The system must disable the distributed virtual switch health check.


Finding ID: V-63961
Version: VCWN-06-000012
Rule ID: SV-78451r1_rule
IA Controls:
Severity: Low
Network Healthcheck is disabled by default. Once enabled, the healthcheck packets contain information on host#, vds#, port#, which an attacker would find useful. It is recommended that network healthcheck be used for troubleshooting, and turned off when troubleshooting is finished.
VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide 2015-12-09


Check Text (C-64713r1_chk)
From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> Health Check. View the health check pane and verify both checks are disabled.


From a PowerCLI command prompt while connected to the vCenter server run the following commands:

$vds = Get-VDSwitch

If the health check feature is enabled on distributed switches and is not on temporarily for troubleshooting purposes, this is a finding.
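
The PowerCLI check above can be extended into a per-switch report. The script below is an added example and is not part of the STIG text. It assumes an existing PowerCLI session connected to the vCenter server and reads the same Config.HealthCheckConfig objects and enable property that the fix command uses; the Interval property comes from the vSphere API's health check configuration object.

```powershell
# Added example, not part of the STIG text.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run against vCenter.

# Build one row per health check (VLAN/MTU and teaming) per distributed switch.
$report = foreach ($dvs in Get-View -ViewType DistributedVirtualSwitch) {
    foreach ($hc in $dvs.Config.HealthCheckConfig) {
        [pscustomobject]@{
            Switch      = $dvs.Name
            HealthCheck = $hc.GetType().Name   # e.g. VMwareDVSVlanMtuHealthCheckConfig
            Enabled     = [bool]$hc.Enable     # an unset (null) value is treated as disabled
            IntervalMin = $hc.Interval
        }
    }
}

if (-not $report) {
    Write-Output 'No distributed switch health check configuration was returned.'
}
else {
    $report | Sort-Object Switch, HealthCheck | Format-Table -AutoSize

    # Any enabled check is a candidate finding; the reviewer still decides
    # whether it is on temporarily for troubleshooting.
    $enabled = @($report | Where-Object { $_.Enabled })
    if ($enabled.Count -gt 0) {
        $names = ($enabled.Switch | Sort-Object -Unique) -join ', '
        Write-Warning "Health check enabled on: $names. Finding unless enabled temporarily for troubleshooting."
    }
    else {
        Write-Output 'All distributed switch health checks are disabled.'
    }
}
```

Running it again after applying the fix confirms that both checks report Enabled = False on every switch.
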
Fix Text (F-69891r1_fix)
From the vSphere Web Client go to Networking >> Select a distributed switch >> Manage >> Settings >> Health Check. Click the edit button and disable both health checks.


From a PowerCLI command prompt while connected to the vCenter server run the following command:

Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}