NSX flow monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines. All sorts of traffic can be captured and various reports are generated. In this post we will go through enabling and using NSX Flow Monitoring.
Let’s first start by enabling flow monitoring as it’s disabled by default.
Navigate to: Networking & Security > Flow Monitoring > Configuration > Global Flow Collection Status > Click on Enable
The dashboard menu gives us an overview of the top flows, our top destinations and top sources. This is useful for getting an overview of what is happening in our network.
Note that the time interval can be changed.
Details by Service
Displays Allowed and Blocked Flows by service.
Allowed Flows lists the flows that have been allowed by either an ANY-ANY rule or by a specific rule. Blocked Flows lists all flows that have been blocked by the distributed firewall. You can add a rule to the Distributed Firewall to allow or block a flow from this screen.
Here you can enable Flow Monitoring and exclude flows that you are not interested in.
You can use IPFIX to configure flow monitoring to export flows to a 3rd party collector.
IPFIX will need to be enabled and a DomainID configured.
A collector IP/Port will need to be specified.
Example Use Case
Let’s use Flow Monitoring to monitor the traffic for web01. I have created a firewall rule to block some traffic so we can see what it looks like.
Live Flow > Select > Web-01a
Click on the Start button to start the monitoring
Traffic flows are highlighted in different colours:
Green : New and active flows.
Yellow : Existing flows that have changed their state.
Red : Flows that have been terminated.
Note that the flow can be filtered
Application Rule Manager
Application Rule Manager simplifies the process of microsegmenting an application by creating security groups and firewall rules for existing applications.
In Flow Monitoring, click on the Application Rule Manager menu then on Start New Session
Choose the workload to monitor
Once I press OK, Application Rule Manager will start collecting data on flows between the 3 selected VMs. After a few minutes, I stopped the traffic collection.
Let’s get ARM to analyse the data that’s been gathered.
Below are the flows that have been registered.
We can check the services that were involved.
We can create firewall rules based on the processed view
Most importantly, from the processed view we can create security groups and the firewall rules needed to secure application traffic.
Security groups created.
Firewall rule created
Rule needs to be published to be active.
If we navigate to the firewall section, we should find our section with the rule that we have created published.
I hope this was helpful. Thank you for reading.
My name is Amine El Badaoui and I currently live in Aylesbury, a small town in the south east of England.
I have been working in the IT industry for a few years now and specialise in VMware virtualisation, data centre infrastructure and cloud technologies. Over the years I have obtained numerous industry certifications from Microsoft, NetApp and VMware. I currently work as a VMware Product Engineer @ https://www.rackspace.com/
This blog represents my random technical notes and thoughts. The thoughts expressed here do not reflect my current employer in any way.