Firewall rules are applied in the order in which they exist in the rule table. You can move a custom rule up or down in the table - the default rule is always at the bottom of the table and cannot be moved.
Procedure
1 Do one of the following.

Firewall Rule Level   Method
Datacenter            a In the vSphere client, go to Inventory > Hosts and Clusters.
                      b Select a datacenter.
                      c Click the vShield tab.
                      d Click the App Firewall tab.
Virtual wire          a Go to Inventory > Hosts and Clusters and select the Network Virtualization tab.
                      b Click the Networks tab.
                      c In the Name column, click the virtual wire for which you want to add a rule.
                      d Click the Security tab.
                      e Ensure that you are in the Firewall tab.
Port group with an    a In the vSphere client, go to Inventory > Networking.
independent namespace b Select a Port group with an independent namespace.
                      c Click the vShield tab.
                      d Click the App Firewall tab.

2 Select the rule that you want to move.
3 Click the Move rule up or Move rule down icon.
4 Click Publish Changes.
Using SpoofGuard
After synchronizing with the vCenter Server, the vShield Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. Up to vShield 4.1, vShield trusted the IP address provided by VMware Tools on a virtual machine. However, if a virtual machine has been compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies. SpoofGuard allows you to authorize the IP addresses reported by VMware Tools, and alter them if necessary to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK. SpoofGuard operates separately from the App Firewall rules, and you can use it to block traffic determined to be spoofed. A SpoofGuard policy supports a single IP address to vNIC assignment. IPv6 is not supported.
When enabled, you can use SpoofGuard to monitor and manage the IP addresses reported by your virtual machines in one of the following modes.
Automatically Trust IP Assignments On Their First Use
This mode allows all traffic from your virtual machines to pass while building a table of vNIC-to-IP address assignments. You can review this table at your convenience and make IP address changes.
Manually Inspect and Approve All IP Assignments Before Use
This mode blocks all traffic until you approve each MAC-to-IP address assignment.
NOTE SpoofGuard inherently allows DHCP requests regardless of enabled mode. However, if in manual
SpoofGuard Screen Options
The SpoofGuard interface contains the following options.

Table 13‑1. SpoofGuard Screen Options

Option                                    Description
Active Virtual NICs                       List of all validated IP addresses
Active Virtual NICs Since Last Published  List of IP addresses that have been validated since the policy was last updated
Virtual NICs IP Required Approval         IP address changes that require approval before traffic can flow to or from these virtual machines
Virtual NICs with Duplicate IP            IP addresses that are duplicates of an existing assigned IP address within the selected datacenter
Inactive Virtual NICs                     List of IP addresses where the current IP address does not match the published IP address
Unpublished Virtual NICs IP               List of virtual machines for which you have edited the IP address assignment but have not yet published
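The two operation modes and the screen-option categories above describe one policy table: a trusted MAC (from the VMX file) mapped to a published IP, compared against the IP the guest's VMware Tools currently reports. The model below is an added illustration, not VMware code and not the vShield API; it assumes that, in trust-on-first-use mode, an address change after the first use is treated like a manual-mode assignment (blocked until approved), which the page does not state explicitly. MAC and IP values are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Mode(Enum):
    TRUST_ON_FIRST_USE = "auto"   # "Automatically Trust IP Assignments On Their First Use"
    MANUAL_APPROVE = "manual"     # "Manually Inspect and Approve All IP Assignments Before Use"


@dataclass
class Vnic:
    mac: str                            # trusted: taken from the VMX file, not from the guest
    reported_ip: Optional[str] = None   # what VMware Tools inside the guest reports (untrusted)
    published_ip: Optional[str] = None  # the single assignment currently enforced
    pending_ip: Optional[str] = None    # an admin edit that has not been published yet


class SpoofGuardModel:
    """Toy model of a SpoofGuard policy table (one IPv4 address per vNIC)."""

    def __init__(self, mode: Mode) -> None:
        self.mode = mode
        self.vnics: Dict[str, Vnic] = {}

    def observe(self, mac: str, reported_ip: str) -> None:
        """The manager learns a vNIC's current IP from VMware Tools."""
        v = self.vnics.setdefault(mac, Vnic(mac))
        v.reported_ip = reported_ip
        # Trust-on-first-use publishes the first address seen. Assumption (not on the
        # page): later changes fall into the "requires approval" bucket like manual mode.
        if self.mode is Mode.TRUST_ON_FIRST_USE and v.published_ip is None:
            v.published_ip = reported_ip

    def approve(self, mac: str) -> None:
        """Admin approves the address the vNIC currently reports."""
        v = self.vnics[mac]
        v.published_ip = v.reported_ip

    def edit(self, mac: str, new_ip: str) -> None:
        """Admin overrides an assignment; it is enforced only after publish()."""
        self.vnics[mac].pending_ip = new_ip

    def publish(self) -> None:
        for v in self.vnics.values():
            if v.pending_ip is not None:
                v.published_ip, v.pending_ip = v.pending_ip, None

    def allow(self, mac: str, src_ip: str, dhcp: bool = False) -> bool:
        """May a packet from this vNIC with this source IP pass?"""
        if dhcp:
            return True  # DHCP requests pass regardless of mode
        v = self.vnics.get(mac)
        return v is not None and v.published_ip == src_ip

    # The screen-option buckets from Table 13-1.
    def active(self) -> List[str]:
        return [m for m, v in self.vnics.items()
                if v.published_ip is not None and v.reported_ip == v.published_ip]

    def requires_approval(self) -> List[str]:
        return [m for m, v in self.vnics.items()
                if v.reported_ip is not None and v.reported_ip != v.published_ip]

    def inactive(self) -> List[str]:
        return [m for m, v in self.vnics.items()
                if v.published_ip is not None and v.reported_ip != v.published_ip]

    def duplicates(self) -> List[str]:
        owner = {}  # published IP -> MAC that owns it
        for m, v in self.vnics.items():
            if v.published_ip is not None:
                owner.setdefault(v.published_ip, m)
        return [m for m, v in self.vnics.items()
                if v.reported_ip in owner and owner[v.reported_ip] != m]

    def unpublished(self) -> List[str]:
        return [m for m, v in self.vnics.items() if v.pending_ip is not None]


def demo() -> dict:
    """Walk a constructed two-VM scenario through manual mode; return the decisions."""
    vm1, vm2 = "00:50:56:aa:00:01", "00:50:56:aa:00:02"  # constructed sample MACs
    sg = SpoofGuardModel(Mode.MANUAL_APPROVE)
    sg.observe(vm1, "10.0.0.11")
    sg.observe(vm2, "10.0.0.12")
    blocked_before_approval = not sg.allow(vm1, "10.0.0.11")
    dhcp_allowed = sg.allow(vm1, "0.0.0.0", dhcp=True)
    sg.approve(vm1)
    sg.approve(vm2)
    allowed_after_approval = sg.allow(vm1, "10.0.0.11")
    # The guest on vm2 now reports vm1's address: a spoof attempt seen by the manager.
    sg.observe(vm2, "10.0.0.11")
    spoof_blocked = not sg.allow(vm2, "10.0.0.11")
    tofu = SpoofGuardModel(Mode.TRUST_ON_FIRST_USE)
    tofu.observe(vm1, "10.0.0.11")
    return {
        "blocked_before_approval": blocked_before_approval,
        "dhcp_allowed": dhcp_allowed,
        "allowed_after_approval": allowed_after_approval,
        "spoof_blocked": spoof_blocked,
        "active": sg.active(), "requires_approval": sg.requires_approval(),
        "inactive": sg.inactive(), "duplicates": sg.duplicates(),
        "tofu_allowed_immediately": tofu.allow(vm1, "10.0.0.11"),
    }
```

In the manual-mode run, vm2 ends up in three buckets at once: Inactive (its reported address no longer matches the published one), Requires Approval (a change is waiting on an admin), and Duplicate IP (the address it claims is already published to vm1). Only the published assignment is enforced, so the spoofed packets are dropped while the admin decides.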
Enable SpoofGuard
Once enabled, you can use SpoofGuard to manage IP address assignments for your entire vCenter inventory.
IMPORTANT You must upgrade all vShield App instances to vShield App 1.0.0 Update 1 or later before you enable SpoofGuard.

Procedure

1 In the vSphere Client, select a datacenter, virtual wire, or port group with an independent namespace.

SpoofGuard Scope      Method
Datacenter            a Go to Inventory > Hosts and Clusters.
                      b Select a datacenter.
                      c Click the vShield tab.
Virtual wire          a Go to Inventory > Hosts and Clusters and select the Network Virtualization tab.
                      b Click the Networks tab.
                      c In the Name column, click the virtual wire for which you want to add a rule.
                      d Click the Security tab.
Port group with an    a Go to Inventory > Networking.
independent namespace b Select a Port group with an independent namespace.
                      c Click the vShield tab.

2 Click the SpoofGuard tab.
3 Click Edit at the right side of the SpoofGuard window.
4 For SpoofGuard, click Enable.
5 For Operation Mode, select one of the following:

Option                                                         Description
Automatically Trust IP Assignments on Their First Use          Select this option to trust all IP assignments upon initial registration with the vShield Manager.
Manually Inspect and Approve All IP Assignments Before Use     Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.

6 Click Allow local address as valid address in this namespace to allow local IP addresses in your setup. When you power on a virtual machine but it is unable to connect to the DHCP server, a local IP address is assigned to it. This local IP address is considered valid only if the SpoofGuard mode is set to Allow local address as valid address in this namespace. Otherwise, the local IP address is ignored.
7 Click OK.