Hello everyone!
I hope someone can help me out here.
We have deployed vRNI in our environment and I am (almost) in love with the tool.
It helped me a lot in network troubleshooting.
I have two questions about what is collected and shown by vRNI.
Are ICMP packets collected? If so, how do I see them?
And how about not well known ports?
I have a VM (on an overlay NSX-T network) where I successfully connect to an IP (outside of the SDDC) with ports 22, 443 and 80. If I do that, I can see all the flows from that VM to the IP. But if I try to connect with port 7999 (for example) I don't see a flow with that port. The connection on port 7999 will not be established (destination not listening or blocked by outside firewall), but I should still see the flow from the VM (as it is the source and as it is connected to vRNI), right?
The NSX-T manager cluster and vCenter of the VM are configured as datasources in vRNI with everything enabled.
I am a bit uncertain in what to expect and that is not so nice for troubleshooting. I hope someone can clarify this for me.
Thanks!
Hi there,
vRNI currently logs TCP and UDP flows only, so you won't see ICMP in there.
Well-known ports are named (HTTPS, SSH, etc.), and non-well-known ports are indeed logged, but might not be named. It'll show you the port number, just perhaps not a name for it.
Flow generation (on vCenter or physical switches) only happens when there's an established connection. Flows that get blocked don't have an established connection and won't show up in vRNI. However, if the flow gets blocked by NSX or the native Azure security policies, there's a special integration that will show those flows. You can see blocked flows in the security planner or by searching for: flows where firewall action = deny