
The NSX-T Manager must enable the global FIPS compliance mode for load balancers.


Overview

Finding ID: V-251800
Version: TNDM-3X-000103
Rule ID: SV-251800r810403_rule
IA Controls: none listed
Severity: Medium
Description
If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data at risk of compromise.
STIG: VMware NSX-T Manager NDM Security Technical Implementation Guide
Date: 2022-09-01

Details

Check Text (C-55260r810401_chk)
From the NSX-T Manager web interface, go to the Home >> Monitoring Dashboards >> Compliance Report.

Review the compliance report for code 72024 with the description "Load balancer FIPS global setting disabled".

Note: This may also be checked via the API call GET https:///policy/api/v1/infra/global-config; the setting is the "lb_fips_enabled" value under "fips" in the response.

If the global FIPS setting is disabled for load balancers, this is a finding.
Fix Text (F-55214r810402_fix)
Execute the following API call using curl or another REST API client:

PUT https:///policy/api/v1/infra/global-config

Example request body (the "_revision" value must match the current revision returned by a GET of the same endpoint; a PUT with a stale revision is rejected by the manager):

{
  "fips": {
    "lb_fips_enabled": true
  },
  "resource_type": "GlobalConfig",
  "_revision": 2
}

The global setting is applied only when new load balancer instances are created. Changing the setting does not affect existing load balancer instances.

To update existing load balancers to use this setting, do the following:

From the NSX-T Manager web interface, go to the Networking >> Load Balancing and then click "Edit" on the target load balancer.

In the attachment field, click the "X" to detach the load balancer from its current Gateway and click "Save".

Edit the target load balancer again, reattach it to its Gateway, and then click "Save".

Caution: Detaching a load balancer from the tier-1 gateway results in a traffic interruption for the load balancer instance.
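The check and the API-based part of the fix above, combined into one script as an added example (this is not part of the STIG and not VMware's own tooling): it reads the global config, reports whether fips.lb_fips_enabled is set, and, when asked to remediate, PUTs the same document back with the flag enabled and the _revision it just read, so the update is not rejected as stale. The manager host name, the admin credentials, the CA bundle path and the embedded sample response are assumptions or constructed data; the detach/reattach of existing load balancers described above still has to be done afterwards.

```python
"""Added example: audit and remediate the NSX-T load balancer global FIPS
setting via the Policy API. Not part of the STIG or VMware's tooling; the
host name, credentials, CA file and sample data below are assumptions."""
import base64
import copy
import getpass
import json
import ssl
import sys
import urllib.request

GLOBAL_CONFIG_PATH = "/policy/api/v1/infra/global-config"

# Constructed sample of a GET response from a non-compliant manager; it uses
# only the fields shown in the STIG's example body (a real reply has more).
SAMPLE_NONCOMPLIANT = {
    "fips": {"lb_fips_enabled": False},
    "resource_type": "GlobalConfig",
    "_revision": 2,
}


def lb_fips_enabled(global_config):
    """Return True only when the LB FIPS flag is present and true.
    A missing 'fips' block or key counts as disabled, i.e. a finding."""
    return global_config.get("fips", {}).get("lb_fips_enabled") is True


def build_fix_body(global_config):
    """Build the PUT body for the fix: the document as read, with
    fips.lb_fips_enabled forced to true. _revision is carried over unchanged
    because the manager rejects a PUT whose _revision is stale. The input is
    not mutated, so the caller can diff before and after."""
    body = copy.deepcopy(global_config)
    body.setdefault("fips", {})["lb_fips_enabled"] = True
    body["resource_type"] = "GlobalConfig"
    return body


def _call(base_url, method, auth_header, ssl_ctx, body=None):
    """Issue one JSON request to the global-config endpoint and decode the reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + GLOBAL_CONFIG_PATH, data=data, method=method)
    req.add_header("Authorization", auth_header)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ssl_ctx) as resp:
        return json.load(resp)


def check_and_fix(base_url, username, password, cafile, apply_fix=False):
    """Audit the setting and optionally remediate it.
    Returns (enabled_before, enabled_after)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    auth = "Basic " + token
    # Verify the manager's certificate against a known CA rather than
    # disabling verification; the fix only matters over an authentic session.
    ssl_ctx = ssl.create_default_context(cafile=cafile)
    current = _call(base_url, "GET", auth, ssl_ctx)
    before = lb_fips_enabled(current)
    if before or not apply_fix:
        return before, before
    updated = _call(base_url, "PUT", auth, ssl_ctx, build_fix_body(current))
    return before, lb_fips_enabled(updated)


if __name__ == "__main__":
    # Usage: python3 lb_fips.py nsxmgr.example.test admin /path/to/ca.pem [--fix]
    host, user, cafile = sys.argv[1:4]
    fix = "--fix" in sys.argv[4:]
    before, after = check_and_fix(f"https://{host}", user, getpass.getpass(), cafile, fix)
    print("lb_fips_enabled before: %s, after: %s" % (before, after))
    if not before:
        print("Finding: V-251800 (TNDM-3X-000103)." if not after else
              "Fixed globally; existing load balancers still need a detach/reattach.")
```

Run it without --fix during the check to record the current state, then with --fix to remediate; the script never passes verify=False, so supply the CA that issued the manager's certificate.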