Grant-NsxSpoofguardNicApproval
NAME Grant-NsxSpoofguardNicApproval
SYNOPSIS
Approves a new IP for the specified Spoofguard NIC.
SYNTAX
Grant-NsxSpoofguardNicApproval -SpoofguardNic <XmlElement> -IpAddress <String[]> [-Confirm] [-Publish]
[-Connection <PSObject>] [<CommonParameters>]
Grant-NsxSpoofguardNicApproval -SpoofguardNic <XmlElement> -ApproveAllDetectedIps [-Confirm] [-Publish]
[-Connection <PSObject>] [<CommonParameters>]
DESCRIPTION
If a virtual machine has been compromised, its IP address can be spoofed
and malicious transmissions can bypass firewall policies. You create a
SpoofGuard policy for specific networks that allows you to authorize the IP
addresses reported by VMware Tools and alter them if necessary to prevent
spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines
collected from the VMX files and vSphere SDK. Operating separately from
Firewall rules, you can use SpoofGuard to block traffic determined to be
spoofed.
Use the Grant-NsxSpoofguardNicApproval cmdlet to add the specified IP
to the list of approved IPs for the specified Spoofguard NIC.
PARAMETERS
-SpoofguardNic <XmlElement>
Required? true
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-IpAddress <String[]>
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ApproveAllDetectedIps [<SwitchParameter>]
Required? true
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Prompt for confirmation. Specify as -confirm:$false to disable confirmation prompt
Required? false
Position? named
Default value True
Accept pipeline input? false
Accept wildcard characters? false
-Publish [<SwitchParameter>]
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Connection <PSObject>
PowerNSX Connection object
Required? false
Position? named
Default value $defaultNSXConnection
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-NsxSpoofguardPolicy test | Get-NsxSpoofguardNic -NetworkAdapter (Get-vm evil-vm | Get-NetworkAdapter |
select -First 1) | Grant-NsxSpoofguardNicApproval -IpAddress 1.2.3.4 -Publish
Grant approval for the first NIC on VM Evil-VM to use the IP 1.2.3.4 and
publish immediately.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-NsxSpoofguardPolicy test | Get-NsxSpoofguardNic -NetworkAdapter (Get-vm evil-vm | Get-NetworkAdapter |
select -First 1) | Grant-NsxSpoofguardNicApproval -ApproveAllDetectedIps -Publish
Grant approval for the first NIC on VM Evil-VM to use all IPs detected by
whatever IP detection methods are available and publish immediately.
Note: This *may* include 'local' IPs (such as fe80::/64) which may not be
allowed if the policy is not enabled with 'AllowLocalIps'. In this case
this operation will throw a cryptic error (Valid values are {2}) and not
succeed. In this case you must either change the policy to allow local IPs,
or manually approve the specific IPs you want. This issue affects the NSX
UI as well.
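The "manually approve the specific IPs you want" route from the note above, as an added example that is not part of the PowerNSX help text. Select-NonLocalIp is a hypothetical helper, the address list is constructed sample data, and treating IPv6 link-local plus IPv4 169.254.0.0/16 as 'local' is an assumption.

```powershell
# Added example (not PowerNSX code): approve only non-local IPs explicitly,
# instead of -ApproveAllDetectedIps, when the policy lacks 'AllowLocalIps'.

function Select-NonLocalIp {
    # Hypothetical helper: returns the input addresses that are not link-local.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$IpAddress)

    foreach ($candidate in $IpAddress) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$parsed)) {
            Write-Warning "Skipping unparseable address: $candidate"
            continue
        }
        if ($parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
            # Covers the fe80:: range named in the note above.
            $isLocal = $parsed.IsIPv6LinkLocal
        }
        else {
            # Assumption: IPv4 link-local (169.254.0.0/16) is also treated as 'local'.
            $bytes = $parsed.GetAddressBytes()
            $isLocal = ($bytes[0] -eq 169 -and $bytes[1] -eq 254)
        }
        if ($isLocal) { Write-Verbose "Excluding local address: $candidate" }
        else { $candidate }
    }
}

# Constructed sample of addresses detected for the NIC; replace with the
# addresses you have reviewed for the VM in question.
$detected  = @('192.0.2.10', 'fe80::250:56ff:fe9a:1', '169.254.12.7', '2001:db8::10')
$toApprove = @(Select-NonLocalIp -IpAddress $detected -Verbose)

# Same NIC lookup as EXAMPLE 1 on this page.
$nic = Get-NsxSpoofguardPolicy test |
    Get-NsxSpoofguardNic -NetworkAdapter (Get-VM evil-vm | Get-NetworkAdapter | Select-Object -First 1)

if ($toApprove.Count -gt 0) {
    # -Confirm defaults to True, so the approval still prompts before it is made.
    $nic | Grant-NsxSpoofguardNicApproval -IpAddress $toApprove -Publish
}
else {
    Write-Warning 'No non-local addresses to approve.'
}
```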
RELATED LINKS