Set up an alert for port blocked by vSwitch security policy

Today I'm going to show you how to be alerted when a VM port is blocked by a security policy defined at the port group or vSwitch level.

If you are not aware of them so far, these settings prevent VM users (or attackers) from changing the MAC address from inside the guest operating system.

There are three security policies which you can specify:

Promiscuous mode: Allows virtual adapters connected to this dvPortgroup to see all frames passed on the host proxy switch that are allowed under the VLAN policy for the dvPortgroup.

MAC address changes: Allows virtual machines to receive frames with a MAC address that is different from the one configured in the VMX.

Forged transmits: Allows virtual machines to send frames with a MAC address that is different from the one specified in the VMX.


I suggest setting all three policies to Reject as a simple security precaution, unless you explicitly need one of them for a network-specific application, e.g. Microsoft NLB in unicast mode. I believe this is the default since vSphere 5.1. If you do need a policy enabled, I suggest creating a dedicated port group only for such VMs.

Once a port is blocked, the event is logged in the vmkernel.log of the ESXi host. The easiest way to be alerted when it happens is to create an alert in vRealize Log Insight, which is included in your vCenter license.

It is logged in the following format:

2017-05-31T11:30:25.980Z esx.domain.local vmkernel: cpu14:4446484)etherswitch: L2Sec_EnforcePortCompliance:257: client VMNAME.eth2 has policy vialations on port 0x900004c. Port is blocked

To create an alert:

  1. Log in to Log Insight and navigate to Interactive Analytics.
  2. Define the query as:
    1. Match all of the following filters
    2. vmw_esxi_vmk_component contains etherswitch
    3. text contains port is blocked
  3. Click Create Alert from Query…
  4. Type a name and e-mail address, set the Raise an alert condition, and click Save.

You are done 🙂
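As an added example (not part of the original post), here is a small Python script that applies the same two filters as the Log Insight query above to raw vmkernel lines and pulls the VM name, vNIC and port ID out of each match. The field layout is inferred from the single line quoted above, and the sample lines are constructed for the demonstration.

```python
import re

# Layout of the vmkernel line quoted in the post (as forwarded to syslog):
#   <timestamp> <host> vmkernel: cpu<N>:<world>)<component>: <message>
VMKERNEL_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+vmkernel:\s+cpu\d+:\d+\)"
    r"(?P<component>[^:]+):\s*(?P<message>.*)$"
)
# Fields of the L2Sec_EnforcePortCompliance message; "v\w+" also accepts
# the misspelt "vialations" that appears in the real log text.
BLOCKED_RE = re.compile(
    r"client (?P<vm>.+)\.(?P<vnic>eth\d+) has policy v\w+ on port "
    r"(?P<port>0x[0-9a-f]+)\. Port is blocked",
    re.IGNORECASE,
)

def parse_vmkernel_line(line):
    """Split one vmkernel line into ts, host, component and message (or None)."""
    m = VMKERNEL_RE.match(line.strip())
    return m.groupdict() if m else None

def matches_alert_query(record):
    """The two Log Insight filters: vmw_esxi_vmk_component contains
    'etherswitch' AND text contains 'port is blocked' (case-insensitive)."""
    return ("etherswitch" in record["component"].lower()
            and "port is blocked" in record["message"].lower())

def find_blocked_ports(lines):
    """Return one alert dict per blocked-port event found in the lines."""
    alerts = []
    for line in lines:
        rec = parse_vmkernel_line(line)
        if rec is None or not matches_alert_query(rec):
            continue
        alert = {"ts": rec["ts"], "host": rec["host"]}
        details = BLOCKED_RE.search(rec["message"])
        if details:  # still alert if VMware ever rewords the message
            alert.update(details.groupdict())
        alerts.append(alert)
    return alerts

# Constructed sample: the post's line, a decoy from another component
# (must not fire) and a second VM on another host (must fire).
SAMPLE_LOG = """\
2017-05-31T11:30:25.980Z esx.domain.local vmkernel: cpu14:4446484)etherswitch: L2Sec_EnforcePortCompliance:257: client VMNAME.eth2 has policy vialations on port 0x900004c. Port is blocked
2017-05-31T11:31:00.000Z esx.domain.local vmkernel: cpu2:12345)vmw_somecomp: Port is blocked by something unrelated
2017-05-31T11:32:10.500Z esx02.domain.local vmkernel: cpu3:99)etherswitch: L2Sec_EnforcePortCompliance:257: client web-01.eth0 has policy violations on port 0x5000012. Port is blocked
""".splitlines()
```

Running `find_blocked_ports(SAMPLE_LOG)` yields two alerts (VMNAME.eth2 and web-01.eth0); the decoy line is dropped by the component filter, which is why the query uses both conditions rather than the text match alone.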


About Dusan Tekeljak

Dusan has over 6 years of experience in the virtualization field. He is currently working as Senior VMware Platform Architect at one of the biggest retail banks in Slovakia. He has a background in closely related technologies including server operating systems, networking and storage. He used to be a member of the VMware Center of Excellence at IBM and is co-author of several Redpapers. His main scope of work consists of designing and performance optimization of business-critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL and others. He holds several industry-leading IT certifications such as VCAP-DCD, VCAP-DCA, MCITP and others. Honored with the #vExpert2015 and 2016 awards by VMware for his contribution to the community. Opinions are my own!