The Application Rule Manager (ARM) tool simplifies the process of microsegmenting an application by creating security groups and firewall rules for existing applications.

Flow monitoring is used for long term data collection across the system, while the application rule manager is used for a targeted modeling of an application. During a flow monitoring phase, ARM learns about flows coming in and out of the application being profiled, as well as flows in between application tiers. It also learns about any Layer 7 Application Identity for the flows being discovered

There are three steps in the application rule manager workflow:
  1. Select virtual machines (VM) that form the application and need to be monitored. Once configured, all incoming and outgoing flows for a defined set of VNICs (Virtualized Network Interface Cards) on the VMs are monitored. There can be up to five sessions collecting flows at a time.
  2. Stop the monitoring to generate the flow tables. The flows are analyzed to reveal the interaction between VMs. The flows can be filtered to bring the flow records to a limited working set. After flow analysis, ARM automatically recommends:
    • Security Groups & IP set recommendation of the workloads based on the flow pattern and services used
    • Firewall policy based on the analyzed flow for a given ARM session
    • Layer 7 Application identity of the flow
  3. Once a flow is analyzed with security group & policy recommendations, the policy for the given application can be published as a section in the firewall rule table. The recommended firewall rule also limits the scope of enforcement (applied to) to VM’s associated with the application. Users can also modify the rules, especially naming of the groups and rule to make it more intuitive and readable.