NSX – Configure SpoofGuard policies to enhance security

After synchronizing with the vCenter Server, NSX Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. If a virtual machine has been compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies.

You create a SpoofGuard policy for specific networks that allows you to authorize the IP addresses reported by VMware Tools and alter them if necessary to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK. Operating separately from Firewall rules, you can use SpoofGuard to block traffic determined to be spoofed.

SpoofGuard supports both IPv4 and IPv6 addresses. When using IPv4, the SpoofGuard policy supports a single IP address assigned to a vNIC. IPv6 supports multiple IP addresses assigned to a vNIC. The SpoofGuard policy monitors and manages the IP addresses reported by your virtual machines in one of the following modes.

Automatically Trust IP Assignments On Their First Use – This mode allows all traffic from your virtual machines to pass while building a table of vNIC-to-IP address assignments. You can review this table at your convenience and make IP address changes. This mode automatically approves all ipv4 and ipv6 address on a vNIC.

Manually Inspect and Approve All IP Assignments Before Use  – This mode blocks all traffic until you approve each vNIC-to-IP address assignment.

SpoofGuard inherently allows DHCP requests regardless of enabled mode. However, if in manual inspection mode, traffic does not pass until the DHCP-assigned IP address has been approved.

SpoofGuard includes a system-generated default policy that applies to port groups and logical networks not covered by the other SpoofGuard policies. A newly added network is automatically added to the default policy until you add the network to an existing policy or create a new policy for it.

Create a SpoofGuard Policy

You can create a SpoofGuard policy to specify the operation mode for specific networks. The system generated policy applies to port groups and logical switches not covered by existing SpoofGuard policies.


1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click SpoofGuard.

3. Click the Add icon.

4. Type a name for the policy.

5. Select Enabled or Disabled to indicate whether the policy is enabled.

6. For Operation Mode, select one of the following:

Automatically Trust IP Assignments on Their First Use – Select this option to trust all IP assignments upon initial registration with the NSX Manager.
Manually Inspect and Approve All IP Assignments Before Use  – Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.

7. Click Allow local address as valid address in this namespace to allow local IP addresses in your setup.

When you power on a virtual machine but it is unable to connect to the DHCP server, a local IP address is assigned to it. This local IP address is considered valid only if the SpoofGuard mode is set to Allow local address as valid address in this namespace. Otherwise, the local IP address is ignored.

8. Click Next.

9. To specify the scope for the policy, click Add and select the networks, distributed port groups, or logical switches that this policy should apply to. A port group or logical switch can belong to only one SpoofGuard policy.

10. Click OK and then click Finish.

Approve IP Addresses

If you set SpoofGuard to require manual approval of all IP address assignments, you must approve IP address assignments to allow traffic from those virtual machines to pass.


1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click SpoofGuard.

3. Select a policy. Policy details are displayed below the policy table.

4. In View, click one of the option links.

Active Virtual NICs – List of all validated IP addresses
Active Virtual NICs Since Last Published – List of IP addresses that have been validated since the policy was last updated
Virtual NICs IP Required Approval – IP address changes that require approval before traffic can flow to or from these virtual machines
Virtual NICs with Duplicate IP – IP addresses that are duplicates of an existing assigned IP address within the selected datacentre
Inactive Virtual NICs – List of IP addresses where the current IP address does not match the published IP address
Unpublished Virtual NICs IP – List of virtual machines for which you have edited the IP address assignment but have not yet published

5. Do one of the following.

  • To approve a single IP address, click Approve next to the IP address.
  • To approve multiple IP addresses, select the appropriate vNICs and then click Approve Detected IP(s).

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.