Runecast Analyzer makes hardware checking against the VMware HCL easy

Runecast Analyzer is a tool that helps VMware administrators proactively manage their vSphere environment. It discovers potential risks in the VMware environment before they can cause a major outage. It uses best practices, security hardening guides (VMware, DISA STIG, PCI-DSS v3.2.1 and HIPAA) and known issues found in the VMware Knowledge Base to protect the Software Defined Data Center (SDDC). Runecast Analyzer supports the following VMware products:

  • VMware vSphere
  • VMware vSAN
  • VMware NSX-V
  • VMware Horizon

Runecast Analyzer introduced new features called “Automated VMware HCL” and “ESXi Compatibility Simulation”. The “Automated VMware HCL” feature checks the VMware ESXi host hardware, driver and firmware versions against the VMware Hardware Compatibility List (HCL). The HCL lists all the physical hardware components, driver versions and firmware versions that are supported by VMware. Keeping the hardware aligned with the VMware HCL is essential for a healthy, stable and supported VMware environment, but it can be difficult to do. For example, see the blog post below on how to identify a network card and the supported driver.

Identify NIC driver and supported driver version for ESXi server

 

Within the “Automated VMware HCL” feature you can enable “ESXi Compatibility Simulation”. ESXi Compatibility Simulation checks the existing hardware against a newer VMware ESXi version before you upgrade to that version, so you can verify whether the hardware, driver and firmware levels are supported.

Automated Hardware Compatibility

After deploying the Runecast Analyzer appliance and connecting to one or more vCenter Servers, the first scan can be performed by clicking on the purple “Analyze Now” button. When the scan is completed, select “HW Compatibility” on the left menu bar. By default all ESXi hosts are listed. In the action pane you can specify a specific cluster or one or more host(s).

The screenshot shows the host, ESXi release, hardware summary and the compatibility status of the BIOS and I/O devices. The BIOS and I/O devices are red in this example, which means they need attention. All the hardware, firmware and driver results can be exported to a CSV file. Per ESXi host you can drill down to the server hardware.

The BIOS needs an update; it is reported as a possible incompatibility, “Not Found”, in the HCL Data field. When clicking on the “HCL online” button, we are redirected to the VMware Compatibility List (HCL).

The VMware HCL shows that the matching BIOS level is version 1.2. After the BIOS view we go to the I/O devices by clicking on the I/O Devices tab.

The Intel I350 Gigabit and the Samsung NVMe SSD Controller need attention. When looking at the Intel I350 in the HCL, we see that the firmware level is okay and that the installed driver version, 0.1.1.0, is old. The HCL reports that version 1.4.1 is needed.

ESXi Compatibility Simulation

Alongside the Hardware Compatibility overview there is another feature called “ESXi Compatibility Simulation”. ESXi Compatibility Simulation checks the existing hardware against a newer VMware ESXi version before you upgrade to that version, so you can verify whether the hardware, driver and firmware levels are supported.

After turning on the ESXi Compatibility Simulation feature and selecting the ESXi version to upgrade to, you can fire the simulation. In this environment I want to upgrade to ESXi 6.7 U2, and it shows that the BIOS is not compatible.
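The comparison behind the “Automated VMware HCL” check and the ESXi Compatibility Simulation can be sketched as follows. This is an added example, not Runecast's code or code from the original post: the HCL extract, the inventory, the running release “6.5 U1” and the status strings are constructed; only BIOS 1.2 and the driver versions 0.1.1.0 and 1.4.1 come from the text above.

```python
import re

# Constructed HCL extract: (ESXi release, component, kind) -> supported versions.
# "6.5 U1" as the running release and every version except BIOS 1.2 and the
# driver versions 0.1.1.0 / 1.4.1 (taken from the post) are assumptions.
HCL = {
    ("6.5 U1", "BIOS", "bios"): {"1.2"},
    ("6.5 U1", "Intel I350", "driver"): {"1.4.1"},
    ("6.5 U1", "Intel I350", "firmware"): {"1.63"},
    ("6.7 U2", "BIOS", "bios"): {"1.4"},
    ("6.7 U2", "Intel I350", "driver"): {"1.4.1"},
    ("6.7 U2", "Intel I350", "firmware"): {"1.63"},
}

# Constructed inventory of one host: (component, kind, installed version).
INVENTORY = [
    ("BIOS", "bios", "1.0"),
    ("Intel I350", "driver", "0.1.1.0"),
    ("Intel I350", "firmware", "1.63"),
    ("Samsung NVMe SSD Controller", "driver", "1.0.0"),
]

def vkey(version):
    """Turn '0.1.1.0' or '1.4.1-1OEM' into a tuple of ints for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def check(component, kind, installed, release):
    """Classify one component against the HCL extract for one ESXi release."""
    supported = HCL.get((release, component, kind))
    if supported is None:
        return "not listed"                    # no HCL entry for this release
    if installed in supported:
        return "compatible"
    newest = max(supported, key=vkey)
    if vkey(installed) < vkey(newest):
        return f"outdated, HCL lists {newest}"
    return f"unsupported, HCL lists {newest}"  # newer than any listed version

def findings(release, inventory=INVENTORY):
    """Return every component that is not compatible with the given release."""
    result = {}
    for component, kind, installed in inventory:
        status = check(component, kind, installed, release)
        if status != "compatible":
            result[(component, kind)] = status
    return result

if __name__ == "__main__":
    for release in ("6.5 U1", "6.7 U2"):  # running release, then upgrade target
        for (component, kind), status in findings(release).items():
            print(f"{release:7} {component} {kind}: {status}")
```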

Conclusion

It can be difficult and time consuming for VMware admins to check if the server hardware is aligned with the VMware Hardware Compatibility List (HCL) for maintaining a healthy, stable and supported environment. Runecast Analyzer makes this very easy and fast: perform a simple scan and see whether the hardware of the VMware environment is compliant with the VMware HCL.

Another great feature is the ESXi Compatibility Simulation. Again, with a simple scan you check whether the hardware is compatible with a newer version of ESXi before actually upgrading to this version. The Automated Hardware Compatibility and ESXi Compatibility Simulation are great new features that save a lot of valuable time investigating whether the VMware environment is compliant.

You can download a 30-day full trial version of Runecast Analyzer and try it yourself.

 

New enhancements in Runecast Analyzer 2.0

Runecast Analyzer provides proactive management for VMware environments. It discovers potential risks in the VMware environment before they can cause a major outage. In 90% of the outages with VMware environments, the root cause is based on a known issue that is already available in the VMware knowledge base. Runecast Analyzer uses information from the VMware knowledge base, security hardening guides (VMware, DISA STIG and PCI-DSS), and best practices to proactively identify problems or outages before they occur.

In my last review of Runecast Analyzer I tested version 1.7 (link) with vSphere and vSAN support. The next version (1.8) included NSX-V support, and a couple of weeks ago version 2.0 of Runecast Analyzer was released. This version includes the following new enhancements.

New User Interface (UI)

Runecast Analyzer 2.0 has a completely redesigned User Interface (UI) that includes new widgets such as:

  • Historical Trending
  • Hosts with Most Issues

Historical Trending

It includes historical trending for at least 3 months of vSphere, vSAN and NSX-V scan results. By default a scan is performed every day (this can be changed) against one or more vCenter environment(s). The scan results contain the description, the IP address and why each issue was detected. The trending information is shown in widgets in the UI.

With this functionality you can keep track of how compliant you are and what progress you have made in solving issues. All the detected issues are summarized in the “Issue History” widget per day or week.

Hosts with Most Issues

Another new widget in the UI is “Hosts with Most Issues”. It shows which ESXi host has the most issues and deserves the highest priority for investigation.

History Analysis

History Analysis is a new feature that helps with isolating the root cause of a reported incident as quickly as possible.

The first section shows a chart with a trend of detected and fixed issues over time. Interactive dots in the trend chart show the issues and details of each scan. The second section shows a table with detailed descriptions of the issues.

Within History Analysis you can filter on:

  • Severity (Critical, Major, Medium or Low)
  • Source (PCIDSS, SH, BP or KB)
  • Applies to (Network, Compute, vCenter, Management or VM)
  • Products (NSX-V or vSphere)

The issue results can be compared with previous scan results, and the differences are shown.

This makes the new History Analysis very powerful for finding issues in the vSphere environment, for example after a maintenance window in which configuration changes were made.

vSphere 6.7 with vSphere HTML5 client support

Runecast Analyzer supports vSphere 6.7, has an HTML5 web plugin for the vSphere Client and even integrates in the NSX dashboard.

PCI-DSS compliance 

Runecast Analyzer 2.0 includes a new profile with 226 different checks for the Payment Card Industry Data Security Standard (PCI-DSS). The profile can be enabled and automatically checks if you are compliant with the PCI-DSS profile (Runecast Analyzer supports PCI DSS 3.2.1).

This helps with becoming PCI-DSS compliant and is very helpful for companies in the financial space.

The PCI-DSS results can be easily filtered and exported in different formats (PDF, CSV or clipboard copy). This can be useful, for example, during an audit.

Latest VMware Knowledge Base updates

When new knowledge definitions are available, the definition database can be updated (automatically). For example, with the Spectre, Meltdown and L1TF vulnerabilities, Runecast Analyzer can quickly identify those vulnerabilities when VMware releases the KB articles.

Appliance Update

In version 2.0 of Runecast Analyzer the internal components of the appliance are updated to the latest versions (such as Ubuntu 14.04.05 LTS, PostgreSQL 10 and Apache Tomcat 9.0.10), and TLS 1.2 is used. The appliance meets the latest security compliance. The appliance and knowledge definitions can be easily updated when a new version is available.

For new users, deploying a new appliance (OVF) is a piece of cake. Runecast Analyzer is installed and operational within a couple of minutes. A free Runecast Analyzer trial or demo can be requested by using the following link.

Version 2.0 of Runecast Analyzer adds great new enhancements that help to proactively identify problems or outages before they occur and to easily check the compliance of the VMware vSphere, vSAN and NSX-V environment.

Proactively manage your vSphere environment with Runecast Analyzer

I got the opportunity to test Runecast Analyzer. Runecast Analyzer proactively uses VMware KBs, best practices and security hardening guidelines to identify problems in your VMware environment. In this review you will find my own experiences of testing Runecast Analyzer.

Deployment

The deployment of Runecast Analyzer is easy. It’s an on-premises deployment in your vSphere environment. Within a couple of minutes Runecast is up and running. First download and deploy the virtual appliance OVA in an existing vSphere 5 or higher environment. During the deployment 3 appliance configuration sizes are available:

Deployment   vCPU   Memory (GB)   Storage (GB)   Network
Small        2      4             90             >= 100 Mbit
Medium       4      8             90             >= 100 Mbit
Large        8      32            90             >= 100 Mbit

Choose the appliance size, set the IP address and you’re ready to access the appliance using a web browser.

After the appliance is deployed, updating of the KB definitions, the application and the OS can be configured in the VA admin interface of the appliance. When using the automatic updating feature you’re always up-to-date.

When the appliance has no internet connection, offline updates are available on the Runecast website.

Scan the vSphere environment

Add one or more vCenter Server(s) and you’re ready to fire your first scan of the VMware environment. The scan can be performed manually or scheduled.

After the scan of the environment the issues are displayed in a dashboard. The issues are categorized as critical, major and medium.

Version 1.7 adds a new dashboard called “issues by layer”. This dashboard categorizes the issues into 5 main layers: Management, VM, Compute, Network and Storage.

The detected issues are added to the five layers. This dashboard is interactive. By selecting the layer and issue you can drill down and find the affected component and root cause.

It is possible to integrate Runecast in the vSphere Web Client. The plugin displays all issues detected by Runecast Analyzer with the details and their root causes.

The vSphere Web Client HTML5 page looks awesome.

Meltdown and Spectre

Runecast continuously monitors the VMware KB articles and is able to detect Spectre and Meltdown issues. The great thing is that when VMware updates or adds a Spectre or Meltdown KB article, Runecast picks that up and alerts you when the vSphere environment is affected. In the following example the Spectre/Meltdown issues are found.

You can drill down to see which hosts are affected.

Log Analytics

Runecast Analyzer includes log analytics. Runecast collects the syslogs from the ESXi hosts and performs smart analytics on them to discover possible problems found in KBs.

Hardening

Runecast Analyzer uses VMware Security checks (https://www.vmware.com/security/hardening-guides.html) and DISA STIG 6 to check the compliance of the vSphere environment. The results are reported in a dashboard.

vSAN support

Version 1.7 adds support for VMware vSAN environments. It scans vSAN clusters and tests their configurations against VMware KB articles and best practices. When issues are found, guides on how to fix them are included. For example, in a customer vSAN environment Runecast Analyzer found the following vSAN problem:

When drilling down, the guide tells me that this issue is fixed in ESXi 6.5 Update 1 (vSAN 6.6.1). After patching, the issue was solved without ever occurring in the vSAN environment. This is what I call “proactive management”.

Conclusion

With Runecast Analyzer every VMware vSphere admin can proactively identify possible (security) problems in their vSphere environment. The installation is easy and fast. Within a couple of minutes the appliance is ready for the first scan. As a VMware consultant I use Runecast on a frequent basis, which gives me a great overview of the state of the vSphere environment I’m working with.

Every new release adds great new features such as vSAN and vSphere Web Client (HTML5) support. The next release will contain NSX-V support.

In my opinion Runecast Analyzer is a must-have tool for every VMware vSphere admin to proactively monitor their environment.

Wanna try?

There is a 14-day free trial available from this link.