Monitor security policies with Activity Monitoring and ensure they are being enforced correctly
Before you can run any Activity Monitoring report, data collection must be enabled on the virtual machine(s) you want to monitor. A further prerequisite is that vShield Endpoint must be installed, or a domain must be registered with NSX Manager. You can enable data collection on a single VM or on multiple VMs, but the process differs between the two. Once that is complete, wait at least 5 minutes before running the report, otherwise there may not be any data.
Enable Data Collection on Virtual Machine(s)
Step 1. To enable data collection on a single virtual machine, navigate to the VM -> Manage -> Settings -> NSX Activity Monitor, then click Edit to enable it.
Alternatively, to enable data collection on multiple virtual machines, navigate to Networking & Security -> Service Composer -> Security Groups tab, then click the Add new Security Group button.
Step 2. Define a Name and Description, then click Next.
Step 3. Specify the membership criteria. This is where you get to be really creative: members can be specified by Computer OS Name, Computer Name, VM Name, Security Tag, or Entity. I wanted both of my Web Servers included, so I used VM Name contains “Web”. You can add multiple membership criteria, or just use one.
Step 4. Specify any additional Objects to include. Objects can be a wide variety of things, so I won’t list them all, but they include Security Tag, Resource Pool, vNIC, Logical Switch, Cluster, and much more. Click Next.
Step 5. Select the Objects to exclude, then click Next.
Step 6. Click Finish.
Step 7. Finally, depending on your criteria, you can confirm how many Security Policies, Guest Introspection Services, Firewall Rules, Network Introspection Services, and Virtual Machines are part of the Security Group. In my instance, two Virtual Machines matched my criteria.
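As an added illustration (not part of the original post or of VMware's code), the following Python models how the three membership inputs from Steps 3 to 5 combine into the effective group shown in Step 7: dynamic criteria, statically included objects, and excluded objects. The inventory, attribute names and the rule that exclusions are applied last are constructed assumptions of this model, useful for predicting membership before relying on a policy attached to the group.

```python
from dataclasses import dataclass, field

# Constructed model of the attributes Service Composer can match on in Step 3.
@dataclass
class VM:
    name: str            # VM Name (vCenter inventory name)
    os_name: str         # Computer OS Name (guest OS reported by VMware Tools)
    computer_name: str   # Computer Name (guest hostname)
    tags: set = field(default_factory=set)  # NSX Security Tags

# Constructed inventory standing in for a small lab vCenter.
INVENTORY = [
    VM("Web01", "Ubuntu Linux (64-bit)", "web01.lab.local", {"Tier=Web"}),
    VM("Web02", "Ubuntu Linux (64-bit)", "web02.lab.local", {"Tier=Web"}),
    VM("WebTest", "Ubuntu Linux (64-bit)", "webtest.lab.local", set()),
    VM("DB01", "Windows Server 2012 (64-bit)", "db01.lab.local", {"Tier=DB"}),
]

# Each attribute may yield several values (a VM can carry many Security Tags).
ATTRIBUTES = {
    "VM Name": lambda vm: [vm.name],
    "Computer OS Name": lambda vm: [vm.os_name],
    "Computer Name": lambda vm: [vm.computer_name],
    "Security Tag": lambda vm: sorted(vm.tags),
}

def matches(vm, attribute, operator, value):
    """True if any value of the given attribute satisfies the operator.
    Exact, case-sensitive comparison is an assumption of this model."""
    for candidate in ATTRIBUTES[attribute](vm):
        if operator == "contains" and value in candidate:
            return True
        if operator == "equals" and value == candidate:
            return True
    return False

def effective_members(inventory, criteria, match_all=True, include=(), exclude=()):
    """Resolve membership as (dynamic matches | static includes) - excludes.
    criteria: list of (attribute, operator, value) tuples from Step 3;
    match_all: whether a VM must satisfy all criteria or any one of them."""
    combine = all if match_all else any
    # Guard against empty criteria: all() of nothing is True and would match every VM.
    dynamic = {vm.name for vm in inventory
               if criteria and combine(matches(vm, *c) for c in criteria)}
    # Step 4 objects are added regardless of criteria; Step 5 objects are removed
    # last, so an excluded VM never lands in the group even if also included.
    return sorted((dynamic | set(include)) - set(exclude))
```

Running the author's criterion, VM Name contains "Web", against this inventory also pulls in WebTest; the exclusion list is how that third machine is kept out without loosening the criterion.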
View Activity Monitor Reports
Step 8. Log into the vSphere Web Client and navigate to Networking & Security -> Activity Monitoring.
From here there are several different types of Activity Monitoring reports you can run:
VM Activity: Traffic to or from specific virtual machines in your environment.
Inbound Activity: All inbound traffic to a virtual machine, where the source can be a server pool, security group, or even an AD group.
Outbound Activity: View which applications are run by a server pool or security group, and which client applications are making these outbound connections. You can also find all groups and users who are accessing a specific application.
Inter Container Interaction: Traffic between two containers you have defined. These containers can include server pools, security groups, or even AD groups.
Outbound AD Group Activity: Traffic between members of AD groups.
For more information, see the VMware documentation on Activity Monitoring.