Create Modify or Delete SpoofGuard policies

 
A function of the NSX Manager is to collect the IP addresses of all virtual machines in vCenter using VMware Tools. However, if a VM is compromised, its IP address can be spoofed, allowing malicious activity. SpoofGuard policies let you authorize the IP addresses that NSX Manager collected from VMware Tools and, if needed, alter them to prevent spoofing. SpoofGuard can be used to block any traffic that you believe to be spoofed and supports both IPv4 and IPv6. SpoofGuard has two operation modes.
 
Automatically Trust IP Assignments on Their First Use: This is just as it sounds; all IP assignments are initially trusted, and you can review them periodically as needed.
 
Manually Inspect and Approve All IP Assignments Before Use: If you select this mode, all traffic from a vNIC is blocked until you manually approve its vNIC-to-IP address assignment.
 
Note: If you are using DHCP with the Manually Inspect mode, traffic is still blocked until the vNIC-to-IP address assignment is manually approved.
 
Step 1. To manage SpoofGuard, open the vSphere Web Client and navigate to Networking & Security -> SpoofGuard.
 
The default SpoofGuard policy is disabled for all networks.
 
[Figure 1]
 
Step 2. From this page you can either change the default policy or add a new policy. Let’s add a new one by clicking the + sign. Specify a Name, whether the policy is Enabled or Disabled, and the Operation Mode, then click Next.
 
[Figure 2]
 
Step 3. Specify the Network, click OK, then click Finish.
 
[Figure 3]
 
Step 4. After SpoofGuard is enabled, you need to approve the vNIC-to-IP address assignments by clicking Approve on the right-hand side.
 
[Figure 4]
 
Step 5. You will notice that it shows the IP Approver, Last Approved Date, and Approved IP.
 
[Figure 5]
 
Step 6. You can clear any approved IPs if necessary by checking the vNIC and clicking Clear Approved IP(s).
 
[Figure 6]
 
Step 7. You can also change the view to find any vNICs waiting for approval, duplicate IPs, and more. The full set of view options is shown below.
 
[Figure 7]
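Because a policy in the Manually Inspect mode blocks every vNIC that has not yet been approved, it is worth listing what is still awaiting approval before you publish. The Python script below is an added example (not from the original post or from VMware) that does this audit against the NSX Manager REST API with basic auth; the XML element names, the `?list=REVIEW_PENDING` query and the operation mode values are assumptions taken from the NSX-v 6.x API reference, so verify them against your version, and the sample responses are constructed.

```python
"""Audit NSX SpoofGuard policies for vNICs that a publish would block (added example).
XML element names, the ?list=REVIEW_PENDING query and the operationMode values
(DISABLE / TOFU / MANUAL) are assumptions from the NSX-v 6.x API; verify them first."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
# Constructed sample of GET https://<nsx-mgr>/api/4.0/services/spoofguard/policies/
SAMPLE_POLICIES = """<spoofguardPolicies>
 <spoofguardPolicy><policyId>spoofguardpolicy-1</policyId><name>Default Policy</name>
  <operationMode>DISABLE</operationMode></spoofguardPolicy>
 <spoofguardPolicy><policyId>spoofguardpolicy-2</policyId><name>Mgmt Net</name>
  <operationMode>MANUAL</operationMode></spoofguardPolicy>
</spoofguardPolicies>"""
# Constructed sample of GET .../api/4.0/services/spoofguard/spoofguardpolicy-2?list=REVIEW_PENDING
SAMPLE_PENDING = """<spoofguardList>
 <spoofguard><id>vnic-1</id><vnicName>vcenter-01 - Network adapter 1</vnicName>
  <ipAddresses><ipAddress>10.0.0.5</ipAddress></ipAddresses></spoofguard>
</spoofguardList>"""

def nsx_get(base_url, path, user, password):
    """GET one NSX Manager API path with basic auth; returns the XML body as text."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, headers={
        "Authorization": f"Basic {token}", "Accept": "application/xml"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def parse_policies(xml_text):
    """Return (policyId, name, operationMode) for every policy in the listing."""
    return [(p.findtext("policyId"), p.findtext("name"), p.findtext("operationMode"))
            for p in ET.fromstring(xml_text).iter("spoofguardPolicy")]

def pending_vnics(xml_text):
    """Return (vnic id, vnic name, [ip addresses]) for every entry awaiting approval."""
    return [(s.findtext("id"), s.findtext("vnicName"), [ip.text for ip in s.iter("ipAddress")])
            for s in ET.fromstring(xml_text).iter("spoofguard")]

def audit(policies_xml, pending_xml_by_policy):
    """One warning per enforcing (non-DISABLE) policy whose publish would block vNICs;
    pending_xml_by_policy maps policyId -> that policy's ?list=REVIEW_PENDING response."""
    warnings = []
    for pid, name, mode in parse_policies(policies_xml):
        blocked = pending_vnics(pending_xml_by_policy.get(pid, "<spoofguardList/>"))
        if mode != "DISABLE" and blocked:
            detail = ", ".join(f"{n} [{' '.join(ips)}]" for _, n, ips in blocked)
            warnings.append(f"{pid} '{name}' mode={mode}: {len(blocked)} unapproved "
                            f"vNIC(s) would be blocked on publish: {detail}")
    return warnings
# Live use: nsx_get(base, "/api/4.0/services/spoofguard/policies/", u, p) for the policy list, then
# nsx_get(base, f"/api/4.0/services/spoofguard/{pid}?list=REVIEW_PENDING", u, p) per policy.
```

Run the audit on the live responses before clicking Publish; any vNIC it lists (the vCenter appliance included) loses connectivity until it is approved.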
 

3 Comments

  Justin - June 2, 2015 - 12:51 pm

    Have you ever set this to manual and published the changes before approving the IPs? I have this right now and it has disabled https access to vCenter and I can’t get in to disable SpoofGuard.

    Sean Whitney - June 2, 2015 - 3:52 pm

      Hi Justin,

      It’s possible you can console into the vCenter Server, log into the web client via https, and approve the IP; does that work? Otherwise, it may be stored in the NSX Manager database to clear it, but I am unsure of those steps right now. You might want to open a support request with VMware to see if they can assist.

      Thanks,
      Sean

      Matt - June 21, 2016 - 5:40 pm

        For future reference, to disable spoofguard:

        Using the REST API on Firefox, set your authorization to Basic along with your credentials; next, set a custom Content-Type of application/xml.

        Run this first to get a list of your policies:
        GET https://NSX MGR IP/api/4.0/services/spoofguard/policies/

        PUT
        https://NSX MGR IP/api/4.0/services/spoofguard/policies/spoofguardpolicy-1

        spoofguardpolicy-1
        Default Policy
        DISABLE
        2010-01-01 10:00:00.000
        domain\user
        false
        false
        true

