I have been working through the vSphere hardening guide in vROps 6.6
I have disabled forged transmits on the Standard vSwitches and the DVSwitch port groups without any issue.
Using PowerCLI I ran
get-vdportgroup | get-vdsecuritypolicy
and found that all the DVSwitch Uplinks were set to ForgedTransmitsAllowed = $true whilst all the port groups were set to $False.
This was showing as a compliance alert in vROps
So I ran the following PowerCLI to disable the DVSwitch Uplinks
get-vdportgroup | get-vdsecuritypolicy |set-vdsecuritypolicy -forgedtransmits $false
At this point every VM lost network connectivity, and continued to have intermittent connectivity until the setting was reverted.
Is this expected behaviour?
It feels like it's either my lack of understanding of the setting or a bug that I have stumbled across.
If the "Forged Transmits" policy is set to accept for a non-uplink port, this is a finding.
It seems vROps doesn't differentiate between the non-uplink and uplink ports when it comes to this setting,
so I suggest you don't change it.
Inaccurate compliance results for distributed switch uplink port groups?
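As an added example (not code from the thread or from VMware), this PowerCLI script separates the two cases the compliance rule confuses: it audits the Forged Transmits setting on every distributed port group alongside its uplink status, then disables the setting only on the non-uplink port groups, which is all the hardening finding asks for. It assumes an existing Connect-VIServer session, that VDPortgroup objects expose the IsUplink property (true for the dvUplinks port group), and that Set-VDSecurityPolicy supports -WhatIf; the variable names are my own.

```powershell
# Added example, not from the original thread. Assumes a PowerCLI session
# already connected with Connect-VIServer, and that VDPortgroup objects carry
# an IsUplink property (true for the dvUplinks port group of each DVSwitch).

# 1. Audit: list every distributed port group with its uplink status and the
#    current Forged Transmits value, so uplink and non-uplink ports can be
#    compared before anything is changed.
$audit = Get-VDPortgroup | ForEach-Object {
    $policy = $_ | Get-VDSecurityPolicy
    [pscustomobject]@{
        Switch          = $_.VDSwitch.Name
        Portgroup       = $_.Name
        IsUplink        = $_.IsUplink
        ForgedTransmits = $policy.ForgedTransmits
    }
}
$audit | Sort-Object Switch, IsUplink, Portgroup | Format-Table -AutoSize

# 2. Remediate only non-uplink port groups that still accept forged transmits.
#    Uplink port groups are deliberately excluded: rejecting forged transmits
#    there is what took every VM off the network in the question above.
$targets = Get-VDPortgroup |
    Where-Object { -not $_.IsUplink } |
    Get-VDSecurityPolicy |
    Where-Object { $_.ForgedTransmits }

# Dry run first (assumes the cmdlet honours -WhatIf): prints what would change
# without modifying any port group.
$targets | Set-VDSecurityPolicy -ForgedTransmits $false -WhatIf

# Apply once the dry-run list contains only the port groups you expect:
# $targets | Set-VDSecurityPolicy -ForgedTransmits $false
```

Running the audit step first gives you a record of which rows vROps will keep flagging (the uplink ones) so the remaining alert can be documented as a known false positive rather than remediated.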