Guest introspection is a service that is deployed from NSX Manager to offload security functions to a dedicated security appliance on each host; thus removing the need for an AV agent within the guest operating system.
Using the Guest Introspection driver baked into VMware Tools and a third party service virtual machine, such as McAfee MOVE, all virtual machines are protected by real-time inspection as soon as they are powered on. This reduces administrative and guest memory overheads, whilst standardising deployments.
vShield Manager and Endpoint
Guest introspection functionality was previously achieved using vShield Manager with vShield Endpoint as part of the vCloud Networking and Security suite. NSX Manager v6.2.4 onwards is the replacement product for vShield Manager which has now reached end of life. Guest Introspection replaces vShield Endpoint, you may have noticed in ESXi 5.5 U2 the vShield drivers were renamed to guest introspection drivers as part of the VMware Tools install.
When upgrading from vShield Manager to NSX Manager the vShield Endpoint VIBs are already present on the hosts, these need upgrading to Guest Introspection. For assistance with upgrading from vShield Manager to NSX Manager see the post Upgrading vShield Manager to NSX Manager. This post will detail a clean installation process for the Guest Introspection service, as well as extending an IP Pool for use with Guest Introspection.
NSX Manager and Guest Introspection
Guest introspection is installed on a per cluster basis using the vSphere web client. Deploying Guest Introspection installs a new VIB and ESX Agent on each host in the cluster. You should check with your third party security vendor for compatibility and specific instructions. In most cases, such as with McAfee MOVE, an additional service virtual machine for offloaded anti-malware and AV scanning is deployed to each host.
Both the Guest Introspection ESX Agent and the third party appliance will require storage and a dedicated IP address, this can be configured using either DHCP or a VMware IP pool. The IP addressing of these ESX agents should be factored in to your solution design. The network is provided by a vSphere distributed switch, if you are not using distributed switches then it is possible to set an agent network on each host as a work around under Configuration > Agent VM Settings in vSphere.
To enable Guest Introspection log into the vSphere web client and browse to Networking & Security, then click Installation. Click the green plus symbol to add a new service deployment.
In the new service deployment screen select Guest Introspection and click Next.
Select the cluster or clusters to deploy the service to and click Next.
Select the storage and management network for the ESX Agents, the default IP assignment is DHCP, ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps at the bottom of this post to extend. When the storage and network settings are configured click Next.
Review the details on the confirmation page and click Finish.
The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX agents being deployed in the vSphere recent tasks pane.
Once complete the installation status should show succeeded and the service status ok. The Guest Introspection service has now been deployed to the selected clusters and you can move on to deploying and configuring your chosen third party appliance.
If you are using stateless environments then you should update the Auto Deploy image with the NSX VIBs, otherwise the guest introspection status will change to not ready after a host is rebooted.
Browse to https://NSX/bin/vdn/nwfabric.properties (where NSX is the IP or FQDN of the NSX Manager) and find the VIB URL for your version of ESXi, open the relevant URL which will auto download vxlan.zip. For assistance with updating Auto Deploy images see the VMware Auto Deploy Guide.
- Service deployment failed with Agent VIB module cannot be detected on the host? See this post.
- Guest Introspection intermittently losing connectivity? See this post.
Extending NSX Manager IP Pools
When creating Service Deployments through NSX Manager a new IP Pool can be created for use with the service. During the service deployment wizard although we can create new pools, there is no option to extend an existing pool. In the event a pool requires additional capacity you can follow the steps outlined below.
From the home page of the vSphere web client select Networking & Security, click NSX Managers.
With the NSX Manager selected open the Manage tab and click Grouping Objects, IP Pools.
The existing IP Pools will be listed, here you can add, remove, and edit IP Pools. The Used / Total column will tell you how many IP addresses have been used in the pool. For this example we have an IP Pool with 22/22 used addresses, we will therefore extend the pool. Select the IP Pool to extend and click the Edit icon.
Change the relevant settings in the pop-out window, I will be altering the static IP Pool to include an additional 2 addresses. Click Ok once complete.
We can see the IP Pool has used 22/24 addresses.
Now there are available addresses we can go ahead and use the IP Pool for our new service deployment.
15 thoughts on “NSX Manager Guest Introspection”
Thank you, that was exactly what I wanted to do. Is there any other use case for this apart from AV Agents?
It’s basically for security services, so NSX Data Security, and other third party security solutions.
LikeLiked by 1 person
Exactly what i wanted, Thank you. Just a quick one, can this be used for anything else apart from AV agents?
It is required for Agentless Antivirus , File Integrity ,Identity based firewall
Can I rename the guest introspection agent after it is deployed e.g. to esxhostname-GI
Hi Do you achieve to rename your guest introspection agent ?
You cannot rename the Guest Introspection agent but in NSX 6.4.1 the name has changed to include the host name
I deployed the guest introspection on my ESXi , now the state is not ready …
how can I check if the agent running ?
Once it completes you will see installation status as succeeded and you will find a vm with a name “Guest Introspection” .
Is it possible to not deploy 3rd party service on every host.Can i deploy it on a dedicated host and redirect traffic from guest vms to this service vm sitting on a seperate host from the guest vms?
No ESX agent has to be on each host
I have two networks on my Guest Introspection agents. The first one is mgmt network and a pool. The second one is named vmservice-vshield-pg and has a dhcp setting with IP 169.254.24.1 on all agents in my cluster. It’s detected as an IP conflict. What should I do to fix this? Thanks
The vshield network should be on a standard switch and is a local private network on the host for Guest Introspection to talk to your AV SVM. If it was me I would check the IP pool configuration does not overlap any other IP ranges that are in use and then remove and redeploy the agents. You are better off logging a ticket with support if you are stuck.
What are the steps to remove Guest Introspection and McAfee Move virtual appliances from an ESXi? I would like to remove the ESXi out of the cluster (the cluster is based on vSAN)