Fortinet Document Library

Version: 6.0.1

SpoofGuard in NSX

After synchronizing with the vCenter Server, NSX Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. If a virtual machine has been compromised, its IP address can be spoofed and malicious transmissions can bypass firewall policies.

Creating a SpoofGuard policy for specific networks allows you to authorize the IP addresses reported by VMware Tools and alter them if necessary to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK. SpoofGuard operates separately from firewall rules, so you can use it to block traffic determined to be spoofed.

SpoofGuard supports both IPv4 and IPv6 addresses. When using IPv4, the SpoofGuard policy supports a single IP address assigned to a vNIC. IPv6 supports multiple IP addresses assigned to a vNIC. The SpoofGuard policy monitors and manages the IP addresses reported by your virtual machines.

Enable SpoofGuard

  1. Log in with the vSphere Web Client.
  2. Choose Networking & Security.
  3. Select SpoofGuard.
  4. Create or edit an existing SpoofGuard policy and enable it.
  5. Select the Network.
  6. Click Finish.
  7. Highlight the SpoofGuard policy that you want to apply. Choose Inactive Virtual NICs in the View section.
  8. Edit the Virtual NIC IP address under Approved IP.
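
The approval check described above can be modelled offline before you review vNICs in the Approved IP column. This is an added example, not Fortinet or VMware code: the inventory is constructed sample data, and the field names and the `audit` function are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: one entry per vNIC, keyed by its trusted MAC.
# "approved" = addresses authorized in the policy, "reported" = addresses from VMware Tools.
VNICS = [
    {"mac": "00:50:56:aa:00:01", "approved": ["10.0.1.10"], "reported": ["10.0.1.10"]},
    {"mac": "00:50:56:aa:00:02", "approved": ["10.0.1.11"], "reported": ["10.0.1.10"]},
    {"mac": "00:50:56:aa:00:03", "approved": ["10.0.1.12", "10.0.1.13"], "reported": ["10.0.1.12"]},
    {"mac": "00:50:56:aa:00:04", "approved": ["2001:db8::4", "2001:db8::5"],
     "reported": ["2001:db8::4", "2001:db8::5"]},
    {"mac": "00:50:56:aa:00:05", "approved": [], "reported": ["10.0.1.20"]},
]

def audit(vnics):
    """Return {mac: [findings]} for every vNIC that needs review."""
    findings = defaultdict(list)
    claimed = defaultdict(set)  # reported IP -> set of MACs reporting it
    for nic in vnics:
        mac = nic["mac"]
        approved = {ipaddress.ip_address(a) for a in nic["approved"]}
        reported = {ipaddress.ip_address(a) for a in nic["reported"]}
        # The policy supports a single IPv4 address per vNIC; IPv6 may have several.
        if sum(a.version == 4 for a in approved) > 1:
            findings[mac].append("multiple approved IPv4 addresses")
        if not approved:
            findings[mac].append("no approved IP")
        # Any reported address outside the approved set is a spoofing candidate.
        for ip in sorted(reported - approved, key=str):
            findings[mac].append(f"reported {ip} is not approved")
        for ip in reported:
            claimed[ip].add(mac)
    # The same address reported by two vNICs means at least one report is wrong.
    for ip, macs in claimed.items():
        if len(macs) > 1:
            for mac in sorted(macs):
                findings[mac].append(f"{ip} also reported by another vNIC")
    return dict(findings)

if __name__ == "__main__":
    for mac, issues in sorted(audit(VNICS).items()):
        print(mac, "->", "; ".join(issues))
```
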
