After system analysis is complete, the analyzed flow table is available in the Processed View. Users can further consolidate the flows by changing the source, destination, and service fields. See Customizing Services in Flow Records and Customizing Source and Destination in Flow Records.
Processed View
| Field | Options |
|---|---|
| Direction | IN - flow is coming into one of the VMs or vNICs selected as part of the input seed. OUT - flow is generated from one of the VMs or vNICs selected as part of the input seed. INTRA- flow is between the VM or vNIC selected as part of the input seed. |
| Source | VM Name, if the Source IP address of the flow record is resolved to one VM in the NSX inventory. Raw IP if there is no VM found for this source IP address in the NSX Inventory. Note than multicast and broadcast IPs will not be resolved to VMs. Number of VMs if IP address is an overlapping IP address mapped to multiple VMs in different networks. The user needs to resolve multiple VMs to one VM related to this flow record. |
| Destination | Same values as Source field. |
| Service | NSX defined service for protocol/port. Raw protocol/port, if there is no defined service in the NSX Manager. Number of services. If there is more than one service mapped to the same protocol/port and the user needs to resolve it to one service applicable to the flow record. |
Flow tables can be edited and the flows consolidated for easier rule creation. For example, the source field can be replaced with ANY. Multiple VMs receiving flows with HTTP and HTTPs can be replaced with “WEB-Service” service group, which includes both HTTP and HTTPs service. By doing so, Multiple flows may look similar and flow patterns may emerge that can be easily translated to a firewall rule.
Note that while each cell of the flow table can be modified, the cells are not auto-populated. For instance, if the IP address196.1.1.1 is added to the DHCP-Server IPSet, the subsequent occurrences of that IP are not auto-populated to show the DHCP-Server group. There is a prompt asking if you want to replace all instances of the IP address with the IPSet. This allows the flexibility to make that IP part of multiple IPSet groups.
Consolidated View
The consolidated view is accessed from the drop-down list in the right-hand corner. The consolidated view eliminates duplicate flows and displays the minimal number of flows. This view can be used to create firewall rules.
- for intra flows the corresponding IN and OUT flows with raw data are shown
- the original source IP, destination IP, port, and protocol information in all of the raw flows that were consolidated into the record
- for ALG flows, the corresponding data flow for the control flow is shown
