Deep Security 11 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.

Test the VMware Site Recovery Manager integration

After integrating Deep Security with VMware Site Recovery Manager (SRM), you are ready to test the integration. Follow these steps:

Step 1: At the protected site, assess rules

Before attempting a failover, you'll need to assess the Intrusion Prevention and Integrity Monitoring rules assigned to VMs on your protected site. It is important to know which rules are in use so that you can re-assign them to VMs on the recovery site after a failover.

To assess the assigned rules:

  1. Go to Deep Security Manager and click Computers.
  2. Look for the protected site. In our example, the protected site is listed under the [...] Datacenter-65 > Protected heading.
  3. (Optional) Right-click a VM on the protected site and run a recommendation scan and assign the recommended rules manually or automatically. In this example, we run recommendation scans on srmtest-w7 and srmtest-ubuntu and assign all recommended rules.
  4. Double-click a protected VM and on its General tab, look for the Intrusion Prevention and Integrity Monitoring fields.
  5. Write down how many rules are assigned. In our example, we assigned 953 Intrusion Prevention rules and 20 Integrity Monitoring rules to srmtest-w7.

    These rules will not be carried over to the recovery site.

Step 2: At the protected site, test agentless protection

Before attempting a failover, go to the protected site and test agentless protection on the VMs to ensure that everything is working.

The types of tests you should conduct and the expected results are described in Test list and expected results.

Step 3: Fail over

You are now ready to fail over to the recovery site. Follow these steps:

3a. Run the SRM recovery plan

See your SRM documentation for instructions on running the SRM recovery plan. When the plan executes, your VMs are migrated from the protected site to the recovery site. The images below show the recovery plan being run. You can see that the Status changes from ready, to 'in progress', to complete.

After the recovery plan has completed, the VMs on the protected site are powered off and the VMs on the recovery site are powered on.

3b. Check that the correct VMs are powered on and off

  1. Go to Deep Security Manager and click Computers.
  2. Look for the protected site. In our example, the protected site is listed under the [...] Datacenter-65 > Protected heading.
  3. Check that the VMs on the protected site have switched from... to...
  4. Check that the icons for the VMs on the recovery site have changed from...to...

The following table shows the BIOS UUIDs of the 2 VMs that are part of the recovery plan. Notice how their UUIDs are now the same on the protected and recovery sites. (The UUIDs from the protected site have been replicated on the recovery site.) The UUIDs remain the same until you trigger a reprotection (coming up later).

VM BIOS UUID (UUIDs are the SAME at each site)
VM Name Protected site (VM Stand-by/ Off) Recovery site
srmtest-ubuntu AAA AAA
srmtest-win7 BBB BBB

3c. Check your Deep Security events

  1. Go to Deep Security Manager and click Events & Reports > System Events.
  2. Check the System Events page. You may see Duplicate Unique Identifiers Detected events as a result of the UUIDs being the same for the protected and replicated VMs. This event is expected and can be ignored.

3d. Deactivate the protected site VMs

  1. Go to Deep Security Manager and click Computers.
  2. Find the protected site. In our example, it's under the [...] Datacenter-65 > Protected heading.
  3. Deactivate the VMs on the protected site by right-clicking them and selecting Actions > Deactivate. Their status changes from Managed (VM Stopped) to Unmanaged (VM Stopped). The green dot changes to grey.

3e. Reprotect the recovery site VMs

See your SRM documentation for details.

The reprotect process unfolds in two stages:

  • First, SRM reverses the direction of protection.
  • Next, SRM synchronizes the storage between the new protected site and the new recovery site.

Below is the recovery plan status after the reprotect operation. You can see the direction has been updated (*.66 and *.65 have been swapped).

The following table shows the current BIOS UUIDs of the 2 VMs that are part of the recovery plan. Notice how their UUIDs are now different. New UUIDs have been created for the protected site.

VM BIOS UUID (UUIDs are the DIFFERENT at each site)
VM Name Protected site (VM Stand-by/ Off) Recovery site
srmtest-ubuntu MMM AAA
srmtest-win7 NNN BBB

3f. Activate and assign policies to the recovery site VMs

  1. Go to Deep Security Manager and click Computers.
  2. Find the recovery site. In our example, it's under the [...] Datacenter-65 > Recovery heading.
  3. Under the recovery site, right-click a VM and select:
    1. Action > Assign Policy to assign a policy to the VM manually.
    2. Action > Activate/Reactivate to activate the VM manually.

    At the time of writing, only manual activation and deactivation have been tested and are supported.

    In this example, srmtest-ubuntu was assigned the Ubuntu Linux policy, and srmtest-w7 was assigned the Windows Desktop policy. Both were then activated. After activation, the VMs appear in Deep Security Manager like this:

3g. Assign rules on the recovery site VMs (run a recommendation scan)

  1. Go to Deep Security Manager and click Computers.
  2. Look for the recovery site. In our example, the recovery site is listed under the [...] Datacenter-65 > Recovery heading.
  3. Double-click a protected VM and on its General tab, look for the Intrusion Prevention and Integrity Monitoring fields. Notice that the Intrusion Prevention and Integrity Monitoring modules are on, but there are no rules assigned. Rules are not carried over to the VMs on the recovery site.

  4. Assign rules by right-clicking a VM on the recovery site and running a recommendation scan and then assigning the proposed rules. In this example, we run recommendation scans on srmtest-w7 and srmtest-ubuntu and assign all recommended rules.
  5. Check that the assigned rules on the VM on the recovery site.

    Your rules should match in number to those on the pre-failover protected site.

Step 5: At the recovery site, test agentless protection

At the recovery site, test agentless protection on the VMs to ensure that failover has succeeded.

The types of tests you should conduct and the expected results are described in Test list and expected results.

Step 6: Fail back

Run the SRM recovery plan again to migrate your VMs from the recovery site back to the protected site (failback). For high-level steps, see below. For detailed steps, see Step 3: Fail over but complete the steps on the opposite site than the one indicated. In other words, when you're told to complete a task on the protected site, do it on the recovery site, and vice versa.

The high-level steps to fail back are:

  • Run the SRM recovery plan to migrate VMs back to the protected site.
  • Check that the correct VMs are powered on and off. The recovery site VMs are powered off; the protected site VMs are powered on.
  • Check your Deep Security events.
  • Deactivate the recovery site VMs.
  • Reprotect the protected site VMs.
  • Activate and assign policies to the protected site VMs.
  • Assign rules on the protected site VMs (run a recommendation scan).

Step 7: At the protected site, test agentless protection

At the protected site, test agentless protection on the VMs to confirm that failback has succeeded.

The types of tests you should conduct and the expected results are described in Test list and expected results.

Test list and expected results

The table below shows the tests you should perform on your VMs and the expected results. The tests should be performed on the active site, whichever one that may be (either the protected site or recovery site).

If you obtain the expected results, you'll know your agentless protection is working on the active site.

Test Expected result
  srmtest-ubuntu (Linux VM) srmtest-win7 (Windows VM)
Test activation. Instructions. Pass Pass
Test Anti-Malware real-time. Instructions.

Not supported

Pass
Test Web Reputation. Instructions. Pass Pass
Test Firewall rules. Instructions. Pass Pass
Test Intrusion Prevention. Instructions. Pass Pass
Test Integrity Monitoring. Instructions.

Not supported

Pass
Do not test Log Inspection. It is not supported.

Not supported

Not supported

Do not test Application Control. It is not supported.

Not supported

Not supported

At the time of writing, only manual activation and deactivation have been tested and are supported.