NSX DFW integrates with SpoofGuard which protects against IP spoofing in a virtual environment. If a virtual machine has been compromised, the IP address can be spoofed and malicious traffic can bypass the firewall using the spoofed IP address. SpoofGuard will protect against this as every time the virtual machine's IP addresses changes, the SpoofGuard database must be updated or approved with the new detected IP. If an IP address of a VM has changed, an NSX administrator must acknowledge the new IP so that the virtual machine can send and receive traffic with the new IP.
The IP detection mechanism can be used via VMware Tools, DHCP snooping, and/or ARP snooping. Only vNIC to IP association of the virtual machine is tracked ...