Flow count discrepancy in Security Intelligence's Security Explorer - SSP 5.0



Article ID: 389854


Updated On:

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

There are several guardrails limiting the number of flows and entities displayed in Security Intelligence's Security Explorer canvas. When these guardrails are hit, users may see a discrepancy in the counts of allowed, blocked, and unprotected flows between the landing page and the filtered view, or between the canvas and the flow details dialog.

Security Intelligence's Security Explorer is located at Monitor & Plan → Visibility & Planning → Security Explorer.

Environment

Security Services Platform (SSP) 5.0

Cause

  • When the "groups" option is selected in the drop-down, the canvas shown is the "group view".
  • When the "computes" option is selected in the drop-down, the canvas shown is the "compute view".
  • When right-clicking on a compute or group entity and selecting "Flow Details", the dialog shown is the "flow details".

By default, the following guardrails are in effect:

  1. Max number of unique flows displayed on compute view: 1,000,000
  2. Max number of unique group flows displayed on group view: 2,000,000
  3. Max number of connections displayed on compute view or group view: 500,000
  4. Max number of entities (computes or IPs) involved in flows: 100,000
  5. Max number of source and destination groups shown per unprotected flow on group view without filters applied: 3
  6. Max number of source and destination groups shown per flow on group view when filters are applied: 25

     A group flow is the result of pairing the source and destination groups of a unique flow. For example, a flow whose source belongs to groups [g1, g2] and whose destination belongs to groups [g3, g4] is shown as 4 group flows: [ g1 → g3, g1 → g4, g2 → g3, g2 → g4 ].

     A connection represents a line on the graph, which is an aggregation of all flows between two entities, for example a line between two computes or a line between two groups.

Discrepancy between the canvas's landing page and flow details, or between the canvas's landing page and when filters are applied


     To verify if guardrail 1, 2, or 3 is hit


Find the visualization pod with the following command. The target pod's name has the pattern "visualization-<###>". There may be another pod with the prefix "visualization-create-kafka-topic-job-", but it is not related.

k -n nsxi-platform get pods -l app.kubernetes.io/component=visualization

Check the logs of the visualization pod with the following commands. If the group flow count, compute flow count, or connection count exceeds the limits mentioned above, only partial data is shown on the canvas.

     # For checking group flow count

k -n nsxi-platform logs <visualization-pod-name> | grep -i "Total Group flow Records"

     # For checking compute flow count

k -n nsxi-platform logs <visualization-pod-name> | grep -i "Total Compute Flow records"

     # For checking whether the unordered connection limit is exceeded

k -n nsxi-platform logs <visualization-pod-name> | grep -i "Topology partial result"

     Example output:

k -n nsxi-platform logs visualization-688dd748f7-zs8ff | grep -i "Total Group flow Records"
2025-02-25T05:33:52,787 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-7] c.v.n.p.v.VisualizationServiceImplV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Total Group flow Records: 2103261, requestLimit: 10000
 
k -n nsxi-platform logs visualization-688dd748f7-zs8ff | grep -i "Total Compute Flow records"
2025-02-25T05:40:34,123 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-9] c.v.n.p.v.VisualizationServiceImplV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Total Compute Flow records: 2196, NodeLimit: 10000
 
k -n nsxi-platform logs visualization-688dd748f7-zs8ff | grep -i "Topology partial result"
2025-02-25T05:34:03,103 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-7] c.v.n.p.v.GraphTopologyConverterV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Topology partial result true, exceed unordered connections limit 500000 true, exceed flow limit true
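As an added example that is not part of this article, the following POSIX shell script applies the same three log checks to saved pod output and compares the reported counts with the default guardrails, so the result can be read off as HIT or OK instead of eyeballing the numbers. The embedded log content is constructed from the lines above; in a live system the input would be the output of `k -n nsxi-platform logs <visualization-pod-name>`. All variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own tooling): evaluate visualization-pod
# log lines against the default Security Explorer guardrails.

GROUP_FLOW_LIMIT=2000000     # guardrail 2: unique group flows on group view
COMPUTE_FLOW_LIMIT=1000000   # guardrail 1: unique flows on compute view
CONNECTION_LIMIT=500000      # guardrail 3: connections on either view

# Constructed sample log (shortened copies of the lines shown in the article).
SAMPLE_LOG='2025-02-25T05:33:52,787 INFO  [exec-7] c.v.n.p.v.VisualizationServiceImplV2: Total Group flow Records: 2103261, requestLimit: 10000
2025-02-25T05:40:34,123 INFO  [exec-9] c.v.n.p.v.VisualizationServiceImplV2: Total Compute Flow records: 2196, NodeLimit: 10000
2025-02-25T05:34:03,103 INFO  [exec-7] c.v.n.p.v.GraphTopologyConverterV2: Topology partial result true, exceed unordered connections limit 500000 true, exceed flow limit true'

# last_count LABEL  (log on stdin)
# Prints the integer that follows "LABEL:" on the most recent matching line
# (the pod logs one line per request, so the last one reflects the current
# canvas). Matching is case-insensitive; prints 0 when no line matches.
last_count() {
  awk -v label="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
      line = tolower($0)
      i = index(line, label ":")
      if (i) {
        rest = substr($0, i + length(label) + 1)
        sub(/^[^0-9]*/, "", rest)      # drop the space after the colon
        sub(/[^0-9].*$/, "", rest)     # keep digits up to the next comma
        n = rest
      }
    }
    END { print (n == "" ? 0 : n) + 0 }'
}

# guardrail_status COUNT LIMIT: prints HIT when COUNT exceeds LIMIT, else OK
guardrail_status() {
  if [ "$1" -gt "$2" ]; then echo HIT; else echo OK; fi
}

# partial_result  (log on stdin)
# Prints "true" when the last topology line reports a partial result, i.e.
# the connection limit (guardrail 3) or a flow limit was exceeded.
partial_result() {
  grep -i "Topology partial result" | tail -n 1 | grep -qi "partial result true" \
    && echo true || echo false
}

# report  (log on stdin): one status line per guardrail
report() {
  log=$(cat)
  g=$(printf '%s\n' "$log" | last_count "Total Group flow Records")
  c=$(printf '%s\n' "$log" | last_count "Total Compute Flow records")
  p=$(printf '%s\n' "$log" | partial_result)
  printf 'guardrail 2 (group flows):   %s / %s -> %s\n' "$g" "$GROUP_FLOW_LIMIT" "$(guardrail_status "$g" "$GROUP_FLOW_LIMIT")"
  printf 'guardrail 1 (compute flows): %s / %s -> %s\n' "$c" "$COMPUTE_FLOW_LIMIT" "$(guardrail_status "$c" "$COMPUTE_FLOW_LIMIT")"
  printf 'guardrail 3 (connections):   limit %s, partial result reported: %s\n' "$CONNECTION_LIMIT" "$p"
}

# Run against the constructed sample; replace the printf with the pod logs
# command to check a live system.
printf '%s\n' "$SAMPLE_LOG" | report
```

On the sample above the script reports guardrail 2 as HIT (2,103,261 group flows against a limit of 2,000,000), guardrail 1 as OK, and a partial topology result, which matches the situation the article describes for the landing page showing fewer flows than the filtered view.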

     To verify if guardrail 6 is hit


     Use the following commands to check the maximum number of groups in a flow and which entities belong to more than 25 groups.

     (1) Find maximum number of groups in a flow

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select max(MV_LENGTH(srcGroupIds)) as maxSrcGroups,max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz"}' 

     (2) Find sources with more than 25 groups

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select srcVmId, max(MV_LENGTH(srcGroupIds)) as maxSrcGroups from correlated_flow_viz group by srcVmId having maxSrcGroups>25"}'

     (3) Find destinations with more than 25 groups

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select dstVmId, max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz group by dstVmId having maxDstGroups>25"}'

     Example output:

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select max(MV_LENGTH(srcGroupIds)) as maxSrcGroups,max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz"}'
[{"maxSrcGroups":341,"maxDstGroups":341}]
 
k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select srcVmId, max(MV_LENGTH(srcGroupIds)) as maxSrcGroups from correlated_flow_viz group by srcVmId having maxSrcGroups>25"}'
[{"srcVmId":"004ec270-eed8-47e3-8323-fb7dbd2a2668","maxSrcGroups":168},{"srcVmId":"006169ee-95a5-4a3f-b2dc-f0dc50b24fd6","maxSrcGroups":174}]
 
k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select dstVmId, max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz group by dstVmId having maxDstGroups>25"}'
[{"dstVmId":"004ec270-eed8-47e3-8323-fb7dbd2a2668","maxDstGroups":168},{"dstVmId":"006169ee-95a5-4a3f-b2dc-f0dc50b24fd6","maxDstGroups":174},{"dstVmId":"0081cf0d-0e4a-41c0-ba58-4d397a9b9e67","maxDstGroups":157}]

 To verify if guardrail 5 is hit

  Right-click on a group and select "Filter By". Since this guardrail only affects the landing page, the unprotected flow count of a group when filters are applied will be higher than the unprotected flow count of the same group on the landing page.

 Discrepancy between the canvas when filters are applied and flow details

  Use the methods above to verify if guardrail 1, 2, 3, or 6 is hit.

Resolution

     It is not recommended to modify most of the guardrails.

     If guardrail 2 or 6 is hit, you can choose to optimize the group membership so that the same VM does not appear in too many groups.

     If guardrail 6 is hit, and the maximum number of groups in a flow exceeds 25 but is below 50, you may also open a case with Broadcom support to tune the system.

     If guardrail 3 or 4 is hit, it might be helpful to review and optimize the Private IP Ranges in SSP. It is recommended to set them as granular as possible.

Additional Information