Here are some examples of advanced queries:

Flow queries for communication patterns

  • Total traffic across data centers or sites (DCI link usage)

    sum(bytes) of flows where ( Dst Manager = 'abc' AND src manager = 'cba') OR ( Dst Manager = 'cba' AND src manager = 'abc')

  • Total VTEP traffic

    sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP'

  • VTEP traffic grouped by VMKNIC

    sum(bytes) of flows where Flow Type = 'Src is VTEP' or Flow Type = 'Dst is VTEP' group by ip

  • Other management traffic

    flows where Flow Type = 'Source is VMKNIC' or Flow Type = 'Destination is VMKNIC'

  • Traffic on stretched (extended) L2 networks

    flows where flow type = 'Extended L2 Network' and Destination IP Address = 10.172.13.14

Flow queries for aggregation and grouping

  • Total internet traffic by source VM

    sum(bytes) of flows where Flow Type = 'Internet' group by src vm

  • Top ports by total bytes

    sum(bytes) of flow group by port order by sum(bytes)

  • Top subnet pairs by routed traffic

    sum(bytes) of flow where Flow Type = 'Routed' group by Source Subnet Network, destination subnet network order by sum(bytes)

  • Top VM pairs by total bytes

    sum(bytes) of flows group by src vm , dest vm order by sum(bytes)

  • Top server VM/port combinations by total bytes

    sum(bytes) of flows group by dest vm , port order by sum(bytes)

Flow queries for capacity estimation and sizing

  • Total bytes of all vm-internet/internet-vm traffic, grouped by ESX host (Palo Alto service VM sizing)

    sum(bytes) of flows where flow type = 'internet' and (flow type = ' src is vm ' OR flow type = 'destination is vm ') group by host order by sum(bytes)

  • Aggregated traffic series for matching flows (Palo Alto service VM sizing)

    series( sum(byte rate)) of flows where host = 'ddc1-pod2esx012.dm.democompany.net' and (Flow Type = 'Source is VM' OR flow type = 'Destination is VM')

Useful queries for applications

  • VMs in a given application

    VM where application = 'CRM'

  • Routed flows from a given application

    Flows where source application = CRM and Flow Type = 'Routed'

  • Flows between two tiers (one direction)

    Flows where src tier = 'App' and Destination Tier = 'DB'

  • Flows between two tiers (both directions)

    Flows where ( src tier = 'App' and destination Tier = 'DB') OR (destination tier = 'App' and source tier = 'DB')

Useful queries for VMs and ESX

  • Properties of the VM Prod-Midtier-1 (MAC, IP, host, and so on)

    CPU Usage Rate, Network Rate, Memory Usage Rate, mac address, ip , vxlan , host of vm 'Quality control-VM26'

  • Network segments with the highest VM count

    vm group by l2 network

  • Datastores with the highest VM count

    vm group by datastore

  • Hosts by vSphere version

    host group by version

  • Hosts by vSphere build

    host group by OS

  • All VMs on all hosts/blades plugged into a specific UCS chassis (nested query)

    vm where host in (host where Blade like 'sys/chassis-1')

Useful queries: general capacity

  • Number of data centers

    count of datacenter

  • Number of clusters

    count of cluster

  • Number of hosts

    count of host

  • Number of VMs

    count of vm

  • Number of networks

    count of vlan

Useful queries: routing

  • VNIs by primary controller

    vxlan group by Primary Controller

  • Routes of Provider Edge 3

    routes where vrf = 'Provider Edge 3'

  • Routes of the DMZ DLR

    NextHop Router of routes where VRF = 'LDR-DMZ'

  • Routes that use a given router as the next hop

    routes where NextHop Router = 'California-Edge'

Useful queries: firewall rules

  • Firewall rules between two VMs

    firewall rules from 'Prod-Midtier-1' to 'Prod-Db-1'

  • Rules with ANY as the service

    firewall rules where Service Any = true

  • VMs covered by a given rule

    vm where Firewall Rule = 'Prod MidTier to Prod DB - DBService '

  • Firewall rules that allow any port

    firewall rule where action = allow and service any = true

  • Flows that hit a specific firewall rule

    flows where firewall rule = 'Admin to Prod and Lab - SSH'

  • Denied flows in the system

    flows where firewall action = deny

  • View gateway firewalls

    Firewall Rule where firewall type = 'GatewayFirewall'

  • View distributed firewalls

    Firewall Rule where firewall type = 'Distributed Firewall'

Useful queries: general traffic patterns

  • Count of east-west and north-south flows, switched flows, routed flows, and VM-to-VM flows

    plan security in last 7 days

Useful queries: traffic through the security lens

  • Details of top-talker VMs

    top 7 vm group by name, Vlan order by sum(Total Network Traffic) in last 7 days

  • Networks carrying the most traffic

    top 7 vlan group by Vlan id, vm count order by sum(Total Network Traffic) in last 7 days

  • Networks where most communication stays within the VLAN (does not cross a physical firewall or L3 boundary)

    top 7 flow where Flow Type = 'Switched' group by Subnet Network order by sum(Bytes) in last 7 days

  • Networks where most communication crosses VLANs (may create a bottleneck at the physical firewall)

    top 7 flow where Flow Type = 'Routed' group by Source Subnet Network, Destination Subnet Network order by sum(Bytes) in last 7 days

  • VMs communicating outside the country

    top 7 flow where Destination Country != 'United States' group by Source VM, Destination Country order by sum(Bytes) in last 7 days

  • Datastores with the highest storage latency

    avg(Read Latency), avg(Write Latency) of top 7 vm group by Datastore, vlan order by avg(Write Latency) in last 7 days

Useful queries: compliance/vulnerability

  • Details of VMs running vulnerable operating systems

    vm where Operating System like 'Microsoft Windows Server 2003' or Operating System like 'Microsoft Windows Server 2008' or Operating System like 'Red Hat Enterprise Linux 6' or Operating System like 'Red Hat Enterprise Linux 5' or Operating System like 'SUSE Linux Enterprise 10' group by vlan, Operating System

  • Count of VMs running vulnerable operating systems

    count of vm where Operating System like 'Microsoft Windows Server 2003' or Operating System like 'Microsoft Windows Server 2008' or Operating System like 'Red Hat Enterprise Linux 6' or Operating System like 'Red Hat Enterprise Linux 5' or Operating System like 'SUSE Linux Enterprise 10'

  • Total attack surface caused by legacy operating systems (every VM sharing a VLAN with a vulnerable OS, via a nested query)

    vm where vlan in (vlan of vm where os in ('Microsoft Windows Server 2003', 'Microsoft Windows Server 2008', 'Red Hat Enterprise Linux 6', 'Red Hat Enterprise Linux 5', 'SUSE Linux Enterprise 10')) group by Vlan

    count of vm where vlan in (vlan of vm where os in ('Microsoft Windows Server 2003', 'Microsoft Windows Server 2008', 'Red Hat Enterprise Linux 6', 'Red Hat Enterprise Linux 5', 'SUSE Linux Enterprise 10'))

Note: For the recommended firewall rules for vulnerable operating systems, see Recommended Firewall Rules for Protecting Vulnerable Operating Systems.