Forged transmits and MAC address changes on a port group - standard practices and security implications



Article ID: 427110


Products

VMware vCenter Server

Issue/Introduction

You want to understand the security implications of allowing forged transmits and MAC Address Changes on a port group as you have an application that is requesting this setting to enable functionality like high availability (HA).

What are the standard VMware practices, and if this is turned on in the port group, does it also need to be turned on at the distributed switch?

Resolution

VMware vSphere 8.0 documentation in What is Security Policy describes:

Networking security policy provides protection of traffic against MAC address impersonation and unwanted port scanning.

The security policy of a standard or distributed switch is implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.

You can protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a security policy on port groups or ports as per Secure vSphere Distributed Switches and Distributed Port Groups. Further details related to MAC address changes and forged transmits, which by default are set to Reject, can be read in the Securing vSphere Standard Switches, as the same explanation applies to distributed switches and port groups.

As documented in What is Security Policy, to configure MAC address changes or forged transmits at the distributed port level, enable the port-level override option for this policy. You are not required to configure this at the distributed virtual switch level.

In summary and to answer the specific questions:

  • VMware standard practice is for MAC Address Changes and Forged Transmits to be configured to Reject by default.

  • If this is turned on in the port group, it does not need to be turned on for the distributed switch.
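The following PowerCLI script is an added example for auditing and scoping this setting; it is not part of the KB article. It assumes VMware PowerCLI is installed and a session is already open with Connect-VIServer, and the port group name 'HA-App-PG' is a placeholder for the one port group the HA application actually needs.

```powershell
# Added example (not from the KB). Audit distributed port groups and
# switches for MAC address changes / forged transmits set to Accept,
# then scope the required exception to a single port group.
# Assumes PowerCLI and an existing Connect-VIServer session.

$exceptionPortGroup = 'HA-App-PG'   # placeholder: the only port group that needs the exception

# 1. Audit: list every distributed port group whose security policy
#    deviates from the default of Reject (PowerCLI reports Accept as $true).
$findings = foreach ($pg in Get-VDPortgroup) {
    $pol = Get-VDSecurityPolicy -VDPortgroup $pg
    if ($pol.ForgedTransmits -or $pol.MacChanges -or $pol.AllowPromiscuous) {
        [pscustomobject]@{
            Switch           = $pg.VDSwitch.Name
            PortGroup        = $pg.Name
            ForgedTransmits  = $pol.ForgedTransmits
            MacChanges       = $pol.MacChanges
            AllowPromiscuous = $pol.AllowPromiscuous
            Expected         = ($pg.Name -eq $exceptionPortGroup)
        }
    }
}
# Anything with Expected = False is drift that should be reverted to Reject.
$findings | Format-Table -AutoSize

# 2. Confirm the distributed switch itself still rejects: per the KB, the
#    switch-level policy does not need to change for a port-group exception.
foreach ($vds in Get-VDSwitch) {
    $switchPol = Get-VDSecurityPolicy -VDSwitch $vds
    if ($switchPol.ForgedTransmits -or $switchPol.MacChanges -or $switchPol.AllowPromiscuous) {
        Write-Warning "Switch '$($vds.Name)' accepts at switch level; scope the exception to the port group instead."
    }
}

# 3. Apply the exception only to the named port group. Promiscuous mode is
#    left at Reject because the HA use case needs only the other two settings.
$target = Get-VDPortgroup -Name $exceptionPortGroup
Get-VDSecurityPolicy -VDPortgroup $target |
    Set-VDSecurityPolicy -ForgedTransmits $true -MacChanges $true -AllowPromiscuous $false
```

Run step 1 and 2 on a schedule to detect port groups that drift to Accept without a documented reason; step 3 is the only part that changes configuration.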

Additional Information

What is Security Policy

Secure vSphere Distributed Switches and Distributed Port Groups

Securing vSphere Standard Switches