NeverStopLearni
Contributor

Inaccurate compliance results for distributed switch uplink port groups?


Hello,

I am relatively new to vSphere and recently installed 6.5 with Operations Management. After applying a policy on all objects against the 6.0 hardening guide (level 3) I began receiving compliance warnings for both hosts (with distributed switches) and distributed switch uplink port groups that forged transmits, MAC address changes, and promiscuous mode are not being rejected. I confirmed that all distributed switch port groups for VMs/vmk's are in fact set to reject under Security, but I cannot find a way to apply those settings on the uplink port groups since the menu is different and there is no Security option. Am I missing something, or should uplink ports be exempt from the hardening guide rule?

Example of warnings:

<host> has symptom vNetwork.reject-mac-changes - Policy is not set to reject Mac address changes (5.5/6.0 Hardening Guide)     Aggregated MAC Address Changes "true" = "true"

<uplink port group> has symptom vNetwork.reject-forged-transmit-dvportgroup - The Forged Transmits policy is not set to reject (6.0 Hardening Guide)     Forged Transmits "true" = "true"

[Image DSwitch_PortGroup.png: port group options]

[Image DSwitch_UplinkPortGroup.png: uplink group options]

Thanks!


5 Replies
parmarr
VMware Employee

I believe the steps in the document "Configure the Security Policy for a Distributed Port Group or Distributed Port" must help.

Sincerely, Rahul Parmar VMware Support Moderator
NeverStopLearni
Contributor

Unfortunately, the text you referred me to only serves to highlight my original point. The configuration options under "Edit Settings" are different for distributed switch port groups than they are for distributed switch uplink ports. It can be seen in the images I posted, for example, that there is no "Security" option for uplink ports which is where MAC address changes and Forged transmits would be set. I am trying to determine if this is an intentional design restriction for uplink ports. If so, then Operations Manager compliance checks should be modified to not report uplink ports as 'out of compliance' with the Hardening Guide.

caduncan
Enthusiast

This looks to be by design. In my test environment, I tested using PowerCLI to force it to "false" and broke the management vmkernel, so don't change it.

I also read an article discussing this topic (sorry, I can't find the link). Security settings are at the normal port group level only. However, vROPS doesn't seem to differentiate Uplink from normal port groups, so for now I changed the symptom to "Info" until I find a way to exclude specific port groups from the alert or policy while still monitoring the other port groups.

Not sure this helps much, but maybe provides some insight.

NeverStopLearni
Contributor

I appreciate the response. Thanks for looking into it.

matthiasrieder
Enthusiast

As a workaround, I can recommend the following adjustments:

I made a Custom Group with the Uplink PortGroups excluded. You can filter them out by Name or Tag.

In the Default Policy I disabled the "vSphere Distributed Port Group is violating VMware vSphere Security Configuration Guide" Alert and I made a dedicated Policy with the Alert enabled and applied only to the Custom Group.

I hope the port group types will be differentiated in an upcoming version.

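Both caduncan's warning (do not force the setting on uplink port groups) and matthiasrieder's workaround (exclude uplink port groups from the check) come down to the same thing: audit the security policy only on regular distributed port groups. The following PowerCLI script is an added example, not code from the thread or from VMware; it reports each non-uplink port group's promiscuous mode, MAC address changes and forged transmits settings against the hardening guide's "reject" expectation and changes nothing. It assumes an existing Connect-VIServer session, and it identifies uplink port groups via the API flag DVPortgroupConfigInfo.uplink rather than by the name/tag filter the thread uses; the $VDSwitchName parameter is an assumption for this example.

```powershell
# Added example (not from the thread): read-only audit of vDS port-group security
# policies with PowerCLI, skipping uplink port groups, which expose no Security
# settings in the UI. Assumes Connect-VIServer has already been run.
param(
    [string]$VDSwitchName = '*'   # assumption: audit every distributed switch by default
)

$report = foreach ($pg in Get-VDPortgroup -VDSwitch (Get-VDSwitch -Name $VDSwitchName)) {
    # DVPortgroupConfigInfo.uplink marks an uplink port group; exempt it from the check
    # instead of forcing "reject" on it (the thread reports that breaks the management vmkernel).
    if ($pg.ExtensionData.Config.Uplink) {
        continue
    }

    $sec = Get-VDSecurityPolicy -VDPortgroup $pg

    [pscustomobject]@{
        VDSwitch         = $pg.VDSwitch.Name
        PortGroup        = $pg.Name
        AllowPromiscuous = $sec.AllowPromiscuous
        MacChanges       = $sec.MacChanges
        ForgedTransmits  = $sec.ForgedTransmits
        # The hardening guide expects all three to be rejected, i.e. $false
        Compliant        = (-not $sec.AllowPromiscuous) -and
                           (-not $sec.MacChanges) -and
                           (-not $sec.ForgedTransmits)
    }
}

# Full table first, then only the port groups that still accept one of the three
$report | Sort-Object VDSwitch, PortGroup | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Non-compliant port group: $($_.VDSwitch)/$($_.PortGroup)" }
```

Because the uplink test uses the API flag rather than a naming convention, a renamed uplink port group is still excluded, which is the gap a name-based Custom Group filter in vROps can leave. The output can be compared directly against the vROps symptoms quoted in the question: anything the script flags is a genuine finding, anything vROps reports only for an uplink port group is the by-design case caduncan describes.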