To get started using the VMware NSX® Intelligence™ feature, you must activate it and then familiarize yourself with the NSX Intelligence user interface.


Beginning with version 3.2, NSX Intelligence has transitioned from being a VM-based appliance to a modern application that is hosted on the VMware NSX® Application Platform, a platform based on a microservices architecture.

The NSX Intelligence feature provides a visualization of the security posture of your on-premises VMware NSX-T Data Center™ environment. The visualization uses the network traffic flows aggregated within the time period that you specified.

The NSX Intelligence feature also assists you with micro-segmentation planning by making firewall rule recommendations that use network traffic analytics with enforcement on security policies.

Additionally, the NSX Suspicious Traffic feature and the VMware NSX® Network Detection and Response™ feature are available for you to use beginning with the NSX Intelligence 3.2 release. These two features use network traffic analytics to detect suspicious network traffic activities that are occurring in your NSX-T Data Center 3.2 or later environment. You must have a valid license equivalent to NSX Firewall with Advanced Threat Prevention Edition to use these features.


Before you can use the available NSX Intelligence functionalities, you must activate the NSX Intelligence feature on the NSX Application Platform. You also need to configure from which hosts or clusters of hosts the NSX Intelligence feature should be collecting the network traffic data. By default, the NSX Intelligence feature collects network traffic data from all known hosts and clusters of hosts in your NSX-T Data Center environment. See Activating and Upgrading VMware NSX Intelligence for more information.

Start Using the NSX Intelligence Feature

After you activate and configure the NSX Intelligence feature, the visualization, recommendation, and suspicious traffic functionalities become available in the NSX Manager UI.

  • To see the visualized NSX-T entities and traffic flows that occurred between them, click Plan & Troubleshoot > Discover & Take Action. See Understanding NSX Intelligence Views and Flows.

  • To obtain distributed firewall rule recommendations for micro-segmentation planning, use the Plan & Troubleshoot > Recommendations. See Working with NSX Intelligence Recommendations.

  • To use the NSX Suspicious Traffic feature to detect suspicious traffic events, click Security > Suspicious Traffic. If the NSX Network Detection and Response feature is activated, detected suspicious events are flagged and sent to the VMware NSX® Advanced Threat Prevention cloud service. If detection events are found to be related, they are correlated into a campaign, which you can investigate further using the NSX Network Detection and Response user interface. See Detecting Suspicious Network Traffic in NSX-T Data Center for details.