Avoid IP spoofing with the SpoofGuard service
Set up policies to detect IP spoofing
Last Updated on 12/02/2021
Objective
SpoofGuard protects against IP spoofing by maintaining a reference table of VM names and IP addresses. SpoofGuard maintains this reference table by using the IP addresses that the NSX Manager retrieves from VMware Tools when a VM initially starts.
This guide explains how to setup Spoofguard policies.
Requirements
- being an administrative contact of your Hosted Private Cloud infrastructure to receive login credentials
- a user account with access to vSphere as well as the specific rights for NSX (created in the OVHcloud Control Panel)
- an enabled Distributed Firewall
Instructions
In the vSphere interface menu, go to the Networking and Security dashboard.
On the left side, navigate to the Spoofguard section.
Click on + Add to create a new policy.
You could edit the default policy as well instead.
Name and enable the policy.
Choose the mode you wish to use:
- Automatically trust IP assignments on their first use
- Manually inspect and approve all IP assignment before use
Manual mode will block all traffic from your VMs until you validate the vNIC/IP combinations.
For convenience, you can also allow local address as valid address in namespace.
Click Next.
Select the Network objects the policy will apply to and click Finish.
The policy is now on the list end enabled.
If there are alerts and/or pending actions for you, you will be able to click on the number in the Pending Approval and Conflicted IPs columns.
Go further
Join our community of users on https://community.ovh.com/en/.
Did you find this guide useful?
Please feel free to give any suggestions in order to improve this documentation.
Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.
Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.
Thank you. Your feedback has been received.