
60 VM-Series Deployment Guide
Deploy the VM-Series NSX Edition Firewall Set Up a VM-Series NSX Edition Firewall
Enable SpoofGuard
The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non-IP L2 traffic, or IP traffic that does not match the IP addresses known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and therefore will not be steered to the VM-Series firewall. To ensure that all traffic is correctly filtered, you need to perform the following steps:
Enable SpoofGuard to prevent unknown IP traffic that might otherwise bypass the VM-Series firewall. When SpoofGuard is enabled, if the IP address of a virtual machine changes, traffic from the virtual machine will be blocked until you inspect and approve the change in IP address.
Configure the NSX firewall rules to block non-IP L2 traffic that cannot be steered to the VM-Series firewall.
vCenter uses VMware Tools to learn the IP address(es) of each guest. If VMware Tools is not installed on some of your guests, see Steer Traffic from Guests that are not Running VMware Tools.
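To make the gap described above concrete, the following added example (not code from the guide, VMware or Palo Alto Networks) models which guest frames are steered to the VM-Series firewall, which are blocked, and which would bypass inspection. The vCenter inventory, the frames and the simplified SpoofGuard "trust on first use" behaviour are all constructed for illustration; only the behaviour the guide states (an IP change is held until approved) is modelled.

```python
"""Constructed model of NSX traffic steering with and without SpoofGuard
and a non-IP L2 block rule.  Added example; not vendor code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806          # used here as a representative non-IP L2 frame


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None   # None for non-IP L2 frames


@dataclass
class SpoofGuard:
    """Simplified SpoofGuard in 'automatically trust IP assignments on their
    first use' mode (assumption: only the guide's stated behaviour is modelled)."""
    enabled: bool = True
    trusted: Dict[str, str] = field(default_factory=dict)   # vNIC MAC -> trusted IP
    pending: Dict[str, str] = field(default_factory=dict)   # vNIC MAC -> IP awaiting approval

    def check(self, frame: Frame) -> bool:
        """Return True if SpoofGuard lets the frame through."""
        if not self.enabled or frame.src_ip is None:
            return True
        first = self.trusted.setdefault(frame.src_mac, frame.src_ip)  # trust on first use
        if first == frame.src_ip:
            return True
        self.pending[frame.src_mac] = frame.src_ip   # IP changed: block until approved
        return False

    def approve(self, mac: str) -> None:
        """Operator inspects and approves the changed IP for a vNIC."""
        self.trusted[mac] = self.pending.pop(mac)


def verdict(frame: Frame, known: Dict[str, Set[str]],
            sg: SpoofGuard, block_non_ip_l2: bool) -> str:
    """Classify one frame: steered, blocked-l2, blocked-spoofguard or bypass."""
    if frame.ethertype != ETH_IPV4:
        # Non-IP traffic never matches an IP-based redirection rule.
        return "blocked-l2" if block_non_ip_l2 else "bypass"
    if not sg.check(frame):
        return "blocked-spoofguard"
    if frame.src_ip in known.get(frame.src_mac, set()):
        return "steered"          # matches an IP vCenter knows -> redirected to VM-Series
    return "bypass"               # IP unknown to vCenter -> redirection rule misses


def audit(frames: List[Frame], known: Dict[str, Set[str]],
          sg: SpoofGuard, block_non_ip_l2: bool) -> List[Tuple[str, str]]:
    return [(f"{f.src_mac} {f.src_ip or 'non-IP'}", verdict(f, known, sg, block_non_ip_l2))
            for f in frames]


def demo() -> Dict[str, List[str]]:
    """Run the same constructed frames with the protections off and on."""
    vm = "00:50:56:aa:00:01"                       # constructed vNIC MAC
    known = {vm: {"10.1.1.10"}}                    # what vCenter learned via VMware Tools
    frames = [Frame(vm, ETH_ARP),                  # non-IP L2 frame
              Frame(vm, ETH_IPV4, "10.1.1.10"),    # expected IP
              Frame(vm, ETH_IPV4, "10.1.1.99")]    # guest changed its IP
    unprotected = [v for _, v in audit(frames, known, SpoofGuard(enabled=False), False)]
    protected = [v for _, v in audit(frames, known, SpoofGuard(enabled=True), True)]
    return {"unprotected": unprotected, "protected": protected}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

The unprotected run shows both gaps the guide names: the non-IP frame and the frame from the changed IP reach the network without passing the VM-Series firewall. With SpoofGuard and the L2 block rule on, both are blocked, and the changed IP sits in `pending` until an operator approves it. A guest whose IP vCenter has never learned (for example one without VMware Tools) still classifies as `bypass`, which is the case the referenced "Steer Traffic from Guests that are not Running VMware Tools" section addresses.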
Enable SpoofGuard and Block Non-IP L2 Traffic
Step 1 Enable SpoofGuard for the port group(s) containing the guests.
When enabled, for each network adapter, SpoofGuard inspects packets for the prescribed MAC and its corresponding IP address.
1. Select Networking and Security > SpoofGuard.
2. Click Add to create a new policy, and select the following options:
SpoofGuard: Enabled
Operation Mode: Automatically trust IP assignments on their first use.
Allow local address as valid address in this namespace.
Select Networks: Select the port groups to which the guests are connected.