The NSX-T Tier-0 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.

An XCCDF Rule

Description

<VulnDiscussion>If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251743r810096_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

To create a segment profile with SpoofGuard enabled, do the following:

From the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles >> Add Segment Profile >> SpoofGuard.

Enter a profile name, enable port bindings, and then click "Save".
To update a Segments SpoofGuard profile, do the following:

From the NSX-T Manager web interface, go to Networking >> Segments and click "Edit" from the drop-down menu next to the target Segment.

Expand Segment Profiles, choose the new SpoofGuard profile from the drop-down list, and then click "Save".

The NSX-T Tier-0 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.

Description

Remediation - Manual Procedure