Using and Managing VMware NSX Intelligence

Modified on 17 SEP 2020
VMware NSX Intelligence 1.1


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

Using and Managing VMware NSX Intelligence

1 Getting Started with NSX Intelligence
    Tour of the NSX Intelligence Home Page
    Getting Familiar with NSX Intelligence Graphic Elements

2 Understanding Views and Flows
    Working with the Groups View
    Working with the VMs View
    Working with Traffic Flows

3 Working with NSX Intelligence Recommendations
    Understanding NSX Intelligence Recommendations
    Generate a New NSX Intelligence Recommendation
    Rerun a Recommendation
    Review and Publish a Generated Recommendation

4 Operations and Management
    Role-Based Access Control in NSX Intelligence
    Backing Up and Restoring NSX Intelligence
    Configure NSX Intelligence Backups
    Create a Manual NSX Intelligence Backup
    Set Up Recurring NSX Intelligence Backups
    Restore NSX Intelligence Backups
    Collect NSX Intelligence Support Bundles
    Monitoring NSX Intelligence Alarms
    Manage the NSX Intelligence Alarm Definitions
    Manage NSX Intelligence Alarm States
    Searching for NSX Intelligence Entities
    Search for NSX Intelligence Entities

5 Troubleshooting NSX Intelligence Usage Issues
    Check the Status of the NSX Intelligence Appliance
    Degraded Services Exist After a Successful Appliance Deployment
    Inconsistencies in Incremental Topology Reporting


Using and Managing VMware NSX Intelligence

The Using and Managing VMware NSX Intelligence document provides information about using and managing VMware NSX® Intelligence™.

Intended Audience

This information is intended for anyone who has the permission to use and manage NSX Intelligence. The information is provided for experienced system administrators who are familiar with virtual machine technology and data center operations.

Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to https://www.vmware.com/topics/glossary.

Related Documentation

If necessary, refer to the VMware NSX-T™ Data Center documentation at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html when you are using or managing NSX Intelligence. You must use the NSX Manager user interface to install the NSX Intelligence appliance and access NSX Intelligence features.


1 Getting Started with NSX Intelligence

To get started using the VMware NSX® Intelligence™ features, familiarize yourself with the NSX Intelligence user interface after you install the NSX Intelligence appliance.

NSX Intelligence provides a visualization of the security posture of your on-premises VMware NSX-T™ Data Center environment. The visualization is based on the network traffic flows aggregated within a specific time period. NSX Intelligence also assists you with micro-segmentation planning by making recommendations that are based on analytics with enforcement on security policies.

Before you can begin using NSX Intelligence, you must first install and configure the NSX Intelligence appliance. See Installing and Upgrading VMware NSX Intelligence.

After the NSX Intelligence appliance is installed and configured, the NSX Intelligence features are enabled in the Plan & Troubleshoot tab of the NSX Manager user interface (UI). In the Discover & Plan section, you use the Discover & Take Action tab to visualize your NSX-T data center entities and the Recommendations tab to obtain recommendations for micro-segmentation planning.

This chapter includes the following topics:

- Tour of the NSX Intelligence Home Page
- Getting Familiar with NSX Intelligence Graphic Elements

Tour of the NSX Intelligence Home Page

You access the NSX Intelligence home page by clicking Plan & Troubleshoot > Discover & Take Action in the NSX Manager user interface.

After you install and configure NSX Intelligence for the first time, when you click Discover & Take Action, NSX Intelligence begins to render some visualization after some network traffic data has been received from NSX Manager.

By default, when you click Discover & Take Action, you see the visualization of the security posture of all the groups in your on-premises NSX-T Data Center. These groups might have had allowed, blocked, and unprotected traffic flows between their virtual machine (VM) workloads in the last 24 hours. If there are no groups defined yet, there are no groups displayed. If there are VMs, but they do not belong to any group, you see the following icon for the Uncategorized VMs group.


If you already have defined groups and captured traffic data, you might see a visualization similar to the following screenshot. The table that follows describes the numbered sections in the screenshot.

Section Description

1 The Security view selection area is where you select the type of security visualization to display. There are two types of Security views available: Groups and VMs. When you click Discover & Take Action, the default Security view displayed is the Groups view of the group objects in your NSX-T Data Center that had unprotected flow traffic within the last 24 hours.

- To select the VMs view, click the down arrow next to Groups and select VMs.
- To select the specific groups or VMs to include in the view, click the down arrow next to ALL, and select from the list.
- To clear your selection filters, click CLEAR on the top right-side of the page. If you click CLEAR when you are in the VMs view, the selection filters are cleared and you are placed in the Groups view.

See Working with the Groups View and Working with the VMs View for more information on how to work with the two view types.

2 In the Apply Filter area, you can refine the criteria used for the visualization. After you click the Apply Filter label, you can select the criteria to use for the visualization from the drop list. You can filter by object ID, object path, members, tags, flow types, source IP, destination IP, destination port, protocol, IPv4 CIDR notation, service name, rule ID, or rule name. You can specify multiple filters to apply by clicking the Apply Filter label again.


3 With the Flows section, you can select which traffic flow type to include in the visualization for the selected time period. The colors used in the visualization for the flow types are also shown in this section.

- Red-hued dashed line for Unprotected flows
- Blue-hued solid line for Blocked flows
- Green-hued solid line for the Allowed flows

By default, all the traffic flow types are selected for the current NSX Intelligence visualization. See Working with Traffic Flows for more information.

4 The display mode section defines what theme to use for the visualization. Light theme is the default display mode used.

- To use the dark theme mode, click the DARK icon. You can use the Dark theme only when you are viewing the visualization in full screen mode.
- To go into full screen mode, click in the viewing control section.

5 In this section, you select the time period to use to determine which network flow data is used to generate the desired visualization and recommendation. Your selection determines the historical data that is used in the Groups view or VMs view. The time period is relative to the current time and some time period in the past.

The Last 24 Hours is the default time period used. To change the selected time period, click the currently selected time period and select another from the drop list. You can select Last 1 hr, Last 12 hrs, Last 24 hrs, Last 1 week, or Last 1 month.

6 When you click the gear icon, the Private IP Range Settings for NSX Intelligence dialog box is displayed. NSX Intelligence categorizes an IP address belonging to one of the CIDR notations listed in the dialog box as a private IP address. Any IP address that does not belong to any of these CIDR notations is classified as a public IP address. If your VM's IP address does not fall into one of these CIDR notations, consider adding your CIDR notation using this dialog box.

7 This canvas section displays the visualization of the security status of the groups or VMs in your on-premises NSX-T Data Center. It also includes the visualization of the network traffic flows that occurred during the selected time period. In this section, you can point to a specific node or flow arrow to obtain details about that specific entity.

See Getting Familiar with NSX Intelligence Graphic Elements and Chapter 2 Understanding Views and Flows for more information.

8 This section includes the viewing controls to zoom in, zoom out, apply 1:1 aspect ratio, resize-to-fit the view, and go into or out of full-screen viewing mode. You can also use keyboard hotkeys to manage your viewing controls. To display the Keyboard Shortcuts Help window, press Shift+/.

To navigate to a previously viewed visualization, use your Web browser's back button. When you are in full-screen mode, click Back (at the top left of the screen) to perform the same back button navigation.

Getting Familiar with NSX Intelligence Graphic Elements

The NSX Intelligence user interface provides several graphic elements to help with the visualization of the NSX-T Data Center entities, traffic flows, and certain activities in your NSX-T Data Center environment.

The following table lists a glossary of NSX-T Data Center graphic elements that you might see in an NSX Intelligence visualization.


Graphic Element Description

This icon represents a group, which is a collection of VMs where security policies, including East-West firewall rules, can be applied. See Working with the Groups View.

This icon represents a virtual machine (VM) that is part of your NSX-T Data Center. A VM can belong to more than one group. See Working with the VMs View.

This icon represents the public IPs in the Internet. If at least one VM in your NSX-T Data Center environment communicated with a public IP during the selected time period, that traffic flow is included in the current visualization.

This icon represents an IP address, such as a unicast, broadcast, or multicast IP, that participated in the network traffic activities during the selected time period.

This icon is used for the group of VMs that do not belong to a group.

An arrow represents a network traffic flow that occurred between two VMs during a selected time period. There are three different types of arrows.

- dashed red-hued arrow for an unprotected flow
- solid blue-hued arrow for a blocked flow
- solid green-hued arrow for an allowed flow

See Working with Traffic Flows for more information.

A node that has been selected as the current node in focus is surrounded with a dashed circle. It is the pinned node during the selection mode and the current view being displayed.

This icon appears on a group node's border if the group was added in the NSX-T Data Center inventory during the selected time period. If NSX-T Data Center discovered a VM during the selected time period, the icon appears on that VM node's border.


This icon appears on the group node's border if the group was deleted during the selected time period and the VM members were not deleted. On a VM node's border, this icon indicates that the VM was deleted during the selected time period. Although a VM or group has been deleted, it still appears in the current visualization to give a historical view that the VM or group was removed during the selected time period.

This icon appears whenever groups and VMs are shown together, for example, in a deep dive Groups view or in the related VMs of a group.

The icon appears on a VM node's border in the following cases.

- if the VM was moved out of the currently viewed group during the selected time period
- if, at some point during the selected time period, the VM was part of the group you are currently viewing, but it is no longer a member of that same group


2 Understanding Views and Flows

The NSX Intelligence visualization is composed of the groups or VMs and the network traffic flows that occurred with those groups or VMs during the selected time period.

Important: The visualization shown for a specific time period represents all the network traffic flows and workload activities that occurred in your NSX-T Data Center during that time period. These activities include the addition, deletion, or movement of VMs and groups. It is possible that a VM appears more than once in the visualization. For example, if a VM was attached to an ESXi host that was originally unmanaged and the host becomes managed by a VMware vCenter Server™ during the selected time period, the VM appears twice in the VMs view. Similarly, if an ESXi host is disconnected from vCenter Server and added back during the same selected time period, the VMs attached to the host appear as both deleted and new during the selected time period. In Groups view, if a VM was in the Uncategorized group and added to a group during the same selected time period, the VM appears in both the uncategorized group and in its new group.

NSX Intelligence supports groups with VM member types only. If you have groups with any other types of members, the Groups view might show correlated traffic flows between the groups with VM member types instead of actual groups in the security rule.

The visualization graph that is in display is automatically updated as the security posture changes in your NSX-T Data Center. For example, if a new group is added, a new group node is automatically displayed on the visualization canvas without you needing to refresh your web browser.

Use the information in this section to learn more about working with the Groups view, VMs view, and the different traffic flows.

This chapter includes the following topics:

- Working with the Groups View
- Working with the VMs View
- Working with Traffic Flows


Working with the Groups View

The default view that is shown in the NSX Intelligence home page is the Groups view. This Groups view displays all the groups and the traffic flows that occurred in the last 24 hours.

Nodes and Arrows in a Groups View

A node in a Groups view represents NSX objects, such as VMs, IP sets, and so on, in your NSX-T Data Center environment. The following screenshot is a sample of a Groups view.

The following table lists the types of group nodes you might see in the Groups view.

Type of Group Node Icon Description

Regular Group A Regular Group node in NSX Intelligence represents any collection of NSX objects in your NSX-T Data Center environment. For this release, those NSX objects are VMs only and so NSX Intelligence supports Regular Groups with only VM member types. An NSX object can belong to more than one group and so a VM can appear in more than one group node.

Uncategorized Group An Uncategorized Group node represents a collection of VMs that do not belong to any group.


Unknown Group An Unknown Group node represents a set of miscellaneous objects that were not found in your NSX-T Data Center inventory. However, these objects are communicating to one or more NSX objects in your NSX-T Data Center environment.

Public IPs Group A Public IPs Group node represents a collection of public IP addresses (IPv4 or IPv6) that are communicating to NSX objects in your NSX-T Data Center. Any IP address that does not belong to any of the CIDR notations listed in the Private IP Range Settings for NSX Intelligence is classified as a public IP address.

The size of a node in the Groups view is based on the number of NSX objects, such as VMs, that belong to that group. For example, the bigger the group's node, the more VMs belong to that group. The name of the group and the total number of member VMs it has are displayed above the node.

The arrows between the group nodes represent the traffic flows that have occurred between the VMs in those connected group nodes, during the selected time period. A self-referencing arrow on a group node indicates that at least one VM was communicating with another VM within that same group. See Working with Traffic Flows for more information.

The color of the node's border indicates the types of traffic flows that have occurred with the VMs belonging to that group.

Group Node Type Description

A node with a red-hued border indicates that at least one unprotected flow occurred with a VM in the group, regardless of how many blocked or allowed flows were detected during the selected time period.

A blue-hued border on a node means that no unprotected traffic flows were detected, but at least one blocked flow was detected, regardless of how many allowed flows were detected during the selected time period.

A node with a green-hued border indicates that there were no unprotected or blocked flows detected during the selected time period, and at least one allowed flow was detected.

A node with a gray-hued border means that there were no traffic flows detected for the VMs belonging to that group during the selected time period.
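The border-color precedence in the table above, together with the private/public IP rule from the Private IP Range Settings, can be expressed as a small offline model. The following Python is an added example, not VMware code or an NSX API: the inventory, flow records, and names are constructed, and the CIDR list (RFC 1918 plus IPv6 unique-local) and the placement of private addresses missing from inventory in the Unknown group are assumptions, since this page does not list the dialog's contents.

```python
"""Offline model of two rules from this page, run on constructed data."""
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 plus IPv6 unique-local ranges stand in for the list in
# the Private IP Range Settings dialog, which this page does not enumerate.
PRIVATE_RANGES = [ip_network(cidr) for cidr in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Border precedence from the table above: the first flow type present wins.
BORDER_PRECEDENCE = (("UNPROTECTED", "red"), ("BLOCKED", "blue"), ("ALLOWED", "green"))

UNCATEGORIZED, UNKNOWN, PUBLIC_IPS = "Uncategorized", "Unknown", "Public IPs"


def is_private(addr, ranges=PRIVATE_RANGES):
    """True if addr falls inside any configured CIDR; otherwise it is public."""
    ip = ip_address(addr)
    return any(ip.version == net.version and ip in net for net in ranges)


def groups_for(addr, vm_by_ip, groups_by_vm):
    """Map one flow endpoint to the group node(s) it is drawn in."""
    vm = vm_by_ip.get(addr)
    if vm is not None:
        # A VM can belong to several groups; a VM with none is Uncategorized.
        return groups_by_vm.get(vm) or [UNCATEGORIZED]
    # Assumption: a private address missing from inventory lands in Unknown.
    return [UNKNOWN] if is_private(addr) else [PUBLIC_IPS]


def border_colors(flows, vm_by_ip, groups_by_vm):
    """Return {group: border color} for the flows in the selected time period."""
    seen = {}
    for member_groups in groups_by_vm.values():
        for group in member_groups:
            seen.setdefault(group, set())  # groups with no flows come out gray
    for flow in flows:
        for addr in (flow["src"], flow["dst"]):
            for group in groups_for(addr, vm_by_ip, groups_by_vm):
                seen.setdefault(group, set()).add(flow["type"])
    return {
        group: next((color for kind, color in BORDER_PRECEDENCE if kind in kinds), "gray")
        for group, kinds in seen.items()
    }


# Constructed inventory and flow records (not real NSX data or an NSX format).
VM_BY_IP = {
    "10.1.1.10": "web-01",
    "10.1.1.20": "app-01",
    "10.1.2.30": "db-01",
    "10.1.3.40": "jump-01",
    "10.1.4.50": "idle-01",
}
GROUPS_BY_VM = {
    "web-01": ["Web", "PCI"],   # one VM in two groups
    "app-01": ["App"],
    "db-01": ["DB", "PCI"],
    "jump-01": [],              # no group: drawn in Uncategorized
    "idle-01": ["Idle"],        # no flows in the period
}
FLOWS = [
    {"src": "10.1.1.10", "dst": "10.1.1.20", "type": "ALLOWED"},
    {"src": "10.1.1.20", "dst": "10.1.2.30", "type": "ALLOWED"},
    {"src": "203.0.113.7", "dst": "10.1.1.10", "type": "UNPROTECTED"},
    {"src": "10.1.3.40", "dst": "10.1.2.30", "type": "BLOCKED"},
    {"src": "10.9.9.9", "dst": "10.1.1.20", "type": "ALLOWED"},
]

COLORS = border_colors(FLOWS, VM_BY_IP, GROUPS_BY_VM)

if __name__ == "__main__":
    for name in sorted(COLORS):
        print(f"{name:14} {COLORS[name]}")
```

A single unprotected flow to web-01 turns both Web and PCI red even though every other PCI flow is allowed or blocked, which is why a red border is the one to investigate first.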

If you are not seeing the Groups view, click the down arrow next to the VMs label in the Security view selection area and select Groups. In the selection drop list displayed, you can select All Groups or specific groups from the list, and then click Apply. Use the Search text box to filter the selection list. If you click away from the selection drop list without making any selection or if you select All Groups in the drop list, the All Groups option is applied to the Groups view.


If 100 or more group nodes and 1,000 or more traffic flows must be displayed, NSX Intelligence displays the group nodes in clusters. These group clusters are based on the connectivity between the VMs in those groups during the selected time period. Clustering the groups allows you to have a high-level view of the activities in your NSX-T Data Center during that selected time period. As you zoom in closer to the nodes and arrows, the group and traffic flow details become more visible and easier to select.

Note: If you use any filter to determine what to display in the Groups view, the group clustering is not enabled.

The following image gives an example of this group cluster visualization. The different colors of the nodes and arrows correspond to the types of traffic flows that occurred with those groups during the selected time period. Groups that did not have any VM communication with any other group of VMs during the selected time period are placed together in a separate group cluster. Pointing to a specific group cluster displays a number above the cluster area. This number indicates how many groups there are in that particular cluster visualization.

Node Selection in Groups View

When you point to a group's node, information about that group is displayed, as shown in the following example for the group WINVM1_Group. The number and types of flows detected during the selected time period are also listed, along with the total number of flows. If the group was added during the selected time period, the green badge icon and the details of when the group was created are also displayed. Any recommendations available for the group are also included.


When you click a group's node, a dashed circle marks the selection as a pinned group node. The other groups that are connected to the selected group node are also made more prominent in the view. All other nodes become dimmed. For example, in the following screenshot, the node UBUNTUVM5_Group is selected and becomes the pinned group node. Other groups that shared at least one traffic flow with UBUNTUVM5_Group during the selected time period are also made prominent. All the other groups that did not communicate with UBUNTUVM5_Group are faded out in the view.

To clear the pinned selection, click any empty area of the visualization canvas.

If you zoom out of the Groups view and the details on the nodes are no longer visible, point to any visible part of a node to display the details.

Available Actions in the Groups View

A contextual menu of available actions or information is displayed when you right-click a group's node, as illustrated in the following image.


- Selecting Deep Dive:Group_Name surrounds the selected group's node with a dashed circle to mark it as the pinned group node or the current group in focus. The VMs that belong to the group are shown inside the group's node. All the groups that had traffic flows with the VMs in the pinned group during the selected time period are also placed in the Groups view. In the following example, group WinVM1_Group is the pinned group. The other groups are in the view because their VM members had traffic flows with the single VM in group WinVM1_Group during the selected time period.

- When you select Filter By, the current group is added to the visualization filter that is used for the current Groups view.

- When you select Recommendations, the table of available recommendations for the current group is displayed. From that Recommendations table, you can view the recommendation details and perform the available actions. See Chapter 3 Working with NSX Intelligence Recommendations for more information.

- Selecting VMs displays a table of all the VMs that belonged to the current group during the selected time period. From that View VMs table, you can see the details about the VMs that belong to the selected group and the other groups to which each VM also belongs. To add the VM to the current visualization filter, click the filter icon.


- When you select Flow Details, the Flow Details table for the currently selected group is displayed, as shown in the following screenshot. It shows the details about the flows that have completed and flows that are currently active with the VMs that belong to the current group during the selected time period. The details include the flow type, the flow's source and destination information, when the flow ended, and the services that were used. You can click some of the detail links to obtain more information. See Working with Traffic Flows for more information.

- Selecting Start Recommendation displays the Start New Recommendation wizard that assists you with generating a new recommendation. See Generate a New NSX Intelligence Recommendation for details.

Working with the VMs View

A node in the VMs view represents a virtual machine (VM) in your on-premises NSX-T Data Center environment.

Nodes and Arrows in the VMs View

When you are in the VMs view, the group boundaries are not visible. Any node that is communicating with one of the VMs in your NSX-T Data Center environment, but was not identified as part of the NSX-T Data Center inventory, is also represented in the VMs view. The following illustrates a simple VMs view.


The following table lists the types of VM nodes you might see in the VMs view.

Type of VM Node Icon Description

Regular VM A Regular VM node represents a virtual machine (VM) that is part of your NSX-T Data Center environment. A VM can belong to more than one group.

Public IP A Public IP node represents a public IP address, either IPv4 or IPv6, that is communicating to or from your NSX-T Data Center environment.

IP An IP node represents an IP address that participated in the network traffic activities during the selected time period. An IP address can be a unicast, broadcast, or multicast IP.

If you are not seeing the VMs view, click the down arrow next to Groups in the Security view selection area and select VMs. In the selection drop list displayed, you can select All VMs or specific VMs from the list, and then click Apply. Use the Search text box to filter the selection list. If you click away from the drop list without making any selection or if you select All VMs in the drop list, the All VMs option is applied to the VMs view.

The arrows between the VM nodes represent the traffic flows that have occurred between the VMs during the selected time period. See Working with Traffic Flows for more information.


If 100 or more VM nodes and 1,000 or more traffic flows must be displayed, NSX Intelligence displays the VM nodes in clusters. These VM clusters are based on the connectivity between the VMs during the selected time period. Clustering the VMs allows you to have a high-level view of the activities during that time period. As you zoom in closer to the nodes and arrows, the VM and traffic flow details become more visible and easier to select.

Note: If you use any filter to determine what to display in the VMs view, the VM clustering is not enabled.

The following image gives an example of this VM cluster visualization. The different colors of the nodes and arrows correspond to the types of traffic flows that occurred with the VMs during the selected time period. VMs that did not have any communication with any other VMs during the selected time period are placed together in a separate cluster. Pointing to a specific cluster displays a number above the cluster area. This number indicates how many VMs there are in that particular cluster visualization.

Node Selection in VMs View

When you point to a VM's node, information about the node is displayed, as shown in the following example. The number and types of flows to the VM that were detected during the selected time period are also listed. If the group was added during the selected time period, the New badge icon and the details of when the VM was added are also displayed.


When you click a VM's node, a dashed circle marks the selection as a pinned VM node. Other VM nodes that had traffic flows with that pinned VM node are also made more prominent in the VMs view. All other nodes become dimmed to make them less visible. To clear the pinned selection, click in any empty area of the VMs view.

When you zoom out of the VMs view and the details in the VM nodes are no longer visible, point to any visible part of the VM node. The VMs details are displayed.

Available Actions in the VMs View

A contextual menu of available actions is displayed when you right-click a VM's node, as illustrated in the following image.

Selection Description

Filter By The VM is added to the visualization filter that is used for the current VMs view.

Recommendations The table of recommendations for the current VM is displayed. From the Recommendations table, you can view the recommendation details and perform the available actions. See Chapter 3 Working with NSX Intelligence Recommendations for more information.

VM Information The details of the VM during the selected time period are displayed.

Note: If a VM is attached to the segment profile as the default IP Discovery profile and has Trust On First Use (TOFU) enabled, the VM initially gets an IP address from DHCP. If the DHCP IP address is released and the VM's IP address is changed to a static IP address, both the DHCP and static IP addresses are displayed in VM Information. If TOFU was disabled in the default IP Discovery Profile, when the initially assigned DHCP IP address is released and the VM's IP address is changed to a static address, only the static IP address is displayed in VM Information.

Related Groups Displays the Groups table with information about groups to which the VM belonged during the selected time period.

Using and Managing VMware NSX Intelligence

VMware, Inc. 19

Page 20: Using and Managing VMware NSX Intelligence - VMware NSX ... · Intelligence 1 To get started using the VMware NSX® Intelligence™ features, familiarize yourself with the NSX Intelligence

Selection Description

Flow Details Shows the details about the completed flows and the flows that are currently active with the VM during the selected time period.

Note The active flows during the selected time period are more than 2.5 minutes old at the time the details are displayed.

The details include the following.

n flow type

n flow's source and destination groups

n services that were used

n the type of the latest flow

n time the flow ended

You can click some of the details to obtain more information. See Working with Traffic Flows for more information.

Start Recommendation Displays the Start New Recommendations wizard. See Chapter 3 Working with NSX Intelligence Recommendations for more details.

Note If a VM is attached to the segment profile as the default IP Discovery profile and has Trust On First Use (TOFU) enabled, the VM initially gets an IP address from DHCP. If the DHCP IP address is released and the VM's IP address is changed to a static IP address, both IP addresses are displayed in VM Information. If a VM is attached to the segment profile as the default IP Discovery profile and TOFU is disabled, the VM initially gets an IP address from DHCP. If the DHCP IP address is released and the VM's IP address is changed to a static address, only one IP address, the latest one configured, is displayed in VM Information.

Working with Traffic Flows

The arrows between the group or VM nodes represent the network traffic flows that have occurred between the VMs during the selected time period.

Network traffic flows are based on the L3 distributed firewall (DFW) rules in place and the traffic flows that occurred during the selected time period. All network traffic flows that matched a stateful L3 DFW rule using IPv4 or IPv6 with TCP, UDP, GRE, ESP, and SCTP protocols are included in the visualization and flow details. TCP and UDP flows have IP and port level details and others have IP level details only.

The traffic flows are categorized into the following types.


| Flow Type | Description |
| --- | --- |
| Unprotected | A dashed red-hued arrow indicates that the system detected that the traffic flow encountered a rule (Source: Any, Destination: Any, Action: Allow or Reject or Drop) and that more granular security policies are needed. This rule can be your default rule, or it can reside anywhere in the East-West distributed firewall. |
| Blocked | A solid blue-hued arrow indicates that the system detected that the traffic flow encountered a 'Reject' or 'Drop' rule that is more granular than the one mentioned in the 'Unprotected' flow definition. |
| Allowed | A solid green-hued arrow indicates that the system detected that the traffic flow encountered an 'Allow' rule that is more granular than the one mentioned in the 'Unprotected' flow definition. |
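The flow-type definitions above, worked through as an added Python example that is not part of the VMware documentation: it classifies constructed flow records the way the table describes and lists the VM pairs that still rely on an Any-to-Any rule. The `Rule` and `Flow` shapes, the sample data, and the reading of "more granular" as "not Any-to-Any" are assumptions of this example, not the NSX-T schema or API.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Protocols the page lists as included in the visualization and flow details.
VISUALIZED_PROTOCOLS = {"TCP", "UDP", "GRE", "ESP", "SCTP"}
# Only these carry port-level detail; the others are IP-level only.
PORT_LEVEL_PROTOCOLS = {"TCP", "UDP"}


@dataclass(frozen=True)
class Rule:
    """Simplified, hypothetical model of an L3 DFW rule (not the NSX-T schema)."""
    name: str
    source: str        # group name, or "ANY"
    destination: str   # group name, or "ANY"
    action: str        # "ALLOW", "DROP" or "REJECT"
    stateful: bool = True


@dataclass(frozen=True)
class Flow:
    """One observed flow and the rule it matched (constructed record shape)."""
    src_vm: str
    dst_vm: str
    protocol: str
    dst_port: Optional[int]
    rule: Rule


def is_any_any(rule: Rule) -> bool:
    return rule.source.upper() == "ANY" and rule.destination.upper() == "ANY"


def classify(flow: Flow) -> Optional[str]:
    """Return the flow type, or None when the flow is outside what is visualized."""
    if not flow.rule.stateful or flow.protocol.upper() not in VISUALIZED_PROTOCOLS:
        return None
    # An Any-to-Any rule means "Unprotected" whatever its action is, so traffic
    # dropped by a default-deny rule is still not counted as "Blocked".
    if is_any_any(flow.rule):
        return "Unprotected"
    action = flow.rule.action.upper()
    if action in ("DROP", "REJECT"):
        return "Blocked"
    if action == "ALLOW":
        return "Allowed"
    raise ValueError(f"unknown rule action: {flow.rule.action!r}")


def detail_level(flow: Flow) -> str:
    """TCP and UDP flows carry IP and port detail; other protocols IP only."""
    return "ip+port" if flow.protocol.upper() in PORT_LEVEL_PROTOCOLS else "ip"


def segmentation_backlog(flows):
    """Count unprotected flows per (source VM, destination VM), busiest first."""
    pairs = Counter(
        (f.src_vm, f.dst_vm) for f in flows if classify(f) == "Unprotected"
    )
    return pairs.most_common()


# Constructed sample rules and flows.
DEFAULT_ALLOW = Rule("default-allow", "ANY", "ANY", "ALLOW")
DEFAULT_DROP = Rule("default-drop", "ANY", "ANY", "DROP")
WEB_TO_DB = Rule("web-to-db", "web", "db", "ALLOW")
NO_SSH_TO_DB = Rule("no-ssh-to-db", "ANY", "db", "REJECT")
STATELESS = Rule("stateless-allow", "web", "app", "ALLOW", stateful=False)

SAMPLE_FLOWS = [
    Flow("web-01", "db-01", "TCP", 3306, WEB_TO_DB),
    Flow("web-01", "app-01", "TCP", 8443, DEFAULT_ALLOW),
    Flow("web-01", "app-01", "TCP", 8080, DEFAULT_ALLOW),
    Flow("app-01", "db-01", "UDP", 53, DEFAULT_DROP),
    Flow("web-02", "db-01", "TCP", 22, NO_SSH_TO_DB),
    Flow("gw-01", "gw-02", "ESP", None, DEFAULT_ALLOW),
    Flow("web-01", "app-01", "ICMP", None, DEFAULT_ALLOW),   # protocol not listed
    Flow("web-02", "app-01", "TCP", 8443, STATELESS),        # not a stateful rule
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src_vm, "->", f.dst_vm, f.protocol, classify(f), detail_level(f))
    print(segmentation_backlog(SAMPLE_FLOWS))
```

The pairs returned by `segmentation_backlog` are the ones for which a recommendation would be worth generating, because their traffic is only being handled by a catch-all rule.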

To focus only on objects with certain types of traffic flows, use the Security view selection area to select the view type, and use the Flow > Type filter attribute to narrow down the selection.

If you deselect a flow type, the flow lines for that flow type are hidden from the displayed graph. Unless filters are in effect that exclude certain objects, all group or VM objects remain displayed regardless of the traffic flow types that have occurred with those objects during the selected time period. For example, if you deselect the 'Allowed' flow type, all the 'Allowed' flow lines are hidden in the graph. However, all objects are still displayed, even those objects that only had 'Allowed' traffic flows during the selected time period.

A flow arrow's direction indicates the source and destination of the detected traffic flow. When in Groups view, a self-referencing arrow on a group node indicates that at least one VM was communicating with another VM within that same group. In a VMs view, a self-referencing arrow indicates that an NSX object in the VM communicated with another NSX object in the same VM.

When you point to a flow arrow, information about the flows involving the group or VM is displayed, as shown in the following example for Group G2.

When you click a flow arrow, the Flow Details dialog box is displayed. It shows the details about the completed and active flows that occurred during the selected time period. To get more detailed information about the flow's source, destination, type of service, and the type of flow, click the links in the table.


When you zoom in on a VMs view, information about L4 ports and protocols appears on the flow lines. If there is more than one L4 detail, a link with the number of additional details also appears on the flow line. Click the number, as shown in the following image, and the list of L4 ports and protocols is displayed.


3 Working with NSX Intelligence Recommendations

NSX Intelligence can provide micro-segmentation recommendations that are based on the patterns of traffic flows that have occurred between the VMs in your NSX-T Data Center environment during a selected time period.

This chapter includes the following topics:

• Understanding NSX Intelligence Recommendations

• Generate a New NSX Intelligence Recommendation

• Rerun a Recommendation

• Review and Publish a Generated Recommendation

Understanding NSX Intelligence Recommendations

The recommendations that NSX Intelligence generates include security policies, policy security groups, and services for applications.

The recommendations are based on the traffic flow patterns that occurred between the VM members of a selected policy group or between the selected VM workloads, all on ESXi hosts managed by vCenter Server. The recommendations can assist you with enforcing a more dynamic security policy by correlating traffic patterns of communication that have occurred within your NSX-T Data Center environment.

The security policy recommendations are East-West distributed firewall (DFW) security policies in the application category. The security group recommendations consist of the VMs whose traffic flows were analyzed for the time period and the VM boundary that you specified. The service recommendations are service objects that were used by applications in the VMs you specified but are not yet defined in the NSX-T Data Center inventory.

There are multiple ways to request a recommendation, but the most straightforward one is to use the Plan & Troubleshoot > Recommendations tab and click Start New Recommendation. You provide up to 1 group or 100 virtual machines (VMs), or a combination of a group and VMs that comprise the application boundaries. The total number of VMs allowed in an input that includes a group and VMs cannot exceed 250 VMs. You also provide the time range in which the network traffic flows are to be analyzed for those specific VMs or group of VMs. After the recommendation analysis is finished, you can view the details of the recommendation and, if necessary, modify the recommendation before publishing it. See Generate a New NSX Intelligence Recommendation for more information.

Generate a New NSX Intelligence Recommendation

The NSX Intelligence Recommendations feature can provide you with recommendations to help you micro-segment your applications.

An NSX Intelligence recommendation consists of recommended security policies, policy security groups, and services for the application. The recommendations are based on the traffic patterns of communication between VMs in your NSX-T Data Center.

You can generate a recommendation by selecting the input entities of up to 1 group or 100 virtual machines (VMs), or a combination of a group and VMs. The total number of VMs that you can use in an input that includes a group and VMs cannot exceed 250 VMs.

Important You can only generate a new recommendation for a security group that was created in Policy mode. The security group must have at least one of the supported member types in order for NSX Intelligence to begin a recommendation analysis for that security group. The supported member types include virtual machines, virtual network interfaces (VIFs), logical ports, and logical switches. If at least one supported member type is present in the security group, the recommendation analysis can proceed, but unsupported member types are not considered during the recommendation analysis.

There are multiple ways to generate a recommendation using the NSX Intelligence user interface. The following procedure describes the available methods to use.

Prerequisites

• Install NSX Intelligence. See the Installing and Upgrading VMware NSX Intelligence document.

• Ensure you have the required privileges to generate recommendations. See Role-Based Access Control in NSX Intelligence for more information.

Procedure

1 From your browser, log in with the required privileges to an NSX Manager at https://<nsx-manager-ip-address>.


2 Initiate the generation of a new recommendation using one of the following methods.

| Where to Start | Next Step |
| --- | --- |
| Select Plan & Troubleshoot > Recommendations. | Click Start New Recommendation. |
| For a recommendation for a group, select Plan & Troubleshoot > Discover & Take Action. | 1. Verify the Groups view is selected in the Security view selection area. 2. Right-click the node for the group on which you want to generate a recommendation. 3. Select Start Recommendation. |
| For a recommendation for VMs, select Plan & Troubleshoot > Discover & Take Action. | For a single VM: 1. In the Security view selection area, click the down arrow next to Groups and select VMs. 2. Right-click the node for a VM and select Start Recommendation from the contextual menu. For multiple VMs: 1. In the Security view selection area, click the down arrow next to Groups and select VMs. 2. If you want to include only specific VMs, click the down arrow next to ALL and select the VMs that comprise the application boundary you want to use. Otherwise keep ALL selected and click Apply. 3. Click the recommendation wand icon on the left side of the Flows bar. 4. Select Start Recommendations or Start Recommendations for the filtered VMs. |

3 In the Start New Recommendation wizard, change the default value for the Recommendation Name text box.

Give a name that reflects the application for which the segmentation is being done. The name is used as the prefix for the names of all the recommended groups and rules created during the recommendation analysis.

4 Change the default value for the Description text box to make it easier to recall the information about the recommendation.


5 Define or modify the VMs that are to be used as the boundary for the security policy recommendation.

a In Selected Entities in Scope, click Select Entities or, if you selected the group or VMs already, click the link to the number of groups or VMs.

b In the Select Entities dialog box, click Groups to select up to one group, if you want to use one. To select the VMs that you want to use as the boundary for the analysis, click VMs.

In NSX Intelligence 1.1, you can select up to one group and up to 100 VMs to use for the recommendation boundary. Deselect the ones you do not want included. You can also click Filter on the right side and select the attributes to use to filter the group or VMs that you want selected.

c Click Save.

The number of selected groups or VMs or both is indicated in Selected Entities in Scope.

6 Back in the Start New Recommendation wizard, expand More Options and change the default value for the Recommendation Output Mode, if necessary.

The default output mode used is Object Based, which means the DFW policy recommendation that is generated contains groups whose members are VM objects. If the IP Based recommendation output mode is selected, the DFW policy recommendation that is generated contains groups whose members are IPset objects. An IP-based recommendation is not tightly bound to a VM. If a VM is deleted and its IP address is assigned to a new VM, the new VM gets assigned to the same group automatically. The DFW policies for the group are applied to the new VM also.

7 If you want, change the current Time Range value to use to generate the recommendation.

The default time range value is Last 1 Month. The network traffic flows that occurred between the selected VMs or group of VMs during that time range are used during the recommendation analysis. Other values to select from are 1 hour, 12 hours, 24 hours, and 1 week.

8 To begin the recommendation analysis, click Start Discovery.

Recommendations are processed serially. On average, it can take anywhere from 3 to 4 minutes to finish each recommendation, depending on whether there are other recommendations that are waiting to be processed. If there is a large number of traffic flows between VMs that must be analyzed, the generation of a recommendation can take anywhere between 10–15 minutes.


The recommendations that were initiated are listed in the Recommendations table, similar to what is shown in the following image.

9 Review the status of the recommendation that you initiated.

The statuses of the recommendation analysis can be tracked in the Status column of the Recommendations table. The status progresses from Waiting, to Discovery In Progress, and to Ready to Publish. If no recommendation was generated, the Status value is set to No Recommendations Available. If the recommendation analysis failed for some reason, the Failed status is displayed.

The Monitoring column indicates whether changes are being monitored for the original input entities used to generate the recommendation. This feature is available for recommendations with a status of Ready to Publish, No Recommendations Available, or Failed. You can toggle the Monitoring button on or off. When the toggle is on, changes in the scope of the input entities are checked every hour.

If any changes occurred with any of the input entities used, the change detected icon appears next to the Ready to Publish, No Recommendations Available, or Failed status. You can review the changes and rerun the recommendation. See Rerun a Recommendation for more information.

The table also displays the links to the input entities, the generated recommendation entities, and time interval that were used to generate the recommendation. When you click the canvas icon on the rightmost side of the recommendation row, the visualization of the selected entities is displayed in the graphical canvas under the Plan & Troubleshoot > Discover and Take Action UI.

10 When the Status value is Ready to Publish, review the generated recommendation and decide whether to publish it. See Review and Publish a Generated Recommendation.
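Step 6 of the procedure above notes that an IP Based group follows the address rather than the VM. The following added Python example (not VMware code; the `VM` record, the IDs, and the addresses are constructed) compares two inventory snapshots and reports VMs that entered an IP-based group, and so picked up its DFW policies, only by taking over a released address.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    """Constructed inventory record; vm_id stands in for the VM object identity."""
    vm_id: str
    name: str
    ip: str


def object_based_members(group_vm_ids, inventory):
    """Object Based output: the group lists VM objects, so identity decides."""
    return {vm.vm_id for vm in inventory if vm.vm_id in group_vm_ids}


def ip_based_members(group_ips, inventory):
    """IP Based output: the group is an IP set, so whoever holds the IP is a member."""
    return {vm.vm_id for vm in inventory if vm.ip in group_ips}


def inherited_by_ip_reuse(group_ips, before, after):
    """Return (name, ip, previous holder id) for VMs that are in the IP-based
    group now only because they hold an address a different VM held before."""
    old_holder = {vm.ip: vm.vm_id for vm in before if vm.ip in group_ips}
    return sorted(
        (vm.name, vm.ip, old_holder[vm.ip])
        for vm in after
        if vm.ip in old_holder and vm.vm_id != old_holder[vm.ip]
    )


# Constructed snapshots: the inventory when the recommendation was generated,
# and the inventory after db-01 was deleted and its address was reassigned.
BEFORE = [
    VM("vm-101", "db-01", "10.0.1.10"),
    VM("vm-102", "db-02", "10.0.1.11"),
]
AFTER = [
    VM("vm-102", "db-02", "10.0.1.11"),
    VM("vm-230", "ci-runner-07", "10.0.1.10"),   # new VM, reused address
    VM("vm-231", "ci-runner-08", "10.0.2.5"),
]

# The same recommended "db" group expressed in the two output modes.
GROUP_VM_IDS = {"vm-101", "vm-102"}
GROUP_IPS = {"10.0.1.10", "10.0.1.11"}

if __name__ == "__main__":
    print("object based:", sorted(object_based_members(GROUP_VM_IDS, AFTER)))
    print("ip based:    ", sorted(ip_based_members(GROUP_IPS, AFTER)))
    for name, ip, previous in inherited_by_ip_reuse(GROUP_IPS, BEFORE, AFTER):
        print(f"{name} now holds {ip} (was {previous}) and inherits the group's rules")
```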

Rerun a Recommendation

If the change detected icon appears next to a Ready to Publish, No Recommendations Available, or Failed status, review the changes in the original scope of the recommendation input entities. Rerun the recommendation analysis, if needed.


The change detected icon indicates that some changes occurred with the input entities that were used to generate the previous recommendation. For example, an input group's membership changed when a VM was removed from the group or when a new VM was added to the input group.

Prerequisites

• You must have previously generated a recommendation. See Generate a New NSX Intelligence Recommendation.

• Ensure you have the required privileges to rerun recommendations. See Role-Based Access Control in NSX Intelligence for more information.

Procedure

1 From your browser, log in with the required privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 Select Plan & Troubleshoot > Recommendations.

3 To rerun the recommendation without reviewing the changes, select one of the following methods.

• Click the change detected icon to the right of the status and select Re-Run Recommendation.

• Click the three-dot menu on the leftmost side of the recommendation's row and select Re-run.

4 To review the detected changes before rerunning the recommendation analysis, use one of the following methods.

• Click the change detected icon to the right of the status and select View Changes in Scope.

• Click the three-dot menu on the leftmost side of the recommendation's row and select View Changes in Scope.

5 Review the changes in the View Changes in Scope dialog box.

A dialog box similar to the following is displayed.


The visualization graph in the top half of the dialog box shows the VMs that were added or removed since the previous recommendation was generated. In the example, the VM nodes have either an add badge icon or a delete badge icon to indicate the change in status.

a Click the All Flows and All VMs tabs to review the flows and VMs considered for generating the recommendation.

b To review any changes in the VMs used as input entities, click the Added VMs or Removed VMs tab.

c To exit the dialog box, click Dismiss.

d To generate another recommendation analysis, click Re-run Recommendation.

Results

After you select Re-run Recommendation, the previously generated recommendation is deleted and cannot be restored. NSX Intelligence regenerates the recommendation using the modified input entities as the recommendation boundary. Newly detected flows and VMs for the selected time period are also included in the recommendation analysis. Traffic flows for VMs that were deleted from the original input entities are not considered in the analysis.

What to do next

After the new recommendation has the Ready to Publish status, review the recommendation using the information in Review and Publish a Generated Recommendation.

Review and Publish a Generated Recommendation

After the generated NSX Intelligence recommendation reaches the Ready to Publish status, you can review the recommendation, modify it if necessary, and decide whether to publish it.

Prerequisites

• Generate a new recommendation. See Generate a New NSX Intelligence Recommendation.

• Ensure that you have the required privileges before you rerun the recommendations. See Role-Based Access Control in NSX Intelligence for more information.


Procedure

1 From your browser, log in with the required privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 Click Plan & Troubleshoot > Recommendations.

3 (Optional) To help narrow down the list of recommendations being displayed, click Filter on the top right of the UI. Click Apply Filter, and select one or more filters from the drop-down menu.

For example, after you click Apply Filter, select Basic Details > Monitoring > On to display only the recommendations that have the monitoring parameter set to on.

4 (Optional) If you decide not to use the generated recommendation, click the three-dot menu icon and select Delete.

5 To begin reviewing and managing the details of the recommendation that has the status of Ready To Publish, click the recommendation's name.

The Recommendations wizard is displayed, similar to the following image. In the Review Recommendations pane, the details for the recommendations are displayed in a split view. The top half of the pane shows a visualization of the recommendations in a graphical format. The bottom half of the pane lists the recommendations in a tabular format.

6 In the Review Recommendations pane, use the top half of the pane to examine the graphical visualization of the recommendations.

You can click specific nodes and arrows to see the details for the recommendations. You can point to the arrow between two group nodes to see which policy rules have been applied between groups or what services have been created.


You can right-click the node for a group recommendation, rename the group, or edit the VM members that belong in that group. You can also right-click a group node and select Filter to use the current group as the filter used to display details about the generated recommendation.

Changes made using the graphical view of the recommendations are reflected in the table in the bottom half of the pane. Similarly, changes made to the recommendations info in the table are reflected in the graphical visualization.

7 In the bottom half of the Review Recommendations pane, you can use the tabular view of the recommendations to see the details about the rules, groups, and services that are included in the recommendations.

You can examine and modify any of the recommendation details, by clicking the Rules, Groups, or Services tab.

In the Recommended Policies section, there are numbers displayed on the Rules, Groups, and Services tabs. These numbers indicate the number of rules, groups, and services that are being recommended. They did not exist in the NSX-T inventory at the time the recommendations were generated. For example, in the image above, the recommendation Services tab shows zero services being recommended. The services used by the groups existed in the NSX-T inventory at the time the recommendation was generated. So, there are no new services being recommended.

Any changes that are applied to the rules in the Rules tab (such as adding, deleting, or editing a rule or section) are reflected immediately in both the Rules table and in the graphical visualization pane.

a To define how the packets are to be handled when hitting the DFW rule, select Allow, Drop, or Reject in the Action column.

b To enable or disable the DFW rule, toggle the button on the right side of the Action column. By default, the generated rule is set to Enabled when the recommendation is published.

c To review the details about the groups in the recommendation, click Groups.

Before you delete a group, make sure that there are no rules using the group.

d Click the link in the Members column to review the details about the VMs and IPs that were set for the group recommendation.

e Click the three-dot menu icon next to the group's name and select Edit to modify the group recommendation.

f Click Services and review the details.

g Click the three-dot menu icon next to the service's name and select Edit to modify the name or description.

Before you delete a service, make sure that there are no rules using the service.


8 To continue with publishing the recommendation, click Proceed.

Alternatively, click Continue Later to save any changes you have made and exit the recommendation review session.

9 In the Sequence & Publish pane, define the order in which the newly recommended security policies are to be applied in relation to the existing DFW rules.

a Select the row for the new security policy recommendation.

b Click the three-dot menu icon on the leftmost side of the row for one of the existing security policies listed.

c To move the selected row for the newly recommended security policy to a location above or below the row for the existing security policy, select Move selected policies above this policy or Move selected policies below this policy from the displayed menu.

Alternatively, you can drag the currently selected new policy recommendation row up or down to the order location that you want.

10 Click Publish.

To discontinue reviewing the recommendation, click Cancel.

11 In the Publish Recommendations dialog box, click Yes.

12 In the Policies published dialog box, click Dismiss to close the dialog box, or click View in Distributed Firewall Table to view the security policies that were just published in the Security > Distributed Firewall > All Rules tab.

Back in the Plan & Troubleshoot > Recommendations pane, the Status column for the recommendation you published is changed to Published in the Recommendations table.

Results

After the security policy recommendations have been published successfully, they are in read-only mode in the Plan & Troubleshoot > Recommendations tab. To view and manage the published rule recommendations, go to Security > Distributed Firewall.

Important After you have published the rule recommendations, the visualization continues to display the affected flows between the VMs as orange-hued arrows (Unprotected Flows) until new flows are generated between the affected VMs. The visualization only reports traffic flows based on the time when they occurred on the host and does not reflect the rule set published after the traffic flows occurred. After the rule set is published and new traffic flows are generated, the new flows are displayed as green-hued arrows (allowed flows).


4 Operations and Management

There are tools that you can use to perform a backup of the NSX Intelligence configuration or restore it, or help you find information about NSX Intelligence objects.

This chapter includes the following topics:

• Role-Based Access Control in NSX Intelligence

• Backing Up and Restoring NSX Intelligence

• Collect NSX Intelligence Support Bundles

• Monitoring NSX Intelligence Alarms

• Searching for NSX Intelligence Entities

Role-Based Access Control in NSX Intelligence

Role-based access control (RBAC) helps restrict access to NSX Intelligence features to certain authorized users only.

Because NSX Intelligence features are accessed using the NSX Manager user interface, the same NSX-T Data Center built-in roles assigned to users are used for NSX Intelligence RBAC and each role has specific permissions. For information on how to assign roles to users, see the NSX-T Data Center Administration Guide.

To view the NSX-T Data Center built-in roles, navigate to System > Users and Roles > Roles.

After an Active Directory (AD) user is assigned a role, if the user name is changed on the AD server, you must assign the role again using the new user name.

Roles and Permissions

The following are the types of permissions in NSX Intelligence. Included in the list are the abbreviations for the permissions that are used in the Table 4-1. NSX Intelligence Roles and Permissions table.

• Full access (FA) - For recommendations, full access includes the ability to read, start, rerun, update, delete, and publish recommendations.

• Execute (E)

• Read (R)

• None

NSX Intelligence recognizes the following built-in roles. You cannot add any new roles. Also included in the list are the abbreviations for the roles that are used in the Table 4-1. NSX Intelligence Roles and Permissions table.

• Enterprise Administrator (EA)

• Auditor (A)

• Security Engineer (SE)

• Security Operator (SO)

• Network Engineer (NE)

• Network Operator (NO)

• Guest Introspection (GI) Partner Administrator (GI Adm)

• Network Introspection (NETX) Partner Administrator (NI Adm)

• Load Balancer Administrator (LB Adm)

• Load Balancer Auditor (LB Aud)

• VPN Administrator (VPN Adm)

The following table shows the permissions that each built-in role has for the different NSX Intelligence operations.

Table 4-1. NSX Intelligence Roles and Permissions

| Operation | EA | A | SE | SO | NE | NO | GI Adm | NI Adm | LB Adm | LB Aud | VPN Adm |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Deploy the NSX Intelligence appliance using System > Appliances > Add NSX Intelligence Appliance. | FA | R | R | R | R | R | None | None | None | None | None |
| Back up or restore the NSX Intelligence appliance using System > Backup & Restore. | FA | None | None | None | None | None | None | None | None | None | None |
| Generate a support bundle using System > Support Bundle. | FA | None | None | None | None | None | None | None | None | None | None |
| Upgrade the NSX Intelligence appliance using System > Upgrade or using the CLI. | FA | None | None | None | None | None | None | None | None | None | None |
| Start/stop the data collection on transport nodes using System > Appliances > NSX Intelligence Appliance > Actions > Stop / Start Collecting Data | FA | R | R | R | R | R | None | None | None | None | None |
| Visualization of traffic flows using Plan & Troubleshoot > Discover & Take Action. | FA | R | R | R | R | R | None | None | None | None | None |
| Work with recommendations using Plan & Troubleshoot > Recommendations. | FA | R | FA | R | None | None | None | None | None | None | None |
| Manage the alarm definitions and alarm states using Home > Alarms | FA | None | None | None | None | None | None | None | None | None | None |
| Search for flows using the Search bar | FA | R | R | R | R | R | None | None | None | None | None |
| Search for recommendation using the Search bar | FA | R | R | R | None | None | None | None | None | None | None |

Backing Up and Restoring NSX Intelligence

If your current NSX Intelligence configuration becomes inoperable or if you want to restore it to a previous state, you can restore your configuration from a backup. Beginning with NSX Intelligence 1.1, the backup and restore workflows are supported using the NSX Manager user interface.

When you take a backup, NSX Intelligence only backs up the configuration files used by all the services that comprise the NSX Intelligence appliance. There is no visualization or recommendation data included in the backup.

If data loss or corruption occurs in NSX Intelligence, all the existing data for the correlated flows and recommendations is also lost. Reinstalling NSX Intelligence restarts the collection of network traffic data, and visualization of the newly collected data is available from that point onwards.

There are two backup methods available:

- Manual - You perform a one-time backup at any time.
- Automated - You create backups that are run based on a schedule that you set. To ensure that you have up-to-date backups, set automated backups.

The backup is encrypted, compressed, and stored at the remote server defined during the backup configuration. When you create a backup, the date and time the backup is taken are appended to the backup filename so that each backup file is unique. For example, config-backup-2020-03-21T21_06_07UTC.tar.

You can restore an NSX Intelligence configuration back to the state when a particular backup was captured. You must restore the backup to an NSX Intelligence appliance that is running the same version as the NSX Intelligence appliance from which the backup file was created.


Configure NSX Intelligence Backups

You must configure a backup file server before you can take a backup of your NSX Intelligence configuration.

Prerequisites

- Ensure that you have the IP address or host name for the remote backup file server and the user name and password to access it.
- Obtain the absolute directory path to where the backup files are to be stored in the remote backup file server.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 Select System > Backup & Restore.

3 On the left-side of the NSX Intelligence Configuration pane, click Edit located under the SFTP Server label.

4 In the NSX Intelligence Configuration dialog box, enter the host name or IP address of the remote backup file server.

5 Change the default port value of 22, if needed.

6 In the Directory Path text box, enter the absolute directory path to where the backup files are to be stored.

The directory must exist. For example, /opt/mycompany/backups.

7 Enter the user name and password required to log in to the backup file server.

8 Click the SSH Fingerprint text box.

The generated SSH fingerprint is displayed in the SSH Fingerprint text box.

9 To encrypt the backups, enter a value in the Passphrase text box and confirm it in the Confirm Passphrase text box.

The passphrase is required to restore a backup. Use the passphrase requirement listed under the Passphrase text box.

10 Click Save.

Results

With a successful configuration, the remote backup server's IP address is displayed under the SFTP Server label.


What to do next

After you have configured the backup file server, you can manually start a backup or set up a recurring backup schedule. See Create a Manual NSX Intelligence Backup or Set Up Recurring NSX Intelligence Backups for more info.

Create a Manual NSX Intelligence Backup

You can create an on-demand backup of your NSX Intelligence appliance configuration files and certificates using the NSX Manager user interface.

Prerequisites

Ensure that you have configured a backup file server. See Configure NSX Intelligence Backups.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 Select System > Backup & Restore.

3 In the NSX Intelligence Configuration pane, click Start Backup.

4 Click Backup in the Confirm Backup dialog box.

On the NSX Intelligence Configuration pane, the status of the backup process is shown. Until the backup process is finished, you cannot perform any other actions on the same NSX Manager session.

If the backup is successful, the Backup process finished successfully message is displayed. A row is added in the Backup History table with the details about the NSX appliance used to create the backup and when it was created.

Note: The backup can only be restored using an NSX Intelligence appliance that is attached to the same NSX Manager cluster that was used to create the backup.

Set Up Recurring NSX Intelligence Backups

Using the NSX Manager user interface, you can set up an automated schedule to back up your NSX Intelligence appliance configuration files.

Recurring backups help ensure that you have up-to-date backups to restore your NSX Intelligence appliance to the most recent stable state when it becomes inoperable.

Prerequisites

Ensure that you have configured a backup file server. See Configure NSX Intelligence Backups.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.


2 Select System > Backup & Restore.

3 In the NSX Intelligence Configuration pane, under Schedule, click Edit.

4 In the Schedule Recurring Backup dialog box, click the Recurring Backup toggle.

5 In the Frequency text box, enter the backup frequency interval in minutes.

The minimum value is 5 minutes and the maximum value is 60 minutes.

6 Click Save.

In the NSX Intelligence Configuration pane, the Enabled indicator next to Schedule is displayed. The value under Schedule is updated with the backup frequency that you had specified. For example, Every 10 minutes.

7 To see if the recurring backup process has created a backup, click Refresh at the bottom-left corner of the Backup History table.
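A recurring backup that stops running unnoticed leaves only an outdated file to restore from. The following added example (not VMware code) audits a listing of the backup directory against the configured frequency, using the backup file-name format shown earlier in this chapter; the sample listing, the `slack_minutes` tolerance, and the function names are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# File-name pattern taken from the example on this page:
# config-backup-2020-03-21T21_06_07UTC.tar
BACKUP_NAME = re.compile(
    r"^config-backup-(\d{4}-\d{2}-\d{2}T\d{2}_\d{2}_\d{2})UTC\.tar$"
)

# Constructed directory listing (not real data): one 40-minute hole in a
# 10-minute schedule, plus two entries that are not valid backup files.
LISTING = [
    "config-backup-2020-03-21T22_06_09UTC.tar",
    "config-backup-2020-03-21T21_06_07UTC.tar",
    "lost+found",
    "config-backup-2020-03-21T21_26_07UTC.tar",
    "config-backup-2020-03-21T21_16_08UTC.tar",
    "config-backup-2020-13-40T99_99_99UTC.tar",
    "config-backup-2020-03-21T22_16_09UTC.tar",
]


def backup_time(name):
    """Return the UTC timestamp embedded in a backup file name, or None."""
    match = BACKUP_NAME.match(name)
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H_%M_%S")
    except ValueError:
        # Digits in the right places, but not a real date or time.
        return None
    return stamp.replace(tzinfo=timezone.utc)


def audit_backups(names, frequency_minutes, now, slack_minutes=2):
    """Compare a directory listing with the recurring-backup schedule.

    frequency_minutes is the value entered in the Frequency text box.
    slack_minutes (an assumption) allows for run time and transfer delay.
    """
    if not 5 <= frequency_minutes <= 60:
        raise ValueError("the Frequency setting accepts 5 to 60 minutes")
    limit = timedelta(minutes=frequency_minutes + slack_minutes)

    stamped, unrecognized = [], []
    for name in names:
        when = backup_time(name)
        if when is None:
            unrecognized.append(name)
        else:
            stamped.append((when, name))
    stamped.sort()

    # A gap between consecutive backups longer than the limit means at
    # least one scheduled run produced no file.
    gaps = []
    for (t0, n0), (t1, n1) in zip(stamped, stamped[1:]):
        if t1 - t0 > limit:
            gaps.append((n0, n1, int((t1 - t0).total_seconds() // 60)))

    latest = stamped[-1] if stamped else None
    return {
        "latest": latest[1] if latest else None,
        # No backup at all counts as stale.
        "stale": latest is None or now - latest[0] > limit,
        "gaps": gaps,
        "unrecognized": unrecognized,
    }


if __name__ == "__main__":
    checked_at = datetime(2020, 3, 21, 22, 20, tzinfo=timezone.utc)
    for key, value in audit_backups(LISTING, 10, checked_at).items():
        print(f"{key}: {value}")
```

Feed it the file names from the directory configured as the Directory Path on the SFTP server and alert when `stale` is true or `gaps` is not empty.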

Restore NSX Intelligence Backups

When you restore a backup, you are restoring the state of the NSX Intelligence configuration files and certificates at the time the backup was made. You restore a backup using the NSX Manager user interface.

You must restore a backup on an installation of the NSX Intelligence appliance that is the same version as the backup you are restoring.

Prerequisites

- Ensure that the NSX Intelligence appliance on which you plan to restore the backup is the same version as the appliance from which the backup was created.
- Ensure the NSX Intelligence appliance is associated to the same NSX Manager cluster used when the backup was generated.
- Verify that you have the host info and admin login credentials for the backup file server.
- Ensure that you have the passphrase assigned to the backup file.
- Identify which backup you want to restore.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 Select System > Backup & Restore.

3 Navigate to the NSX Intelligence Configuration pane.

4 In the Backup History table, select the row for the backup file that you want to restore.


5 Click Restore on the top-right corner of the Backup History table.

When the restore process is successful, the message Restore process finished successfully is displayed. If errors are encountered, consult Chapter 5, Troubleshooting NSX Intelligence Usage Issues. Afterwards, if given the option, you can click Retry to try to restore the same backup file again. If there are other backup files available, you can select another one to restore.

Collect NSX Intelligence Support Bundles

You can collect support bundles from your NSX Intelligence appliance using the NSX Manager user interface. You can download a bundle to your local system or upload it to a remote file server.

The support bundle file contents do not include network traffic flow data or recommendations data.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 Select System > Support Bundle.

3 In the Request Bundle page, select NSX Intelligence from the Type drop-down menu.

4 From the Available pane, select the NSX Intelligence appliance node from which you want to collect the support bundle.

Only one NSX Intelligence appliance node is supported.

5 To move the selected node to the Selected pane, click the > icon.

6 In the Log age (days) text box, keep the default value of All or enter the specific number of days' worth of logs that you want included in the support bundle.

7 (Optional) To specify if you want the core files and audit log files included in the support bundle, click the Include core files and audit logs toggle.

Ensure you read the information under the toggle and understand what it means when you include or exclude the core files and audit logs.

8 (Optional) Select the Upload bundle to remote file server check box if you want to upload the support bundle to a remote file server.

a Provide the remote file server's IP address or FQDN, port, and protocol to use.

b Enter the user name and password for the remote file server.

c Enter the absolute directory path to where the bundle is to be uploaded.

d If you want the NSX Manager to perform the bundle upload, toggle Manager upload.

9 Click Start Bundle Collection.


10 Monitor the status of the bundle collection process.

The Status page shows the progress of the support bundle collection. When the collection finishes successfully, the size of the bundle is displayed next to Support Bundle. The Details table displays the info about all the support bundles that were generated successfully or failed to finish.

11 To store the support bundle to a local folder, click Download. If you selected the Upload bundle to remote file server check box, the support bundle is uploaded to the file server you had specified.

Monitoring NSX Intelligence Alarms

NSX Intelligence sends alarm notifications to alert you about specific events that might require your immediate attention.

A system event that triggered an alarm can potentially affect the NSX Intelligence appliance's performance and operation. An alarm provides you with detailed information, such as the event that triggered the alarm, the specific message displayed, and the action you can take to resolve the alarm.

Information about NSX Intelligence alarms is displayed in the following two locations.

1 Alerts for NSX Intelligence alarms in the Open state are displayed on the top-right corner of the NSX Intelligence card under the System > Appliances pane, similar to what is shown in the following image.

2 NSX Intelligence alarms in all the different states are displayed on the Alarms dashboard in the Home page, similar to what is shown in the following image.


For more information about the list of NSX Intelligence and other NSX-T Data Center alarm events, see "About Events and Alarms" in the NSX-T Data Center Administration Guide. For information on how to manage the different alarms states, see Manage NSX Intelligence Alarm States.

Manage the NSX Intelligence Alarm Definitions

You can view the default NSX Intelligence alarm definitions and modify them to fit your needs.

The NSX Intelligence alarm definitions provide the details about the type of events and other criteria that must be met to trigger an alarm. You can review and modify an alarm definition from the Alarms dashboard, using either the Alarms pane or the Alarm Definitions pane.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 To review and modify an alarm definition using one of the already reported alarms, select Home > Alarms > Alarms.

a Locate the alarm event whose definition you want to modify.

b From the Event Type column of the table of reported alarms, click the name of the reported event.

The alarm definition for the selected event type is displayed under the Alarm Definitions pane.


3 To review and modify an alarm definition using the Alarm Definitions pane, select Home > Alarms > Alarm Definitions.

a List the NSX Intelligence alarm definitions only by clicking the filter text box on the right-side.

b Type intelligence and press Enter.

The Alarm Definitions table displays all the NSX Intelligence alarms, as shown in the following image.

c Select the alarm definition you want to modify.

4 To view the rest of the selected alarm's definition, expand its row.

The alarm details that are shown in the expanded row include the following.

| Alarm Setting | Description |
|---|---|
| Feature | The NSX Intelligence component from where the alarm originated. |
| Event Type | The specific type of error detected. |
| Severity | The alarm level that was detected. Values are Medium, High, or Critical. |
| Enabled | If set to Yes, the alarm is enabled. This setting is user-configurable. |
| Create Alarms | If set to Yes, the system reports the alarm. This setting is user-configurable. |
| Create SNMP Traps | If set to Yes, the system emits an SNMP trap when the alarm is detected or resolved. This setting is user-configurable. |
| Description | Describes the condition that triggers the alarm. |
| SNMP OID For Event true | The SNMP Object Identifier when the alarm event status is true. |
| SNMP OID For Event false | The SNMP Object Identifier when the alarm event status is false. |
| Threshold | The value used as the threshold to determine whether a single sample is true. |
| Sensitivity | The percentage value used with the threshold value to determine whether an alarm event instance status is true or false. |

5 If needed, modify an alarm's configurable settings.

a Locate the alarm definition's row.

b Click the three-dot icon on the leftmost side of the row and select Edit.

The selected alarm definition's row is expanded and the details are displayed.

c Use the following table to modify the configurable alarm settings, as needed.

| Setting | How To Configure the Setting |
|---|---|
| Enabled | To enable or disable the detection of the alarm, click the toggle. |
| Create Alarms | To specify whether the alarm is to be created or not, click the toggle. |
| Create SNMP Traps | To specify whether an SNMP trap is created when an alarm is detected or resolved, click the toggle. |
| Threshold | Enter a numerical value that is used as the threshold to determine if a single sample is true. |
| Sensitivity(%) | Enter a numerical value that specifies the percentage of the sample size to use when determining whether an alarm event is triggered. The sample size is system-defined and cannot be modified. The higher the numerical value, the more samples are used to ensure the accuracy of the detected event. |

d To save any modified settings, click Save.

Manage NSX Intelligence Alarm States

You can manage all NSX Intelligence alarm notifications from the Home > Alarms pane.

When there is at least one critical alarm in the Open state, a red exclamation mark appears next to the Alarms tab label.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 From the Home page, select Alarms.


3 List the NSX Intelligence alarms only.

a Click the filter text box on the right-side.

b Type intelligence and press Enter.

The following image shows the NSX Intelligence alarms in different states.

4 Navigate to the alarm that you want to manage and select the check box in the leftmost column.

5 For an alarm in the Open state, expand the alarm's row and use the information in the Recommended Action to try to resolve the issue that caused the alarm event.

Note: You can also manage NSX Intelligence alarms that are in the Open state using the NSX Intelligence appliance card on the Systems > Appliances pane. Click the Alarms link on the top-right corner of the NSX Intelligence Appliance card and select the check box for the open alarm you want to manage.

6 Click Action and select the action you want applied to the selected alarm.

An alarm can be moved to one of the following states depending on the actions allowed for the current alarm state.

| Action | Description |
|---|---|
| Open | The alarm is placed in an active, but unacknowledged state. |
| Acknowledge | The alarm is acknowledged, but it remains open. Its Last Reported Time value continues to be updated until you move the alarm to another state. |
| Suppress | When you suppress an alarm, you are prompted to specify how many hours you want the alarm suppressed. If the alarm condition remains the same after the specified suppress time has been reached, the alarm's state is returned to the Open state. If during the suppress period the alarm's condition is resolved, the system automatically changes the alarm's state to Resolved. |
| Resolve | You can manually resolve an alarm. Once an alarm is manually resolved, you can no longer change its state. If you resolve an alarm manually, but the problem persists, another similar alarm is opened. The system continuously monitors the system and can auto-resolve an alarm. |

The value in the Alarm State column is updated accordingly.

Searching for NSX Intelligence Entities

Beginning with NSX Intelligence 1.1, the global search capability in NSX Data Center has been enhanced to recognize NSX Intelligence keywords.

You can use the NSX Manager search interface to find entities that are related to NSX Intelligence. You must have an NSX Intelligence 1.1 appliance deployed on NSX-T Data Center 3.0 or later for the NSX Intelligence global search feature to be available for your use.

The search results are based on the current state of the NSX-T Data Center configuration and do not expose any historical data from NSX Intelligence.

Based on the search criteria, the search results can display information about entities related to NSX Intelligence, such as groups, virtual machines, flows, and recommendations. You can filter these results based on one or more related properties of the entities. Navigational links are included in the search results and enable you to view a selected result entity in the NSX Intelligence visualization canvas.

The supported NSX Intelligence resource types and their properties are listed in the following table.


Supported Resource Type: recommendations

Properties:

- context group path
- context vm display name
- context vm id
- display name
- effective vm display name
- effective vm id
- status
  - ANALYSIS_IN_PROGRESS
  - FAILED
  - PUBLISHED
  - READY_TO_PUBLISH
  - WAITING

Search query example:

recommendation where status = READY_TO_PUBLISH and context group display name = 'Linux'

Supported Resource Type: flows

Properties:

- active only
- destination group display name
- destination group id
- destination vm display name
- destination vm id
- source group display name
- source group id
- source vm display name
- source vm id
- flow type
  - ALLOWED
  - BLOCKED
  - UNPROTECTED

Search query example:

flows where source vm display name = 'Win10' and destination vm display name = 'AD Server'

Search for NSX Intelligence Entities

You can search for NSX Intelligence entities, such as groups, virtual machines, flows, and recommendations, using several supported criteria.

The results table displays the search results by their relevance. You can filter the results further by providing additional search criteria in your query.

Note: If you have special characters in your search query that also function as operators, then you must add a leading backslash, \, before each special character. The characters that function as operators are: +, -, =, &&, ||, <, >, !, (, ), {, }, [, ], ^, '', ~, ?, :, /, \.


Prerequisites

You must have an NSX Intelligence 1.1 or later appliance deployed on NSX-T Data Center 3.0 or later.

Procedure

1 From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.

2 On the Home page, enter the search criteria for an NSX Intelligence entity.

As you enter your search criteria, the global search feature assists you by showing applicable keywords.

The results are listed in a table, similar to the following image.

You can expand each row to view more details for each specific search result. You can also click provided links to display additional information about that specific attribute. When you click the graph icon and a link in the pop-up window, you can view more detailed information in the NSX Intelligence visualization canvas.

3 (Optional) To save your refined search criteria, click the save icon.

4 In the search bar, click the advanced search icon to display the Advanced section where you can enter additional criteria to refine your search query on the Advanced tab.

5 To view the list of your recent search query criteria, click Recent.

You can click the search criteria and the results are displayed in the results pane.

6 To view saved search criteria, click Saved.

7 (Optional) To reset your advanced search criteria, click Clear All.


5 Troubleshooting NSX Intelligence Usage Issues

If the NSX Intelligence appliance becomes unresponsive or you need more details about an error message you received while using the NSX Intelligence appliance, you can run specific commands to get the state of the NSX Intelligence services.

You can also collect support bundles to assist you and VMware support personnel in debugging issues you might have encountered.

This chapter includes the following topics:

- Check the Status of the NSX Intelligence Appliance
- Degraded Services Exist After a Successful Appliance Deployment
- Inconsistencies in Incremental Topology Reporting

Check the Status of the NSX Intelligence Appliance

If the NSX Intelligence appliance becomes unresponsive, check the status of the NSX Intelligence services.

Problem

The NSX Intelligence appliance has become unresponsive or you received an error message that indicates the appliance is not functioning as expected.

Cause

It is possible that one or more of the underlying NSX Intelligence services has stopped or is not in a healthy state.

Solution

1 Log in to the NSX Intelligence appliance CLI host using an account with an Enterprise Administrator role.

2 Check the status of the NSX Intelligence services using the get services command.

If all the NSX Intelligence services are functioning properly, you see an output similar to the following example.

my_nsx-intel> get services

Service name: druid


Service state: running

Coordinator health: good

Broker health: good

Historical health: good

Overlord health: good

MiddleManager health: good

Service name: http

Service state: running

Session timeout: 1800

Connection timeout: 30

Redirect host: (not configured)

Client API rate limit: 100 requests/sec

Client API concurrency limit: 40

Global API concurrency limit: 199

Service name: kafka

Service state: running

Service health: good

Service name: liagent

Service state: stopped

Service name: mgmt-plane-bus

Service state: stopped

Service name: node-mgmt

Service state: running

Service name: nsx-config

Service state: running

Service name: nsx-message-bus

Service state: stopped

Service name: nsx-upgrade-agent

Service state: running

Service name: ntp

Service state: running

Start on boot: True

Service name: pace-server

Service state: running

Service name: postgres

Service state: running

Service health: good

Service name: processing

Service state: running

Service name: snmp

Service state: stopped

Start on boot: False


Service name: spark

Service state: running

Service health: good

Service name: spark-job-scheduler

Service state: running

Service name: ssh

Service state: running

Start on boot: True

Service name: syslog

Service state: running

Service name: ui-service

Service state: running

Service name: zookeeper

Service state: running

Service health: good

my_nsx-intel>

A service state can either be running or stopped. A service health can be good or degraded.

3 You can also view the syslog file and search for the output of the pace-monitor.sh health-check script that logs the health of the NSX Intelligence services to the syslog file.

If all the services are functioning as expected, you see an output similar to the following sample output after running the get log-file syslog | find pace-monitor command.

my_nsx-intel> get log-file syslog | find pace-monitor

<13>1 2019-08-30T03:19:20.409899+00:00 my_nsx-intel pace-monitor.sh - - - "_self": {

<13>1 2019-08-30T03:19:20.410253+00:00 my_nsx-intel pace-monitor.sh - - - "href": "/node/

pace/appliance-health",

<13>1 2019-08-30T03:19:20.410623+00:00 my_nsx-intel pace-monitor.sh - - - "rel": "self"

<13>1 2019-08-30T03:19:20.410908+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.411162+00:00 my_nsx-intel pace-monitor.sh - - - "appliance-health": {

<13>1 2019-08-30T03:19:20.411416+00:00 my_nsx-intel pace-monitor.sh - - - "status":

"Following NSX Intelligence first boot services are either PENDING or FAILED - Token-

Registration",

<13>1 2019-08-30T03:19:20.411668+00:00 my_nsx-intel pace-monitor.sh - - - "sub-system-

status": {

<13>1 2019-08-30T03:19:20.411923+00:00 my_nsx-intel pace-monitor.sh - - - "app-services": {

<13>1 2019-08-30T03:19:20.412280+00:00 my_nsx-intel pace-monitor.sh - - - "services": [],

<13>1 2019-08-30T03:19:20.412528+00:00 my_nsx-intel pace-monitor.sh - - - "status": ""

<13>1 2019-08-30T03:19:20.412807+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.413075+00:00 my_nsx-intel pace-monitor.sh - - - "base-infra-

services": {

<13>1 2019-08-30T03:19:20.413303+00:00 my_nsx-intel pace-monitor.sh - - - "services": [

<13>1 2019-08-30T03:19:20.413613+00:00 my_nsx-intel pace-monitor.sh - - - {

<13>1 2019-08-30T03:19:20.413848+00:00 my_nsx-intel pace-monitor.sh - - - "druid-health": {

<13>1 2019-08-30T03:19:20.414146+00:00 my_nsx-intel pace-monitor.sh - - - "broker": "good",

<13>1 2019-08-30T03:19:20.414473+00:00 my_nsx-intel pace-monitor.sh - - - "coordinator": "good",

<13>1 2019-08-30T03:19:20.414717+00:00 my_nsx-intel pace-monitor.sh - - - "historical": "good",

<13>1 2019-08-30T03:19:20.414979+00:00 my_nsx-intel pace-monitor.sh - - - "middlemanager": "good",

<13>1 2019-08-30T03:19:20.415295+00:00 my_nsx-intel pace-monitor.sh - - - "overlord": "good"

<13>1 2019-08-30T03:19:20.415533+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.415762+00:00 my_nsx-intel pace-monitor.sh - - - "service-name": "druid"

<13>1 2019-08-30T03:19:20.415982+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.416269+00:00 my_nsx-intel pace-monitor.sh - - - {

<13>1 2019-08-30T03:19:20.416539+00:00 my_nsx-intel pace-monitor.sh - - - "health": "good",

<13>1 2019-08-30T03:19:20.416772+00:00 my_nsx-intel pace-monitor.sh - - - "service-name": "kafka"

<13>1 2019-08-30T03:19:20.416991+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.417204+00:00 my_nsx-intel pace-monitor.sh - - - {

<13>1 2019-08-30T03:19:20.417510+00:00 my_nsx-intel pace-monitor.sh - - - "health": "good",

<13>1 2019-08-30T03:19:20.417745+00:00 my_nsx-intel pace-monitor.sh - - - "service-name": "postgres"

<13>1 2019-08-30T03:19:20.418133+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.418389+00:00 my_nsx-intel pace-monitor.sh - - - {

<13>1 2019-08-30T03:19:20.418626+00:00 my_nsx-intel pace-monitor.sh - - - "health": "good",

<13>1 2019-08-30T03:19:20.418855+00:00 my_nsx-intel pace-monitor.sh - - - "service-name": "spark"

<13>1 2019-08-30T03:19:20.419157+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.419435+00:00 my_nsx-intel pace-monitor.sh - - - {

<13>1 2019-08-30T03:19:20.419684+00:00 my_nsx-intel pace-monitor.sh - - - "health": "good",

<13>1 2019-08-30T03:19:20.419928+00:00 my_nsx-intel pace-monitor.sh - - - "service-name": "zookeeper"

<13>1 2019-08-30T03:19:20.420165+00:00 my_nsx-intel pace-monitor.sh - - - }

<13>1 2019-08-30T03:19:20.420496+00:00 my_nsx-intel pace-monitor.sh - - - ],

<13>1 2019-08-30T03:19:20.420786+00:00 my_nsx-intel pace-monitor.sh - - - "status": ""

<13>1 2019-08-30T03:19:20.421022+00:00 my_nsx-intel pace-monitor.sh - - - },

<13>1 2019-08-30T03:19:20.421255+00:00 my_nsx-intel pace-monitor.sh - - - "first-boot-services": {

<13>1 2019-08-30T03:19:20.421539+00:00 my_nsx-intel pace-monitor.sh - - - "services": [

<13>1 2019-08-30T03:19:20.421777+00:00 my_nsx-intel pace-monitor.sh - - - {

<13>1 2019-08-30T03:19:20.422010+00:00 my_nsx-intel pace-monitor.sh - - - "health": "degraded",

<13>1 2019-08-30T03:19:20.422277+00:00 my_nsx-intel pace-monitor.sh - - - "service-name": "token-registration"

<13>1 2019-08-30T03:19:20.422512+00:00 my_nsx-intel pace-monitor.sh - - - }

<13>1 2019-08-30T03:19:20.422770+00:00 my_nsx-intel pace-monitor.sh - - - ],

<13>1 2019-08-30T03:19:20.423012+00:00 my_nsx-intel pace-monitor.sh - - - "status": "Following NSX Intelligence first boot, services are either PENDING or FAILED - Token-Registration"

<13>1 2019-08-30T03:19:20.423354+00:00 my_nsx-intel pace-monitor.sh - - - }

<13>1 2019-08-30T03:19:20.423601+00:00 my_nsx-intel pace-monitor.sh - - - }

<13>1 2019-08-30T03:19:20.423882+00:00 my_nsx-intel pace-monitor.sh - - - }

<13>1 2019-08-30T03:19:20.424339+00:00 my_nsx-intel pace-monitor.sh - - - }

<13>1 2019-08-30T03:19:20.972629+00:00 my_nsx-intel pace-monitor.sh - - - NSX Intelligence health OK.

<30>1 2019-08-30T03:19:20.973076+00:00 my_nsx-intel pace-monitor 20804 - - <13>Aug 30 03:19:19 pace-monitor.sh: NSX Intelligence health OK.

<182>1 2019-08-30T03:23:23.857Z my_nsx-intel NSX 21752 - [nsx@6876 comp="nsx-cli" subcomp="node-mgmt" username="admin" level="INFO"] CMD: get log-file syslog | find pace-monitor

If there is a problem with one of the services, you might see the following line when you run get log-file syslog | grep pace-monitor.

NSX Intelligence health DEGRADED. Return code not HTTP OK.

4 If you encounter one of the following outputs, restart the service using the restart service service-name command.

• After running the get services command, one of the services shows Service state: stopped or Service health: degraded.

• After running the get log-file syslog | grep pace-monitor command, the output shows something similar to the PACE health DEGRADED. Return code not HTTP OK. message.

For example, if the postgres service's state shows it is stopped, or if its state is running, but it has a degraded service health, run the following command.

restart service postgres

Important You must use the restart service service-name command to restart NSX Intelligence services. If you decide to use the stop service service-name and start service service-name commands instead, you have to also manually restart each of the services that depend on service-name. The following list shows the dependency order in which the NSX Intelligence services have to be restarted.

zookeeper > druid > kafka > spark > spark-job-scheduler > nsx-config > processing > pace-server

For example, if the nsx-config service is stopped and then started using the stop|start service service-name command, you must also use the restart service service-name command to restart the processing and pace-server services.

When a service restarts, other services that depend on it might briefly go into a degraded state. If no errors occur, those degraded services return to a stable state.
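
An added example, not part of the VMware guide or the appliance's own tooling: it rebuilds the JSON health report from pace-monitor.sh syslog lines, lists the services that are not "good" in the documented restart order, and derives the follow-up restarts the Important note requires after a manual stop/start. The report shape is inferred from the excerpt above; the sample lines and all function names are constructed for illustration.

```python
import json
import re

# Restart order quoted from the guide: each service depends on those to its left.
CHAIN = ["zookeeper", "druid", "kafka", "spark", "spark-job-scheduler",
         "nsx-config", "processing", "pace-server"]
# RFC 5424 layout used in the excerpt: <PRI>1 TIME HOST APP PROCID MSGID SD MSG
HEADER = re.compile(r"^<\d+>1 \S+ \S+ (?P<app>\S+) \S+ \S+ \S+ ?(?P<msg>.*)$")

P = "<13>1 2019-08-30T03:19:20.4+00:00 my_nsx-intel pace-monitor.sh - - - "
SAMPLE = [  # constructed lines, not captured appliance output
    P + '{ "services": [',
    P + '{ "health": "degraded", "service-name": "postgres" },',
    P + '{ "druid-health": { "broker": "good", "historical": "degraded" },',
    P + '"service-name": "druid" },',
    P + '{ "health": "good", "service-name": "kafka" }',
    P + '] }',
    P + "NSX Intelligence health DEGRADED. Return code not HTTP OK.",
]

def unhealthy(node):
    """Yield (service-name, state) for each service entry that is not 'good'."""
    if isinstance(node, dict):
        if "service-name" in node:
            states = [node.get("health", "good")]
            for key, value in node.items():  # e.g. "druid-health": {...}
                if key.endswith("-health") and isinstance(value, dict):
                    states += value.values()
            bad = [s for s in states if s != "good"]
            if bad:
                yield node["service-name"], bad[0]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from unhealthy(child)

def degraded_services(lines):
    """Rebuild the JSON report from pace-monitor.sh lines; list unhealthy services."""
    hits = (HEADER.match(line) for line in lines)
    text = "\n".join(m["msg"] for m in hits if m and m["app"] == "pace-monitor.sh")
    if "{" not in text:  # only the one-line summary was logged
        return []
    report, _ = json.JSONDecoder().raw_decode(text, text.index("{"))
    found = dict(unhealthy(report))
    # Services in the chain come first, in restart order; others keep log order.
    return sorted(found, key=lambda s: CHAIN.index(s) if s in CHAIN else len(CHAIN))

def manual_followups(service):
    """Commands needed after a manual stop/start of `service` (the Important note)."""
    downstream = CHAIN[CHAIN.index(service) + 1:] if service in CHAIN else []
    return [f"restart service {name}" for name in downstream]
```
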

Degraded Services Exist After a Successful Appliance Deployment

The NSX Intelligence appliance deployed successfully, but some of its services are in a degraded state.

Problem

The NSX Intelligence appliance deployed successfully, but the appliance's health is reported as Degraded. This Degraded health status is reported either immediately after the NSX Intelligence appliance is deployed or at a later stage in the appliance's lifecycle.

Cause

The cause can be any of the following reasons.

1 Service startup on NSX Intelligence depends on the receipt of specific configuration information from the NSX Manager Unified Appliance. During the initial NSX Intelligence startup, this configuration might take some time to finish and the NSX Intelligence appliance is expected to remain in the Degraded state for approximately 15 minutes.

2 If this problem is observed at a different time in the NSX Intelligence appliance's lifecycle, the problem might be due to resource contention on the NSX Intelligence appliance.

3 The NSX Intelligence appliance's certificate is incompatible with the certificate on the NSX Manager Unified Appliance.

Solution

The following possible solutions correspond, by number, to the causes listed in the preceding Cause section.

1 After the initial NSX Intelligence appliance deployment, you must wait for the initial configuration synchronization to finish. Wait for approximately 30 minutes after the system is powered on for the appliance to reach the Stable state. Refresh your web browser after the NSX Intelligence appliance is no longer in the Degraded state.

2 If the problem is due to resource contention, allow about 30 minutes for the NSX Intelligence appliance's self-heal process to start.

3 Ensure that the certificates used for the NSX Manager Unified Appliance node or cluster are compatible with the certificate types listed in the "Preparing for NSX Intelligence Installation" topic in the Installing and Upgrading VMware NSX Intelligence document.

In the unlikely event that none of the above solutions work, contact your VMware representative for assistance.

Inconsistencies in Incremental Topology Reporting

There might be inconsistencies in the number of VMs or groups that are shown in the Groups or VMs view if you leave the visualization UI page for a long time.

Problem

If you open the Groups view or VMs view, and you leave the visualization UI page open for a long time, new events are incrementally reported and merged into the view. There might be some inconsistencies in terms of the Group counts during the incremental reporting and merging. For example, if there are some configuration changes, such as changes in group VM membership that were triggered during the incremental reporting time, then you might observe the following inconsistencies in the visualizations being displayed.

1 An Uncategorized group node shows an incorrect VM count.

• The VM count displayed for an Uncategorized group is different from and is usually larger than the VM count shown when a new Groups view is displayed.

• The VM count displayed for an Uncategorized group is different from and is usually larger than the VM count returned when you right-click a group's node and select VM.

2 An Uncategorized group in a deep-dive Groups view shows an inconsistent number of VMs.

• The Uncategorized group shown in a deep-dive Groups view might show more VMs than what is shown in a newly opened deep-dive Groups view.

• The Uncategorized group in a deep-dive Groups view might show more VMs than what is listed when you right-click the Uncategorized group's node and select VM.

• A VM might get a live update in the Uncategorized group, even after it might have already been added to another group.

3 An unnamed VM might be shown on the Groups and VMs views.

• This problem is commonly seen on VM members that belong to the Unknown or Uncategorized group. There is also a small possibility that it appears in a normal group.

Cause

The real-time data reporting currently has some known inconsistencies that occur during incremental reporting.

Solution

To clear up any inconsistencies, reload the entire visualization canvas by refreshing your web browser.
