7.7 Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector


The vSphere VDS can export Netflow information about traffic crossing the VDS. These exports are not encrypted and can contain information about the virtual network making it easier for a Man in the Middle attack to be executed successfully.

NOTE: This is only valid if utilizing VMware vCenter


If Netflow export is required, verify that all VDS Netflow target systems are approved collectors by confirming the IP's are set correctly.

NOTE: This is only valid if utilizing VMware vCenter

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Using the vSphere Web Client

Go to the Networking section of vCenter

After selecting each individual switch you will need to perform the following.

Go to Configure then expand Settings.

Click on Netflow.

Click on Edit.

Enter the Collector IP address and Collector port as required.

Click OK.

Additionally, the following PowerCLI command may be used

'# Disable Netfow for a VDPortgroup
$DPortgroup = <name of portgroup>
Get-VDPortgroup $DPortGroup | Disable-PGNetflow

#Function for Disable-PGNetflow
#From: http://www.virtu-al.net/2013/07/23/disabling-netflow-with-powercli/

Function Disable-PGNetflow {
Param (
Process {
Foreach ($PG in $DVPG) {
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $PG.Extensiondata.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false

$PGView = Get-View -Id $PG.Id

See Also