
Security Analytics Virtual Appliance may not receive VLAN tagged traffic


Article ID: 168455


Updated On:


Security Analytics


The Security Analytics system can capture and index VLAN-tagged traffic.

When Security Analytics (SA) runs as a virtual appliance under ESX, the ESX virtual networking components discard VLAN-tagged traffic by default before it reaches the SA VM, so that traffic never appears in SA.


Within the configuration of an ESX vSwitch, the default behavior of a Virtual Machine Port Group is to discard incoming VLAN-tagged traffic before it gets to the VM. For more detail on Virtual Machine Port Groups, please see VMware's ESXi or vSphere documentation.



For each vSwitch being used to send Capture traffic to the SA VMs, click "Properties...":

ESX vSwitch overview

Select the Virtual Machine Port Group for the SA VM's capture interface(s), and select "Edit...":

ESX vSwitch properties page

Set the port group's VLAN ID field to either the single VLAN ID (a number between 1 and 4094) that the SA VM needs to capture, or "All (4095)" to pass all VLAN-tagged traffic to the SA VM. Click OK to save changes.

ESX Virtual Machine Port Group properties

The SA VM should now see the desired VLAN-tagged traffic on its Capture interface(s).
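One way to confirm the result is to tally the 802.1Q tags on frames taken from the capture interface. The following is an added example, not part of the original article or the product; the function names are hypothetical, and it assumes the frames are available as raw Ethernet bytes (the sample frames are constructed).

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag in QinQ)

def vlan_ids(frame):
    """Return the VLAN IDs of every tag on an Ethernet frame, outermost first.

    An empty list means the frame is untagged or too short to carry a tag.
    """
    vids = []
    offset = 12  # skip destination and source MAC addresses
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real EtherType
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return vids

def tally(frames):
    """Count frames per outermost VLAN ID; untagged frames are keyed as None."""
    counts = Counter()
    for frame in frames:
        vids = vlan_ids(frame)
        counts[vids[0] if vids else None] += 1
    return counts

def _frame(tags, ethertype=0x0800):
    """Build a constructed frame: MACs, optional (tpid, pcp, vid) tags, padding."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample frames (not taken from a real capture).
SAMPLE_FRAMES = [
    _frame([]),                                            # untagged
    _frame([(TPID_8021Q, 0, 100)]),                        # VLAN 100
    _frame([(TPID_8021Q, 5, 100)]),                        # VLAN 100, priority 5
    _frame([(TPID_8021Q, 0, 200)]),                        # VLAN 200
    _frame([(TPID_8021AD, 0, 300), (TPID_8021Q, 0, 10)]),  # QinQ: outer 300, inner 10
]

if __name__ == "__main__":
    for vid, n in tally(SAMPLE_FRAMES).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

If every frame is counted as untagged, or an expected VLAN ID is missing from the tally, recheck the VLAN ID setting on the port group that serves the capture interface.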