以下是高级查询的一些示例:

通信模式的流查询

  • 跨数据中心或站点的总流量(DCI 链接使用)

    sum(bytes) of flows where ( Dst Manager = 'abc' AND src manager = 'cba') OR ( Dst Manager = 'cba' AND src manager = 'abc')

  • VTEP 流量总计
    • sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP' VTEP traffic grouped by VMKNIC
    • sum(bytes) of flows where Flow Type = 'Src is VTEP' or Flow Type = 'Dst is VTEP' group by ip
  • 其他管理流量

    flows where Flow Type = 'Source is VMKNIC' or Flow Type = 'Destination is VMKNIC'

  • 用于扩展 L2 网络的流

    flows where flow type = 'Extended L2 Network' and Destination IP Address = 10.172.13.14

用于聚合和分组的流查询

  • Internet 流量总计(按源虚拟机)

    sum(bytes) of flows where Flow Type = 'Internet' group by src vm

  • 排名靠前的端口(按总字节数)

    sum(bytes) of flow group by port order by sum(bytes)

  • 排名靠前的子网对(按路由的流量)

    sum(bytes) of flow where Flow Type = 'Routed' group by Source Subnet Network, destination subnet network order by sum(bytes)

  • 虚拟机总计(按成对总字节数)

    sum(bytes) of flows group by src vm , dest vm order by sum(bytes)

  • 排名靠前的服务器虚拟机/端口(按总字节数)

    sum(bytes) of flows group by dest vm , port order by sum(bytes)

用于容量估算和大小调整的流查询

  • 由 ESX 分组的所有 vm-internet/internet-vm 流量的总字节数(Palo Alto 服务虚拟机大小调整)

    sum(bytes) of flows where flow type = 'internet' and (flow type = ' src is vm ' OR flow type = 'destination is vm ') group by host order by sum(bytes)

  • 用于匹配流的聚合流量系列(Palo Alto 服务虚拟机大小调整)

    series( sum(byte rate)) of flows where host = 'ddc1-pod2esx012.dm.democompany.net' and (Flow Type = 'Source is VM' OR flow type = 'Destination is VM')

应用程序的有用查询

  • 给定应用程序中的虚拟机

    VM where application = 'CRM'

  • 从给定应用程序路由的流

    Flows where source application = CRM and Flow Type = 'Routed'

  • 两层之间的流(单向)

    Flows where src tier = 'App' and Destination Tier = 'DB'

  • 两层之间的流(单向)

    Flows where ( src tier = 'App' and destination Tier = 'DB') OR (destination tier = 'App' and source tier = 'DB')

虚拟机和 ESX 的有用查询

  • Prod-Midtier-1 虚拟机的属性(MAC、IP、主机等)

    CPU Usage Rate, Network Rate, Memory Usage Rate, mac address, ip , vxlan , host of vm 'Quality control-VM26'

  • 具有最高虚拟机计数的网络分段

    vm group by l2 network

  • 数据存储具有最高虚拟机计数

    vm group by datastore

  • 主机(按 vSphere 版本)

    host group by version

  • 主机(按 vSphere 内部版本)

    host group by OS

  • 插入特定 UCS 机箱的所有主机/刀片上的所有虚拟机(嵌套查询)

    vm where host in (host where Blade like 'sys/chassis-1')

有用的查询:一般容量

  • 数据中心数:

    count of datacenter

  • 集群数

    count of cluster

  • 主机数

    count of host

  • 虚拟机数

    count of vm

  • 网络数

    count of vlan

有用的查询:路由

  • VNI(按主控制器)

    vxlan group by Primary Controller

  • 提供程序 Edge 3 的路由

    routes where vrf = 'Provider Edge 3'

  • DMZ DLR 的路由

    NextHop Router of routes where VRF = 'LDR-DMZ'

  • 将给定路由器作为下一跃点的路由

    routes where NextHop Router = 'California-Edge'

有用的查询:防火墙规则

  • 两个虚拟机之间的防火墙规则

    firewall rules from 'Prod-Midtier-1' to 'Prod-Db-1'

  • 具有 ANY 源的规则

    firewall rules where Service Any = true

  • 给定规则的虚拟机

    vm where Firewall Rule = 'Prod MidTier to Prod DB - DBService '

  • 允许任何端口的防火墙规则

    firewall rule where action = allow and service any = true

  • 命中特定防火墙规则的流

    flows where firewall rule = 'Admin to Prod and Lab - SSH'

  • 系统中已拒绝的流

    flows where firewall action = deny

  • 查看网关防火墙

    Firewall Rule where firewall type = 'GatewayFirewall'

  • 查看分布式防火墙

    Firewall Rule where firewall type = 'Distributed Firewall'

有用的查询:一般流量模式

  • 东西向和南北向流量计数、交换流量计数、路由流量计数以及虚拟机到虚拟机流量计数

    plan security in last 7 days

有用的查询:来自安全镜头的流量

  • 通信最多者虚拟机详细信息

    top 7 vm group by name, Vlan order by sum(Total Network Traffic) in last 7 days

  • 承载最多流量的网络

    top 7 vlan group by Vlan id, vm count order by sum(Total Network Traffic) in last 7 days

  • 大多数通信位于 VLAN 内的网络(不跨越物理防火墙或 L3 边界)

    top 7 flow where Flow Type = 'Switched' group by Subnet Network order by sum(Bytes) in last 7 days

  • 大多数通信都通过 VLAN 的网络(可能会导致物理防火墙出现瓶颈问题)

    top 7 flow where Flow Type = 'Routed' group by Source Subnet Network, Destination Subnet Network order by sum(Bytes) in last 7 days

  • 在国家/地区外通信的虚拟机

    top 7 flow where Destination Country != 'United States' group by Source VM, Destination Country order by sum(Bytes) in last 7 days

  • 经历最多存储延迟的数据存储

    avg(Read Latency), avg(Write Latency) of top 7 vm group by Datastore, vlan order by avg(Write Latency) in last 7 days

有用的查询:合规性/漏洞

  • 易受攻击的操作系统详细信息

    vm where Operating System like 'Microsoft Windows Server 2003' or Operating System like 'Microsoft Windows Server 2008' or Operating System like 'Red Hat Enterprise Linux 6' or Operating System like 'Red Hat Enterprise Linux 5' or Operating System like 'SUSE Linux Enterprise 10' group by vlan, Operating System

  • 易受攻击的操作系统计数

    count of vm where Operating System like 'Microsoft Windows Server 2003' or Operating System like 'Microsoft Windows Server 2008' or Operating System like 'Red Hat Enterprise Linux 6' or Operating System like 'Red Hat Enterprise Linux 5' or Operating System like 'SUSE Linux Enterprise 10'

  • 由于旧操作系统造成的总攻击面

    vm where vlan in (vlan of vm where os in ('Microsoft Windows Server 2003', 'Microsoft Windows Server 2008', 'Red Hat Enterprise Linux 6', 'Red Hat Enterprise Linux 5', 'SUSE Linux Enterprise 10')) group by Vlan

    count of vm where vlan in (vlan of vm where os in ('Microsoft Windows Server 2003', 'Microsoft Windows Server 2008', 'Red Hat Enterprise Linux 6', 'Red Hat Enterprise Linux 5', 'SUSE Linux Enterprise 10'))
    注: 要获取针对易受攻击的操作系统的建议防火墙规则,请参见 建议的防火墙规则用于保护易受攻击的操作系统