SSP does not trigger data collection for existing powered on VMs.

Article ID: 390664

Products

VMware vDefend Firewall

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When SSP is freshly installed, it does not collect OS version information for VMs that are already powered on. Newly added VMs are polled correctly.

Environment

SSP 5.0

Cause

The trigger for Context Engine's collection and sending of VM data is a change in the data collection setting in the host config profile message. VM data is sent to Intelligence when the setting changes from "disabled" to "enabled". It looks like this setting does not register as changed the first time, i.e. on a new installation of SSP.

Resolution

1. In the PACE_HOST_CONFIG, disable data collection. ('enable_collection':false).

2. Then enable it again and wait for a while.

Note: The setting is "true" by default. Set it to "false" and then to "true" again. This API can be called from any REST client, such as Postman or curl.

API call: https://<NSX MANAGER ip>/policy/api/v1/infra/sites/default/intelligence/transport-node-profile

Method: PATCH

Data to disable data collection:

{
   "enable_data_collection": true,
   "enable_flow_data_collection": true,
   "enable_context_data_collection": false,
   "enable_deep_packet_inspection": true,
   "enable_external_ip_aggregation": false,
   "flow_data_collection_interval": 5,
   "max_active_flow_count": 25000,
   "max_inactive_flow_count": 50000,
   "max_active_flow_count_bm": 12500,
   "max_inactive_flow_count_bm": 25000,
   "context_data_collection_interval": 5,
   "context_process_names": [],
   "context_process_hashes": [],
   "context_user_sids": [],
   "context_user_uids": [],
   "flow_exclusion_filter": [],
   "resource_type": "IntelligenceTransportNodeProfile",
   "id": "eef11b14-fdbf-4be3-a129-fd7ca588f60f",
   "display_name": "eef11b14-fdbf-4be3-a129-fd7ca588f60f"
}

Wait for a minute after this PATCH call, then run the PATCH call again with the same URL and the following data to enable data collection.

Data to enable data collection:

{
   "enable_data_collection": true,
   "enable_flow_data_collection": true,
   "enable_context_data_collection": true,
   "enable_deep_packet_inspection": true,
   "enable_external_ip_aggregation": false,
   "flow_data_collection_interval": 5,
   "max_active_flow_count": 25000,
   "max_inactive_flow_count": 50000,
   "max_active_flow_count_bm": 12500,
   "max_inactive_flow_count_bm": 25000,
   "context_data_collection_interval": 5,
   "context_process_names": [],
   "context_process_hashes": [],
   "context_user_sids": [],
   "context_user_uids": [],
   "flow_exclusion_filter": [],
   "resource_type": "IntelligenceTransportNodeProfile",
   "id": "eef11b14-fdbf-4be3-a129-fd7ca588f60f",
   "display_name": "eef11b14-fdbf-4be3-a129-fd7ca588f60f"
}

Equivalent curl commands for these PATCH APIs:

Toggle off:

curl -X PATCH "https://<NSX MANAGER ip>/policy/api/v1/infra/sites/default/intelligence/transport-node-profile" \
     -H "Content-Type: application/json" \
     -u "admin:<Password>" \
     -d '{
           "enable_data_collection": true,
           "enable_flow_data_collection": true,
           "enable_context_data_collection": false,
           "enable_deep_packet_inspection": true,
           "enable_external_ip_aggregation": false,
           "flow_data_collection_interval": 5,
           "max_active_flow_count": 25000,
           "max_inactive_flow_count": 50000,
           "max_active_flow_count_bm": 12500,
           "max_inactive_flow_count_bm": 25000,
           "context_data_collection_interval": 5,
           "context_process_names": [],
           "context_process_hashes": [],
           "context_user_sids": [],
           "context_user_uids": [],
           "flow_exclusion_filter": [],
           "resource_type": "IntelligenceTransportNodeProfile",
           "id": "eef11b14-fdbf-4be3-a129-fd7ca588f60f",
           "display_name": "eef11b14-fdbf-4be3-a129-fd7ca588f60f"
         }'

Toggle on:

curl -X PATCH "https://<NSX MANAGER ip>/policy/api/v1/infra/sites/default/intelligence/transport-node-profile" \
     -H "Content-Type: application/json" \
     -u "admin:<Password>" \
     -d '{
           "enable_data_collection": true,
           "enable_flow_data_collection": true,
           "enable_context_data_collection": true,
           "enable_deep_packet_inspection": true,
           "enable_external_ip_aggregation": false,
           "flow_data_collection_interval": 5,
           "max_active_flow_count": 25000,
           "max_inactive_flow_count": 50000,
           "max_active_flow_count_bm": 12500,
           "max_inactive_flow_count_bm": 25000,
           "context_data_collection_interval": 5,
           "context_process_names": [],
           "context_process_hashes": [],
           "context_user_sids": [],
           "context_user_uids": [],
           "flow_exclusion_filter": [],
           "resource_type": "IntelligenceTransportNodeProfile",
           "id": "eef11b14-fdbf-4be3-a129-fd7ca588f60f",
           "display_name": "eef11b14-fdbf-4be3-a129-fd7ca588f60f"
         }'
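
The same off, wait, on sequence as a Python script. This is an added example, not VMware's own code: it checks that the body is an IntelligenceTransportNodeProfile, changes only enable_context_data_collection, stops if either call fails, and prompts for the password instead of placing it on the command line. The function names and the profile.json file name are assumptions of this example.

```python
import base64, getpass, json, time
import urllib.error, urllib.request

# Endpoint, flag and resource type as given in the article.
PATH = "/policy/api/v1/infra/sites/default/intelligence/transport-node-profile"
FLAG = "enable_context_data_collection"
RESOURCE_TYPE = "IntelligenceTransportNodeProfile"

def toggle_bodies(profile):
    """Return (off, on) PATCH bodies that differ from profile only in FLAG."""
    if profile.get("resource_type") != RESOURCE_TYPE or FLAG not in profile:
        raise ValueError("not an IntelligenceTransportNodeProfile body")
    return dict(profile, **{FLAG: False}), dict(profile, **{FLAG: True})

def retrigger(profile, send, wait_seconds=60, sleep=time.sleep):
    """Send the 'off' body, wait, then the 'on' body; return both statuses."""
    off, on = toggle_bodies(profile)
    first = send(off)
    if not 200 <= first < 300:
        raise RuntimeError(f"disable call failed: HTTP {first}")
    sleep(wait_seconds)  # the article says to wait a minute between calls
    second = send(on)
    if not 200 <= second < 300:
        # Collection is now off; the operator must re-enable it.
        raise RuntimeError(f"enable call failed: HTTP {second}")
    return first, second

def make_sender(manager, user, password):
    """Build send(body): PATCH the profile with basic auth, return the status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json",
               "Authorization": f"Basic {token}"}
    def send(body):
        req = urllib.request.Request(f"https://{manager}{PATH}", method="PATCH",
                                     data=json.dumps(body).encode(), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send

if __name__ == "__main__":
    # profile.json (hypothetical file name) holds the article's body with the
    # id and display_name of your own environment.
    with open("profile.json") as fh:
        profile = json.load(fh)
    sender = make_sender(input("NSX Manager: "), "admin",
                         getpass.getpass("admin password: "))
    print(retrigger(profile, sender))
```

TLS certificate verification is left at the Python default, so the NSX Manager certificate must be trusted by the machine running the script.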