If a compute entity has had traffic flows within the past 30 days, Security Intelligence attempts to classify that compute entity as either providing network infrastructure service or not. These infrastructure services include DNS, DHCP, LDAP, and Active Directory.
Purpose
By identifying the compute entities that provide network infrastructure services in your network, Security Intelligence can help you decide whether those compute entities should be included in the traffic flow visualization or included in the DFW policy recommendation analysis that you initiate.
This feature is available only with a valid NSX Advanced Threat Prevention license or an equivalent license.
How it works
After you activate Security Intelligence 4.0.1 or later, each VM or physical server that is part of your network inventory is identified and listed in the Classifications table.
A Security Intelligence cron job runs automatically in the background at 2:00 AM your local time and again every 24 hours thereafter. If at least 30 days of correlated traffic flows are available and at least 5000 unique traffic flows have been identified, the cron job attempts to infer classifications for the compute entities in your network. Using a proprietary machine-learning algorithm, it flags each compute entity that might be network infrastructure based on the traffic flows that the compute entity was involved in during the past 30 days. Compute entities that had no traffic flows in that window are not classified by the job and keep the Classification Pending value.
After Security Intelligence makes the classification inferences, it stores them and updates the Classifications table. Each inferred classification remains in the Not reviewed state until you accept or modify it: click Accept to accept the classification, or click Modify to change it.
The following image shows an example of what the Classifications table might look like after the Security Intelligence infrastructure classifier job has run.
For each network inventory item, the table lists the following information, including the compute entity name, the ID assigned to it, and the compute entity type.
- The Name column lists the compute entity name and its corresponding icon. Infrastructure and non-infrastructure compute entities have different icons. To indicate that a system-inferred infrastructure classification needs your review, an orange-hued circular badge appears in the upper-right section of the compute entity icon displayed in the Name column.
- The ID column lists the ID number assigned to the VM or physical server.
- The Workload Classification column can have one of the following values.
  - Classification Pending: The initial value assigned to each compute entity until you manually assign a classification or the Security Intelligence classification job makes an inferred classification.
  - Infrastructure Service: The compute entity provides infrastructure services, such as DNS, DHCP, LDAP, and Active Directory. The value can be set by the system based on the inference classification cron job, or it can be set manually.
  - Others (Non-infrastructure): The compute entity does not provide any infrastructure service. The value can be set by the system based on the inference classification cron job, or it can be set manually.
- The Last Classified By column initially has the Unknown value. The value changes to System after the initial classification inference completes. When you manually classify a compute entity, the value is set to User.
- The Last Updated at column indicates when the displayed classification was made, manually or by the system.
- The Type column can be either Virtual Machine or Physical Server.
- The Review Status column initially has the Not applicable status. It can have one of the following statuses.
  - Not applicable: The information displayed for the compute entity is based on the initial inventory identification that Security Intelligence performed. You can manually classify each compute entity listed in the table by clicking Modify and selecting the classification.
  - Not reviewed: The Security Intelligence infrastructure classifier job has inferred a classification for the compute entity based on the traffic activity that occurred within the past 30 days. The system-inferred classification is listed in the Workload Classification column. Click Accept if the classification is correct, or click Modify to change the inferred classification.
  - User Modified: Displayed after you click Accept to accept the system-inferred classification, or Modify to manually select the classification.
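The gating rules, the inference pass, and the column values described above, as an added example that is not part of the VMware documentation or of the Security Intelligence product code. The real classifier is a proprietary machine-learning model; this Python model substitutes a port-based heuristic (the INFRA_PORTS map is an assumption) and runs over constructed sample flows. It shows the 30-day and 5000-unique-flow gate, which compute entities are left at Classification Pending, and how Accept and Modify move the Last Classified By and Review Status columns.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds and look-back window stated in the documentation.
MIN_DAYS = 30
MIN_UNIQUE_FLOWS = 5000
WINDOW = timedelta(days=30)

# Assumption: the product uses a proprietary ML model. This port-to-service map
# is a stand-in so the example can run offline on constructed flows.
INFRA_PORTS = {53: "DNS", 67: "DHCP", 88: "Kerberos (AD)", 389: "LDAP", 636: "LDAPS"}

# Workload Classification column values.
PENDING = "Classification Pending"
INFRA = "Infrastructure Service"
NON_INFRA = "Others (Non-infrastructure)"


@dataclass
class Flow:
    ts: datetime
    src: str        # compute entity ID on the client side
    dst: str        # compute entity ID on the server side
    src_port: int
    dst_port: int
    proto: str


@dataclass
class Classification:
    """One row of the Classifications table, in its initial state."""
    workload: str = PENDING
    last_classified_by: str = "Unknown"
    review_status: str = "Not applicable"
    last_updated: Optional[datetime] = None


def eligible(flows: List[Flow], now: datetime) -> bool:
    """Gate for the cron job: at least 30 days of flows and at least 5000 unique flows."""
    if not flows:
        return False
    span = now - min(f.ts for f in flows)
    unique = {(f.src, f.dst, f.src_port, f.dst_port, f.proto) for f in flows}
    return span >= timedelta(days=MIN_DAYS) and len(unique) >= MIN_UNIQUE_FLOWS


def infer(inventory: List[str], flows: List[Flow], now: datetime) -> Dict[str, Classification]:
    """One run of the classifier job. Entities with no flows in the window stay Pending."""
    table = {entity: Classification() for entity in inventory}
    if not eligible(flows, now):
        return table                      # gate not met: the job infers nothing
    since = now - WINDOW
    seen = set()                          # entities with any flow inside the window
    served = defaultdict(set)             # server entity -> infrastructure services it answered
    for f in flows:
        if f.ts < since:
            continue
        seen.update((f.src, f.dst))
        if f.dst_port in INFRA_PORTS:
            served[f.dst].add(INFRA_PORTS[f.dst_port])
    for entity in inventory:
        if entity not in seen:
            continue
        c = table[entity]
        c.workload = INFRA if served.get(entity) else NON_INFRA
        c.last_classified_by = "System"
        c.review_status = "Not reviewed"
        c.last_updated = now
    return table


def review(c: Classification, now: datetime, new_value: Optional[str] = None) -> Classification:
    """Accept (new_value=None) or Modify (new_value given). Both end in User Modified."""
    if new_value is not None:
        if new_value not in (INFRA, NON_INFRA):
            raise ValueError(f"not a selectable classification: {new_value!r}")
        c.workload = new_value
    c.last_classified_by = "User"
    c.review_status = "User Modified"
    c.last_updated = now
    return c


def build_sample_flows(now: datetime, days: int = 45, count: int = 6000) -> List[Flow]:
    """Constructed sample traffic (not real telemetry): 150 client VMs and five server endpoints."""
    endpoints = [("dns-01", 53, "udp"), ("ad-01", 389, "tcp"), ("ad-01", 88, "tcp"),
                 ("web-01", 443, "tcp"), ("app-01", 8443, "tcp")]
    flows = []
    for i in range(count):
        dst, port, proto = endpoints[i % len(endpoints)]
        flows.append(Flow(ts=now - timedelta(days=i % days, seconds=i),
                          src=f"vm-{i % 150:03d}", dst=dst,
                          src_port=20000 + i, dst_port=port, proto=proto))
    return flows


# "idle-01" never appears in a flow, so the job must leave it at Classification Pending.
SAMPLE_INVENTORY = ["dns-01", "ad-01", "web-01", "app-01", "idle-01"] + [f"vm-{i:03d}" for i in range(150)]


if __name__ == "__main__":
    now = datetime(2024, 1, 31, 2, 0)     # the 2:00 AM job run
    table = infer(SAMPLE_INVENTORY, build_sample_flows(now), now)
    for name in ("dns-01", "ad-01", "web-01", "idle-01", "vm-000"):
        c = table[name]
        print(f"{name:8} {c.workload:30} {c.last_classified_by:8} {c.review_status}")
    review(table["dns-01"], now)                  # Accept
    review(table["app-01"], now, new_value=INFRA) # Modify
```

Running the script prints dns-01 and ad-01 as Infrastructure Service, web-01 and the client VMs as Others (Non-infrastructure), and idle-01 still at Classification Pending with Last Classified By Unknown. Trimming the sample to fewer than 30 days of flows leaves every row at Classification Pending, because the gate in eligible() is not met.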
Reviewing the classification
Review the classifications inferred by the Security Intelligence infrastructure classification cron job and use the UI to accept or modify each one. Because the inference is based only on the traffic flows a compute entity was involved in, any compute entity that answered DNS, DHCP, LDAP, or Active Directory requests during the window can be flagged as infrastructure, so check each inferred classification against your inventory before you accept it. You can review the classifications using one of the following methods.
- In the Classifications table, review the items and click Accept or Modify.
- In the Start New Recommendation dialog box, if you toggled Exclude Infrastructure Workloads to Activated, click View all infrastructure workloads here and use the Infrastructure Service Workloads dialog box to accept or modify the classifications.
- In the Computes view of the traffic flow visualization, right-click a compute entity node and select "<compute entity>" Information from the drop-down menu. In the Information dialog box for the VM or physical server, locate the Workload Type property. Next to the Classification Pending status, click Accept or Modify.
- Click the gear icon in the upper-right section of the UI. In the NSX Intelligence Related Settings dialog box, click Plan & Troubleshoot Preferences.
When you accept the infrastructure classification, Security Intelligence displays an infrastructure entity node for that compute entity in the visualization graph. You can also exclude the infrastructure entity from the recommendation analysis when you define the new recommendation boundary in the Start New Recommendation dialog box.
See Administer the Infrastructure Classifications in Security Intelligence for details.
Filtering the list of classifications
You can filter which compute entities are displayed in the Classifications table. Click Filter and select one or more of the following criteria from the drop-down menu.
Name: Physical Server Name or VM Name
ID: Physical Server ID or VM ID
Basic Filters: Classification, Last Classified By, Review Status, or Type.
Sort the list of classified entities
To sort the list of entities in the Classifications table, click Sort By, select Last Updated at and select Ascending or Descending.