After a flow monitoring session has been collected, the results are analyzed and can be filtered for use in grouping objects and firewall rules. ARM automatically recommends firewall rules and security groups based on analyzed flows.

Analyzed flows can be filtered to limit the number of flows in a working set. The filter option icon is next to the Processed View drop-down menu on the right.


Before analysis, a flow monitoring session must have been collected from selected vNICs or VMs.


  1. After flows have been collected, click Analyze.
    Defined services are resolved, the IP address to VM translation begins, and duplicates are removed.
  2. Once analyzed, the following data is provided for flows:
    Field Options

    IN - flow is coming into one of the VM and VNIC selected as part of the input seed.

    OUT - flow is generated from one of the VM and VNIC selected as part of the input seed.

    INTRA- flow is between VM- and VNIC selected as part of the input seed.


    VM Name, if the Source IP address of the flow record is resolved to one VM in the NSX inventory. Note that IP address can be resolved to VM, only if VM Tools has been enabled on those VMs.

    Raw IP, if there is no VM found for this source IP address in NSX Inventory. Note that multicast and broadcast IP addresses will not be resolved to VMs.

    Number of VMs (Ex:2 Virtual Machines) if the IP address is an overlapping IP address mapped to multiple VMs in different networks, the user needs to resolve Virtual machines to the correct Virtual Machine related to this flow record.

    Destination Same values as Source field.

    NSX defined service for protocol/port.

    Raw protocol/port, if there is no defined service in the NSX Manager.

    Number of services. If there is more than one service mapped to the same protocol/port and the user needs to resolve it to one service applicable to the flow record.

  3. Select the Firewall Rules tab to view the automatically recommended ARM grouped workflows and policy creation, and created firewall rules based on the selected flows. Users can modify the recommended rules, especially the naming of the groups and rules to make them more intuitive.
    After flow analysis, ARM automatically recommends
    • Grouping and IP set recommendations of the workflows based on the flow pattern and services. For example, with a 3-tier application, the outcome would be four recommended security groups - one for each of the application tires and one groups for all the VMs in that application. ARM also recommends IP sets for destination based on services used by application VMs such as DNS/NTP servers if the destination IPs are outside of the vCenter domain.
    • Security group recommendation based on analyzed flow data. A 3-tier application outcome could be four rules with LB to WEB on https, WEB to APP on http, APP to DB on MYSQL, and common rule for infra services such as DNS.
    • Identify the Application Context (Layer 7) to the flow between application tiers. For example, L7 application running irrespective of TCP/UDP ports used and TLS version used for https.
  4. Click Publish to publish the policy for the given application as a section in the firewall rule table. Or, modify the rules as needed. Note that the recommended firewall rule limits the scope of enforcement (applied to) to VM’s associated with the application. Enter the firewall rule section name and click the checkbox to enable the following optional parameters:
    Option Description
    Enable TCP Strict Enables you to set TCP strict for each firewall section.
    Enable Stateless Firewall Enables stateless firewall for each firewall section.