VMware NSX 4.x Manager NDM STIG Version Comparison
VMware NSX 4.x Manager NDM Security Technical Implementation Guide
Comparison
There is 1 difference between versions v1 r1 (Aug. 7, 2024) (the "left" version) and v1 r2 (Jan. 30, 2025) (the "right" version).
Check NMGR-4X-000102 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
The NSX Manager must be configured as a cluster.
Check Content
From the NSX Manager web interface, go to System >> Configuration >> Appliances. Verify three NSX Managers are deployed, a VIP or external load balancer is configured, and the cluster is in a healthy state. If three NSX Managers are not deployed, a VIP or external load balancer is not configured, and the cluster is not in a healthy state, this is a finding.
Discussion
Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the SDN controller. Preserving network element state information helps to facilitate continuous network operations with minimal or no disruption to mission-essential workload processes and flows.
Fix
To add additional NSX Manager appliances, do the following:

From the NSX Manager web interface, go to System >> Configuration >> Appliances, and then click "Add NSX Appliance". Supply the required information to add additional nodes as needed, up to three total.

To configure NSX with a cluster VIP or external load balancer, do the following:

From the NSX Manager web interface, go to System >> Configuration >> Appliances, and then click "Set Virtual IP", enter a VIP that is part of the same subnet as the other management nodes, and then click "Save".

To configure NSX with an external load balancer, set up an external load balancer with the following requirements:

- Configure the external load balancer to control traffic to the NSX Manager nodes.
- Configure the external load balancer to use the round robin method and configure source persistence for the load balancer's virtual IP.
- Create or import a signed certificate and apply the same certificate to all the NSX Manager nodes. The certificate must have the FQDN of the virtual IP and each of the nodes in the SAN.

Note: An external load balancer will not work with the NSX Manager VIP. Do not configure an NSX Manager VIP if using an external load balancer.

If the cluster status is not in a healthy state, identify the degraded component on the appliance and troubleshoot the issue with the error information provided.
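The certificate requirement for the external load balancer can be audited with a short script. The following is an added example, not part of the STIG or of VMware's tooling: it checks that every node's certificate lists the virtual IP FQDN and all node FQDNs in the SAN, and that all nodes present the same certificate. The host names, function names and sample data are constructed, and rejecting wildcard SAN entries is an assumption of this example.

```python
import hashlib

def san_dns_names(peercert):
    """Lower-cased dNSName entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return {value.lower().rstrip(".")
            for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"}

def audit_cluster_certs(vip_fqdn, node_certs):
    """node_certs maps node FQDN -> (getpeercert()-style dict, DER bytes).
    Returns a list of finding strings; an empty list means the requirement is met."""
    required = {vip_fqdn.lower()} | {name.lower() for name in node_certs}
    findings, by_fingerprint = [], {}
    for node in sorted(node_certs):
        cert, der = node_certs[node]
        # Literal reading of the requirement: each FQDN must be listed by name,
        # so a wildcard SAN entry does not count (assumption of this example).
        missing = sorted(required - san_dns_names(cert))
        if missing:
            findings.append(f"{node}: SAN lacks {', '.join(missing)}")
        # Group nodes by certificate fingerprint to detect per-node certificates.
        by_fingerprint.setdefault(hashlib.sha256(der).hexdigest(), []).append(node)
    if len(by_fingerprint) > 1:
        findings.append("nodes do not all present the same certificate")
    return findings

# Constructed sample data. In a live audit the dict and the DER bytes would come
# from getpeercert() and getpeercert(binary_form=True) on a connection to each node.
VIP = "nsx-vip.example.test"
NODES = ["nsx-a.example.test", "nsx-b.example.test", "nsx-c.example.test"]
GOOD_CERT = {"subjectAltName": tuple(("DNS", n) for n in [VIP] + NODES)}
GOOD_DER = b"constructed stand-in for the shared certificate's DER bytes"
COMPLIANT = {n: (GOOD_CERT, GOOD_DER) for n in NODES}

# Constructed failure case: nsx-c still serves a certificate naming only itself.
STALE_CERT = {"subjectAltName": (("DNS", "nsx-c.example.test"),)}
DRIFTED = dict(COMPLIANT)
DRIFTED["nsx-c.example.test"] = (STALE_CERT, b"constructed stand-in for another certificate")

if __name__ == "__main__":
    for label, data in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, audit_cluster_certs(VIP, data) or "no findings")
```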