NSX Network Detection and Response service receives the network traffic data sent from the distributed firewall on the standalone hosts and clusters of hosts. If necessary, you can optionally stop data collection from a standalone host or cluster of hosts. Network data from these hosts or clusters will no longer be processed to detect the suspicious network traffic events.
Prerequisites
- To manage the data collection settings, you must have the Enterprise Admin role.
- The NSX Network Detection and Response feature must be activated on the NSX Application Platform.
Procedure
- From your browser, log in with Enterprise Administrator privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
- On the NSX Manager user interface, select .
- To configure data ingestion or data retention on all standalone hosts and cluster of hosts, perform one of the following steps.
-
-
Pause flow ingestion until storage is available
-
Temporarily suspends the flow of data ingestion when analytics and data storage disk is nearing the maximum capacity. When the disk usage exceeds a threshold, the flow of data ingestion is paused across all clusters and standalone hosts.
The threshold is determined by the daily average usage, which is calculated by the current disk usage divided by the number of days of data in storage. The predicted usage is based on the existing usage. When the predicted usage drops below the threshold, the flow of data ingestion is resumed.
There are two ways to resume the flow of data ingestion.
- Scale-out to increase the data storage disk volume and the threshold.
- Select the Reduce flow data retention dynamically option to reduce the data retention period and the data size.
See the Scale Out the NSX Application Platform topic in the Deploying and Managing the VMware NSX Application Platform guide.
-
-
Reduce flow data retention dynamically
-
Reducing flow data retention decreases the number of days the data is stored in the database. This option prunes old data and saves storage space. The data retention is calculated based on two key factors: the size of the data and the average amount of data received per day.
To illustrate, here are some data retention scenarios:
- Scenario 1: If initial data retention is configured for 30 days, and by day 15, the disk is full. The data retention is set to 15 days.
- Scenario 2: If initial data retention is configured for 30 and very little data is received for the first 14 days. Then, on day 15, there is a data influx, causing the disk to become full. The data retention is reduced to 15 days.
- Scenario 3: If initial data retention is configured for 30 days, the disk is full on day two. The data retention is reduced to two days.
You can view the data retention period and number of existing flows.
- Select and scroll to the Druid Average Retention Days.
- Select and scroll to the Total Flows and Unique Flows.
- To manage traffic data collection for one or more hosts, perform one of the following steps.
- To stop traffic data collection, select the host or hosts in the Standalone Host section, click Deactivate, and click Confirm when prompted if you are sure.
- To start traffic data collection, select the host or hosts, click Activate, and click Confirm when prompted if you are sure.
The system updates the Collection Status value for each affected host to Deactivated or Activated, depending on the data collection mode you had set.
- To manage traffic data collection for one or more clusters of hosts, perform one of the following steps.
- To stop data collection for one or more clusters, select the cluster or clusters in the Cluster section, click Deactivate, and click Confirm when prompted if you are sure.
- To start traffic data collection, select the cluster or clusters, click Activate, and click Confirm when prompted if you are sure.
Results
The system updates the Collection Status value for each affected cluster to Deactivated or Activated, depending on the data collection mode you had set.