Monitor security policies with Activity Monitoring and ensure they are being enforced correctly

 
Before you can run any Activity Monitoring report, you must first enable data collection on the virtual machine(s). As a prerequisite, vShield Endpoint must be installed, or a domain must be registered with NSX Manager. You can enable data collection on a single VM or on multiple VMs, but the process differs between the two. Once that is complete, wait at least 5 minutes before running a report, or there may not be any data.
 

Enable Data Collection on Virtual Machine(s)

 
Step 1. To enable data collection on a single virtual machine, navigate to the VM -> Manage -> Settings -> NSX Activity Monitor, then click Edit to enable it.
 
 
Alternatively, to enable data collection on multiple virtual machines, navigate to Networking & Security -> Service Composer -> Security Groups tab, then click the Add new Security Group button.
 
 
Step 2. Define a Name and Description, then click Next.
 
 
Step 3. Specify membership criteria. This is where you get to be really creative: you can specify members by Computer OS Name, Computer Name, VM Name, Security Tag, or Entity. I wanted both of my web servers included, so I used VM Name contains “Web”. You can add multiple membership criteria, or just use one.
 
 
Step 4. Specify any additional objects to include. Objects can be a wide variety of things, so I won’t list them all, but they can include Security Tag, Resource Pool, vNIC, Logical Switch, Cluster, and much more. Click Next.
 
 
Step 5. Select the objects to exclude, then click Next.
 
 
Step 6. Click Finish.
 
 
Step 7. Finally, depending on your criteria, you can confirm how many Security Policies, Guest Introspection Services, Firewall Rules, Network Introspection Services, and Virtual Machines are part of the Security Group. In my instance, two virtual machines matched my criteria.
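
The membership resolution from Steps 3 to 5, modelled in Python as an added example (not code from the original post or from NSX): it computes which VMs end up in the group and flags VMs that would be monitored unintentionally or missed. The operator names, inventory keys, and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Operator names are assumptions for this model; NSX's case handling is not modelled.
OPERATORS = {
    "contains": lambda value, needle: needle in value,
    "starts_with": lambda value, needle: value.startswith(needle),
    "ends_with": lambda value, needle: value.endswith(needle),
    "equals": lambda value, needle: value == needle,
}

@dataclass(frozen=True)
class Criterion:
    attribute: str  # hypothetical inventory key, e.g. "vm_name" or "security_tag"
    operator: str
    value: str

    def matches(self, vm):
        raw = vm.get(self.attribute, "")
        values = raw if isinstance(raw, (list, tuple, set)) else [raw]
        return any(OPERATORS[self.operator](str(v), self.value) for v in values)

@dataclass
class SecurityGroup:
    criteria: list = field(default_factory=list)  # Step 3: membership criteria
    match_all: bool = False                       # False = any one criterion is enough
    include: set = field(default_factory=set)     # Step 4: objects to include
    exclude: set = field(default_factory=set)     # Step 5: objects to exclude

    def members(self, inventory):
        combine = all if self.match_all else any
        dynamic = {vm["vm_name"] for vm in inventory
                   if self.criteria and combine(c.matches(vm) for c in self.criteria)}
        known = {vm["vm_name"] for vm in inventory}
        # Exclusions are applied last, so they override both criteria and inclusions.
        return ((dynamic | self.include) & known) - self.exclude

def coverage_gaps(group, inventory, intended):
    """Compare effective membership with the VMs that are meant to be monitored."""
    effective = group.members(inventory)
    return {"missing": set(intended) - effective,
            "unexpected": effective - set(intended)}

# Constructed inventory export (sample data, not from a real environment).
INVENTORY = [
    {"vm_name": "Web-01", "security_tag": ["prod"]},
    {"vm_name": "Web-02", "security_tag": ["prod"]},
    {"vm_name": "Web-Template", "security_tag": []},
    {"vm_name": "App-01", "security_tag": ["prod"]},
]
INTENDED = {"Web-01", "Web-02"}
```

With this sample, a lone `contains "Web"` criterion also pulls in `Web-Template`; adding it to the exclude set or requiring a second criterion with `match_all=True` brings the group back to the two intended VMs.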
 
 

View Activity Monitor Reports

 
Step 8. Log in to the vSphere Web Client and navigate to Networking & Security -> Activity Monitoring.
 
 
From here, you can perform several different types of Activity Monitoring:
 
VM Activity: Traffic to or from specific virtual machines in your environment
 
Inbound Activity: All inbound traffic to a virtual machine where the source can be a server pool, security group, or even an AD group
 
Outbound: View what applications are run by a server pool, or security group and what client applications are making these outbound connections. You can also find all groups and users who are accessing a specific application.
 
Inter Container Interaction: Traffic between two containers you have defined. These containers can include server pools, security groups, or even AD groups.
 
Outbound AD Group Activity: Traffic between members of AD groups
 
For more information, please see VMware Documentation on Activity Monitoring.
 

7 Comments

  1. mokhtar -  June 6, 2015 - 4:33 pm 146

    Dear Sean,
    Please advise, as per VMware documentation: Activity Monitoring security group already defined, so no need to add new security group?

    BR
    Mokhtar

    • Sean Whitney -  June 8, 2015 - 9:35 am 150

      Hi Mokhtar,

      Yes, Activity Monitoring already has a default security group.

      Thanks,
      Sean

  2. mokhtar -  June 26, 2015 - 8:51 am 187

    Dear Sean

    I think for source VM and destination VM you must enable data collection in both?

    • Sean Whitney -  June 28, 2015 - 8:01 am 188

      You don’t have to, depending on what you are trying to do. What are you trying to accomplish, data security between two VMs? Then yes.

  3. Rajeev -  March 1, 2016 - 8:16 pm 430

    Hi Sean

    In my environment I don’t have vShield Endpoint.
    So in this case, if I need to use Activity Monitoring, is it sufficient if I integrate my NSX Manager with my Active Directory?
    At present my NSX Manager is not integrated with the domain (Active Directory) and I am not able to enable data collection on any of my VMs.

  4. Rajeev -  March 2, 2016 - 6:48 pm 434

    Hi Sean

    Further to the above question, will Guest Introspection work only for guest VMs with Windows?
    Will it not work for guest VMs with Linux? I am using NSX version 6.1.4.

  5. Rajeev -  March 3, 2016 - 1:21 am 435

    Hi Sean

    One more question. Can Activity Monitoring be enabled continuously, or can it be enabled only on a need basis?
    Is it for continuous monitoring, or can it be used only whenever we require the monitoring data?
