The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.

An XCCDF Rule

Description

<VulnDiscussion>If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251769r856688_rule
Severity: Medium
References: CCI-002664
Updated: about 1 year ago

To create a segment profile with SpoofGuard enabled do the following:

From the NSX-T Manager web interface, go to Networking >> Segments >> Segment Profiles >> Add Segment Profile >> SpoofGuard.

Enter a profile name and enable port bindings, then click "Save".
To update a Segment's SpoofGuard profile, do the following:

From the NSX-T Manager web interface, go to the Networking >> Segments, then click "Edit" from the drop-down menu next to the target Segment.

Expand Segment Profiles, choose the new SpoofGuard profile from the drop-down list, and then click "Save".

The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.

Description

Remediation - Manual Procedure