Flow monitoring

NSX Flow monitoring is a feature that allows detailed monitoring of traffic to and from protected virtual machines. Flow monitoring can uniquely identify the different machines and services that are exchanging data and, when enabled, can identify which machines are exchanging data over specific applications. Flow monitoring also allows live monitoring of TCP and UDP connections and can be used as an effective forensic tool.

Flow monitoring can only be turned on for NSX deployments where a firewall is enabled.

Flow monitoring data can be polled at a set interval and then analyzed. The default period is 24 hours, the minimum is one hour, and the maximum data collection interval is two weeks. Keep an eye on the disk space being consumed by NSX Manager when you set the polling interval.

To view the flow monitoring data, follow these steps:

  1. Log in to your vCenter web client and navigate to Networking & Security | Flow Monitoring.
  2. Click Flow Monitoring under the Dashboard tab.
  3. To change the time interval for the flow, click on the icon on the right.
  4. You will see the Flows Allowed, Blocked By Rule, and Blocked By Spoofguard metrics.
  5. The Top Flows tab shows the total incoming and outgoing traffic over the specified period of time.
  6. The Top Destinations tab shows the incoming traffic per destination.
  7. The Top Sources tab shows the outgoing traffic per source.
  8. The Details By Service tab shows the allowed and blocked flows, including the number of sessions for each type of flow. You can click on a service to view the traffic flow and the rules that apply. You can also edit a rule by clicking Edit Rule in the Actions column, or add a rule by clicking Add Rule in the Actions column.

One of the most interesting features is the ability to see a live flow for a selected vNIC. You can monitor all live TCP and UDP connections to a vNIC using the live flow feature. To do so, perform the following set of steps:

You can monitor a maximum of two vNICs per host and a maximum of five vNICs per vCenter.

  1. Log in to the vCenter web client and go to Networking & Security | Flow Monitoring.
  2. Click on the Live Flow tab in the dashboard.
  3. Click Browse to select a vNIC and click Start when done. The refresh rate can be set accordingly.
  4. Click Stop when done.

Using Live flow increases NSX Manager's resource consumption, so this feature should be used sparingly.