The microsegmentation recommendations that the NSX Intelligence feature generates include security policies, policy security groups, and services for applications.

Feature overview

The NSX Intelligence recommendations are based on the network traffic flow patterns that occurred between the compute members of a selected policy group, VMs, or physical servers. By correlating the traffic patterns observed within your NSX environment, the recommendations can help you enforce a more dynamic security policy.

  • The security policy recommendations are East-West distributed firewall (DFW) security policies in the application category.

  • The security group recommendations consist of the VMs or physical servers whose traffic flows were analyzed for the time period and the boundary you specified.

  • The service recommendations are service objects that were used by applications in the VMs or physical servers that you specified, but that are not yet defined in the NSX inventory.

Workflow for generating a recommendation

The following describes, at a high level, how a microsegmentation recommendation is generated by NSX Intelligence.

  1. While logged in with the required privileges to an NSX Manager, initiate the new recommendation analysis.

    There are multiple ways to request the NSX Intelligence recommendations, but the most straightforward way is to click the Plan & Troubleshoot > Recommendations tab and click Start New Recommendation.

  2. Provide the minimum required information to generate a new NSX Intelligence DFW recommendation.

    • Any compute entities (groups, VMs, or physical servers) in your NSX environment to use as input. If the groups that you select are associated with existing L4 or L7 DFW sections, you also specify whether to use one or more of the existing DFW sections for the recommendation analysis or have the system create a new DFW section. The system can recommend updates to rules in existing DFW sections and give better protection in vulnerable areas for ingress, egress, or intra-application traffic flows between the workloads.

    • The time range in which the network traffic flows are to be analyzed for the provided compute entities or existing security policy rules. You can modify the default time range of Last 1 Month.

  3. (Optional) Modify the default values used in the Advanced Options section.

    See Generate a New NSX Intelligence Recommendation for details.

  4. Click Start Discovery.

  5. Once the recommendation analysis job status becomes Ready to Publish, review the generated DFW recommendation and publish it.

    After the recommendation analysis is finished, you can view the details of the recommendation and, if necessary, modify the recommendation before publishing it. See Review and Publish Generated NSX Intelligence Recommendations for details.

  6. (Optional) Export a generated NSX Intelligence recommendation into a JSON-formatted file or a CSV-formatted file.

    If necessary, modify that JSON file using an external REST API tool before submitting it to NSX Policy Manager for processing. For more information, see Export an NSX Intelligence Recommendation as a JSON File and Export an NSX Intelligence Recommendation as a CSV File.
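As a review aid for steps 5 and 6, the following added example (not VMware's code) scans an exported recommendation for ALLOW rules that still use ANY as source, destination, or service, which are the rules most worth tightening before publishing. The export layout is not shown on this page, so the sample is constructed and assumes rule objects with the NSX Policy API field names `display_name`, `action`, `source_groups`, `destination_groups`, and `services`; `iter_rules` and `broad_allow_rules` are hypothetical helper names.

```python
import json

# Constructed sample, NOT a real export. Assumption: rules carry the NSX
# Policy API Rule fields (display_name, action, source_groups, ...).
SAMPLE_EXPORT = json.loads("""
{
  "resource_type": "SecurityPolicy",
  "display_name": "rec-policy-web (constructed)",
  "rules": [
    {"display_name": "web-to-app", "action": "ALLOW",
     "source_groups": ["/infra/domains/default/groups/web"],
     "destination_groups": ["/infra/domains/default/groups/app"],
     "services": ["/infra/services/HTTPS"]},
    {"display_name": "app-to-any", "action": "ALLOW",
     "source_groups": ["/infra/domains/default/groups/app"],
     "destination_groups": ["ANY"],
     "services": ["ANY"]},
    {"display_name": "default-drop", "action": "DROP",
     "source_groups": ["ANY"], "destination_groups": ["ANY"], "services": ["ANY"]}
  ]
}
""")

RULE_FIELDS = ("source_groups", "destination_groups", "services")

def iter_rules(node):
    """Yield every dict that looks like a rule, at any nesting depth."""
    if isinstance(node, dict):
        if "action" in node and any(f in node for f in RULE_FIELDS):
            yield node
        for value in node.values():
            yield from iter_rules(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_rules(item)

def broad_allow_rules(export):
    """Return (rule name, wildcard fields) for each ALLOW rule that uses ANY."""
    findings = []
    for rule in iter_rules(export):
        if str(rule.get("action", "")).upper() != "ALLOW":
            continue  # DROP/REJECT rules with ANY are expected catch-alls
        wide = [f for f in RULE_FIELDS if "ANY" in (rule.get(f) or [])]
        if wide:
            findings.append((rule.get("display_name", "<unnamed>"), wide))
    return findings

if __name__ == "__main__":
    for name, fields in broad_allow_rules(SAMPLE_EXPORT):
        print(f"review before publishing: {name} uses ANY in {', '.join(fields)}")
```

Because the walk is depth-independent, the same check works if the rules sit inside wrapper objects in the exported file.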

See the following information on how NSX Intelligence generates recommendations.