The NSX Distributed Firewall must configure an IP Discovery profile to disable trust on every use method.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
--- | --- | --- | --- | ---
V-265633 | NDFW-4X-000034 | SV-265633r993996_rule | | High

Description |

STIG | Date
--- | ---
VMware NSX 4.x Distributed Firewall Security Technical Implementation Guide | 2024-12-13
Details
Check Text (C-69550r993994_chk)

Identify IP Discovery profiles in use by doing the following:

From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX. For each segment, expand the Segment Profiles view and check IP Discovery to note the profiles in use.

Review IP Discovery profile configuration by doing the following:

From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> Profiles >> Segment Profiles. Review the IP Discovery profiles previously identified as assigned to segments to ensure the following configuration:

- Duplicate IP Detection: Enabled
- ARP Snooping: Enabled
- ARP Binding Limit: 1
- DHCP Snooping: Disabled
- DHCP Snooping - IPv6: Disabled
- VMware Tools: Disabled
- VMware Tools - IPv6: Disabled
- Trust on First Use: Enabled

If a segment is not configured with an IP Discovery profile that is configured with the settings above, this is a finding.
Fix Text (F-69458r993995_fix)

To create a segment profile for IP Discovery, do the following:

From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX >> Profiles >> Segment Profiles >> Add Segment Profile >> IP Discovery. Enter a profile name, then configure the following settings:

- Duplicate IP Detection: Enabled
- ARP Snooping: Enabled
- ARP Binding Limit: 1
- DHCP Snooping: Disabled
- DHCP Snooping - IPv6: Disabled
- VMware Tools: Disabled
- VMware Tools - IPv6: Disabled
- Trust on First Use: Enabled

Click "Save".

Note: ND Snooping may be enabled if IPv6 is in use.

To update a segment's IP Discovery profile, do the following:

From the NSX Manager web interface, navigate to Networking >> Connectivity >> Segments >> NSX, and click "Edit" from the drop-down menu next to the target segment. Expand "Segment Profiles", choose the new IP Discovery profile from the drop-down list, and then click "Save".