Security Intelligence Groups shows long list of UUID's

Article ID: 372111


Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

1. In the visualization page, some groups are shown as a long list of UUIDs.

2. User is able to see flows for some groups in the landing page, but unable to see flows when filtering on those groups.
3. (Possible) One or more of the redis-cluster pods is restarting frequently.


Log:
Run the following commands on the NSX Manager as root:

(1) Find maximum number of groups in a flow
napp-k exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select max(MV_LENGTH(srcGroupIds)) as maxSrcGroups,max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz"}'

(2) Find sources with more than 25 groups 
napp-k exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select srcVmId, max(MV_LENGTH(srcGroupIds)) as maxSrcGroups from correlated_flow_viz group by srcVmId having maxSrcGroups>25"}'

(3) Find destinations with more than 25 groups
napp-k exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select dstVmId, max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz group by dstVmId having maxDstGroups>25"}'

Ideally, the values for maxSrcGroups and maxDstGroups should not exceed 25.

Environment

NSX Intelligence 4.2

Cause

The system has limited support for flows where the source or destination belongs to a large number of groups. There is a soft limit of approximately 25 groups that can be related to either the source or the destination. If the number of groups exceeds this limit, the system will not be able to return the full list of groups.

Resolution

There's no fix at the moment.

Workaround:

Use the queries in the "Log" section to find maxSrcGroups and maxDstGroups.

If the values exceed 50, there's no support at the moment. The user can choose to optimize the group membership so that the same VM does not appear in more than 50 groups.

If the values exceed 25 but are below 50, you may use the following steps to tune the system:

1. Use the command 'napp-k edit cm visualization-app' to increase the value of the field groupIdsAggregatorMaxStringLength. Set the new maximum length based on the maximum number of groups in a flow. You may use the calculation 40*(maxNumberOfGroups).
Increasing to more than 2048 is discouraged.


2. Use the command 'napp-k rollout restart deployment visualization
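
The following Python example is added here and is not part of the original article or of VMware's tooling. It interprets the JSON returned by the three queries in the "Log" section and applies the article's thresholds (25 and 50) and its sizing calculation 40*(maxNumberOfGroups). The function names, sample rows and VM ids are constructed, and treating exactly 50 groups as tunable is an assumption, since the article only covers values below or exceeding 50.

```python
import json

SOFT_LIMIT = 25         # soft limit stated in the article
HARD_LIMIT = 50         # above this the article offers no tuning
LENGTH_PER_GROUP = 40   # article's calculation: 40 * maxNumberOfGroups
# 40 * 50 = 2000, so the tunable range stays under the 2048 the article
# discourages exceeding for groupIdsAggregatorMaxStringLength.

# Constructed sample broker output (Druid SQL returns an array of row objects).
SAMPLE_SUMMARY = '[{"maxSrcGroups": 31, "maxDstGroups": 12}]'
SAMPLE_PER_VM = ('[{"srcVmId": "vm-constructed-01", "maxSrcGroups": 31},'
                 ' {"srcVmId": "vm-constructed-02", "maxSrcGroups": 57}]')

def classify(count):
    """Map a group count to the article's three cases."""
    if count is None or count <= SOFT_LIMIT:
        return "ok"
    # Assumption: exactly 50 is treated as tunable.
    return "tune" if count <= HARD_LIMIT else "unsupported"

def assess(summary_json):
    """Interpret query (1): worst-case group count and the suggested field value."""
    rows = json.loads(summary_json)
    row = rows[0] if rows else {}   # an empty datasource returns no rows
    worst = max((row.get(k) or 0) for k in ("maxSrcGroups", "maxDstGroups"))
    status = classify(worst)
    length = LENGTH_PER_GROUP * worst if status == "tune" else None
    return {"maxGroups": worst, "status": status, "maxStringLength": length}

def triage(per_vm_json, id_key, count_key):
    """Interpret query (2) or (3): list VM ids under the case each falls into."""
    result = {"ok": [], "tune": [], "unsupported": []}
    for row in json.loads(per_vm_json):
        result[classify(row.get(count_key))].append(row.get(id_key))
    return result

if __name__ == "__main__":
    print(assess(SAMPLE_SUMMARY))
    print(triage(SAMPLE_PER_VM, "srcVmId", "maxSrcGroups"))
```

VMs listed under "unsupported" are the ones whose group membership needs to be reduced before the tuning in step 1 can help.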