Practical NSX: Flow Monitoring

NSX Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines. All sorts of traffic can be captured and various reports are generated. In this post we will go through enabling and using NSX Flow Monitoring.

Let’s first start by enabling flow monitoring as it’s disabled by default.

Navigate to: Networking & Security > Flow Monitoring > Configuration > Global Flow Collection Status > Click on Enable

Dashboard

The dashboard menu gives us an overview of the top flows, our top destinations and top sources. Useful to get an overview of what is happening in our network.

Note that the time interval can be changed.

Details by Service

Displays Allowed and Blocked Flows by service.

Allowed Flows lists the flows that have been allowed by either an ANY-ANY rule or by a specific rule. Blocked Flows lists all flows that have been blocked by the distributed firewall. You can add a rule to the Distributed Firewall to allow or block a flow from this screen.

Configuration

Here you can enable Flow Monitoring and exclude flows that you are not interested in.

You can use IPFIX to configure flow monitoring to export flows to a third-party collector.

IPFIX will need to be enabled and a DomainID configured.

A collector IP/Port will need to be specified.

Example Use Case

Let’s use Flow Monitoring to monitor the traffic for web01. I have created a firewall rule to block some traffic so we can see what it looks like.

Live Flow > Select > Web-01a

Click on the Start button to start the monitoring.

Traffic flows are highlighted in different colours:

Green : New and active flows.
Yellow : Existing flows that have changed their state.
Red : Flows that have been terminated.

Note that the flows can be filtered.

Application Rule Manager

Application Rule Manager simplifies the process of microsegmenting an application by creating security groups and firewall rules for existing applications.

In Flow Monitoring, click on the Application Rule Manager menu, then on Start New Session.

Choose the workload to monitor.

Once I press OK, Application Rule Manager will start collecting data on flows between the 3 selected VMs. After a few minutes, I stopped the traffic collection.

Let’s get ARM to analyse the data that’s been gathered.

Below are the flows that have been registered.

We can check the services that were involved.

We can create firewall rules based on the processed view.

Most importantly, from the processed view we can create the security groups and the firewall rules needed to secure application traffic.

Security groups created.

Firewall rule created.

The rule needs to be published to be active.

If we navigate to the firewall section, we should find our section with the rule that we have created published.

I hope this was helpful. Thank you for reading.
