VMware NSX Intelligence 1.2.0 | 30 OCT 2020 | Build 17065669
Check regularly for additions and updates to these release notes.
VMware NSX® Intelligence™ is a distributed analytics platform that leverages granular workload and network context unique to NSX to deliver converged security policy management, analytics, and compliance with data center–wide visibility. NSX Intelligence provides a user interface via a single management pane within NSX Manager and provides the following features:
- Real-time flow visibility for compute workloads in your environment.
- Correlation of live or historic network traffic flows, user-defined firewall configurations, and compute workload inventory.
- Ability to view past information about network traffic flows, user-defined firewall configurations, and compute workload inventory.
- Automated micro-segmentation planning by recommending firewall rules, groups, and services.
What's in the Release Notes
The release notes cover the following topics:
- What's New
- System Requirements
- Compatibility Notes
- Available Languages
- API and CLI Resources
- Revision History
- Resolved Issues
- Known Issues
What's New in This Release
NSX Intelligence 1.2.0 introduces the following new features and enhancements for real-time network traffic flow visualizations and firewall rule planning.
NSX Intelligence Visualizations
- Visibility for compute workload types now includes physical servers.
- Visualization of groups of IP addresses is now supported.
- Context correlation and visualization support are now available for endpoint context (processes), user context (user login), and network context (Layer 4 and Layer 7 AppID).
- Flow visibility is enhanced.
- Advanced filtering options in the NSX Intelligence user interface now include L7 flows, Groups, and more.
NSX Intelligence Recommendations
- Security recommendations now support correlation to existing firewall rules and groups.
- Security recommendations now also include support for recommending firewall rules and groups for physical servers.
- Permissive Mode support is provided.
- Connectivity strategy (Allow/Deny list) is introduced.
- Reuse of existing groups and objects is now allowed.
- Recommendation output validation is available.
- Layer 7 Context Profile recommendations based on the App ID have been added.
NSX Intelligence Platform
- NSX Intelligence appliance resize is now supported.
- Certificate management enhancements are introduced, including support for new certificate types.
- Alarms for high disk usage and high storage latency are now available.
- Health status for NSX Intelligence services is now provided.
- NSX Intelligence license usage reporting is available.
Network Traffic Analysis (Tech Preview)
The following threat detections, mapped to the MITRE ATT&CK Enterprise framework, are provided as a Tech Preview only in the NSX Intelligence 1.2 release.
Note: The Network Traffic Analysis feature is not supported for production use. If you enable this Tech Preview feature, ensure that it is disabled before using NSX Intelligence in production mode.
- Persistence - Traffic drop
- Credential Access - LLMNR/NBT-NS Poisoning and Relay (MITRE ID: T1171)
- Discovery - Network Service Scanning (MITRE ID: T1046)
- Lateral Movement - Remote Services (MITRE ID: T1021)
- Lateral Movement - Remote Desktop Protocol (MITRE ID: T1076)
- Command and Control - Uncommonly Used Ports (MITRE ID: T1509)
System Requirements
- For system requirements information, see the Installing and Upgrading VMware NSX Intelligence document.
- For information about ports and protocols required for NSX Intelligence, see VMware Ports and Protocols at https://ports.vmware.com/home/NSX-Intelligence.
- For NSX Intelligence and NSX-T Data Center interoperability information, see VMware Product Interoperability Matrices.
Compatibility Notes
- NSX Intelligence does not support Kubernetes Pods, Namespace, or Cluster visualization.
- NSX Intelligence does not support NSX Federation deployments. For deployments with NSX Federation, if an NSX Intelligence instance is deployed with the Local Manager on a specific site, you will see groups and flows from the Global Manager. However, the visualization will not reflect specifics from other sites. NSX Intelligence recommendations will also not function across various sites because NSX Intelligence does not integrate with the Global Manager of NSX-T Data Center.
- When installing the NSX Intelligence 1.2.0 appliance using NSX-T Data Center 2.5.x, you must use the instructions provided for the NSX Intelligence 1.0.x release, which was released with NSX-T Data Center 2.5.x. See Download and Unpack the NSX Intelligence Installer Bundle and Install the NSX Intelligence Appliance. You can use the same commands to unpack the NSX Intelligence 1.2.0 installer OVA file that you download from the VMware Products Download portal.
Available Languages
NSX Intelligence has been localized into multiple languages: English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish. Because NSX Intelligence localization uses the browser language settings, ensure that your browser settings match the desired language.
Document Revision History
30 October 2020. First edition.
18 December 2020. Added known issues 2685222 and 2682610.
07 January 2021. Added known issue 2673869.
21 January 2021. Added reference to known issue 2694784.
Resolved Issues
- Fixed Issue 2541816 - Some persistent load situations might cause recommendations to remain in the Waiting state for a long time, or the VMs/Groups views to not work.
If there is a persistent high load on the NSX Intelligence appliance, one or more recommendations might remain in the Waiting state for a long time, or the VMs/Groups views might not function as expected.
- Fixed Issue 2543655 - SSL handshake failure might occur between a transport node and a Kafka Broker in NSX Intelligence.
If flow and context information are missing from a transport node, incorrect information might appear in the NSX Intelligence visualization shown on the NSX Manager user interface. In the /var/log/kafka/server.log file, you might see a continuous logging of the SSL handshake failed error message.
- Fixed Issues 2396630, 2533563, and 2548387 - Delete transport node operation may fail when the NSX Intelligence appliance is deployed.
If a transport node is being deleted while the NSX Intelligence appliance is being deployed, the deletion can fail because the transport node is referenced by the NSX-INTELLIGENCE-GROUP NSGroup. To delete a transport node while the NSX Intelligence appliance is deployed, the force delete option is required.
Known Issues
- Issue 2368926 - Recommendations job fails if user reboots appliance while job is in progress.
A recommendation job runs against a set of context VMs. If you reboot the NSX Intelligence appliance while the job is in progress, the reboot deletes that context and the job goes to a failed state.
Workaround: After reboot, repeat the recommendations job for the same set of VMs.
- Issue 2369802 - NSX Intelligence appliance backup excludes event/flows datastore backup.
This functionality is not supported in NSX Intelligence versions 1.0.x, 1.1.x, and 1.2.x.
- Issue 2389691 - Publish recommendation job fails with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
If you try to publish a single recommendation job that contains more than 2,000 objects, it will fail with error "request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
Workaround: Reduce the number of objects to fewer than 2,000 in the recommendation job and retry the publication.
- Issue 2370660 - NSX Intelligence shows inconsistent data for specific VMs.
This is likely caused by those VMs having the same IP address in the data center. This is currently not supported by NSX Intelligence.
Workaround: None. Avoid assigning the same IP address to two VMs in the data center.
- Issue 2410224 - After completing NSX Intelligence appliance registration, refreshing view may return a 403 Forbidden error.
After completing NSX Intelligence appliance registration, if you click Refresh to View, the system may return a 403 Forbidden error. This is a temporary condition caused by the time required for the NSX Intelligence appliance to access the interface.
Workaround: If you receive this error, wait a few moments and try again.
- Issue 2374229 - NSX Intelligence appliance runs out of disk space.
The NSX Intelligence appliance has a default data retention period of 30 days. If the amount of flow data is larger than the anticipated amount within 30 days, the appliance might run out of disk space prematurely and become partially or completely non-operational.
Workaround: See VMware Knowledge Base article 76523 for more details and workaround.
- Issue 2385599 - Groups of static IPs not supported in NSX Intelligence recommendations.
VMs and workloads that are not recognized in the NSX-T inventory, if they have intranet IP addresses, may still be subject to recommendation analysis as a group of static IPs, including recommended rules that contain these groups. However, NSX Intelligence does not support visualization of such groups, so the visualization shows traffic sent to them as sent to "Unknown" instead of to the recommended group. The recommendation feature itself functions correctly; this is a display issue.
- Issue 2366599 - Rules for VMs with IPv6 addresses not enforced.
If a VM uses an IPv6 address, but IPv6 snooping is not enabled for that VIF via the IP discovery profile, the IPv6 address is not populated in the rule for that VM in the data path. As a result, that rule is never enforced.
Workaround: Verify that IPv6 discovery profile is enabled at either the VIF or logical switch whenever IPv6 addresses are used.
- Issue 2374231 - Port scan with the nmap tool generates flows with service UNKNOWN and port 0.
NSX Intelligence does not support source or destination port parsing for GRE, ESP, and SCTP protocol flows. NSX Intelligence provides full header parsing for TCP and UDP flows along with flow-related statistics. For the other supported protocols (GRE, ESP, and SCTP), NSX Intelligence can only provide IP information without protocol-specific source or destination ports, so a scan that sends such packets produces flows whose source and destination ports are reported as zero.
- Issue 2410096 - After rebooting the NSX Intelligence appliance, flows collected in the last 10 minutes prior to reboot may not be displayed.
This is caused by an indexing issue, where the data is lost if the indexer could not persist the data. Rebooting the NSX Intelligence appliance might result in the data that was collected in the last 10 minutes to be lost.
- Issue 2531845 - Group visualization is incorrect immediately after upgrading the NSX Intelligence appliance.
After upgrading NSX Intelligence from version 1.0.x or 1.1.x to version 1.2.0, the Groups view displays an Uncategorized group with a large and incorrect number of VM members.
Workaround: Wait at least 1 hour after you upgrade NSX Intelligence to version 1.2.0 before using the NSX Intelligence features.
- Issue 2539217 - LDAP users who are not part of any LDAP group are unable to access the NSX Intelligence UI.
LDAP users who are not part of any LDAP group cannot access the NSX Intelligence user interface, even when they have roles assigned in NSX-T Data Center.
Workaround: Assign roles to LDAP groups, or assign roles only to users that are members of an LDAP group.
- Issue 2529161 - Using the same SFTP folder for backing up an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster results in a mixed list of backups.
If an SFTP folder is shared between an NSX-T cluster, an NSX Intelligence node, and a Global Manager cluster, then a mixed list of all the backups that were generated using those clusters are listed in the NSX Intelligence Backup user interface. Only backups generated by NSX Intelligence should be listed.
Workaround: Use a unique SFTP folder when backing up each of the NSX-T cluster, NSX Intelligence appliance, or Global Manager cluster.
- Issue 2536593 - The Recommended Action information provided for a Certificate Expired alarm event is not accurate for NSX Intelligence.
If the Certificate Expired alarm event occurs, using the information provided in the Recommended Action does not resolve the alarm on the NSX Intelligence appliance.
- Issue 2628443: New configuration changes such as Policy Groups, VMs, and traffic flows are not reflected in the NSX Intelligence user interface.
If you run the following CLI command using the virtual IP of the NSX Manager cluster instead of an individual NSX Manager node IP, new configuration changes made for policy groups, VMs, and traffic flows are not reflected in the NSX Intelligence user interface.
set intelligence manager-node
Workaround: If you used the NSX Manager cluster virtual IP in the set intelligence manager-node CLI command, use the following steps to correct the situation.
- Connect to the NSX Intelligence appliance using the admin user account: ssh admin@intelligence-ip and run the following command:
update intelligence manager node host-ip-addr <nsx-mgr-ip-addr-arg> cert-thumbprint <nsx-mgr-thumbprint-arg>
- While still in the same ssh session as admin, run the following command:
set intelligence manager-node <nsx-mgr-ip-address> cert-id <uuid> cert-b64-encoded-pem <pem>
- Connect to the NSX Intelligence appliance using the root user account: ssh root@intelligence-ip and run the following command:
- Connect to the NSX Intelligence appliance using the admin user account: ssh admin@intelligence-ip and run the following command:
- Issue 2599301: Some active sessions are not visible on the NSX Intelligence user interface for the Last 1 Hour view and are not picked up by the Recommendations module for recommending policies.
There are active traffic flows running on compute hosts, but these traffic flows are not visible in the Last 1 Hour view on the NSX Intelligence user interface. Starting a recommendation analysis for the involved compute hosts does not generate any recommendations for those traffic flows even though those traffic flows are unsegmented.
Workaround: Synchronize the timestamps between the NSX Intelligence appliance and all the compute hosts that are exporting data to NSX Intelligence.
- Issue 2629403: New policy configuration changes such as Group and DFW will not get reflected correctly on NSX Intelligence UI.
After upgrading from NSX Intelligence 1.0.x to NSX Intelligence 1.2, if the NSX Intelligence node and localhost-subscriber certificates have changed, then the configuration synchronization from NSX Manager to the NSX Intelligence appliance might not work.
Workaround: See VMware Knowledge Base article 81318 for more details and workaround.
- Issue 2621892: IPv6 traffic flows are not being reported for physical servers using OVS in Windows.
With the Stateful Firewall service enabled on NSX-T Data Center, physical servers that are using Open vSwitch (OVS) in Windows are unable to report IPv6 traffic flows to NSX-T Data Center. As a result, those IPv6 traffic flows are not reflected in the NSX Intelligence user interface.
- Issue 2631724: Some NSX Intelligence deployments might be assigned fewer CPUs even when the Large form factor is selected during installation.
On installations using earlier NSX Intelligence versions, even when the large form factor (LFF) appliance size is selected during installation, a small form factor (SFF) size gets assigned because the host specified during configuration does not have enough CPUs available. This SFF assignment results in degraded performance at scale. In NSX Intelligence 1.2.0, if not enough CPUs are available to accommodate the requested LFF appliance size, the problem is detected during deployment and the user interface displays the Registration failed error. In the NSX Intelligence appliance's /var/log/node-manager/node-manager-service.INFO.log file, the following exception is recorded:
Exception: Insufficient CPU resources to support requested form factor
Workaround: When deploying a large form factor NSX Intelligence appliance, use the Resource Pool option in the installation wizard, instead of the Host option.
- Issue 2609372 - NSX Intelligence fails to detect invalid IP address for the NSX Manager appliance.
If you added the NSX Manager certificate information to NSX Intelligence, but provided an incorrect IP address for the NSX Manager, the /var/log/pace-server.log file contains error messages that indicate a connection attempt to the NSX Manager appliance has timed out.
Workaround: See VMware Knowledge Base article 80158 for more details and workaround.
- Issue 2662537 - The NSX Intelligence appliance might reach a degraded state under a heavy load.
After installing an NSX Intelligence small form factor appliance and operating it for an extended period of time, you might see the appliance's status change to degraded from time to time. In particular, this can happen when the number of traffic flow records is high and the Network Traffic Analysis (Tech Preview) feature is enabled.
Workaround: Disable the Network Traffic Analysis (Tech Preview) feature or resize the NSX Intelligence appliance to a large form factor. See Resize the NSX Intelligence Appliance topic in the Using and Managing VMware NSX Intelligence document.
- Issue 2649781 - The 'spark' service remains in a degraded state after the NSX Intelligence appliance is rebooted and an extended period has passed.
In a resource-limited NSX Intelligence setup, the spark service might remain in an unhealthy state even after more than 30 minutes have passed. New traffic flows are not displayed in the visualization canvas because of the degraded state of the spark service.
Workaround: Use the following steps.
- Log in to the NSX Intelligence CLI as admin user.
- Verify the state of the spark service using the following command:
- If the spark service is in a stopped or degraded state, use the following command to restart the spark service.
restart service spark
- Issue 2658502 - NSX Intelligence encounters an error if the NSX Manager cluster certificate or the NSX Intelligence appliance certificate contains a carriage return character (as part of a newline).
- If the NSX Manager certificate contains a carriage return character, the deployment of the NSX Intelligence appliance might fail, or the NSX Intelligence appliance might get stuck in a degraded state after it has been deployed.
- If an NSX Manager certificate or NSX Intelligence certificate that contains a carriage return character is updated after the NSX Intelligence appliance has been deployed, and multiple manager services are restarted simultaneously, some of the services might fail to initialize.
Workaround: Use one of the following workarounds.
- Use a certificate that does not contain a carriage return character (LF line endings only, no CRLF).
- Check whether the manager service is in a Down or degraded state and restart it using the following steps.
- Navigate to System > Appliances.
- Locate the affected NSX Appliance and click View Details.
- Locate MANAGER in the Operational Status section and verify that it is in a DOWN state.
- If it is down, log in to the respective NSX Manager appliance CLI as admin user and restart the manager service using the following command.
restart service manager
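The first workaround for issue 2658502 above is easier to apply if the certificate is checked before it is ever handed to NSX Manager or NSX Intelligence. The following added example (not VMware code, and not part of the original release notes) is a small pre-flight check: it detects carriage-return bytes in a PEM file, normalizes CRLF or bare CR line endings to LF, and confirms that each PEM block still has matching BEGIN/END labels and a base64-decodable body. The sample PEM embedded below is constructed for the demonstration and is not a real certificate.

```python
"""Pre-flight check for PEM certificates: find and remove carriage returns.

Added example, not VMware code. It covers the condition in issue 2658502
(a CR character inside the certificate) and validates the normalized PEM
before it is uploaded. Python 3.9+.
"""
from __future__ import annotations

import base64
import binascii
import re
import sys

# One PEM block: label, base64 body, matching END label. Requires LF endings,
# so a PEM that still carries CR bytes will not match at all.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----\n?", re.S)

# Constructed sample with Windows (CRLF) line endings; the body is valid
# base64 but does not decode to a real X.509 certificate.
SAMPLE_PEM_CRLF = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    b"MIIBszCCAVkCAQEwDQYJKoZIhvcNAQELBQAw\r\n"
    b"-----END CERTIFICATE-----\r\n"
)


def has_carriage_return(pem: bytes) -> bool:
    """True if any CR byte (0x0D) is present, whether as CRLF or bare CR."""
    return b"\r" in pem


def normalize_line_endings(pem: bytes) -> bytes:
    """Rewrite CRLF and bare CR to LF and leave exactly one trailing newline."""
    fixed = pem.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return fixed.rstrip(b"\n") + b"\n"


def pem_blocks_valid(pem: bytes) -> bool:
    """Every block must have matching BEGIN/END labels and a base64 body;
    any non-whitespace bytes outside a block cause rejection."""
    pos = 0
    found = 0
    for match in PEM_BLOCK.finditer(pem):
        if pem[pos:match.start()].strip():
            return False  # stray bytes between blocks
        body = b"".join(match.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return False
        found += 1
        pos = match.end()
    return found > 0 and not pem[pos:].strip()


def check_and_fix(pem: bytes) -> tuple[bytes, list[str]]:
    """Return (normalized PEM, findings). An empty findings list means the
    input was already safe to upload as-is."""
    findings: list[str] = []
    if has_carriage_return(pem):
        findings.append("carriage return (0x0D) found; line endings normalized to LF")
    fixed = normalize_line_endings(pem)
    if not pem_blocks_valid(fixed):
        findings.append("PEM body is not valid base64 or BEGIN/END labels are malformed")
    return fixed, findings


if __name__ == "__main__":
    # Usage: python pem_cr_check.py [cert.pem]  (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM_CRLF
    fixed_pem, notes = check_and_fix(data)
    for note in notes:
        print("WARNING:", note)
    sys.stdout.buffer.write(fixed_pem)
```

Run it against the certificate you intend to import; if it reports a carriage return, import the normalized output it writes to stdout instead of the original file.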
- Issues 2665452 and 2694784 - NSX Intelligence visualization is slow to load in the UI or recommendation jobs fail under heavy load when Guest Introspection is in use.
When specifying a time range that is greater than one hour, the Groups view in the Plan & Troubleshoot > Discover & Take Action user interface is very slow to load in the visualization canvas or recommendation jobs fail. In addition, the /var/log/druid/sv/overlord-service.log file shows Druid compaction job failures for context tables. The issue is due to Druid segments growing faster than expected because compaction or rollup is not occurring properly.
Workaround: See VMware Knowledge Base article 81370 for more details and workaround.
- Issue 2685222: The web browser with an unsupported non-English locale setting crashes after an attempt to access the Plan and Troubleshoot > Recommendations page is made.
If your web browser is set to use an unsupported non-English locale, for example nl-NL, and you try to access the Plan and Troubleshoot > Recommendations page, the web browser crashes. An error message is displayed, similar to the following.
InvalidPipeArgument: 'Missing locale data for the locale "nl-NL".' for pipe 't'
Workaround: Change your web browser's locale setting to English or any of the currently supported locales. The supported locales are German (de-DE), English (en-US), Spanish (es-ES), French (fr-FR), Japanese (ja-JP), Korean (ko-KR), Simplified Chinese (zh-CN), and Traditional Chinese (zh-TW). For example, go to the following URL for information on how to change the locale used by a Chrome web browser.
- Issue 2682610 - After upgrading to NSX-T Data Center 3.1.x from either NSX-T Data Center 2.5.x or 3.0.x, the context service is not started on the NSX Intelligence appliance.
After you upgrade from NSX-T Data Center 2.5.x or 3.0.x to NSX-T Data Center 3.1.x, the context engine related data is not generated. The context feature is available but is not enabled after the NSX Intelligence appliance upgrade process, because the context feature is tied to the NSX-T Data Center version, which in this case has to be 3.1.x.
Workaround: See VMware Knowledge Base article 81201 for more details and workaround information.
- Issue 2673869: The processing pipeline for NSX Intelligence can become slow, which results in no traffic flow information being displayed on the visualization canvas for the 1-hour time period.
In the NSX Intelligence visualization canvas, no traffic flow information is displayed when the 1-hour time period is selected, even though network traffic flows are reported from the hosts. When you use the following command to check the Kafka consumer lag, the lag value is large and keeps increasing over time.
# /opt/kafka_2.12-2.6.0/bin/kafka-consumer-groups.sh --bootstrap-server 127.0.0.1:9092 --command-config /opt/kafka_2.12-2.6.0/config/kafka_adminclient.props --group raw_flow_group --describe
Workaround: See VMware Knowledge Base article 81979 for more details and workaround.
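Issue 2673869 above is diagnosed by watching whether the raw_flow_group consumer lag keeps growing, which is tedious to do by eye across several runs of kafka-consumer-groups.sh. The following added example (not VMware code, and not part of the original release notes) parses the tabular output of the describe command shown above, sums the LAG column per consumer group, and reports whether the total grew at every successive sample. The three sample outputs embedded below are constructed to illustrate a falling-behind pipeline; the kafka-consumer-groups.sh invocation reuses the path and arguments from the release notes and is only executed when the script is run with --live on the appliance.

```python
"""Track Kafka consumer lag for the NSX Intelligence raw_flow_group.

Added example, not VMware code. parse_describe() reads the table printed by
kafka-consumer-groups.sh --describe (columns GROUP TOPIC PARTITION
CURRENT-OFFSET LOG-END-OFFSET LAG CONSUMER-ID HOST CLIENT-ID); partitions
with an unknown lag ("-") are skipped. Python 3.9+.
"""
from __future__ import annotations

import subprocess
import sys
import time

KAFKA_HOME = "/opt/kafka_2.12-2.6.0"  # path taken from the command in the release notes

# Constructed sample outputs, a few minutes apart. Partition 2 in the first
# sample has no assigned consumer, so Kafka prints "-" for its lag.
SAMPLES = [
    """GROUP           TOPIC     PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG     CONSUMER-ID  HOST        CLIENT-ID
raw_flow_group  raw_flow  0          1052344         1310224         257880  consumer-1   /127.0.0.1  consumer-1
raw_flow_group  raw_flow  1          1050011         1301500         251489  consumer-1   /127.0.0.1  consumer-1
raw_flow_group  raw_flow  2          -               990000          -       -            -           -
""",
    """GROUP           TOPIC     PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG     CONSUMER-ID  HOST        CLIENT-ID
raw_flow_group  raw_flow  0          1060102         1402318         342216  consumer-1   /127.0.0.1  consumer-1
raw_flow_group  raw_flow  1          1058760         1394003         335243  consumer-1   /127.0.0.1  consumer-1
""",
    """GROUP           TOPIC     PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG     CONSUMER-ID  HOST        CLIENT-ID
raw_flow_group  raw_flow  0          1068455         1498456         430001  consumer-1   /127.0.0.1  consumer-1
raw_flow_group  raw_flow  1          1067230         1489338         422108  consumer-1   /127.0.0.1  consumer-1
""",
]


def run_describe(group: str = "raw_flow_group") -> str:
    """Run the exact describe command from the release notes and return its stdout."""
    cmd = [
        f"{KAFKA_HOME}/bin/kafka-consumer-groups.sh",
        "--bootstrap-server", "127.0.0.1:9092",
        "--command-config", f"{KAFKA_HOME}/config/kafka_adminclient.props",
        "--group", group, "--describe",
    ]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_describe(output: str) -> dict[tuple[str, str, int], int]:
    """Map (group, topic, partition) -> lag. Column positions are taken from
    the header line, so extra leading notes or warnings are ignored."""
    rows: dict[tuple[str, str, int], int] = {}
    header: dict[str, int] | None = None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "GROUP":
            header = {name: i for i, name in enumerate(fields)}
            continue
        if header is None or len(fields) < len(header):
            continue  # text before the table, or a malformed line
        lag = fields[header["LAG"]]
        if lag == "-":
            continue  # no consumer assigned; lag unknown
        key = (fields[header["GROUP"]], fields[header["TOPIC"]], int(fields[header["PARTITION"]]))
        rows[key] = int(lag)
    return rows


def total_lag(rows: dict[tuple[str, str, int], int]) -> int:
    """Total messages not yet consumed across all parsed partitions."""
    return sum(rows.values())


def falling_behind(totals: list[int], min_samples: int = 3) -> bool:
    """True when total lag increased at every successive sample, which is the
    growing-lag pattern described for issue 2673869."""
    if len(totals) < min_samples:
        return False
    return all(later > earlier for earlier, later in zip(totals, totals[1:]))


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Sample the real consumer group three times, 60 s apart, on the appliance.
        outputs = []
        for _ in range(3):
            outputs.append(run_describe())
            time.sleep(60)
    else:
        outputs = SAMPLES
    lag_totals = [total_lag(parse_describe(o)) for o in outputs]
    print("total lag per sample:", lag_totals)
    print("pipeline falling behind:", falling_behind(lag_totals))
```

A steadily growing total is the signal to follow the KB article referenced above; a large but stable or shrinking lag indicates the pipeline is catching up after a burst rather than the slowdown described in this issue.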