UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ESXi host must configure virtual switch security policies to reject promiscuous mode requests.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258773 ESXI-80-000218 SV-258773r959010_rule Medium
Description
When promiscuous mode is enabled for a virtual switch, all virtual machines (VMs) connected to the Portgroup have the potential to read all packets across that network (only the virtual machines connected to that Portgroup). Promiscuous mode is disabled by default on the ESXi Server, and this is the recommended setting. Promiscuous mode can be set at the vSwitch and/or the Portgroup level. Switch-level settings can be overridden at the Portgroup level.
STIG Date
VMware vSphere 8.0 ESXi Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62513r933378_chk )
This control addresses ESXi standard switches. Distributed switches are addressed in the vCenter STIG. If there is no standard switch on the ESXi host, this is not applicable.

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> Virtual Switches.

On each standard switch, click the '...' button next to each port group and select "Edit Settings".

Click the "Security" tab. Verify that "Promiscuous Mode" is set to "Reject" and that "Override" is not checked.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VirtualSwitch | Get-SecurityPolicy
Get-VirtualPortGroup | Get-SecurityPolicy | Select-Object *

If the "Promiscuous Mode" policy is set to "Accept" (or "true", via PowerCLI) or the security policy inherited from the virtual switch is overridden, this is a finding.
Fix Text (F-62422r933379_fix)
From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> Networking >> Virtual Switches.

On each standard switch, click "Edit" and select Security.

Set "Promiscuous Mode" to "Reject". Click "OK".

For each port group, click the '...' button and select "Edit Settings" then Security.

Set "Promiscuous Mode" to "Reject" and uncheck the "Override" box. Click "OK".

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $false
Get-VirtualPortGroup | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuousInherited $true