do this typically arises in high-volume audit environments, where virtualization
enables organizations to greatly expand the resources available for auditing, alerts and profiling.

57590 Introduction Last modified: 10/25/2018 8:44:54 AM

v14.2 VMWare Installation Guide 5

 v14.2 VMWare Installation Guide

SecureSphere VM Specifications
A fully-functional version of a SecureSphere appliance is available for virtual environments.

Notes:

• Only distributed deployments (management servers and gateways on separate virtual

machines) are supported by Imperva SecureSphere Virtual Appliance.
• The memory allocated to the MX and Gateway virtual appliances is automatically reserved.
For information on how to manually adjust memory reservation, see Reserving Memory.
• You must have vCenter installed for all OVF deployments. If you receive the error message The
OVF package requires support for OVF Properties. Details: Line 317: Unsupported
element 'Property', please contact Imperva Support for instructions on how to edit the OVF
file for direct ESX deployment (without vCenter).

The minimum requirements for the physical host machine are shown in the table below.

Minimum Requirements for Physical Host - General

Component Requirement

VMware ESX/ESXi, 6.x

Hypervisor
Note: All versions of Imperva SecureSphere Virtual Appliance support all the versions of ESX/
ESXi listed above.

Processor Dual-core server Intel VTx or AMD-V

Memory See requirements for guest appliances below.

Network Interface Hypervisor-supported interface card

Notes:

• VM Guest operating system should be RHEL 7 (64 bit).

The minimum requirements for the physical host machine - per SecureSphere virtual appliance - are shown in the
table below.

v14.2 VMWare Installation Guide 6

 v14.2 VMWare Installation Guide

Minimum Requirements for Physical Host - per SecureSphere Virtual Appliance

SecureSphere Virtual Appliances

Specification
Management
Gateways
Server

V6500 V4500 V2500 V1000 VM150

CPU 8 4 2 2 4

Memory 16 GB 8 GB 4 GB 4 GB 8 GB

Minimum Disk
250 GB 160 GB 160 GB 160 GB 160 GB
Space1

Notes:

• The memory values represent the minimum requirement for each machine. Less memory is not supported.
• Adding memory is supported only with the VM150 model - i.e for the MX only. The maximum memory supported is
32Gb. Attempting to change the memory with any other model is not supported and can lead to supportability
issues.
• Changing the number of CPUs is supported only with VM150 model - i.e for the MX only. Attempting to change the
CPU with any other model is not supported and can lead to supportability issues.

1. The number given here is for WAF appliances. File Security and Database Security products may require more
space for audit files. For information on how to change the disk allocation, see Configuring Disk Space.

The Imperva products supported by each SecureSphere virtual appliance are shown in the table below.

SecureSphere Virtual Appliances

v14.2 VMWare Installation Guide 7

 v14.2 VMWare Installation Guide

SecureSphere Virtual Appliances

Specification
Management
Gateways
Server

V6500 V4500 V2500 V1000 VM150

Web Application Web Application

Firewall Firewall

Database Activity Database Activity

Database
Monitoring Monitoring
Activity
Monitoring MX Management
Database Firewall Database Firewall
Supported Web Application Server
SecureSphere Products Database Firewall
File Activity File Activity
Firewall SOM
Monitoring Monitoring

File Firewall File Firewall

SecureSphere for SecureSphere for

SharePoint SharePoint

Performance assurance testing for the above VM models were conducted based on an appliance with the following
hardware specifications:

• HP ProLiant BL460c Generation 7 (G7) Server Blade:

• CPUs: 2x Intel® Xeon® X5650, 6 cores, 2.67Ghz
• HDD: SAS MSA2000 15k 1TB
• Memory: RAM DDR3-1333Mhz
• Performance specifications are based on multiple factors and parameters such as the underlying Server
specification, Network parameters, ESX/ESXi version and other environmental factors. As a result, actual
performance may vary due to differences in any of these parameters.
• For information on how to change the disk allocation, see Configuring Disk Space.

73262 SecureSphere VM Specifications Last modified: 3/14/2021 5:22:30 PM

v14.2 VMWare Installation Guide 8

 v14.2 VMWare Installation Guide

Important Notes
With ESX 5.5, working on snapshots or changing the number of virtual CPUs once SecureSphere on VMware is running
will cause performance issues.

59299 Important Notes Last modified: 7/10/2016 1:58:06 PM

v14.2 VMWare Installation Guide 9

 v14.2 VMWare Installation Guide

Deployment Modes
Imperva SecureSphere Virtual Appliance supports the same deployment modes as the physical SecureSphere
appliances:

• As a gateway, in one of the following modes:

• Transparent bridge
• Sniffing mode
• Reverse proxy
• As a management server (MX)
• As a SOM

High availability deployments are available exactly as with physical appliances. See the SecureSphere
Administration Guide for details.

Some possible deployments are depicted in the following sections.

• Transparent Bridge Mode

• Sniffing Mode
• Reverse Proxy
• Management Server

57592 Deployment Modes Last modified: 3/10/2015 2:21:27 PM

v14.2 VMWare Installation Guide 10

 v14.2 VMWare Installation Guide

Transparent Bridge Mode

The following figure shows Imperva SecureSphere Virtual Appliance configured in transparent bridge mode.

From SecureSphere’s viewpoint, it is bridging its own virtual NICs, which are mapped to the hypervisor’s virtual
switches. The virtual switches are mapped to physical NICs by the hypervisor. SecureSphere is unaware of the
physical NICs. All of SecureSphere’s internal configuration is performed in terms of the virtual NICs.

Note: The fail-open (or bypass) feature is implemented in hardware and is therefore
unavailable in virtual deployments.

The protected servers can be on other physical machines or on the same host machine with Imperva SecureSphere
Virtual Appliance.

The SecureSphere gateway must also be connected to a SecureSphere management server, either on the same
physical machine or on another machine.

v14.2 VMWare Installation Guide 11

 v14.2 VMWare Installation Guide

Other applications, including other instances of SecureSphere, can run in the same hypervisor on the same physical
machine. For example, it is possible to run a SecureSphere management server and any number of SecureSphere
gateways (resources permitting) in the same hypervisor. All the instances of Imperva SecureSphere Virtual Appliance
are isolated from each other by the hypervisor and do not interfere with each other, though they can communicate
with each other over the network, exactly as if they were on separate physical appliances.

The SecureSphere gateway must also be connected to a SecureSphere management server, either on the same
physical machine or on another machine.

57593 Transparent Bridge Mode Last modified: 2/20/2017 12:06:57 PM

v14.2 VMWare Installation Guide 12

 v14.2 VMWare Installation Guide

Sniffing Mode
In a SecureSphere sniffing gateway deployment, traffic does not pass through the gateway but is copied (mirrored) to
it for analysis. The SecureSphere sniffing gateway can prevent malicious traffic from reaching the protected servers by
issuing TCP resets to the servers via the blocking interface.

The SecureSphere sniffing gateway must also be connected to a SecureSphere management server, either on the
same physical machine or on another machine.

The protected server can also be virtual servers running on the same hypervisor. One possible configuration like this is
shown in the following figure.

v14.2 VMWare Installation Guide 13

 v14.2 VMWare Installation Guide

57594 Sniffing Mode Last modified: 2/20/2017 12:07:31 PM

v14.2 VMWare Installation Guide 14

 v14.2 VMWare Installation Guide

Reverse Proxy
In a Reverse Proxy, traffic intended for a Web server first passes through the Reverse Proxy.

For information about configuring Reverse Proxy deployments, see the Topologies and Deployment chapter in the
SecureSphere Administration Guide.

57595 Reverse Proxy Last modified: 2/26/2017 11:27:42 AM

v14.2 VMWare Installation Guide 15

 v14.2 VMWare Installation Guide

Reverse Proxy - Bridge

In the "Bridge" Reverse Proxy deployment, the SecureSphere gateway’s topology is similar to that of a bridge. For
more information, see Transparent Bridge Mode.

73582 Reverse Proxy - Bridge Last modified: 6/12/2019 5:15:01 PM

v14.2 VMWare Installation Guide 16

 v14.2 VMWare Installation Guide

Reverse Proxy - One Arm

In a "one arm" Reverse Proxy deployment, the virtual appliance’s inbound and outbound interfaces are the same. In
the configuration shown below, the protected servers are virtual servers on the same hypervisor, but this is only one
possible configuration. The protected servers can be physical servers, or they can be virtual servers on the same or
different hypervisors.

73583 Reverse Proxy - One Arm Last modified: 6/12/2019 5:16:04 PM

v14.2 VMWare Installation Guide 17

 v14.2 VMWare Installation Guide

Management Server

The SecureSphere gateways managed by the virtual MX can be on other physical machines (as in the figure above) or
on the same host machine with SecureSphere MX (as in the figure below).

The SecureSphere MXs managed by the virtual SOM can be on other physical machines (as in the figure above) or on
the same host machine with SecureSphere SOM (as in the figure below).

v14.2 VMWare Installation Guide 18

 v14.2 VMWare Installation Guide

57598 Management Server Last modified: 2/20/2017 12:08:59 PM

v14.2 VMWare Installation Guide 19

 v14.2 VMWare Installation Guide

Obtaining the Software

The Imperva SecureSphere Virtual Appliance software package is provided on a disk. The most recent version is
available from the Imperva FTP site.

Note: Your "Welcome Imperva SecureSphere Customer" email includes a username and password
that enable you to access the Imperva FTP site.

Table 3: Locations of the Software Downloads

Edition Location

SecureSphere 64 bit /Downloads/Imperva_Setup/v14/v14.2/VM

Note: There is only one OVF in this directory, and it is for all products and
SOM 64 bit models.

73650 Obtaining the Software Last modified: 6/13/2019 10:55:54 AM

v14.2 VMWare Installation Guide 20

 v14.2 VMWare Installation Guide

Deploying the Software

Imperva SecureSphere Virtual Appliance for VMware ESX environment is deployed in the ESX environment.

Note: Standard SecureSphere VM can only be deployed on ESX managed by VCenter. For
instructions on deploying the .ovf in a non-VCenter environment, see Configuring the OVF for non-
vCenter Deployments.

To deploy Imperva SecureSphere Virtual Appliance using the VMware vSphere Client:

1. Start the VMware vSphere client.

2. From the menu, start the Import Virtual Appliance wizard as follows:
1. Select File > Deploy OVF Template.
2. In the Deploy OVF Template window, browse to the installation file and select it.
3. Click Next. The OVF template details window is displayed.
4. Click Next. The End User License Agreement window is displayed.
5. Click Accept then click Next.
6. Type a name for the instance of SecureSphere you are installing and click Next.
7. Select a Deployment Configuration. You can see the details of each type of machine when you select it.
8. Click Next.
9. Select a host or cluster on which to run the deployed template and click Next.
10. Select a specific host within the cluster on which to run the deployed template and click Next.
11. Select a resource pool within which to deploy the template and click Next.
12. Select a destination storage where you want to store the virtual machine files and click Next.
13. Select the format in which you want to store the virtual disks and click Next.
14. Network Mapping - Accept the defaults, which you will later change according to your specific deployment (for
more information, see Configuring the Virtual NICs).
15. Click Next.
16. Type the IPv4 address, the CIDR and the default gateway IP address of the deployed machine.
17. Click Next.
18. The configuration is displayed, and you are asked to accept it by clicking Finish.

65020 Deploying the Software Last modified: 3/10/2019 2:43:48 PM

v14.2 VMWare Installation Guide 21

 v14.2 VMWare Installation Guide

Configuration
After installing the SecureSphere virtual machine, you must configure the interfaces, as described in the following
sections.

Note: SecureSphere on VMware only supports the Ethernet Adapter Type VMXNET 3.

• Configuring the Virtual NICs

• Adding Virtual NICs
• Configuring Disk Space
• Configuring Memory
• Reserving Memory
• Balloon State
• Configuring the OVF for non-vCenter Deployments
• SecureSphere First-Time Login
• Confirming the Configuration

57602 Configuration Last modified: 12/7/2015 3:20:10 PM

v14.2 VMWare Installation Guide 22

 v14.2 VMWare Installation Guide

Configuring the Virtual NICs

This section reviews subjects related to configuring the virtual NICs and includes the following:

• Overview
• Native VMware vSwitch
• Cisco Nexus 1000V Series Switches

57603 Configuring the Virtual NICs Last modified: 2/4/2019 1:31:50 PM

v14.2 VMWare Installation Guide 23

 v14.2 VMWare Installation Guide

Overview

For some examples of how SecureSphere’s virtual NICs must be configured in various SecureSphere deployments, see
Deployment Modes.

When Imperva SecureSphere Virtual Appliance is installed, four (4) virtual NICs (Network adapter 1, Network adapter
2, Network adapter 3, and Network adapter 4) are created. Each of these virtual NICs corresponds to one of
SecureSphere’s internal interfaces (eth0, eth1 etc.), as shown in the following figure, and is automatically assigned a
MAC address.

v14.2 VMWare Installation Guide 24

 v14.2 VMWare Installation Guide

VMware automatically assigns each of SecureSphere’s virtual NICs to one of VMware’s vSwitches (virtual switches).
Because it is unlikely that VMware’s automatic assignments will meet your needs, you will probably have to change
these assignments.

You need to map each SecureSphere internal interface (eth0, eth1, etc.) to a VMware vSwitch, as shown in the
following figure.

The Virtual Switch can in turn be mapped to a physical NIC, depending on the topology.

Table 4: Mapping

map to

SecureSphere internal
Virtual NIC based on MAC addresses
interface

Virtual NIC Virtual Switch

via Virtual Machine Port Groups
Virtual Switch Physical NIC

57604 Overview Last modified: 2/4/2019 1:33:26 PM

v14.2 VMWare Installation Guide 25

 v14.2 VMWare Installation Guide

Native VMware vSwitch

To configure the Virtual NICs

1. Power on the virtual machine.

2. Log in to the Imperva SecureSphere Virtual Appliance command line interface (CLI).
3. Run the ifconfig command to determine the MAC addresses of the SecureSphere interfaces (eth0, eth1, etc.).

Write the MAC addresses down, as you will need this information later.

4. In the VMware vSphere client, select the host machine.

5. Click the Configuration tab.
6. Under Hardware, click Network Adapters.
7. Note the MAC addresses assigned to each virtual NIC (see the figure below).

In Figure 10 below, there are six (6) physical NICs: vmnic0 through vmnic5.

Each SecureSphere internal interface (eth0, eth1 etc.) corresponds to the virtual switch with the same MAC
address.

8. In the VMware vSphere client, select the Imperva SecureSphere Virtual Appliance you have just installed.
9. Click the Configuration tab.
10. Under Hardware, click Networking.

v14.2 VMWare Installation Guide 26

 v14.2 VMWare Installation Guide

Note the mapping of the virtual switches to the physical adapters.

11. Select the Virtual Appliance in the tree on the left and assign each Network Adapter to a Network Connection
(see the figure below), based on the results of the ifconfig command you ran earlier.

For each virtual NIC, define a port group and assign the virtual NIC to the port group (see the figure above).

Both port groups and virtual switches are listed under Network Connection.

You need to match the internal SecureSphere interfaces (eth0, eth1, etc.) to the Virtual Appliance network
adapters with the same MAC addresses. Then, based on the deployment (bridge, sniffing, etc.), you assign each
network adapter to a network connection.

v14.2 VMWare Installation Guide 27

 v14.2 VMWare Installation Guide

12. If required (see Adding Virtual NICs), add a virtual NIC (network adapter) to the Imperva SecureSphere Virtual
Appliance.
13. For virtual NIC in sniffing or in-line mode set the port group to which it is assigned to Accept for Promiscuous
Mode, MAC Address Changes and Forged Transmits (see the figure below). If in Reverse Proxy mode, only the
Promiscuous Mode should be marked as Accept. If not set as defined here, the virtual switch will not pass
traffic through to SecureSphere.

Note: When working with VDS (virtual distributed switch), all port groups associated with
SecureSphere virtual machine should be set to Accept for Promiscuous Mode, MAC Address Changes
and Forged Transmits.

v14.2 VMWare Installation Guide 28

 v14.2 VMWare Installation Guide

14. In impcfg, configure the SecureSphere’s internal interfaces (eth0, eth1, etc.) accordingly.

EXAMPLE:

Figure 1 in the section Transparent Bridge Mode shows Imperva SecureSphere Virtual Appliance configured in
transparent bridge mode.

Suppose you want to configure the appliance as a bridge between eth2 (facing the internet) and eth3 (facing the
protected network). The names eth2 and eth3 are SecureSphere’s internal names for the interfaces, but VM does not
recognize these names. You have to assign eth2 to the VM network adapter facing the internet, and eth3 to the VM
network adapter facing the protected network. You do this based on the MAC addresses.

When the Imperva SecureSphere Virtual Appliance was installed, VM assigned a MAC address to each of
SecureSphere’s internal interfaces (eth0, eth1, etc.). You can find out what these MAC addresses are using the ifconfig
command.

Each VM network adapter has a MAC address and is assigned to a VM Network Connection, so it serves to connect the
internal SecureSphere interface with the outside world.

v14.2 VMWare Installation Guide 29

 v14.2 VMWare Installation Guide

An internal SecureSphere interface corresponds to the VM network adapter with which it shares a MAC address. You
can see the VM network adapter’s MAC address and the Network Connection to which it is assigned in the ESX GUI (see
the figure above).

In this way, you can determine which VM network adapter to assign to the Network Connection facing the internet,
and which to assign to the Network Connection facing the protected network.

73581 Native VMware vSwitch Last modified: 6/12/2019 5:12:52 PM

v14.2 VMWare Installation Guide 30

 v14.2 VMWare Installation Guide

Cisco Nexus 1000V Series Switches

Configuring an environment that includes a Cisco Nexus virtual switch is similar to the configuration described in the
previous section, but there are some important differences.

Assume a topology as shown in the following figure.

In this topology, traffic from the internet is routed directly to the Web server. By adding a SecureSphere Virtual
Gateway to the topology, the Web server will be protected.

The following figure shows a SecureSphere Virtual Gateway added to the topology.

v14.2 VMWare Installation Guide 31

 v14.2 VMWare Installation Guide

Traffic from the internet is now routed to the SecureSphere Virtual Gateway, which routes the traffic to the Web server
over a bridge (eth1-eth2), and the Web server is now protected.

To configure Cisco Nexus virtual switch topology:

1. In the Cisco Nexus command line interface (CLI), add a private VLAN and a new port group (PortGroup1 -
Secure).
2. In the VMware vSphere client, connect the Web server to the new port group (Secure), for example, as shown in
the following.

v14.2 VMWare Installation Guide 32

 v14.2 VMWare Installation Guide

3. In the VMware vSphere client, connect the SecureSphere Virtual Gateway to the port group to which the Web
serve was previously connected (UpLink) and to the new port group (Secure), for example, as shown in the
following figure.

v14.2 VMWare Installation Guide 33

 v14.2 VMWare Installation Guide

57606 Cisco Nexus 1000V Series Switches Last modified: 2/4/2019 2:11:18 PM

v14.2 VMWare Installation Guide 34

 v14.2 VMWare Installation Guide

Adding Virtual NICs

All SecureSphere Virtual Appliances are configured by default with (4) virtual NICs. You can configure up to 4
additional virtual NICs (for a maximum of 8). Depending on the required number of NICs you may need to upgrade the
virtual hardware version. You can upgrade by right-clicking on the virtual machine and clicking Upgrade Virtual
Hardware. For more information regarding upgrading virtual hardware version and NIC maximum capacity, please see
VMware documentation.

To add a virtual NIC:

1. In the VMware vSphere client, right-click the Imperva SecureSphere Virtual Appliance.
2. Stop the Imperva SecureSphere Virtual Appliance.
3. Select Edit Settings from the menu.
4. In the Virtual Machine Properties window, click Add.
5. Select Ethernet Adapter.
6. Configure the new virtual NIC.
7. Start on the Imperva SecureSphere Virtual Appliance.
8. Teardown and reboot the appliance using the following commands:

impctl teardown

impctl gateway unregister

impctl gateway register

impctl boot

Once SecureSphere has restarted, the additional virtual NICs are available.

57607 Adding Virtual NICs Last modified: 12/26/2017 9:55:09 AM

v14.2 VMWare Installation Guide 35

 v14.2 VMWare Installation Guide

Configuring Disk Space

You can increase the disk space allocated to Imperva SecureSphere Virtual Appliance from the default.

Notes:

• Database and File Security Products require a minimum of 250 GB disk space. You
may require additional disk space for audit files. The larger your deployment the
more space should be made available.
• Only 80% of the total extra space capacity will be utilized, where the other 20%
will be reserved for upgrade purposes where snapshots can be stored.

To increase the disk space allocated to a virtual appliance:

1. In the ESX, add a new hard disk.

2. If you do this before the First Time Login, Imperva SecureSphere Virtual Appliance will automatically take
advantage of the new disk.
3. If you do this after the First Time Login, proceed as follows:
1. Run the following commands:

impctl stop

impctl platform storage allocate-new-vdisks

impctl start

2. You will be asked to enter the hard disk to allocate.

74222 Configuring Disk Space Last modified: 4/16/2020 1:31:46 PM

v14.2 VMWare Installation Guide 36

 v14.2 VMWare Installation Guide

Configuring Memory
This procedure describes how to configure additional memory for your VMware Image.

Note: Adding memory is only available with the SecureSphere VM150 model.

To configure additional memory for the VM150:

1. In the VMware vSphere client, Power Off your Imperva SecureSphere Virtual Appliance.
2. Right-click the appliance, the choose Edit Settings.
3. In the Properties window, click the Hardware tab.
4. Click Memory, then type the amount of memory you want to add. Options include:
◦ 16GB: To add 16GB type 16384MB
◦ 32GB: To add 32GB type 32768MB

58124 Configuring Memory Last modified: 11/2/2015 3:33:28 PM

v14.2 VMWare Installation Guide 37

 v14.2 VMWare Installation Guide

Reserving Memory
To prevent re-allocation of memory by ESX to its own use and leave the virtual appliance with insufficient memory,
SecureSphere reserves memory automatically.

The following procedure allows viewing/changing the memory reservation settings.

To reserve memory for the MX or Gateway virtual appliance:

1. In the VMware vSphere client, Power Off your Imperva SecureSphere Virtual Appliance.
2. Right-click again and choose Edit Settings.
3. In the properties window, click the Resources tab.
4. In the Resources tab, click Memory.

5. On the right side of the Resources tab, in the Resource Allocation section under Reservation, enter the
number of MB to reserve, as follows:
◦ To reserve 2GB, enter 2048.
◦ To reserve 4GB, enter 4096.
◦ To reserve 8GB, enter 8192

The following two values are only available with the SecureSphere VM150 model appliance, and only if you've
increased your memory allocation as described in Configuring Memory.

◦ To reserve 16GB, enter 16384

◦ To reserve 32GB, enter 33536
6. Click OK.
7. Power on the SecureSphere appliance.

57610 Reserving Memory Last modified: 5/6/2015 1:40:13 PM

v14.2 VMWare Installation Guide 38

 v14.2 VMWare Installation Guide

Balloon State
If adequate memory has not been properly reserved in advance, it may happen that ESX will not honor a
SecureSphere Virtual Gateway’s request for additional memory. If this occurs, the Gateway’s performance will be
degraded.

A system event is generated which indicates that the Virtual Gateway has entered the "balloon" state and specifies the
amount of additional memory required. Also, the status of the Virtual Gateway in the Gateways screen indicates that
it is in the balloon state.

To resolve the issue, the SecureSphere administrator must arrange for adequate memory to be reserved for the
ballooned Virtual Gateway. Once this is done, the Virtual Gateway will be allocated the memory it requires and its
performance will improve.

57611 Balloon State Last modified: 3/10/2015 2:21:31 PM

v14.2 VMWare Installation Guide 39

 v14.2 VMWare Installation Guide

Configuring the OVF for non-vCenter Deployments

By default, you can deploy the .ovf file for SecureSphere on vCenter deployments. However, in order to deploy it on
non-vCenter environments, you need to conduct additional configuration.

To configure the ovf for non-vCenter Deployments:

1. Edit the .ovf file by right-clicking on the file and opening in an editing utility such as Notepad++.
2. Delete out the opening and closing <property> tags and all the lines in between, as this content is supported
only when using a vCenter.
3. Deploy the edited .ovf. Then when running the FTL, be sure to enter the SecureSphere VM model you want to
deploy, for example, v2500 or v4500.

73233 Configuring the OVF for non-vCenter Deployments Last modified: 11/26/2019 4:09:52 PM

v14.2 VMWare Installation Guide 40

 v14.2 VMWare Installation Guide

SecureSphere First-Time Login

To perform the SecureSphere First Time Login:

1. If you are configuring a Gateway, make sure the Gateway’s Management Server (MX) is up and running.
2. Power on the virtual machine (the instance of SecureSphere) you have just installed. For instructions on
installing (deploying) the software, see Deploying the Software.
3. Open SecureSphere in a console window. You are prompted to login.
4. Complete first time login as required for the component you're installing as follows:
◦ First-Time Login for the Management Server (MX)
◦ First-Time Login for the Gateway
5. Once you've completed first time login and configuration, open an internet browser and navigate to the IP
address of the MX Server you configured via HTTPS. For example: https://<IP address of MX>:8083. The End User
License Agreement (EULA) is displayed.
6. Read the EULA, then click Accept. You are asked to configure an Admin password for the GUI.
7. Follow the instructions to set the GUI's Admin password. The Upload License window appears.
8. In the Upload License window, click the hyperlinked word here, as shown in the following:

The Imperva Activation Portal appears.

v14.2 VMWare Installation Guide 41

 v14.2 VMWare Installation Guide

The Challenge is automatically filled-in.

9. Type your Enterprise License Code. You receive this from the "Welcome Imperva SecureSphere Customer"
email you had received after purchasing the product.
10. Type your email address. The license file will be sent to this email address as an attachment. The End User
License Agreement (EULA) is displayed.
11. Read the EULA, then enable the Accept checkbox.
12. Type the Verification strings as required.
13. Click Activate.
14. Check your email for the email with the license file, and when it arrives, save the license file.
15. Return to the Upload License window and click Browse to browse to the license file you just saved.
16. Click Upload.
17. Continue as prompted.

Note: Your "Welcome Imperva SecureSphere Customer" email includes the following
information:

• username and password to access the Imperva FTP site

• License Code

v14.2 VMWare Installation Guide 42

 v14.2 VMWare Installation Guide

65010 SecureSphere First-Time Login Last modified: 3/10/2019 2:43:32 PM

v14.2 VMWare Installation Guide 43

 v14.2 VMWare Installation Guide

Performing First-Time Login for the Management Server (MX)

To activate the appliance, you need to define the system configuration by performing the procedures below.

Notes:

• If you configure a DNS client during the first-time login, make sure you specify the IP address of
a real DNS server that is available during the setup.
• Some procedure steps include yes/no options. The selections that appear are examples only.
For any no selection, you may select yes and specify the related values. Note that the system
operates more efficiently when you select yes in procedures that are marked recommended.
• Some options are displayed only when specific selections are made in previous steps.
• For full descriptions of the configuration options, see Imperva On-Premises Administration
Guide.
• You can automate the first-time login process to configure the gateway in sniffing mode. For
more information, see Automating First Time Login in the Imperva On-Premises
Administration Guide.
• If installing as a SOM, use the First Time Login for Management Server (MX) procedure.

To log into the appliance for the first time:

1. Open up the SecureSphere instance in a console window.

2. Log in with the username admin and the password admin.
3. Change the admin password. The new admin password must be 7-14 characters long and contain Upper case
letters, lower case letters, digits and these special characters: * ( ) - + = | # % ^ : / ~ . , [ ] _
4. Run the command ftl. The Imperva configuration tool is displayed and you can begin the initial setup. You are
displayed one or more Component types.

To set the SecureSphere component:

A numbered list of options to configure the appliance is displayed. Type 1 to configure a Management Server (MX), 2 to
configure a SOM, or 3 to configure network settings only then press Enter.

To set the management interface:

1. The configuration tool displays the default "management" interface for the appliance. On the Do you want to
change it? line, enter n.
2. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.1.1/24
3. On the Do you want to set IPv6 Address as well? line, enter n.

To set the LAN interface:

1. On the Do you want to set a LAN interface? line, enter y.

2. The configuration tool displays the default LAN interface for the appliance. On the Do you want to change it?
line, enter n.
3. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.5.5/24

v14.2 VMWare Installation Guide 44

 v14.2 VMWare Installation Guide

4. On the Do you want to set IPv6 Address as well? line, enter n.

(Recommended) To set the default gateway:

1. On the Do you want to set an IPv4 default gateway? line, enter y.

2. On the Gateway [IPv4 Address reachable from onboard interface] line, enter the IPv4 address. For example:
192.168.1.254
3. On the Do you want to specify a device? line, enter n.

To set the DNS client option:

• On the Do you want to configure a DNS client? line, enter n.

To set the passwords for the Linux root and grub users:

1. On the Enter password line, enter a new password for the Linux root user. This password will also be used as
the grub bootloader password.
◦ Minimum password length: 7 characters
◦ Maximum password length: 14 characters
◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the administrative user:

1. On the Enter password line, enter a new password for the administrative user.
◦ Minimum password length: 7 characters
◦ Maximum password length: 14 characters
◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the system user (database administrator):

1. On the Enter password line, enter a new password.

◦ Minimum password length: 7 characters
◦ Maximum password length: 14 characters
◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To assign a name to the host:

• On the Host name line, enter a name for the host.

• The host name may be short or in FQDN format.
• If you use FQDN format:
• Use a period (.) to separate the parts.
• Each part must start with a letter.
• Each part must include at least two of the following: letter, digit, underscore, dash

To set the time zone:

v14.2 VMWare Installation Guide 45

 v14.2 VMWare Installation Guide

1. Please select a continent or ocean is displayed, followed by a numbered list of areas. Enter the number for
your location, or enter 11 to specify a time zone using the Posix TZ format.
2. Please select a country is displayed, followed by a numbered list of countries. Enter the number for your
country.
3. Your selection and the local time are displayed. Next, Is the above information OK? is displayed followed by a
numbered yes/no list. Enter a number to indicate whether the information is correct.

(Recommended) To set the network time protocol:

1. On the Do you want to configure an NTP client? line, enter y.

2. On the NTP servers line, enter one or more IPv4 addresses. For example: 192.168.2.250

Use a space between multiple addresses.

To apply the system configuration:

Notes related to applying the system configuration are displayed.

Note: The process of applying the system configuration may take about 10 minutes. Do not reboot
the appliance during system configuration processing.

• On the Press <ENTER> to continue line, press Enter to apply the system configuration.

74313 Performing First-Time Login for the Management Server (MX) Last modified: 12/25/2019 2:08:27 PM

v14.2 VMWare Installation Guide 46

 v14.2 VMWare Installation Guide

First-Time Login for the Gateway

To activate the appliance, you need to define the system configuration by performing the procedures below.

Notes:

• If you configure a DNS client during the first-time login, make sure you specify the IP address of
a real DNS server that is available during the setup.
• Some procedure steps include yes/no options. The selections that appear are examples only.
For any no selection, you may select yes and specify the related values. Note that the system
operates more efficiently when you select yes in procedures that are marked recommended.
• Some options are displayed only when specific selections are made in previous steps.
• For full descriptions of the configuration options, see Imperva On-Premises Administration
Guide.
• You can automate the first-time login process to configure the gateway in sniffing mode. For
more information, see Automating First Time Login in the Imperva On-Premises
Administration Guide.
• If installing as a SOM, use the First Time Login for Management Server (MX) procedure as
described inFirst-Time Login for the Management Server.

To log into the appliance for the first time:

1. Open up the SecureSphere instance in a console window.

2. Log in with the username admin and the password admin.
3. Change the admin password. The new admin password must be 7-14 characters long and contain Upper case
letters, lower case letters, digits and these special characters: * ( ) - + = | # % ^ : / ~ . , [ ] _
4. Run the command ftl. The Imperva configuration tool is displayed and you can begin the initial setup. You are
displayed one or more Component types.

To set the SecureSphere component:

A numbered list of options to configure the appliance is displayed as shown below. Type 3 to configure a gateway,
then press Enter.

To set the management port:

1. The configuration tool displays the default "management" interface for the appliance. On the Do you want to
change it? line, enter n.
2. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.1.1/24
3. On the Do you want to set IPv6 Address as well? line, enter n.

To set the LAN interface:

1. On the Do you want to set a LAN interface? line, enter y.

2. The configuration tool displays the default LAN interface for the appliance. On the Do you want to change it?
line, enter n.

v14.2 VMWare Installation Guide 47

 v14.2 VMWare Installation Guide

3. On the IP Address [IP Address/CIDR] line, enter the IP address/number of bits. For example: 192.168.5.5/24
4. On the Do you want to set IPv6 Address as well? line, enter n.

(Recommended) To set the default gateway:

1. On the Do you want to set an IPv4 default gateway? line, enter y.

2. On the Gateway [IPv4 Address reachable from onboard interface] line, enter the IPv4 address. For example:
192.168.1.254
3. On the Do you want to specify a device? line, enter n.

To set the DNS client option:

• On the Do you want to configure a DNS client? line, enter n.

To set the passwords for the Linux root and grub users:

1. On the Enter password line, enter a new password for the Linux root user. This password will also be used as
the grub bootloader password.
◦ Minimum password length: 7 characters
◦ Maximum password length: 14 characters
◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the SecureSphere administrative user:

1. On the Enter password line, enter a new password for the administrative user.
◦ Minimum password length: 7 characters
◦ Maximum password length: 14 characters
◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To set the password for the imperva user:

The imperva user is responsible for communication with remote agents.

1. On the Enter password line, enter a new password.

◦ Minimum password length: 7 characters
◦ Maximum password length: 14 characters
◦ The password may include letters, digits, and the following special characters: * ( ) - + = | # % ^ : / ~ . , [ _ ]
2. On the Re-enter password line, enter the same password again.

To assign a name to the host:

• On the Host name line, enter a name for the host.

• The host name may be short or in FQDN format.
• If you use FQDN format:
• Use a period (.) to separate the parts.
• Each part must start with a letter.
• Each part must include at least two of the following: letter, digit, underscore, dash

v14.2 VMWare Installation Guide 48

 v14.2 VMWare Installation Guide

To set the gateway's management server IP:

• On the Enter the Management Server's IP Address line, enter IPv4 Address. For example: 10.1.1.205

To set the gateway operation mode:

• A numbered list of gateway operation modes is displayed. Enter the number for your operation mode
preference.

To set the time zone:

1. Please select a continent or ocean is displayed, followed by a numbered list of areas. Enter the number for
your location, or enter 11 to specify a time zone using the Posix TZ format.
2. Please select a country is displayed, followed by a numbered list of countries. Enter the number for your
country.
3. Your selection and the local time are displayed. Next, Is the above information OK? is displayed followed by a
numbered yes/no list. Enter a number to indicate whether the information is correct.

(Recommended) To set the network time protocol:

1. On the Do you want to configure an NTP client? line, enter y.

2. On the NTP servers line, enter one or more IPv4 addresses. For example: 192.168.2.250

Use a space between multiple addresses.

To apply the system configuration:

Notes related to applying the system configuration are displayed.

Note: Note: The process of applying the system configuration may take about 5 minutes. Do not
reboot the appliance during system configuration processing.

• On the Press <ENTER> to continue line, press Enter to apply the system configuration.

74314 First-Time Login for the Gateway Last modified: 12/25/2019 2:13:40 PM

v14.2 VMWare Installation Guide 49

 v14.2 VMWare Installation Guide

SecureSphere Installer Wizard

The SecureSphere Installer is an installation wizard that helps you set up your SecureSphere environment, which
includes one Management Server (MX) and several WAF Gateways.

The wizard helps you define the operational mode and networking configurations. You are able to observe the
progress of the installation and when the installation process ends the SecureSphere environment becomes
operational and is ready to process and inspect Web traffic.

Note: The SecureSphere Installer wizard is used instead of the First Time Login process and
therefore, must be deployed prior to it. Once the wizard is completed, it cannot be deployed again
on the same environment.

To set up a SecureSphere environment using the SecureSphere Installer:

1. Using your browser, go to the address https://<IP address of the MX>:8181. The Welcome screen is displayed.
2. Login using the below credentials. The Management Configuration screen is displayed.

Username: admin

Password: ImpvWAF12

3. From the "Welcome Imperva SecureSphere Customer" email you had received after purchasing the product,
connect to the SecureSphere License Activation Portal and use the challenge key shown in the Management
Configuration screen to activate the product. An email containing your license is sent to the email address you
provided.
4. In Upload license, click Browse, navigate to where you have saved your SecureSphere license and select it.
5. [Optional] Under the Advanced section, define the Management server passwords, DNS, the Management
server parameters (Hostname, NTP Server Address and Time Zone), and set the server groups’s operation mode
(Simulation or Active).
6. Click Next. The Gateway Configuration screen is displayed.
7. In Group mode, select the operational mode (Bridge, Transparent Reverse Proxy or Reverse Proxy) for the entire
group of gateways you are installing.
8. If you are setting up a high availability environment, select the High availability check box.
9. In Group name, type a name for the group of gateways.
10. Under the Gateways List section, select gateways that were already recognized by the installer, or add your
own to the installation process.

v14.2 VMWare Installation Guide 50

 v14.2 VMWare Installation Guide

Note: When adding gateway IPs that are from a different subnet than the MX’s, only one
gateway IP per subnet is required. The installer discovers any additional uninstalled gateways
in that subnet automatically

11. [Optional] Under the SSL Certificates section, configure the client certificate you want to upload in order to:
◦ Validate the backend web server SSL certificate in the gateway making sure that the web server is
authenticated.
◦ Validate the gateway client certificate in the web server making sure that the gateway is authenticated.
12. [Optional] Under the Advanced section, define the root user password, DNS, and the gateway parameters (NTP
Server Address and Time Zone).
13. Click Next. The Networking Setup screen is displayed according to your operational mode selection as follows:
◦ For Bridge, the Bridge Mode Configuration screen is displayed. This screen consists of adding IP
addresses to be protected by SecureSphere, adding the HTTP ports to be monitored and adding HTTPS
ports for SSL traffic.
◦ For Transparent Reverse Proxy, the Transparent Reverse Proxy Mode Configuration screen is displayed.
This screen consists of defining details of the Transparent Reverse Proxy network.
◦ For Reverse Proxy, the Reverse Proxy Mode Configuration screen is displayed. This screen consists of
defining decision rules that set up how to handle incoming Web traffic, and defining the network interface
IP management. These settings are meant for working in Reverse Proxy (RP) mode.
14. Click Install. The Installation screen is displayed. Installation begins and the overall status and result is
indicated in a status bar. For the MX and each gateway, you can see the installation status and result in a table,
where you can also perform actions in case of failure.
15. Click Next. The Installation Summary Report screen is displayed. This screen consists of a summary of the
installation results.
16. Click Open MX. The SecureSphere MX UI opens and you are asked to log in with the credentials you supplied
during installation.

73962 SecureSphere Installer Wizard Last modified: 7/29/2019 1:28:54 PM

v14.2 VMWare Installation Guide 51

 v14.2 VMWare Installation Guide

Confirming the Configuration

Once you have completed the First Time Login, you can use standard networking tools to confirm that you have
correctly configured the Imperva SecureSphere Virtual Appliance.

To confirm that you have correctly configured the Imperva SecureSphere Virtual Appliance:

• Bridge: Disable the bridge’s interfaces and verify that the protected servers are unreachable. Enable the bridge’s
interfaces and verify that the protected servers are reachable.
• Other Configurations: Use the standard networking tools to confirm that the Imperva SecureSphere Virtual
Appliance is properly monitoring and/or intercepting traffic.

65024 Confirming the Configuration Last modified: 3/10/2019 2:43:28 PM

v14.2 VMWare Installation Guide 52

 v14.2 VMWare Installation Guide

VMotion
VMware VMotion leverages the complete virtualization of servers, storage and networking to move an entire running
virtual machine instantaneously from one server to another. VMware VMotion uses VMware’s cluster file system to
control access to a virtual machine’s storage. During a VMotion, the active memory and precise execution state of a
virtual machine is rapidly transmitted over a high speed network from one physical server to another and access to
the virtual machines disk storage is instantly switched to the new physical host.

Since the network is also virtualized by VMware ESX, the virtual machine retains its network identity and connections,
ensuring a seamless migration process.

If you need to move both the protected servers and the SecureSphere gateways, it is recommended that the protected
servers be moved first and then the SecureSphere gateways be moved.

• Protected Servers
• Management Servers
• Gateways

57614 VMotion Last modified: 3/10/2015 2:21:31 PM

v14.2 VMWare Installation Guide 53

 v14.2 VMWare Installation Guide

Protected Servers
VMotion of servers protected by SecureSphere is supported.

57615 Protected Servers Last modified: 3/10/2015 2:21:31 PM

v14.2 VMWare Installation Guide 54

 v14.2 VMWare Installation Guide

Management Servers
VMotion of SecureSphere management servers is supported.

57616 Management Servers Last modified: 3/10/2015 2:21:32 PM

v14.2 VMWare Installation Guide 55

 v14.2 VMWare Installation Guide

Gateways
VMotion of SecureSphere gateways is supported, but note that this might cause up to 50 seconds downtime.

57617 Gateways Last modified: 3/10/2015 2:21:32 PM

v14.2 VMWare Installation Guide 56

 v14.2 VMWare Installation Guide

Snapshot
The VM snapshot feature is a mechanism for backing up applications and their data.

SecureSphere products (especially database products) typically generate large amounts of data, and snapshots can
quickly deplete available disk space as they grow in size. For this reason, it is recommended that you monitor the
snapshot size and if necessary, delete the snapshot file and redo the snapshot.

57619 Snapshot Last modified: 3/10/2015 2:21:32 PM

v14.2 VMWare Installation Guide 57

 v14.2 VMWare Installation Guide

Cloning
Cloning of virtual Gateways, MX servers and SOM is not supported.

62519 Cloning Last modified: 4/23/2019 10:20:56 AM

v14.2 VMWare Installation Guide 58

 v14.2 VMWare Installation Guide

Frequently Asked Questions

Q. Are there special licensing considerations?

A. You need a special license for a Imperva SecureSphere Virtual Appliance.

Q. Is Fail-Open Supported for Virtual Appliances?

A. Fail-open (or bypass) is a hardware feature and is not available for Imperva SecureSphere Virtual Appliance.

Q. Is SSL-offloading supported?

A. Hardware-based SSL off-loading to hardware is not supported for Imperva SecureSphere Virtual Appliance, but
software-based SSL-offloading (to SecureSphere) is supported for Imperva SecureSphere Virtual Appliance.

Q. Is Onebox supported for Imperva SecureSphere Virtual Appliance?

A. No. This option is not currently available for Imperva SecureSphere Virtual Appliance.

Q. Can Imperva SecureSphere Virtual Appliances and physical SecureSphere appliances be deployed together?

A. Yes, you can freely mix physical SecureSphere appliances and Imperva SecureSphere Virtual Appliances, provided
that you have the proper licenses.

Q. How do DB Agents fit into the virtualization picture?

A. DB Agents can communicate with virtualized SecureSphere gateways in exactly the same way they communicate
with physical SecureSphere gateways. Also, DB Agents can be installed on hypervisors.

Q. Can I add a network interface?

A. Yes, on ESX 4 and higher only. For information on how to do this, see Adding Virtual NICs.

Q. Can I add a CPU (core)?

A. No. Though for assistance with performance issues, please contact Imperva Support.

57620 Frequently Asked Questions Last modified: 3/10/2015 2:21:32 PM

v14.2 VMWare Installation Guide 59

 v14.2 VMWare Installation Guide

Proprietary Rights Notice

© 2002 - 2021 Imperva, Inc. All Rights Reserved.

Follow this link to see the SecureSphere copyright notices and certain open source license terms:

https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/SecureSphere-License-and-Copyright-Information

This document is for informational purposes only. Imperva, Inc. makes no warranties, expressed or implied.

No part of this document may be used, disclosed, reproduced, transmitted, transcribed, stored in a retrieval system,
or translated into any language in any form or by any means without the written permission of Imperva, Inc. To obtain
this permission, write to the attention of the Imperva Legal Department at: 3400 Bridge Parkway, Suite 200, Redwood
Shores, CA 94065.

Information in this document is subject to change without notice and does not represent a commitment on the part of
Imperva, Inc. The software described in this document is furnished under a license agreement. The software may be
used only in accordance with the terms of this agreement.

This document contains proprietary and confidential information of Imperva, Inc. This document is solely for the use
of authorized Imperva customers. The information furnished in this document is believed to be accurate and reliable.
However, no responsibility is assumed by Imperva, Inc. for the use of this material.

TRADEMARK ATTRIBUTIONS

Imperva and SecureSphere are trademarks of Imperva, Inc.

All other brand and product names are trademarks or registered trademarks of their respective owners.

PATENT INFORMATION

The software described by this document is covered by one or more of the following patents:

US Patent Nos. 7,640,235, 7,743,420, 7,752,662, 8,024,804, 8,051,484, 8,056,141, 8,135,948, 8,181,246, 8,392,963,
8,448,233, 8,453,255, 8,713,682, 8,752,208, 8,869,279 and 8,904,558, 8,973,142, 8,984,630, 8,997,232, 9,009,832,
9,027,136, 9,027,137, 9,128,941, 9,148,440, 9,148,446 and 9,401,927.

Imperva Inc.

3400 Bridge Parkway

Redwood Shores, CA 94065

United States

Tel: +1 (650) 345-9000

Fax: +1 (650) 345-9004

• Website: http://www.imperva.com

v14.2 VMWare Installation Guide 60

 v14.2 VMWare Installation Guide

• General Information: [email protected]

• Sales: [email protected]
• Professional Services: [email protected]
• Technical Support: [email protected]

Imperva-SecureSphere-v14.1-Virtual-Appliance-Installation-Guide-v1

75814 Proprietary Rights Notice Last modified: 6/2/2020 3:19:10 PM

v14.2 VMWare Installation Guide 61

 v14.2 VMWare Installation Guide

End User License and Services Agreement

To view the End User License and Service Agreement for this product, please visit http://www.imperva.com/Other/
LicenseAgreement

60620 End User License and Services Agreement Last modified: 7/19/2020 10:37:57 AM

v14.2 VMWare Installation Guide 62