If a compute entity has had traffic flows within the past 30 days, Security Intelligence attempts to classify that compute entity as either providing network infrastructure service or not. These infrastructure services include DNS, DHCP, LDAP, and Active Directory.

Purpose

By identifying the compute entities that provide network infrastructure services in your network, Security Intelligence can help you decide whether those compute entities should be included in the traffic flow visualization or included in the DFW policy recommendation analysis that you initiate.

Note:

This feature is available only with a valid NSX Advanced Threat Prevention license or an equivalent license.

How it works

After you activate Security Intelligence 4.0.1 or later, each VM or physical server that is part of your network inventory is identified and listed in the [Classifications] table of the [Plan & Troubleshoot] > [Preferences] page.

At 2:00 AM your local time, a Security Intelligence cron job runs automatically in the background, and again every 24 hours thereafter. If there are at least 30 days of correlated traffic flows and at least 5000 unique traffic flows have been identified, the cron job attempts to make inferences about the compute entities in your network. The cron job flags each compute entity that might be providing a network infrastructure service, based on the traffic flows that the compute entity was involved in during the past 30 days. To make the inferred infrastructure classifications, the Security Intelligence cron job uses a proprietary machine-learning algorithm.

After Security Intelligence makes the classification inferences, it stores the information and updates the [Classifications] table. Each classification is in a Not reviewed state until you accept or modify the inferred classification. To accept the classification, click [Accept]. To change the classification, click [Modify].
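To make the gating and the 30-day window described above concrete, here is an added example (not NSX code; the page says the real classifier is a proprietary machine-learning algorithm). It assumes a simple port and fan-in heuristic of our own, a constructed flow sample, and the field names `ts`, `src`, `sport`, `dst`, `dport`, `proto`, so that you can sanity-check an inferred classification before clicking [Accept].

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Server ports for the services the page names (our assumption, not NSX's).
INFRA_PORTS = {53: "DNS", 67: "DHCP", 389: "LDAP", 636: "LDAP",
               88: "Active Directory", 464: "Active Directory"}
MIN_DAYS = 30            # days of correlated flows the job needs (from the page)
MIN_UNIQUE_FLOWS = 5000  # unique flows the job needs (from the page)
MIN_CLIENTS = 20         # assumption: distinct clients before we call it a service
NOW = datetime(2024, 6, 1, 2, 0)  # constructed "2:00 AM" job start time

def job_may_run(flows, now):
    """Gate exactly as the page describes: >= 30 days of flows and >= 5000 unique flows."""
    if not flows:
        return False
    oldest = min(f["ts"] for f in flows)
    unique = {(f["src"], f["sport"], f["dst"], f["dport"], f["proto"]) for f in flows}
    return now - oldest >= timedelta(days=MIN_DAYS) and len(unique) >= MIN_UNIQUE_FLOWS

def classify(flows, now):
    """Map each entity seen in the last 30 days to (classification, [services])."""
    window_start = now - timedelta(days=MIN_DAYS)
    clients = defaultdict(lambda: defaultdict(set))  # dst -> service -> {src}
    entities = set()
    for f in flows:
        if f["ts"] < window_start:
            continue  # outside the 30-day window the page says the job looks at
        entities.update((f["src"], f["dst"]))
        svc = INFRA_PORTS.get(f["dport"])
        if svc:
            clients[f["dst"]][svc].add(f["src"])
    result = {}
    for e in sorted(entities):
        services = sorted(s for s, c in clients[e].items() if len(c) >= MIN_CLIENTS)
        label = "Infrastructure Service" if services else "Others (Non-infrastructure)"
        result[e] = (label, services)
    return result

def constructed_flows(now, days=31):
    """Constructed sample: 200 VMs talk to dns-1 (53), ad-1 (88, 389) and app-1 (443)."""
    flows, sport = [], 49152
    for i in range(200):
        for day in range(0, days, 3):
            ts = now - timedelta(days=day)
            for dst, dport, proto in (("dns-1", 53, "udp"), ("ad-1", 88, "tcp"),
                                      ("ad-1", 389, "tcp"), ("app-1", 443, "tcp")):
                flows.append({"ts": ts, "src": f"vm-{i:03d}", "sport": sport,
                              "dst": dst, "dport": dport, "proto": proto})
                sport += 1
    return flows
```

With only ten days of constructed flows, `job_may_run` returns False, which matches the page's statement that no inference is attempted before 30 days of correlated flows exist.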

The following image shows an example of what the [Classifications] table might look like after the Security Intelligence infrastructure classifier job has run.

Image of the Classifications table in the Plan & Troubleshoot > Configurations UI page.

The following information is listed for each network inventory item, including the compute entity name, the ID assigned to it, and the compute entity type.

  • The [Name] column lists the compute entity name and its corresponding icon. To indicate that the system-inferred infrastructure classification needs your review, an orange-hued circular badge appears in the upper-right section of the compute entity icon displayed in the [Name] column. For example, both the infrastructure icon and the non-infrastructure (VM) icon are displayed with the orange-hued review badge.

  • The [ID] column lists the ID number assigned to the VM or physical server.
  • The [Workload Classification] column can have one of the following values.
    ◦ Classification Pending: The initial classification value assigned to each compute entity until you manually assign a classification or the Security Intelligence classification job makes an inferred classification.
    ◦ Infrastructure Service: The compute entity provides infrastructure services, such as DNS, DHCP, LDAP, and Active Directory. The value can be set by the system based on the inference classification cron job, or it can be set manually.
    ◦ Others (Non-infrastructure): The compute entity does not provide any infrastructure service. The value can be set by the system based on the inference classification cron job, or it can be set manually.
  • The [Last Classified By] column initially has the Unknown value. The value changes to System after the initial classification inference is completed. When you manually classify a compute entity, the value for the column is set to User.

  • The [Last Updated at] column indicates when the displayed classification was made manually or by the system.
  • The [Type] column can be either Virtual Machine or Physical Server.
  • The [Review Status] column initially has the Not applicable status. It can have one of the following statuses.
    ◦ Not applicable: The information displayed for the compute entity is based on the initial inventory identification that Security Intelligence performed. You can manually classify each compute entity that is listed in the table by clicking [Modify] and selecting the classification.
    ◦ Not reviewed: The Security Intelligence infrastructure classifier job has inferred a classification for the compute entity based on the traffic activity that occurred within the past 30 days. The system-inferred classification is listed in the [Workload Classification] column. Click [Accept] if the classification is correct, or click [Modify] to change the inferred classification.
    ◦ User Modified: This status is displayed after you click [Accept] to accept the system-inferred classification or [Modify] to manually select the classification.

Reviewing the classification

Review the classifications inferred by the Security Intelligence infrastructure classification cron job, and use the UI to accept or modify each inferred infrastructure classification. You can review the classifications using one of the following methods.

  • Click [Plan & Troubleshoot] > [Preferences]. Review the items in the table and click [Accept] or [Modify].

  • In the [Start New Recommendation] dialog box, if you toggled [Exclude Infrastructure Workloads] to [Activated], you can click [View all infrastructure workloads here] and use the [Infrastructure Service Workloads] dialog box to accept or modify the classifications.

  • In the Computes view of [Plan & Troubleshoot] > [Discover & Take Action], right-click a compute entity node, and select [<compute entity>] [Information] from the drop-down menu. In the [Information] dialog box for the VM or physical server, locate the [Workload Type] property. Next to the Classification Pending status, click [Accept] or [Modify].

  • In [Plan & Troubleshoot] > [Discover & Take Action], click the settings gear icon in the upper-right section of the UI. In the [NSX Intelligence Related Settings] dialog box, click [Plan & Troubleshoot] > [Preferences].

When you accept the infrastructure classification, Security Intelligence displays an infrastructure entity node for that compute entity in the visualization graph. You can also choose to exclude the infrastructure entity from the recommendation analysis when you are defining the new recommendation boundary in the [Start New Recommendation] dialog box.

See Administer the Infrastructure Classifications in Security Intelligence for details.

Filtering the list of classifications

You can filter which compute entities are displayed in the [Classifications] table. Click [Filter] and select one or more of the following criteria from the drop-down menu.

  • Name: [Physical Server Name] or [VM Name]

  • ID: [Physical Server ID] or [VM ID]

  • Basic Filters: [Classification], [Last Classified By], [Review Status], or [Type].

Sort the list of classified entities

To sort the list of entities in the [Classifications] table, click [Sort By], select [Last Updated at], and then select [Ascending] or [Descending].