SV-216838r612237_rule
V-216838
SRG-APP-000516
VCWN-65-000016
CAT II
10
To remove collector IPs do the following:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. Click edit and remove any unknown collector IPs.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configversion = $vs.Config.ConfigVersion
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ""
$spec.IpfixConfig.CollectorPort = "0"
$spec.IpfixConfig.ActiveFlowTimeout = "60"
$spec.IpfixConfig.IdleFlowTimeout = "15"
$spec.IpfixConfig.SamplingRate = "0"
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}
Note: This will reset the NetFlow collector configuration back to the defaults.
To disable NetFlow on a distributed port group do the following:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and change NetFlow to disabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}
To view NetFlow Collector IPs configured on distributed switches:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}
----
To view if NetFlow is enabled on any distributed port groups:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}
If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.
V-216838
False
VCWN-65-000016
To view NetFlow Collector IPs configured on distributed switches:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}
----
To view if NetFlow is enabled on any distributed port groups:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status.
or
From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}
If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.
M
4030