From the NSX Manager web interface, navigate to Security >> Policy Management >> Distributed Firewall >> All Rules. For each rule, click the gear icon and verify the logging setting. If logging is not enabled for any rule, this is a finding.
From the NSX Manager web interface, navigate to Security >> Policy Management >> Distributed Firewall >> Category Specific Rules. For each rule that has logging disabled, click the gear icon, toggle the logging option to "Enable", and click "Apply".
or
For each Policy or Section, click the menu icon on the left and select "Enable Logging for All Rules".
After all changes are made, click "Publish".
From the NSX Manager web interface, navigate to Security >> Settings >> General Settings >> Firewall >> Flood Protection to view Flood Protection profiles. If there are no Flood Protection profiles of type "Distributed Firewall", this is a finding. If the TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit are "not set" or SYN Cache and RST Spoofing is not Enabled on a profile, this is a finding. For each distributed firewall flood protection profile, examine the "Applied To" field to view the workloads it is protecting. If a distributed firewall flood protection profile is not applied to all workloads through one or more policies, this is a finding.
To create a new Flood Protection profile: From the NSX Manager web interface, navigate to Security >> Settings >> General Settings >> Firewall >> Flood Protection >> Add Profile >> Add Firewall Profile. Enter a name and specify appropriate values for the following: TCP Half Open Connection limit, UDP Active Flow Limit, ICMP Active Flow Limit, and Other Active Connection Limit. Enable SYN Cache and RST Spoofing, configure the "Applied To" field with the appropriate security groups, and then click "Save".
From the NSX Manager web interface, navigate to Security >> Policy Management >> Distributed Firewall >> Category Specific Rules >> APPLICATION >> Default Layer3 Section >> Default Layer3 Rule >> Action. If the Default Layer3 Rule is set to "ALLOW", this is a finding.
From the NSX Manager web interface, navigate to Security >> Policy Management >> Distributed Firewall >> Category Specific Rules >> APPLICATION >> Default Layer3 Section >> Default Layer3 Rule and change the action to "Drop" or "Reject". After all changes are made, click "Publish". Note: Before changing the default action, ensure the necessary rules to whitelist approved traffic are created and published, or this change may result in loss of communication for workloads.
From the NSX Manager web interface, navigate to Security >> Distributed Firewall >> All Rules. Review rules that do not have a Context Profile assigned. For example, if a rule exists to allow SSH by service or custom port, then it should have the associated SSH Context Profile applied. If any rule with services defined has a suitable Context Profile available but does not have one applied, this is a finding.
From the NSX Manager web interface, navigate to Security >> Policy Management >> Distributed Firewall >> Category Specific Rules. For each rule that should have a Context Profile applied, click the pencil icon in the Context Profile column. Select an existing Context Profile or create a custom one, then click "Apply". After all changes are made, click "Publish". Note: This control does not apply to Ethernet rules. Not all App IDs will be suitable for use in all cases and should be evaluated in each environment before use. A list of App IDs for application layer rules is available here: https://docs.vmware.com/en/NSX-Application-IDs/index.html.
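The checks above (rule logging, the flood protection profile limits, the Default Layer3 Rule action, and service-scoped rules without a Context Profile) are written for the NSX Manager UI. The following is an added example, not VMware's or DISA's code, that applies the same checks to an export of the rules and flood protection profiles so they can be audited at scale. It assumes (this is not stated on the page) that the input is JSON in the shape the NSX Policy API returns for Rule and DistributedFloodProtectionProfile objects; the sample data is constructed, and the field names should be verified against the API reference for your NSX version.

```python
"""Audit an export of NSX Distributed Firewall rules and flood-protection
profiles against the STIG checks above. Added example; not VMware's or DISA's code.

Assumption (not stated on the page): the input is JSON in the shape the NSX
Policy API returns for Rule and DistributedFloodProtectionProfile objects
(fields such as "logged", "action", "services", "profiles",
"tcp_half_open_conn_limit", "enable_syncache"). Verify the field names against
the API reference for your NSX version before relying on this.
"""

# Constructed sample data (not captured from a real NSX Manager), trimmed to the
# fields the checks use. "ANY" is how the Policy API expresses an unrestricted
# services or profiles list.
SAMPLE_RULES = [
    {"id": "allow-https", "display_name": "Allow HTTPS", "action": "ALLOW",
     "logged": True, "services": ["/infra/services/HTTPS"],
     "profiles": ["/infra/context-profiles/SSL"]},
    {"id": "allow-ssh", "display_name": "Allow SSH to jump host", "action": "ALLOW",
     "logged": False, "services": ["/infra/services/SSH"], "profiles": ["ANY"]},
    {"id": "default-rule", "display_name": "Default Layer3 Rule", "action": "ALLOW",
     "logged": False, "services": ["ANY"], "profiles": ["ANY"]},
]

SAMPLE_FLOOD_PROFILES = [
    {"id": "dfw-flood", "resource_type": "DistributedFloodProtectionProfile",
     "tcp_half_open_conn_limit": 100000, "udp_active_flow_limit": 100000,
     "icmp_active_flow_limit": 100000,  # other_active_conn_limit left unset
     "enable_syncache": True, "enable_rst_spoofing": False},
]

LIMIT_FIELDS = ("tcp_half_open_conn_limit", "udp_active_flow_limit",
                "icmp_active_flow_limit", "other_active_conn_limit")


def audit_rules(rules):
    """Return (rule id, finding) tuples for the logging, default-rule and
    Context Profile checks. An empty list means no findings."""
    findings = []
    for rule in rules:
        rid = rule.get("id", "?")
        if not rule.get("logged", False):
            findings.append((rid, "logging disabled"))
        if rule.get("display_name") == "Default Layer3 Rule" and rule.get("action") == "ALLOW":
            findings.append((rid, "Default Layer3 Rule action is ALLOW"))
        # A rule scoped to specific services but left at profiles=["ANY"] has no
        # Context Profile, so only port/protocol is enforced, not the application.
        if rule.get("services", ["ANY"]) != ["ANY"] and rule.get("profiles", ["ANY"]) == ["ANY"]:
            findings.append((rid, "service-scoped rule has no Context Profile"))
    return findings


def audit_flood_profiles(profiles):
    """Return (profile id, finding) tuples for Distributed Firewall flood
    protection profiles; a missing limit field is treated as "not set"."""
    dfw = [p for p in profiles
           if p.get("resource_type") == "DistributedFloodProtectionProfile"]
    if not dfw:
        return [("-", "no Distributed Firewall flood protection profile exists")]
    findings = []
    for p in dfw:
        pid = p.get("id", "?")
        findings.extend((pid, f"{f} not set") for f in LIMIT_FIELDS if p.get(f) is None)
        if not p.get("enable_syncache"):
            findings.append((pid, "SYN Cache not enabled"))
        if not p.get("enable_rst_spoofing"):
            findings.append((pid, "RST Spoofing not enabled"))
    return findings


if __name__ == "__main__":
    for where, result in (("rules", audit_rules(SAMPLE_RULES)),
                          ("flood protection", audit_flood_profiles(SAMPLE_FLOOD_PROFILES))):
        print(f"{where}: {len(result)} finding(s)")
        for obj, why in result:
            print(f"  {obj}: {why}")
```

The "Applied To" part of the flood protection check (whether the profile covers every workload) needs the policy scope data as well and is not covered here; treat a clean result from this script as a prerequisite for that manual review, not a replacement for it.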
Identify SpoofGuard profiles in use by doing the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX. For each segment, expand Segment Profiles >> SpoofGuard to note the profiles in use. Review SpoofGuard profile configuration by doing the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> Profiles >> Segment Profiles. Review the SpoofGuard profiles previously identified as assigned to segments to ensure the following configuration:
Port Bindings: Yes
If a segment is not configured with a SpoofGuard profile that has port bindings enabled, this is a finding.
To create a segment profile with SpoofGuard enabled, do the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> Profiles >> Segment Profiles >> Add Segment Profile >> SpoofGuard. Enter a profile name and enable port bindings, then click "Save". To update a segment's SpoofGuard profile, do the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX, and click "Edit" from the drop-down menu next to the target segment. Expand "Segment Profiles", choose the new SpoofGuard profile from the drop-down list, and then click "Save".
Identify IP Discovery profiles in use by doing the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX. For each segment, expand Segment Profiles >> IP Discovery to note the profiles in use. Review IP Discovery profile configuration by doing the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> Profiles >> Segment Profiles. Review the IP Discovery profiles previously identified as assigned to segments to ensure the following configuration:
Duplicate IP Detection: Enabled
ARP Snooping: Enabled
ARP Binding Limit: 1
DHCP Snooping: Disabled
DHCP Snooping - IPv6: Disabled
VMware Tools: Disabled
VMware Tools - IPv6: Disabled
Trust on First Use: Enabled
If a segment is not configured with an IP Discovery profile that is configured with the settings above, this is a finding.
To create a segment profile for IP Discovery, do the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX >> Profiles >> Segment Profiles >> Add Segment Profile >> IP Discovery. Enter a profile name, then configure the following settings:
Duplicate IP Detection: Enabled
ARP Snooping: Enabled
ARP Binding Limit: 1
DHCP Snooping: Disabled
DHCP Snooping - IPv6: Disabled
VMware Tools: Disabled
VMware Tools - IPv6: Disabled
Trust on First Use: Enabled
Click "Save". Note: ND Snooping may be enabled if IPv6 is in use. To update a segment's IP Discovery profile, do the following: From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX, and click "Edit" from the drop-down menu next to the target segment. Expand "Segment Profiles", choose the new IP Discovery profile from the drop-down list, and then click "Save".
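The SpoofGuard and IP Discovery checks above both reduce to the same question: does every segment carry a profile whose settings match the baseline? The following is an added example, not VMware's or DISA's code, that answers it for an exported set of profiles and segment bindings. It assumes (not stated on the page) that profile objects follow the NSX Policy API IPDiscoveryProfile and SpoofGuardProfile shapes as the author recalls them (nested "ip_v4_discovery_options" / "ip_v6_discovery_options" blocks, "tofu_enabled", "address_binding_allowlist" for Port Bindings) and that the segment-to-profile mapping has already been flattened into a simple dict; the sample data is constructed, and the field names should be verified against the API reference for your NSX version.

```python
"""Check each segment's IP Discovery and SpoofGuard profile assignment against
the STIG baseline above. Added example; not VMware's or DISA's code.

Assumptions (not stated on the page): profile objects follow the NSX Policy API
IPDiscoveryProfile and SpoofGuardProfile shapes as the author recalls them, and
the segment-to-profile mapping has already been flattened into a dict. Verify
both against the API reference for your NSX version.
"""

# Baseline from the check text, keyed by the path of each field inside an
# IPDiscoveryProfile object. ND Snooping is not in the baseline (see the note).
IP_DISCOVERY_BASELINE = {
    "Duplicate IP Detection": (("duplicate_ip_detection", "duplicate_ip_detection_enabled"), True),
    "ARP Snooping": (("ip_v4_discovery_options", "arp_snooping_config", "arp_snooping_enabled"), True),
    "ARP Binding Limit": (("ip_v4_discovery_options", "arp_snooping_config", "arp_binding_limit"), 1),
    "DHCP Snooping": (("ip_v4_discovery_options", "dhcp_snooping_enabled"), False),
    "DHCP Snooping - IPv6": (("ip_v6_discovery_options", "dhcp_snooping_v6_enabled"), False),
    "VMware Tools": (("ip_v4_discovery_options", "vmtools_enabled"), False),
    "VMware Tools - IPv6": (("ip_v6_discovery_options", "vmtools_v6_enabled"), False),
    "Trust on First Use": (("tofu_enabled",), True),
}

# Constructed sample profiles and segment bindings (not from a real system).
SAMPLE_PROFILES = {
    "/infra/ip-discovery-profiles/stig-ipd": {
        "duplicate_ip_detection": {"duplicate_ip_detection_enabled": True},
        "ip_v4_discovery_options": {
            "arp_snooping_config": {"arp_snooping_enabled": True, "arp_binding_limit": 1},
            "dhcp_snooping_enabled": False, "vmtools_enabled": False},
        "ip_v6_discovery_options": {"dhcp_snooping_v6_enabled": False, "vmtools_v6_enabled": False},
        "tofu_enabled": True},
    "/infra/ip-discovery-profiles/permissive-ipd": {
        "duplicate_ip_detection": {"duplicate_ip_detection_enabled": False},
        "ip_v4_discovery_options": {
            "arp_snooping_config": {"arp_snooping_enabled": True, "arp_binding_limit": 1},
            "dhcp_snooping_enabled": True, "vmtools_enabled": True},
        "ip_v6_discovery_options": {"dhcp_snooping_v6_enabled": False, "vmtools_v6_enabled": False},
        "tofu_enabled": True},
    "/infra/spoofguard-profiles/stig-sg": {"address_binding_allowlist": True},
    "/infra/spoofguard-profiles/open-sg": {"address_binding_allowlist": False},
}
SAMPLE_SEGMENTS = {
    "web-seg": {"ip_discovery_profile_path": "/infra/ip-discovery-profiles/stig-ipd",
                "spoofguard_profile_path": "/infra/spoofguard-profiles/stig-sg"},
    "legacy-seg": {"ip_discovery_profile_path": "/infra/ip-discovery-profiles/permissive-ipd",
                   "spoofguard_profile_path": "/infra/spoofguard-profiles/open-sg"},
    "orphan-seg": {},  # no profiles bound at all
}


def lookup(obj, path):
    """Walk a nested dict along path; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def ip_discovery_findings(profile):
    """Return (setting, expected, actual) for every deviation from the baseline."""
    return [(name, expected, lookup(profile, path))
            for name, (path, expected) in IP_DISCOVERY_BASELINE.items()
            if lookup(profile, path) != expected]


def audit_segments(segments, profiles):
    """Map each segment name to its findings. A segment with no IP Discovery
    profile bound, or bound to an unknown profile, is a finding in itself, and
    Port Bindings is checked on whichever SpoofGuard profile is bound."""
    report = {}
    for seg, binding in segments.items():
        findings = []
        ipd = profiles.get(binding.get("ip_discovery_profile_path", ""))
        if ipd is None:
            findings.append(("IP Discovery profile", "assigned", "missing"))
        else:
            findings.extend(ip_discovery_findings(ipd))
        sg = profiles.get(binding.get("spoofguard_profile_path", ""))
        if sg is None or not sg.get("address_binding_allowlist"):
            findings.append(("Port Bindings", True, None if sg is None else False))
        report[seg] = findings
    return report


if __name__ == "__main__":
    for seg, findings in audit_segments(SAMPLE_SEGMENTS, SAMPLE_PROFILES).items():
        print(f"{seg}: {'compliant' if not findings else f'{len(findings)} finding(s)'}")
        for setting, expected, actual in findings:
            print(f"  {setting}: expected {expected}, found {actual}")
```

Keeping the baseline as data rather than as a chain of if-statements is the point of the design: when a future STIG release changes a setting, only the table changes, and the same comparison code keeps reporting the exact setting, expected value and observed value for each segment.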