Overriding Security Configuration

About this task

To override the VM interface security configuration:

Procedure

  1. Select Security.
    Profile Overrides - VM Interfaces Security Screen
  2. Refer to the Access Control field.

    As part of the VM interface's security configuration, IPv4 Inbound, IPv6 Inbound, and MAC Inbound address firewall rules are required.

    Use the drop-down menus to select the firewall rules to apply to this profile's VM interface configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

  3. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4-specific firewall rules to apply to this profile's VM interface configuration.

    IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method: unlike TCP, it does not guarantee delivery or proper sequencing, and it does not prevent duplicate delivery. IPv4 hosts can use link-local addressing to provide local connectivity.

  4. Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6-specific firewall rules to apply to this profile's VM interface configuration.
  5. If there is no firewall rule that meets the data protection needs of the target VM interface configuration, click the Create icon to define a new rule configuration, or click the Edit icon to modify an existing firewall rule configuration.
  6. Refer to the Trust field to define or override the following:

    Trust ARP Responses

    Select this option to enable ARP trust on this VM interface. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices. This option is disabled by default.

    Trust DHCP Responses

    Select this option to enable DHCP trust on this VM interface. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.

    ARP Header Mismatch Validation

    Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header. This option is enabled by default.

    Trust 802.1p COS values

    Select this option to enable 802.1p COS values on this VM interface. This option is enabled by default.

    Trust IP DSCP

    Select this option to enable IP DSCP values on this VM interface. This option is disabled by default.

  7. Set the following IPv6 Settings:

    Trust ND Requests

    Select this option to enable the trust of neighbor discovery requests required on an IPv6 network on this VM interface. This option is disabled by default.

    Trust DHCPv6 Responses

    Select this option to trust all DHCPv6 responses on this VM interface. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link. This option is enabled by default.

    ND Header Mismatch Validation

    Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This option is disabled by default.

    RA Guard

    Select this option to enable router advertisements or ICMPv6 redirects from this VM interface. Router advertisements are periodically sent to hosts or sent in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is disabled by default.

  8. Click OK to save the changes and overrides made to the VM interface configuration.

    Click Reset to revert to the last saved configuration.
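The ARP Header Mismatch Validation option in step 6 compares the source MAC in the Ethernet header with the sender MAC inside the ARP payload. The following is an added illustration of that comparison, not the product's own code; the function names, verdict strings, MAC addresses and sample frames are constructed for this example.

```python
import socket
import struct

ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0806, 0x8100

def build_arp_frame(eth_src, arp_sha, sender_ip, target_ip, oper=2, vlan=None):
    """Build a test frame (constructed sample data, not captured traffic)."""
    hdr = b"\xff" * 6 + eth_src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += arp_sha + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return hdr + struct.pack("!H", ETHERTYPE_ARP) + arp

def check_arp_header_mismatch(frame: bytes):
    """Return (verdict, detail); verdict is ok, mismatch, not-arp or malformed."""
    if len(frame) < 14:
        return "malformed", "shorter than an Ethernet header"
    eth_src, offset = frame[6:12], 14
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:  # step over a single 802.1Q tag
        if len(frame) < 18:
            return "malformed", "truncated 802.1Q tag"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        return "not-arp", f"ethertype 0x{ethertype:04x}"
    arp = frame[offset:]
    if len(arp) < 28:
        return "malformed", "truncated ARP payload"
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed", "not Ethernet/IPv4 ARP"
    # Sender hardware address and sender protocol address from the ARP payload
    sha, spa = arp[8:14], socket.inet_ntoa(arp[14:18])
    if sha != eth_src:
        return "mismatch", f"Ethernet src {eth_src.hex(':')}, ARP sender {sha.hex(':')} claims {spa}"
    return "ok", f"{spa} is-at {sha.hex(':')}"

HOST_A, HOST_B = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b02")  # constructed MACs
SAMPLES = {  # constructed frames using documentation-range addresses
    "consistent": build_arp_frame(HOST_A, HOST_A, "192.0.2.10", "192.0.2.1"),
    "spoofed-sender": build_arp_frame(HOST_B, HOST_A, "192.0.2.1", "192.0.2.10"),
    "vlan-tagged": build_arp_frame(HOST_B, HOST_A, "192.0.2.1", "192.0.2.10", vlan=20),
    "truncated": build_arp_frame(HOST_A, HOST_A, "192.0.2.10", "192.0.2.1")[:30],
}

for name, frame in SAMPLES.items():
    print(name, *check_arp_header_mismatch(frame))
```

A frame that fails this comparison carries an ARP binding its own Ethernet source did not originate, which is why the check is useful on interfaces where ARP responses are not otherwise trusted.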