Network Functions Virtualization (NFV) enables agile and cost-effective deployment of multi-tenant network services on top of a cloud infrastructure. However, the multi-tenant and multilevel nature of NFV may lead to novel security challenges, such as stealthy attacks exploiting potential inconsistencies between different levels of the NFV stacks. Consequently, the security compliance of a multilevel NFV stack cannot be sufficiently established using existing solutions, which typically focus on one level. Moreover, the naive approach of separately verifying every level could be expensive or even infeasible. In this paper, we propose, NFVGuard, the first multilevel approach to the formal security verification of NFV stacks. Our key idea is to conduct the security verification at only one level, and then assure that verification result for other levels by verifying the consistency between adjacent levels. We integrate NFVGuard with OpenStack/Tacker, a popular platform for the NFV deployment, and experimentally evaluate its effectiveness.