NSX – Monitor and analyze virtual machine traffic with Flow Monitoring

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines. When flow monitoring is enabled, its output defines which machines are exchanging data and over which application. This data includes the number of sessions and packets transmitted per session. Session details include sources, destinations, applications, and ports being used. Session details can be used to create firewall allow or block rules.

You can view TCP and UDP connections to and from a selected vNIC. You can also exclude flows by specifying filters.

Flow Monitoring can thus be used as a forensic tool to detect rogue services and examine outbound sessions.

Configure Flow Monitoring

Flow collection must be enabled for you to view traffic information. You can filter the data being displayed by specifying exclusion criterion. For example, you may want to exclude a proxy server to avoid seeing duplicate flows. Or if you are running a Nessus scan on the virtual machines in your inventory, you may not want to exclude the scan flows from being collected.

Procedure

1. Log in to the vSphere Web Client.

2. Select Networking & Security from the left navigation pane and then select Flow Monitoring.

3. Select the Configuration tab.

4. Ensure that Global Flow Collection Status is Enabled. All firewall related flows are collected across your inventory except for the objects specified in Exclusion Settings.

5. To specify filtering criterion click the tab corresponding to the flows you want to exclude.

6. Click Save.

View Flow Monitoring Data

You can view traffic sessions on virtual machines within the specified time span. The last 24 hours of data are displayed by default, the minimum time span is one hour and the maximum is two weeks. Flow monitoring data is only available for virtual machines in clusters that have the network virtualization components installed and firewall enabled.

1. Log in to the vSphere Web Client.

2. Select Networking & Security from the left navigation pane and then select Flow Monitoring.

3. Ensure that you are in the Dashboard tab.

4. Click Flow Monitoring.

The page might take several seconds to load. The top of the page displays the percentage of allowed traffic, traffic blocked by firewall rules, and traffic blocked by SpoofGuard. The multiple line graph displays data flow for each service in your environment. When you point to a service in the legend area, the plot for that service is highlighted.

Traffic statistics are displayed in three tabs:

  • Top Flows displays the total incoming and outgoing traffic per service over the specified time period based on the total bytes value (not based on sessions/packets). The top five services are displayed. Blocked flows are not considered when calculating top flows.
  • Top Destinations displays incoming traffic per destination over the specified time period. The top five destinations are displayed.
  • Top Sources displays outgoing traffic per source over the specified time period. The top five sources are displayed.

5. Click the Details by Service tab.

Details about all traffic for the selected service is displayed. Click Load More Records to display additional flows. The Allowed Flows tab displays the allowed traffic sessions and the Blocked Flows tab displays the blocked traffic.

You can search on service names.

6. Click an item in the table to display the rules that allowed or blocked that traffic flow.

7. Click the Rule Id for a rule to display the rule details.

View Live Flow

You can view UDP and TCP connections from and to a selected vNIC. In order to view traffic between two virtual machines, you can view live traffic for one virtual machine on one computer and the other virtual machine on a second computer. You can view traffic for a maximum of two vNICs per host and for 5 vNICs per infrastructure.

Viewing live flows can affect the performance of NSX Manager and the corresponding virtual machine.

1. Log in to the vSphere Web Client.

2. Select Networking & Security from the left navigation pane and then select Flow Monitoring.

3. Click the Live Flow tab.

4. Click Browse and select a vNIC.

5. Click Start to begin viewing live flow.

The page refreshes every 5 seconds. You can select a different frequency from the Refresh Rate drop-down.

6. Click Stop when your debugging or troubleshooting is done to avoid affecting the performance of NSX Manager or the selected virtual machine.

 

Leave a Reply

Your email address will not be published. Required fields are marked *