The arrows between the Group or VM nodes represent the network traffic flows that have occurred between the VMs during the selected time period.

Network traffic flows are based on the L3 distributed firewall (DFW) rules in place and the traffic flows that occurred during the selected time period. All network traffic flows that matched a stateful L3 DFW rule using IPv4 or IPv6 with the TCP, UDP, GRE, ESP, or SCTP protocol are included in the visualization and flow details. TCP and UDP flows have IP-level and port-level details; flows using the other protocols have IP-level details only.

The traffic flows are categorized into the following types.

| Flow Type | Description |
| --- | --- |
| Unprotected | A dashed red-hued arrow indicates that the system detected that the traffic flow encountered a rule (Source: Any, Destination: Any, Action: Allow or Reject or Drop) and that more granular security policies are needed. This rule can be your default rule, or it can reside anywhere in the East-West distributed firewall. |
| Blocked | A solid blue-hued arrow indicates that the system detected that the traffic flow encountered a 'Reject' or 'Drop' rule that is more granular than the one mentioned in the 'Unprotected' flow definition. |
| Allowed | A solid green-hued arrow indicates that the system detected that the traffic flow encountered an 'Allow' rule that is more granular than the one mentioned in the 'Unprotected' flow definition. |

To focus only on objects with certain types of traffic flows, use the Security view selection area to select the view type, and use the 'Flow Type' filter attribute to narrow down the selection.

If you deselect a flow type, the flow lines for that flow type are hidden from the displayed graph. Unless filters are in effect that exclude certain objects, all group or VM objects remain displayed regardless of the traffic flow types that have occurred with those objects during the selected time period. For example, if you deselect the 'Allowed' flow type, all the 'Allowed' flow lines are hidden in the graph. However, all objects are still displayed, even those objects that only had 'Allowed' traffic flows during the selected time period.

A flow arrow's direction indicates the source and destination of the detected traffic flow. When in Groups view, a self-referencing arrow on a group node indicates that at least one VM was communicating with another VM within that same group. In a VMs view, a self-referencing arrow indicates that an NSX object in the VM communicated with another NSX object in the same VM.
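
The categorization and arrow rules above can be modeled offline, for example to list which group-to-group arrows still depend on an any-to-any rule. The following Python sketch is an added example, not VMware code or an NSX API. The record fields (`src_vm`, `dst_vm`, `protocol`, `rule`), the VM and group names, and the sample flows are constructed assumptions, and every record is assumed to come from a stateful L3 DFW rule.

```python
from collections import defaultdict

IN_SCOPE = {"TCP", "UDP", "GRE", "ESP", "SCTP"}  # protocols the page lists

def classify(rule):
    """Flow type for the DFW rule a flow matched, per the table above."""
    if rule["action"] not in ("Allow", "Reject", "Drop"):
        raise ValueError(f"unknown action: {rule['action']!r}")
    if rule["source"] == "Any" and rule["destination"] == "Any":
        return "Unprotected"  # any-to-any rule, whatever its action
    return "Allowed" if rule["action"] == "Allow" else "Blocked"

def build_arrows(flows, vm_group):
    """Roll VM flows up into Groups-view arrows: (src, dst) -> {type: count}."""
    arrows = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["protocol"] not in IN_SCOPE:
            continue  # not part of the visualization
        edge = (vm_group[f["src_vm"]], vm_group[f["dst_vm"]])
        arrows[edge][classify(f["rule"])] += 1
    return {edge: dict(types) for edge, types in arrows.items()}

def needs_policy(arrows):
    """Arrows carrying Unprotected flows, busiest first."""
    hits = [(e, t["Unprotected"]) for e, t in arrows.items() if "Unprotected" in t]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def rule(src, dst, action):
    """Build a hypothetical matched-rule record."""
    return {"source": src, "destination": dst, "action": action}

# Constructed sample data (hypothetical field names, not an NSX export format).
VM_GROUP = {"web-01": "G1", "web-02": "G1", "app-01": "G2", "db-01": "G3"}
FLOWS = [
    {"src_vm": "web-01", "dst_vm": "app-01", "protocol": "TCP", "rule": rule("G1", "G2", "Allow")},
    {"src_vm": "web-01", "dst_vm": "web-02", "protocol": "TCP", "rule": rule("Any", "Any", "Allow")},
    {"src_vm": "app-01", "dst_vm": "db-01", "protocol": "UDP", "rule": rule("Any", "Any", "Drop")},
    {"src_vm": "app-01", "dst_vm": "db-01", "protocol": "ESP", "rule": rule("Any", "Any", "Allow")},
    {"src_vm": "web-02", "dst_vm": "db-01", "protocol": "TCP", "rule": rule("G1", "G3", "Reject")},
    {"src_vm": "app-01", "dst_vm": "db-01", "protocol": "ICMP", "rule": rule("Any", "Any", "Allow")},
]

if __name__ == "__main__":
    for edge, count in needs_policy(build_arrows(FLOWS, VM_GROUP)):
        kind = "self-referencing" if edge[0] == edge[1] else "between groups"
        print(f"{edge[0]} -> {edge[1]} ({kind}): {count} unprotected flow(s)")
```

In the sample, the web-01 to web-02 flow becomes a self-referencing arrow on G1, and the ICMP record is skipped because ICMP is not among the protocols listed above.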

When you point to a flow arrow, information about the flows involving the group or VM is displayed, as shown in the following example for Group G2.

When you click a flow arrow, the Flow Details dialog box is displayed. It shows the details about the completed and active flows that occurred during the selected time period. To get more detailed information about the flow's source, destination, type of service, and the type of flow, click the links in the table.