STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 09 Mar 2021

The vCenter Server must only send NetFlow traffic to authorized collectors.

DISA Rule

SV-243085r719498_rule

Vulnerability Number

V-243085

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To remove collector IPs:

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> NetFlow.

Click "Edit" and remove any unknown collector IPs.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configversion = $vs.Config.ConfigVersion
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ""
$spec.IpfixConfig.CollectorPort = "0"
$spec.IpfixConfig.ActiveFlowTimeout = "60"
$spec.IpfixConfig.IdleFlowTimeout = "15"
$spec.IpfixConfig.SamplingRate = "0"
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}

Note: This will reset the NetFlow collector configuration back to the defaults.

To disable NetFlow on a distributed port group:

From the vSphere Client, go to Networking >> select a distributed port group >> Manage >> Settings >> Policies.

Go to "Monitoring" and change "NetFlow" to disabled.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}

Check Contents

To view NetFlow Collector IPs configured on distributed switches:

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> NetFlow.

View the NetFlow pane and verify that any collector IP addresses are valid and in use for troubleshooting.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}

To check whether NetFlow is enabled on any distributed port groups:

From the vSphere Client, go to Networking >> select a distributed port group >> Manage >> Settings >> Policies.

Go to Monitoring and view the NetFlow status.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDPortgroup | select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}

If NetFlow is configured and the collector IP is not known and documented, this is a finding.
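The finding criterion above has to be applied across both query results: a collector address set on the switch, and NetFlow enabled on a port group that inherits that collector. The following PowerShell function is an added example (not part of the STIG or of VMware's tooling) that does that comparison against a documented collector list; the $AuthorizedCollectors list and the sample switch and port-group objects are constructed assumptions standing in for the output of the two PowerCLI queries shown above.

```powershell
function Test-NetFlowCollectors {
    param(
        [Parameter(Mandatory)] [object[]] $Switches,             # Name, CollectorIp
        [Parameter(Mandatory)] [object[]] $PortGroups,           # Name, VirtualSwitch, NetFlowEnabled
        [Parameter(Mandatory)] [string[]] $AuthorizedCollectors  # assumed: site-documented collectors
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $collectorBySwitch = @{}
    foreach ($sw in $Switches) {
        $ip = [string]$sw.CollectorIp
        $collectorBySwitch[[string]$sw.Name] = $ip
        # A collector set on the switch itself must be on the documented list.
        if ($ip -and ($AuthorizedCollectors -notcontains $ip)) {
            $findings.Add("$($sw.Name): collector $ip is not a documented collector")
        }
    }
    foreach ($pg in $PortGroups) {
        if (-not $pg.NetFlowEnabled) { continue }
        $ip = $collectorBySwitch[[string]$pg.VirtualSwitch]
        if (-not $ip) {
            # NetFlow is on but the parent switch exports nowhere: undocumented drift.
            $findings.Add("$($pg.Name): NetFlow enabled but $($pg.VirtualSwitch) has no collector")
        } elseif ($AuthorizedCollectors -notcontains $ip) {
            $findings.Add("$($pg.Name): NetFlow enabled, exporting to undocumented collector $ip")
        }
    }
    return $findings
}

# Constructed sample data standing in for the two check queries:
#   Get-VDSwitch | select Name,@{N="CollectorIp";E={$_.ExtensionData.Config.IpfixConfig.CollectorIpAddress}}
#   Get-VDPortgroup | select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.ExtensionData.Config.DefaultPortConfig.IpfixEnabled.Value}}
$switches = @(
    [pscustomobject]@{ Name = 'dvs-prod'; CollectorIp = '192.0.2.50' },
    [pscustomobject]@{ Name = 'dvs-lab';  CollectorIp = '198.51.100.99' },  # not documented
    [pscustomobject]@{ Name = 'dvs-mgmt'; CollectorIp = '' }
)
$portGroups = @(
    [pscustomobject]@{ Name = 'pg-web';  VirtualSwitch = 'dvs-prod'; NetFlowEnabled = $true },
    [pscustomobject]@{ Name = 'pg-test'; VirtualSwitch = 'dvs-lab';  NetFlowEnabled = $true },
    [pscustomobject]@{ Name = 'pg-vmk';  VirtualSwitch = 'dvs-mgmt'; NetFlowEnabled = $true },
    [pscustomobject]@{ Name = 'pg-db';   VirtualSwitch = 'dvs-prod'; NetFlowEnabled = $false }
)
$authorized = @('192.0.2.50')   # assumed: the collector list kept in the site's documentation

Test-NetFlowCollectors -Switches $switches -PortGroups $portGroups -AuthorizedCollectors $authorized
```

With the sample data this reports dvs-lab, pg-test and pg-vmk; pg-web and pg-db produce no finding. In a live session, replace the two sample arrays with the real query output and keep the authorized list in the same place the collector IPs are documented.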

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5399

Comments