The arrows shown between group nodes or compute entity nodes in the Security Intelligence visualization canvas represent the network traffic flows that have occurred between the compute entities in your NSX environment during the selected time period.

Network traffic flows are based on the L3 and L7 distributed firewall (DFW) rules that are in place and the traffic flows that occurred during the selected time period. All network traffic flows that matched a stateful L3 DFW rule using IPv4 or IPv6 with the TCP, UDP, GRE, ESP, or SCTP protocol are included in the visualization details and flow details. TCP and UDP flows include IP-level and port-level details; flows using the other protocols include IP-level details only.

Flow types

The traffic flows are categorized into the following types.

Each flow type is listed with its graphic and description.

  • Unprotected (graphic: dashed red-hued arrow). A dashed red-hued arrow indicates that Security Intelligence detected that the traffic flow encountered a rule (Source: Any | Destination: Any | Action: Allow or Reject or Drop) and that more granular security policies are needed. This rule can be your default rule, or it can reside anywhere in the East-West distributed firewall.
  • Blocked (graphic: solid blue-hued arrow). A solid blue-hued arrow indicates that Security Intelligence detected that the traffic flow encountered a 'Reject' or 'Drop' rule that is more granular than the one mentioned in the 'Unprotected' flow definition.
  • Allowed (graphic: solid green-hued arrow). A solid green-hued arrow indicates that Security Intelligence detected that the traffic flow encountered an 'Allow' rule that is more granular than the one mentioned in the 'Unprotected' flow definition.

View flow details

To view the details about the traffic flows in which a particular group or compute entity participated, right-click the node for the group or compute entity in the visualization graph and select Flow Details. You can also right-click a traffic flow line between two group nodes to see the details for a traffic flow that occurred between two groups.

The following image displays the Flow Details Between Groups dialog box for two groups.

[Image: Flow Details Between Groups dialog box for two groups]

The table includes the Completed Flows tab and the Active Flows tab. The Completed Flows tab shows details about the flows that completed during the selected time period. The details include the following.
  • The source and destination information for the flow.
  • The groups and compute entities that the flows belong to, if known.
  • Information about the services used, if any.
  • The type (unprotected, blocked, allowed) of the latest flow.

When you expand a row, as shown in the above image, more information is presented, such as any Layer 7 (L7) application ID and FQDN information; when the flow ended; the total count of Receive/Transmit packets from the source and destination; and the source and destination IP addresses. You can click the detail links provided in the table to obtain more information. For example, if External IPs participated in a flow, you can click the External link to see the actual external IP addresses. Also included is a list of current information about the firewall rules in effect when the flow occurred. For more information, see Viewing Related Firewall Rules in Security Intelligence.

When you point to a flow arrow, some information is displayed about the flows involving the group or the compute entity, as shown in the following example node.

[Image: contextual menu displayed when pointing to a traffic flow arrow]

When in the Computes view, information about L4 and L7 ports and protocols appears on the flow lines when you zoom in on a flow line. If there is more than one L4 or L7 detail, a link with the number of additional details also appears on the flow line. Click the number, as shown in the following image, and the list of L4 and L7 ports and protocols is displayed.

[Image: list of L4 and L7 ports and protocols shown after clicking the number displayed on the traffic flow line]

Alternatively, you can right-click the flow line and select Connection Info (L4/L7) from the contextual menu, as illustrated in the following image.

[Image: contextual menu shown when right-clicking a flow line in the Computes view]

The Connection Info (L4/L7) dialog box is displayed for the selected time period.

[Image: VM flow connection info]

Right-clicking on a flow line and selecting Flow Details from the contextual menu displays the Flow Details table with information about the completed flows and active flows that occurred between the two compute entities that shared the flow line (communicated with each other) during that selected time period.

Flow direction

The direction of a flow arrow indicates the source and destination of the detected traffic flow. When in Groups view, a self-referencing arrow on a group node indicates that at least one compute entity communicated with another compute entity within that same group.

Filter flow types

To focus only on compute entities with certain types of traffic flows, use the Discover view selection area to select the view type, and use the Flow > Type filter attribute to narrow down your selection.

If you exclude a flow type from the Flows section, the lines for that flow type are hidden from the displayed visualization graph. Unless filters are in effect that exclude certain objects, all group or compute entities remain displayed regardless of the traffic flow types that have occurred with those entities during the selected time period. For example, if you excluded the Allowed flow type, all the Allowed flow lines are hidden from the graph.
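
The flow type definitions, the self-referencing arrow, and the Flow > Type exclusion described above can be modeled in a few lines. The following is an added example, not product code or an NSX export format: the Flow record layout, the function names, and the group names are assumptions, and the sample flows are constructed.

```python
from collections import Counter, namedtuple

# Hypothetical record layout for this example; not an NSX export format.
Flow = namedtuple("Flow", "src_group dst_group rule_src rule_dst action")

def flow_type(flow):
    """Classify a flow by the DFW rule it matched, per the flow type definitions."""
    if flow.action not in ("Allow", "Reject", "Drop"):
        raise ValueError(f"unknown rule action: {flow.action!r}")
    if flow.rule_src == "Any" and flow.rule_dst == "Any":
        return "Unprotected"  # any-to-any rule, whatever its action
    return "Allowed" if flow.action == "Allow" else "Blocked"

def group_lines(flows):
    """Count flow types per directed (source group, destination group) pair.
    A pair whose two groups are equal is a self-referencing arrow."""
    lines = {}
    for f in flows:
        lines.setdefault((f.src_group, f.dst_group), Counter())[flow_type(f)] += 1
    return lines

def filtered_view(flows, excluded=()):
    """Hide lines of excluded flow types; every group node stays displayed."""
    lines = group_lines(flows)
    nodes = {g for pair in lines for g in pair}
    shown = {}
    for pair, counts in lines.items():
        kept = {t: n for t, n in counts.items() if t not in excluded}
        if kept:
            shown[pair] = kept
    return nodes, shown

# Constructed sample flows (not real data).
SAMPLE = [
    Flow("web", "app", "web", "app", "Allow"),
    Flow("web", "app", "Any", "Any", "Allow"),
    Flow("web", "web", "Any", "Any", "Allow"),
    Flow("app", "db", "Any", "Any", "Drop"),
    Flow("db", "web", "db", "web", "Reject"),
    Flow("app", "mgmt", "app", "mgmt", "Allow"),
]

if __name__ == "__main__":
    nodes, shown = filtered_view(SAMPLE, excluded=("Allowed",))
    for (src, dst), counts in sorted(shown.items()):
        print(f"{src} -> {dst}: {counts}")
    print("nodes:", sorted(nodes))
```

With the Allowed type excluded, the app-to-mgmt line disappears while the mgmt node remains, and the remaining Unprotected lines mark the group pairs that matched an any-to-any rule.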