VM Traffic bypasses DFW rules momentarily when VM IP is changed
Article ID: 306065

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

When the IP address of a virtual machine changes, the DFW continues for a few seconds to evaluate traffic from the new IP address against the rule set as it stood before the change. The rules that should apply to the new IP address are not enforced during that window, so traffic from the new address may be allowed or denied incorrectly.

Environment

VMware NSX for vSphere 6.4.x

Cause

This issue occurs because the DFW relies on VMware Tools as one of its sources for learning a VM's IP address, and rules that reference the VM (for example through a security group) are applied to that learned address. When the VM's IP address changes, VMware Tools takes a few seconds to detect and report the new address. Until it does, traffic from the new IP address matches none of the rules written for the VM and falls through to the default DFW rule. If the default rule is ALLOW, that traffic is permitted for those few seconds, which is a security issue.

Resolution

To resolve this issue, do either one of the following:
  • Set the default DFW rule to Deny. Any traffic that does not match a user-configured rule, including traffic from an IP address the DFW has not yet learned, is then dropped by the default rule.
  • Enable a SpoofGuard policy (Trust On First Use or Manual mode), which binds each vNIC's MAC address to its approved IP address. Traffic from an IP address that does not match the approved binding is treated as spoofed and blocked.
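The following script is an added example and is not part of this article or of the NSX product; it audits the setting from the first option above by locating the default Layer3 rule in a DFW configuration and reporting whether it is ALLOW. It assumes (not stated on this page) that the NSX Manager REST endpoint GET /api/4.0/firewall/globalroot-0/config returns a firewallConfiguration XML document in which the default rule is the last rule of the last section under layer3Sections; the sample document, host name and credentials below are constructed placeholders.

```python
"""Audit an NSX-V DFW configuration for a permissive default Layer3 rule.

Added example, not code from the KB article or from VMware. Assumptions:
 - GET /api/4.0/firewall/globalroot-0/config on NSX Manager returns
   <firewallConfiguration> XML with <layer3Sections><section><rule> elements,
   and the default rule is the last rule of the last Layer3 section.
 - Host name and credentials are placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample shaped like the API response (not captured from a real system).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<firewallConfiguration timestamp="1700000000000">
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1010" name="Web tier" generationNumber="1" timestamp="1700000000000" type="LAYER3">
      <rule id="1020" disabled="false" logged="true">
        <name>Allow HTTPS to web VMs</name>
        <action>allow</action>
        <destinations excluded="false">
          <destination><type>SecurityGroup</type><value>securitygroup-10</value></destination>
        </destinations>
        <services><service><type>Application</type><value>application-335</value></service></services>
      </rule>
    </section>
    <section id="1001" name="Default Section Layer3" generationNumber="1" timestamp="1700000000000" type="LAYER3">
      <rule id="1003" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>allow</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>
"""


def _default_rule_element(root):
    """Return (section, rule) for the last rule of the last Layer3 section."""
    sections = root.findall("./layer3Sections/section")
    if not sections:
        raise ValueError("no Layer3 sections in configuration")
    rules = sections[-1].findall("rule")
    if not rules:
        raise ValueError("last Layer3 section contains no rules")
    return sections[-1], rules[-1]


def find_default_l3_rule(config_xml):
    """Summarise the default Layer3 rule of a DFW configuration document."""
    section, rule = _default_rule_element(ET.fromstring(config_xml))
    return {
        "section": section.get("name"),
        "rule_id": rule.get("id"),
        "name": rule.findtext("name"),
        "action": (rule.findtext("action") or "").strip().lower(),
    }


def default_rule_is_permissive(config_xml):
    """True when the default rule allows traffic, i.e. an unlearned IP falls through open."""
    return find_default_l3_rule(config_xml)["action"] == "allow"


def harden_default_rule(config_xml):
    """Return a copy of the configuration with the default Layer3 rule set to deny.

    Shown for comparison; pushing it back with PUT is left to the operator.
    """
    root = ET.fromstring(config_xml)
    _, rule = _default_rule_element(root)
    rule.find("action").text = "deny"
    return ET.tostring(root, encoding="unicode")


def fetch_dfw_config(manager_host, username, password, verify_tls=True):
    """Fetch the live DFW configuration from NSX Manager (assumed endpoint, see header)."""
    url = "https://%s/api/4.0/firewall/globalroot-0/config" % manager_host
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                               "Accept": "application/xml"})
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_dfw_config(...) for a live check.
    info = find_default_l3_rule(SAMPLE_CONFIG)
    verdict = "PERMISSIVE" if default_rule_is_permissive(SAMPLE_CONFIG) else "ok"
    print("%s / %s (id %s): action=%s -> %s" % (info["section"], info["name"],
                                                  info["rule_id"], info["action"], verdict))
```

Run it unchanged to see the constructed sample flagged as PERMISSIVE; on a real deployment, replace SAMPLE_CONFIG with the document returned by fetch_dfw_config and keep TLS verification enabled.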