The arrows shown between group nodes or compute entity nodes in the Security Intelligence visualization canvas represent the network traffic flows that have occurred between the compute entities in your NSX environment during the selected time period.
Network traffic flows are based on the L3 and L7 distributed firewall (DFW) rules that are in place and the traffic flows that occurred during the selected time period. All network traffic flows that matched a stateful L3 DFW rule using IPv4 or IPv6 with TCP, UDP, GRE, ESP, and SCTP protocols are included in the visualization details and flow details. TCP and UDP flows include IP-level and port-level details; flows using the other protocols include IP-level details only.
Flow types
Flow Type | Graphic | Description |
---|---|---|
Unprotected | Dashed red-hued arrow | A dashed red-hued arrow indicates that Security Intelligence detected that the traffic flow encountered a rule (Source: Any | Destination: Any | Action: Allow or Reject or Drop) and that more granular security policies are needed. This rule can be your default rule, or it can reside anywhere in the East-West distributed firewall. |
Blocked | Solid blue-hued arrow | A solid blue-hued arrow indicates that Security Intelligence detected that the traffic flow encountered a 'Reject' or 'Drop' rule that is more granular than the one mentioned in the 'Unprotected' flow definition. |
Allowed | Solid green-hued arrow | A solid green-hued arrow indicates that Security Intelligence detected that the traffic flow encountered an 'Allow' rule that is more granular than the one mentioned in the 'Unprotected' flow definition. |
View flow details
To view the details about the traffic flows in which a particular group or compute entity participated, right-click the node for the group or compute entity in the visualization graph and select Flow Details. You can also right-click a traffic flow line between two group nodes to see the details for a traffic flow that occurred between two groups.
The Flow Details table includes the following information:
- The source and destination information for the flow.
- The groups and compute entity the flows belong to, if known.
- Information about the services used, if any.
- The type (unprotected, blocked, allowed) of the latest flow.
When you expand a row, more information is presented, such as any Layer 7 (L7) application ID and FQDN information; when the flow ended; the total count of Receive/Transmit packets from the source and destination; and the source and destination IP addresses. You can click the detail links provided in the table to obtain more information. For example, if External IPs participated in a flow, you can click the External link to see the actual external IP addresses. Also included is a list of current information about the firewall rules in effect when the flow occurred. For more information, see Viewing Related Firewall Rules in Security Intelligence.
Right-clicking a flow line and selecting Flow Details from the contextual menu displays the Flow Details table with information about the completed flows and active flows that occurred between the two compute entities that shared the flow line (communicated with each other) during the selected time period.
Flow direction
The direction of a flow arrow indicates the source and destination of the detected traffic flow. When in Groups view, a self-referencing arrow on a group node indicates that at least one compute entity communicated with another compute entity within that same group.
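The classification from the Flow types table, together with the "type of the latest flow" field and the self-referencing arrows described above, can be expressed in Python as follows. This is an added example, not NSX or Security Intelligence code: the record fields, group names and sample flows are constructed, and treating any rule other than Any-to-Any as "more granular" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Field names are hypothetical for this example; they are not the NSX flow schema.
@dataclass(frozen=True)
class Flow:
    end_time: int             # constructed timestamp (seconds)
    src_group: str
    dst_group: str
    protocol: str             # TCP, UDP, GRE, ESP or SCTP
    dst_port: Optional[int]   # only TCP/UDP flows carry port-level detail
    rule_src: str             # Source field of the matched DFW rule
    rule_dst: str             # Destination field of the matched DFW rule
    rule_action: str          # ALLOW, REJECT or DROP

def flow_type(f: Flow) -> str:
    """Classify one flow by the DFW rule it matched, per the Flow types table."""
    if f.rule_src == "ANY" and f.rule_dst == "ANY":
        return "UNPROTECTED"  # Any-to-Any rule, whatever its action
    return "ALLOWED" if f.rule_action == "ALLOW" else "BLOCKED"

def summarize_pairs(flows):
    """Summarize each (source group, destination group) pair by its latest flow."""
    pairs = {}
    for f in sorted(flows, key=lambda x: x.end_time):
        p = pairs.setdefault((f.src_group, f.dst_group),
                             {"self_ref": f.src_group == f.dst_group, "services": set()})
        p["type"] = flow_type(f)  # flows that ended later overwrite earlier ones
        if f.protocol in ("TCP", "UDP") and f.dst_port is not None:
            p["services"].add(f"{f.protocol}/{f.dst_port}")
        else:
            p["services"].add(f.protocol)  # IP-level detail only
    return pairs

def needs_policy(pairs):
    """Pairs whose latest flow is Unprotected: candidates for more granular rules."""
    return sorted(k for k, p in pairs.items() if p["type"] == "UNPROTECTED")

# Constructed sample flows.
FLOWS = [
    Flow(100, "web", "app", "TCP", 8443, "web", "app", "ALLOW"),
    Flow(160, "web", "app", "TCP", 8443, "ANY", "ANY", "ALLOW"),
    Flow(120, "app", "db", "TCP", 5432, "app", "db", "DROP"),
    Flow(130, "app", "app", "GRE", None, "ANY", "ANY", "DROP"),
]

if __name__ == "__main__":
    for (src, dst), p in summarize_pairs(FLOWS).items():
        print(f"{src} -> {dst}: {p['type']} {sorted(p['services'])} self_ref={p['self_ref']}")
    print("needs granular policy:", needs_policy(summarize_pairs(FLOWS)))
```

Note that the web-to-app pair ends up Unprotected even though an earlier flow matched a granular Allow rule, and that an Any-to-Any rule with a Drop action still yields Unprotected rather than Blocked.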
Filter flow types
To focus only on compute entities with certain types of traffic flows, use the Discover view selection area to select the view type, and use the filter attribute to narrow down your selection.
If you exclude a flow type from the Flows section, the lines for that flow type are hidden from the displayed visualization graph. Unless filters are in effect that exclude certain objects, all groups or compute entities remain displayed regardless of the traffic flow types that have occurred with those entities during the selected time period. For example, if you exclude the Allowed flow type, all the Allowed flow lines are hidden from the graph.