Skip to main content
Version: Next

Top Traffic Destinations for NSX Distributed Firewall (10119 / 20119)

Description

This Module utilizes Distributed Firewall data and provides a list of most popular destinations measured by the traffic. Top destinations are reported by ESXi Host and by Destination Port over a time interval T. Only TCP/IP and UDP traffic is accounted for. The number of reported top destinations (N) and the observation interval (T, sec) are configurable.

This information is provided per ESXi Host (NetFlow exporter).

Parameters

Parameter NameDescriptionComments
Data Collection Interval, secModule logic execution intervalmin = 10 sec, max = 600 sec, default = 30 sec
Application protocol (l4_dst_port) listList of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports.e.g. 80, 443
N – number of reported VMsTop N (number of reported destinations)min = 0, max = 100000, default = 50 (0 indicates all VMs are reported)
Enable (1) or disable (0) reporting by destination portIf set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0)default = 0
Enable (1) or disable (0) reporting VM MoRefIf set to 1, enable reporting VM MoRef. If set to 0, dest_vm_id field will be omitteddefault = 0
Enable (1) or disable (0) reporting VM UUIDIf set to 1, enable reporting VM UUID. If set to 0, dest_vm_uuid field will be omitteddefault = 0
Enable (1) or disable (0) reporting VM vCenter UUIDIf set to 1, enable reporting VM vCenter UUID. If set to 0, dest_vm_vc_id field will be omitteddefault = 0
Enable (1) or disable (0) reporting VM vNIC keyIf set to 1, enable reporting VM vNIC key. If set to 0, dest_vm_vnic_key field will be omitteddefault = 0
Enable (1) or disable (0) reporting Distributed Switch port group nameIf set to 1, enable reporting Distributed Switch port group name. If set to 0, dest_pg_name field will be omitteddefault = 0
List of vCenter VMsList of records {ESXi VM MAC address, VM IPv4 address, VM IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, VM instance UUID, vCenter UUID}This watch list is populated by External Data Feeder for NFO Agent by connecting to one or several vCenters

Inputs

IPFIX from NSX Distributed Firewall.

Syslog/JSON Message Fields

KeyField DescriptionComments
nfc_idMessage type identifier“nfc_id=20119”
exp_ipNetFlow exporter IPv4 address<IPv4_address>
dest_ipDestination VM IPv4 address<IPv4_address>
dest_ip6Destination VM IPv6 address<IPv6_address>
[dest_host]Destination host name<string>, included when FQDN is on
[dest_vm_name]Destination VM name<string>, included when destination IP is a known VM
[dest_vm_id]Destination VM MoRef<string>, included when destination IP is a known VM and ‘reporting VM MoRef’ parameter is enabled
[dest_vm_uuid]Destination VM UUID<string>, included when destination IP is a known VM and ‘reporting VM UUID’ parameter is enabled
[dest_vm_vc_id]Destination VM vCenter UUID<string>, included when destination IP is a known VM and ‘reporting VM vCenter UUID’ parameter is enabled
[dest_vm_vnic_key]Destination VM vNIC key<number>, included when destination IP is a known VM and ‘reporting VM vNIC key’ parameter is enabled
[dest_pg_name]Destination VM Port Group name<string>, included when destination IP is a known VM and ‘reporting Distributed Switch port group name’ parameter is enabled
dest_portDestination port number (e.g. 80 for http)<number>
created_countCreated flows count<number>
denied_countDenied flows count<number>
bytesBytes total (Traffic)<number>
percent_of_totalPercent of Total (Traffic)<decimal>, e.g. 25.444% is 25.444
t_intObservation time interval, msec<number>