2.9 Ensure VDS health check is disabled


The health check support in VDS helps you identify and troubleshoot configuration errors in a vSphere Distributed Switch. It is recommended that health check be turned off by default and confirmed that it is turned off when troubleshooting is finished.


Once enabled, vSphere Distributed Switch health check collects packets that contain information on host#, vds#, and port#, which an attacker would find useful.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Using the vSphere Web Client for each VDS:

Select a VDS

Go to Configure, expand Settings, then select Health Check.

Click on Edit.

Set VLAN and MTU state to Disabled.

Set Teaming and failover state to Disabled.

Click OK.

Additionally, the following PowerCLI command can be used:

Get-View -ViewType DistributedVirtualSwitch |
    ?{ ($_.Config.HealthCheckConfig | ?{ $_.Enable -notmatch 'False' }) } |
    %{ $_.UpdateDVSHealthCheckConfig(@(
        (New-Object VMware.Vim.VMwareDVSVlanMtuHealthCheckConfig -Property @{ Enable = 0 }),
        (New-Object VMware.Vim.VMwareDVSTeamingHealthCheckConfig -Property @{ Enable = 0 })
    )) }
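Since Nessus does not perform this check, the following added PowerCLI example (my own code, not from the benchmark or Nessus) reports the health check state of every VDS and offers a guarded remediation; it assumes an open Connect-VIServer session, and the function names are my own.

```powershell
# Added audit/remediation example; not code from the CIS benchmark or Nessus.
# Assumes an open PowerCLI session (Connect-VIServer). Function names are mine.

function Get-VdsHealthCheckStatus {
    # One object per VDS: which health check types are on, and whether the
    # switch meets the "both disabled" expectation of this control.
    Get-View -ViewType DistributedVirtualSwitch | ForEach-Object {
        $vlanMtu = $false
        $teaming = $false
        foreach ($hc in $_.Config.HealthCheckConfig) {
            if ($hc -is [VMware.Vim.VMwareDVSVlanMtuHealthCheckConfig]) { $vlanMtu = [bool]$hc.Enable }
            if ($hc -is [VMware.Vim.VMwareDVSTeamingHealthCheckConfig]) { $teaming = [bool]$hc.Enable }
        }
        [pscustomobject]@{
            VDS            = $_.Name
            VlanMtuEnabled = $vlanMtu
            TeamingEnabled = $teaming
            Compliant      = -not ($vlanMtu -or $teaming)
            View           = $_   # kept so the remediation step can act on it
        }
    }
}

function Disable-VdsHealthCheck {
    # Turns both check types off on every non-compliant VDS. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-VdsHealthCheckStatus | Where-Object { -not $_.Compliant } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.VDS, 'Disable VLAN/MTU and Teaming health checks')) {
            $_.View.UpdateDVSHealthCheckConfig(@(
                (New-Object VMware.Vim.VMwareDVSVlanMtuHealthCheckConfig -Property @{ Enable = $false }),
                (New-Object VMware.Vim.VMwareDVSTeamingHealthCheckConfig -Property @{ Enable = $false })
            ))
        }
    }
}

# Report first; remediate only after reviewing the report.
Get-VdsHealthCheckStatus | Select-Object VDS, VlanMtuEnabled, TeamingEnabled, Compliant | Format-Table -AutoSize
# Disable-VdsHealthCheck -WhatIf
```

Run Disable-VdsHealthCheck without -WhatIf only once the report shows which switches will be changed.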

Default Value:

By default, the vSphere Distributed Switch health check is neither enabled nor configured.

