To view distributed firewall (DFW) IPFIX flows in VMware Aria Operations for Networks, you must enable DFW IPFIX flows in the NSX-T data source.

To enable VMware NSX-T IPFIX in VMware Aria Operations for Networks:

Prerequisites

  • Ensure that you have any one of the following privileges:
    • enterprise_admin
    • network_engineer
    • security_engineer
  • Ensure that the Distributed Firewall (DFW) is enabled.
  • Ensure that priority 0 is available for the Operations for Networks IPFIX profile. If another IPFIX profile already has priority 0, change that profile's priority to another value.

Note: Starting with NSX version 4.1.2.2, to receive DFW IPFIX flows, you must have one of the following license options enabled in NSX:
  • VMware Cloud Foundation component NSX Networking, and VMware Cloud Foundation add-on: NSX Distributed Firewall or NSX Distributed Firewall with Advanced Threat Prevention
  • NSX Enterprise Plus license

VMware Aria Operations for Networks will receive gateway firewall flows with the VMware Cloud Foundation license, and distributed firewall flows with the NSX Distributed Firewall or NSX Distributed Firewall with Advanced Threat Prevention license.

Procedure

  • Select Enable IPFIX when adding or editing an NSX-T Manager data source.

What to do next

After you enable IPFIX, VMware Aria Operations for Networks creates its own Operations for Networks Collector profile and Operations for Networks IPFIX profile on NSX-T. Do not modify either of these profiles.

If flows are not seen in VMware Aria Operations for Networks after you enable IPFIX on NSX-T, the following events may occur:
  • Operations for Networks Collector Profile is not registered in the NSX-T Manager.
  • Operations for Networks IPFIX Profile is not registered in the NSX-T Manager.
  • Operations for Networks IPFIX Profile port number has changed.
  • Operations for Networks Collector Profile does not match in the Operations for Networks IPFIX profile in the NSX-T Manager.
    Note: To resolve any of the above issues, enable NSX-T IPFIX again.
  • Operations for Networks IPFIX Profile priority is not zero in the NSX-T Manager.

    To resolve this issue, log in to NSX-T Manager and set the priority of the Operations for Networks IPFIX Profile to zero.

  • Operations for Networks Collector IP cannot be added in existing Operations for Networks Collector Profile in the NSX-T Manager.

    Delete one of the collectors from the Operations for Networks Collector Profile in the NSX-T Manager and re-enable NSX-T IPFIX from the data source page.

  • Distributed Firewall is deactivated in NSX-T Manager.

    Log in to NSX-T Manager and enable the DFW firewall.

With NSX-T 2.4, if flows are not seen in VMware Aria Operations for Networks after you enable IPFIX on NSX-T, the following events may occur:
  • Operations for Networks IPFIX Collector configuration is absent in NSX-T Manager collector profile.
  • DFW IPFIX Profile is absent in NSX-T Manager.
To resolve these issues, enable DFW IPFIX again.

Note: All the logical switches present in NSX-T are appended to the IPFIX profile within 10-15 minutes.