This topic lists the control rules and product control set for NSX-T. The supported NSX-T version is 3.2.x or later.

Controls Rules and Product Control Set for NSX-T

  • The NSX-T Distributed Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.
  • The NSX-T Manager must be configured to send logs to a central log server.
  • The NSX-T Manager must enable two-factor authentication.
  • The NSX-T Manager must terminate the session after a defined period of inactivity.
  • The NSX-T Manager must be configured to reset the account lockout period.
  • The NSX-T Manager must set log level to info on services.
  • The NSX-T Manager must be configured to protect against known types of denial-of-service (DoS) attacks by employing organization-defined security safeguards.
  • Do not install or use software not supported by VMware on your NSX-T Data Center appliances.
  • The NSX-T Tier-0 Gateway Firewall must be configured for service redundancy to limit the effects of denial-of-service (DoS) attacks on the network.
  • The NSX-T Tier-0 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.
  • The NSX-T Manager must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • The perimeter NSX-T Tier-0 Gateway must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field through egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
  • The NSX-T Manager must be configured to set the account lockout-period after a defined number of consecutive invalid login attempts.
  • The NSX-T Manager must be configured to enforce the limit on consecutive invalid login attempts, after which it must block any login attempt for a predefined time.
  • The NSX-T Manager must be configured to conduct backups on an organization-defined schedule.
  • The NSX-T Manager must enforce a minimum 15-character password length.
  • The NSX-T Manager must be configured to set the CLI account lockout-period after a defined number of consecutive invalid login attempts.
  • The NSX-T Manager must be configured to enforce the limit on consecutive invalid login attempts via CLI, after which it must block any login attempt for a predefined time.
  • The NSX-T Manager must enable TLS 1.2 only.
  • The NSX-T Manager must disable SNMP v2.
  • The NSX-T Manager must enable the global FIPS compliance mode for load balancers.
  • The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes.
  • Enable logging for distributed firewall rules.
  • The NSX-T Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
  • The NSX-T Tier-0 Gateway Firewall must generate traffic log entries containing information to establish what type of events occurred.
  • The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
  • The NSX-T Tier-0 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
  • The NSX-T Tier-0 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
  • The NSX-T Tier-1 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
  • The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.
  • The NSX-T Tier-0 Gateway must be configured to have Internet Control Message Protocol (ICMP) redirects disabled on all external interfaces.
  • The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish what type of events occurred.