The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.

An XCCDF Rule

Description

If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.

ID: SV-251769r856688_rule
Version: T1FW-3X-000036
Severity: Medium
References: CCI-002664
Updated: 4 days ago

Remediation Templates

To create a segment profile with SpoofGuard enabled do the following:

From the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles >> Add Segment Profile >> SpoofGuard.

Enter a profile name and enable port bindings, then click "Save".
To update a Segment's SpoofGuard profile, do the following:

From the NSX-T Manager web interface, go to the Networking >> Segments, then click "Edit" from the drop-down menu next to the target Segment.

Expand Segment Profiles, choose the new SpoofGuard profile from the drop-down list, and then click "Save".

The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.

Description

Remediation Templates

A Manual Procedure