If you are not using products that make use of the vSphere Network Appliance API (DvFilter), do not configure your host to send network information to a virtual machine. If the vSphere Network Appliance API is enabled, an attacker might attempt to connect a virtual machine to the filter. This connection might provide access to the network of other virtual machines on the host.

About this task

If you are using a product that makes use of this API, verify that the host is configured correctly. See the sections on DvFilter in Developing and Deploying vSphere Solutions, vServices, and ESX Agents. If your host is set up to use the API, make sure that the value of the Net.DVFilterBindIpAddress parameter matches the value used by the product that uses the API.

Procedure

  1. To ensure that the Net.DVFilterBindIpAddress kernel parameter has the correct value, locate the parameter by using the vSphere Web Client.
    1. Select the host and click the Manage tab.
    2. Under System, select Advanced System Settings.
    3. Scroll down to Net.DVFilterBindIpAddress and verify that the parameter has an empty value.

      The order of parameters is not strictly alphabetical. Scroll until you find the parameter.

  2. If you are not using DvFilter settings, make sure that the value is blank.
  3. If you are using DvFilter settings, make sure that the value of the parameter matches the value used by the product that uses the DvFilter.
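
The same check can be scripted from the ESXi Shell. The following is an added example, not part of the original documentation: it parses the output of `esxcli system settings advanced list -o /Net/DVFilterBindIpAddress` and compares the configured string with the value you expect (empty when DvFilter is not in use). The function names, the abridged sample output, and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Net.DVFilterBindIpAddress from esxcli output.
# Input (stdin): output of
#   esxcli system settings advanced list -o /Net/DVFilterBindIpAddress
# Argument: the expected value; "" means DvFilter is not in use.
# Returns 0 = matches, 1 = mismatch, 2 = setting not found in input.
check_dvfilter() {
    expected=$1
    out=$(cat)
    # "Default String Value:" must not match, so anchor at line start.
    line=$(printf '%s\n' "$out" | grep -m1 '^[[:space:]]*String Value:') || {
        echo "ERROR: no 'String Value:' line in input" >&2
        return 2
    }
    actual=$(printf '%s\n' "$line" |
        sed 's/^[[:space:]]*String Value:[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$actual" = "$expected" ]; then
        echo "OK: Net.DVFilterBindIpAddress='$actual'"
        return 0
    fi
    if [ -z "$expected" ]; then
        echo "FAIL: DvFilter not in use, but host is bound to '$actual'"
    else
        echo "FAIL: expected '$expected', found '$actual'"
    fi
    return 1
}

# Constructed, abridged sample output (not captured from a real host).
sample_blank() {
    cat <<'EOF'
   Path: /Net/DVFilterBindIpAddress
   Type: string
   String Value:
   Default String Value:
EOF
}

# Same sample with a constructed appliance address configured.
sample_bound() {
    sample_blank | sed 's/^\( *String Value:\).*/\1 192.0.2.10/'
}

# On an ESXi host, check the live setting; $1 is the expected value.
if command -v esxcli >/dev/null 2>&1; then
    esxcli system settings advanced list -o /Net/DVFilterBindIpAddress |
        check_dvfilter "${1:-}"
fi
```

Run it with no argument on hosts that do not use DvFilter, or pass the address that the DvFilter product is configured to use.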