This topic describes how to install and configure Anti-Virus Mirror for VMware Tanzu. VMware recommends that you install this tile before installing Anti-Virus for VMware Tanzu.
If you do not have an external mirror for Anti-Virus jobs to fetch database updates from, you can deploy a mirror using the Anti-Virus Mirror tile.
This deployed internal mirror, which uses mutual TLS (mTLS), can support both air-gapped environments and networked environments.
If you have already deployed an external mirror, you can use that instead of installing this tile, and continue to Installing and Configuring Anti-Virus for VMware Tanzu.
To install the Anti-Virus Mirror, you must have:
An Ops Manager operator user account with admin rights. For more information, see Platform Operators.
Operations Manager (Ops Manager). For compatible versions, see the Product Snapshot.
At least 1 GB of RAM free for each VM that installs Anti-Virus. This is so that you can install the Anti-Virus for VMware Tanzu tile after deploying this mirror. Anti-Virus installs itself on each tile VM and runs internally. Anti-Virus takes at least 610 MB of RAM on each VM. On Google Cloud Platform (GCP), the recommended minimum VM size is micro.cpu using 2 CPU and 2 GB RAM.
To install the Anti-Virus Mirror for VMware Tanzu tile:
Download the product file from VMware Tanzu Network.
For air-gapped networks, follow your company’s offline installation protocols. For more information, see Installing Ops Manager in Air-gapped Environments.
Navigate to the Ops Manager Installation Dashboard and select Import a Product to upload the product file.
Under the Import a Product button, click + next to the version number of Anti-Virus Mirror for VMware Tanzu. This adds the tile to your staging area.
Click the newly added Anti-Virus Mirror for VMware Tanzu tile.
To assign availability zones (AZs) and networks:
Select Assign AZs and Networks.
Configure the fields as follows:
Field | Description |
---|---|
Place singleton jobs in | Select an AZ. If you install only one Anti-Virus Mirror VM, this is the AZ that it is placed in. |
Balance other jobs in | Select one or more AZs. If you install more than one Anti-Virus Mirror VM, these are the AZs that the VMs are placed in. |
Network | Select a subnet for the antivirus_mirror VM. This is typically the same subnet that includes the VMware Tanzu Application Service for VMs (TAS for VMs) component VMs. |
Click Save.
To configure Anti-Virus Mirror:
Select Anti-Virus Mirror Configuration.
Configure the fields as follows:
Field | Instructions |
---|---|
Log output destination | Select the file descriptor to forward your logs through: |
Anti-Virus Mirror Port | Enter the port for Anti-Virus Mirror to use. The default value is 6501. |
Mirror for Automatic Database Updates | |
Official mirror | Select this to have the mirror fetch databases from the official virus database mirror. |
Existing mirror | |
Note: Anti-Virus Mirror for VMware Tanzu serves virus definitions to your environment for Anti-Virus for VMware Tanzu to use, but the Anti-Virus mirror needs to get databases itself. You can configure the Anti-Virus mirror to get virus definitions using the supported options in Mirror for Automatic Database Updates above.
Click Save.
(Optional) If you selected Official mirror or Existing mirror in the previous section, you can configure a proxy for the Anti-Virus mirror to retrieve the databases from. To do this:
Select HTTP Proxy Configuration.
Set HTTP proxy to get database updates to Enabled.
Enter the host, port, username, and password in the fields that appear.
Click Save.
Follow the steps below to enable system logging for Anti-Virus Mirror for VMware Tanzu.
Select Syslog.
Select Yes for Do you want to configure Syslog forwarding?.
Configure the fields as follows:
Field | Instructions |
---|---|
Address | Enter the address or host of the syslog server for sending logs, for example, logmanager.example.com. |
Port | Enter the port of the syslog server for sending logs, for example, 29279. |
Transport Protocol | Select the transport protocol used to send system logs to the server. VMware recommends using TCP. |
Enable TLS | If you select TCP, you can also select to send logs encrypted over TLS. |
Permitted Peer | Enter either the accepted fingerprint, in SHA1, or the name of the remote peer, for example, *.example.com. |
SSL Certificate | Enter the SSL or TLS Certificates for the syslog server. This ensures the logs are transported securely. |
Queue Size | Enter an integer. This value specifies the number of log entries held in the buffer. The default value is 100000. |
Forward Debug Logs | Select this box to forward debug logs to an external source. This option is deselected by default. If you select it, you might generate a large amount of log data. |
Custom rsyslog Configuration | Enter configuration details for rsyslog. This field requires RainerScript syntax. |
Click Save Syslog Settings.
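A Permitted Peer fingerprint that does not match the syslog server's certificate is easiest to catch before you save. The following added example (not part of the VMware documentation or the tile) computes the SHA1 fingerprint of a PEM certificate and compares it with a pasted value, ignoring case, colons and a leading SHA1 label. The function names and the sample PEM are constructed for illustration, and the code assumes the server's own certificate is the first one in the file.

```python
import base64
import hashlib
import re

# Constructed stand-in: the body decodes to the bytes b"abc", not a real certificate.
# A fingerprint is a hash over the DER bytes, so this is enough to exercise the code.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    ders = [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate block found")
    return ders


def sha1_fingerprint(der):
    """SHA1 over the DER encoding, as colon-separated upper-case hex pairs."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint):
    """Reduce a typed or pasted fingerprint to 40 bare hex digits, or raise."""
    s = re.sub(r"(?i)^sha1(\s+fingerprint)?\s*[:=]\s*", "", fingerprint.strip())
    s = re.sub(r"[:\s]", "", s).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("not a SHA1 fingerprint: %r" % fingerprint)
    return s


def matches_permitted_peer(pem_text, permitted_fingerprint):
    """True if the first certificate in pem_text has the given SHA1 fingerprint."""
    leaf = pem_to_der_list(pem_text)[0]  # assumption: server certificate comes first
    return normalise(sha1_fingerprint(leaf)) == normalise(permitted_fingerprint)


if __name__ == "__main__":
    print(sha1_fingerprint(pem_to_der_list(SAMPLE_PEM)[0]))
```

To check a real server, pass the contents of its certificate file as `pem_text` and the value you intend to enter in Permitted Peer as `permitted_fingerprint`.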
Anti-Virus jobs do load balancing for you.
VMware recommends one Anti-Virus Mirror VM for every 250 VMs with Anti-Virus installed. To scale the number of deployed mirrors:
Select Resource Config.
For antivirus-mirror, set INSTANCES to the number of mirrors that you want to deploy.
Click Save.
Your Anti-Virus Mirror installation is not complete until you apply your configuration changes. To do this:
Return to the Ops Manager Installation Dashboard.
Click Review Pending Changes.
antivirus-mirrors. To do this, see Updating Virus Definitions.