Top Policy Violators for NSX Distributed Firewall (10120 / 20120)
Description
This Module utilizes Distributed Firewall data and provides a list of firewall policies violators. Top violators are reported by ESXi Host and by Destination Port over a time interval T. Only TCP/IP and UDP traffic is accounted for. The number of reported top violators (N) and the observation interval (T, sec) are configurable.
This information is provided per ESXi Host (NetFlow exporter).
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports. | e.g. 80, 443 |
| N – number of reported VMs | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all VMs are reported) |
| Enable (1) or disable (0) reporting by destination port | If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0) | default = 0 |
| Enable (1) or disable (0) reporting VM MoRef | If set to 1, enable reporting VM MoRef. If set to 0, src_vm_id and dest_vm_id fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM UUID | If set to 1, enable reporting VM UUID. If set to 0, src_vm_uuid and dest_vm_uuid fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vCenter UUID | If set to 1, enable reporting VM vCenter UUID. If set to 0, src_vm_vc_id and dest_vm_vc_id fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vNIC key | If set to 1, enable reporting VM vNIC key. If set to 0, src_vm_vnic_key and dest_vm_vnic_key fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting Distributed Switch port group name | If set to 1, enable reporting Distributed Switch port group name. If set to 0, src_pg_nameand dest_pg_name fields will be omitted | default = 0 |
| List of vCenter VMs | List of records {ESXi VM MAC address, VM IPv4 address, VM IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, VM instance UUID, vCenter UUID} | This watch list is populated by External Data Feeder for NFO Agent by connecting to one or several vCenters |
Inputs
IPFIX from NSX Distributed Firewall.
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20120” |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source VM IPv4 address | <IPv4_address> |
| src_ip6 | Source VM IPv6 address | <IPv6_address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_vm_name] | Source VM name | <string>, included when source IP is a known VM |
| [src_vm_id] | Source VM MoRef | <string>, included when source IP is a known VM and ‘reporting VM MoRef’ parameter is enabled |
| [src_vm_uuid] | Source VM UUID | <string>, included when source IP is a known VM and ‘reporting VM UUID’ parameter is enabled |
| [src_vm_vc_id] | Source VM vCenter UUID | <string>, included when source IP is a known VM and ‘reporting VM vCenter UUID’ parameter is enabled |
| [src_vm_vnic_key] | Source VM vNIC key | <number>, included when source IP is a known VM and ‘reporting VM vNIC key’ parameter is enabled |
| [src_pg_name] | Source VM Port Group name | <string>, included when source IP is a known VM and ‘reporting Distributed Switch port group name’ parameter is enabled |
| dest_ip | Destination VM IPv4 address | <IPv4_address> |
| dest_ip6 | Destination VM IPv6 address | <IPv6_address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_vm_name] | Destination VM name | <string>, included when destination IP is a known VM |
| [dest_vm_id] | Destination VM MoRef | <string>, included when destination IP is a known VM and ‘reporting VM moRef parameter is enabled |
| [dest_vm_uuid] | Destination VM UUID | <string>, included when destination IP is a known VM and ‘reporting VM UUID’ parameter is enabled |
| [dest_vm_vc_id] | Destination VM vCenter UUID | <string>, included when destination IP is a known VM and ‘reporting VM vCenter UUID’ parameter is enabled |
| [dest_vm_vnic_key] | Destination VM vNIC key | <number>, included when destination IP is a known VM and ‘reporting VM vNIC key’ parameter is enabled |
| [dest_pg_name] | Destination VM Port Group name | <string>, included when destination IP is a known VM and ‘reporting Distributed Switch port group name’ parameter is enabled |
| dest_port | Destination port number (e.g. 80 for http) | <number> |
| denied_count | Denied flows count | <number> |
| t_int | Observation time interval, msec | <number> |