FAQ - NSX Application Platform(NAPP)



Article ID: 390932



Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

This article addresses frequently asked questions related to NAPP, including common troubleshooting scenarios, configuration tips, and feature behavior clarifications.

 

Environment

All versions of NAPP.

Resolution

NAPP

 

1. What is the minimum CPU clock speed required for deploying NAPP and running the security features?

There are no strict minimum requirements for CPU clock speed. However, a clock speed of 2.2 GHz is recommended for optimal performance and to avoid potential timeouts during processing.

2. What is the recommended approach for upgrading vCenter, TKG, NSX, and NAPP?

It is recommended to upgrade NAPP first, before upgrading the underlying infrastructure. For the underlying infrastructure, open proactive tickets with the respective provider for assistance:

  • If upstream (open) Kubernetes is used, contact your Kubernetes administrator.
  • If Tanzu Kubernetes is used, open a ticket with Tanzu Broadcom Support.

3. What type of load balancer is used when deploying NAPP?

NAPP uses HAProxy, which is deployed as a separate VM within vCenter alongside the NAPP deployment.

4. Are there any specific URLs that need to be whitelisted for NAPP deployment?

Yes, please refer to the following KB article for detailed information: KB Article 372569.

5. Where can we check the TKR and vCenter compatibility matrix?

Please use the VMware Product Interoperability Matrix.

 

6. When logging in via SSH directly to TKGS Guest Cluster worker or control plane nodes as vmware-system-user, we receive an error stating that the password for vmware-system-user has expired. How can we fix this account expiry?

Please contact Broadcom Support for Assistance

 

7. What are the test commands to check connectivity for Helm pull?

Run the helm pull for the chart that matches your NAPP version. A successful pull confirms that projects.registry.vmware.com is reachable from the host and that the chart version exists.

NAPP 4.1.2.1:

helm pull oci://projects.registry.vmware.com/nsx_application_platform/helm-charts/cert-manager --version 4.1.2-1.0-23778081

NAPP 4.1.2:

helm pull oci://projects.registry.vmware.com/nsx_application_platform/helm-charts/cert-manager --version 4.1.2-0.0-23624714

NAPP 4.2:

helm pull oci://projects.registry.vmware.com/nsx_application_platform/helm-charts/napp-platform-advanced --version 4.2.0-0.0-24124105

 

8. Do we have any documentation on NSX Application Platform shutdown and start-up?

Shutdown: Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu

Startup: Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu

 

9. What signature algorithms are supported for NAPP certificates?

 1. sha256WithRSAEncryption
 2. sha256WithDSA
 3. sha256WithECDSA
 4. sha384WithECDSA
 5. sha384WithRSAEncryption
 6. sha512WithECDSA
 7. sha512WithRSAEncryption

 

Run the following command against the NSX Manager FQDN to check the signature algorithm of the certificate it presents. The hostname below is an example; substitute your own NSX Manager FQDN.

root@nsxmanager:~# echo '' | openssl s_client -showcerts -connect nsxmanager.eng.vmware.com:443 2>/dev/null | openssl x509 -noout -text | grep "Signature Algorithm"

        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Both lines belong to the same certificate (the algorithm is printed once inside the signed portion and once before the signature value). Note that openssl x509 parses only the first certificate in the chain returned by s_client, so intermediate certificates are not checked by this command.
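Because openssl x509 reads only the first certificate, the following Python script is added here as an example (it is not part of this KB, NSX or NAPP). It walks every PEM certificate in an openssl s_client -showcerts transcript, reads the outer signatureAlgorithm OID directly from the DER structure, and reports whether each one is on the supported list above. The transcript embedded in the script is constructed for the demonstration (dummy certificate bodies with a real AlgorithmIdentifier, placeholder hostnames); to check a real NSX Manager, replace SAMPLE_TRANSCRIPT with the captured s_client output.

```python
"""Report the signature algorithm of every certificate in an
`openssl s_client -showcerts` transcript and flag algorithms NAPP does not accept.

Added example for this KB; not part of NSX or NAPP. The sample transcript is
constructed (dummy certificates, placeholder hostnames).
"""
import base64
import re

# signatureAlgorithm OIDs -> names as listed in this KB (OpenSSL prints the
# ECDSA ones as ecdsa-with-SHA256 etc.). sha1WithRSAEncryption is included only
# so a rejected algorithm can be named in the report.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "2.16.840.1.101.3.4.3.2": "sha256WithDSA",
    "1.2.840.10045.4.3.2": "sha256WithECDSA",
    "1.2.840.10045.4.3.3": "sha384WithECDSA",
    "1.2.840.10045.4.3.4": "sha512WithECDSA",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
NAPP_ALLOWED = {n for n in SIG_ALG_OIDS.values() if n != "sha1WithRSAEncryption"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Name (or dotted OID if unknown) of a DER certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    _, cert, _ = read_tlv(der, 0)
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_raw)
    return SIG_ALG_OIDS.get(oid, oid)


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def check_chain(transcript):
    """[(depth, algorithm, accepted_by_napp)] for every PEM certificate in the transcript."""
    results = []
    for depth, match in enumerate(PEM_RE.finditer(transcript)):
        der = base64.b64decode("".join(match.group(1).split()))
        name = signature_algorithm(der)
        results.append((depth, name, name in NAPP_ALLOWED))
    return results


# --- constructed sample input (not real certificates) -------------------------
def _tlv(tag, content):
    """Tiny DER encoder used only to build the sample certificates."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _fake_cert(oid_hex):
    """Certificate-shaped DER: dummy TBS, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 8)
    return _tlv(0x30, tbs + alg + sig)


def _pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


SAMPLE_TRANSCRIPT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = nsxmanager.example.test\n   i:CN = Example Intermediate CA\n"
    + _pem(_fake_cert("2A864886F70D01010B"))    # sha256WithRSAEncryption (accepted)
    + " 1 s:CN = Example Intermediate CA\n   i:CN = Example Root CA\n"
    + _pem(_fake_cert("2A864886F70D010105"))    # sha1WithRSAEncryption (not accepted)
    + "---\n"
)

if __name__ == "__main__":
    for depth, name, ok in check_chain(SAMPLE_TRANSCRIPT):
        print(f"depth {depth}: {name:24s} {'OK' if ok else 'NOT SUPPORTED BY NAPP'}")
```

The script deliberately avoids a full X.509 parser: only the outer SEQUENCE, the skipped tbsCertificate and the AlgorithmIdentifier are walked, which is enough to answer the question for every certificate in the chain, including intermediates that the single openssl x509 invocation above never sees.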

 

10. After removing NAPP, how can we clear alarms related to IDS/IPS showing "Message Transmission failed"?

After removing NAPP, you might see alarms related to IDS/IPS such as "Message Transmission failed".

Description: Transmission of data from ESX host <host-id> to messaging broker <NAPP-messaging-services>:9092 failed.

These alarms occur because the IDS/IPS components on the hosts may still attempt to send data to the messaging broker of the now-removed NAPP deployment.

Resolution:

  • Navigate to Security > IDS/IPS in the NSX Manager UI.
  • Disable the IDS/IPS feature.
  • Wait about 5 minutes for the alarms to resolve automatically.
  • Re-enable the IDS/IPS feature.

11. Why isn't changing the storage policy for NAPP directly supported?

NAPP relies on Kubernetes Persistent Volumes (PVs) and Persistent Volume Claims (PVCs) for storage. These PVs and PVCs are tied to the StorageClass derived from the vSphere storage policy at the time of creation.
Kubernetes does not offer a straightforward way to migrate existing PVs/PVCs to a different StorageClass or underlying datastore without significant disruption.
Therefore, NAPP cannot simply change its storage policy after deployment.
The current workaround is a complete redeployment of the NAPP environment with the desired storage policy configured from the beginning.

 

Security Intelligence:

1. Does Security Intelligence support building recommendations/policy for VMs on a standard VLAN-backed port group, or do the VMs need to be on NSX VLAN or overlay segments?

It works on VLAN as long as DFW is enabled for that VLAN. Plenty of customers use it with VLAN-backed segments created in NSX-T (so those segments are DFW-enabled).

2. We are looking to use NSX to secure VMs with legacy OSes and workloads, and to use NSX Intelligence to determine the rules that need to be set up in NSX. How long can we expect it to take for Intelligence to have an adequate view of a given VM's data flows to create usable NSX rules?

When Intelligence is activated and starts collecting network flows, the following happens:

Host aggregation (5 minutes):
The agent on the source host first gathers information about the host's network activity. This takes about 5 minutes, during which the host records its network connections (which services it connects to, what data is sent or received, and so on) but does not yet forward this data.

Processing-side buffering (up to 7 minutes):
Once the host has gathered its data, it sends it to the processing side on NAPP. The processing side needs up to 7 minutes to correlate the records from both ends of a communication, source (sender) and destination (receiver), so that it has the complete picture of the flow. Until records from both sides have arrived, the flow is held and not yet shown.

So, in short, a flow becomes visible within roughly 12 minutes, and one day of collection is enough, provided the workload has generated its usual traffic in that period (Intelligence can only recommend rules for flows it has observed).

3. How do I log in to the databases?

For Postgres:

(a) napp-k exec -it postgresql-ha-postgresql-0 -- /bin/bash

(b) Inside the pod, retrieve the Postgres password from the environment:
printenv | grep PASS

Note the value of POSTGRES_PASSWORD.

(c) Then connect to the database:
psql -d pace

Enter the password obtained in step (b) when prompted.

For Druid:

(a) napp-k get pods | grep druid-broker

(b) napp-k exec -it <druid-broker-pod-name> -- /bin/bash
(c) bin/dsql

 

4. Can we move the Security Intelligence data from NAPP (NSX Application Platform) to SSP (Security Services Platform)?

Migration of data and services from NAPP to SSP is planned for a future release.

 

 

 

NDR:

1. What prerequisite is needed before activating NDR?

For NDR activation, check reachability from the reputation pod to the NTICS URL "api.prod.nsxti.vmware.com".

2. Is setting up NDR in air-gap mode possible?

Yes, it is possible in both NAPP and SSP.

3. Can I forward NDR logs to a remote syslog server?

Yes, this feature was introduced in NSX 4.2 / NAPP 4.2.

 

 

NTA:

 

 

Malware Prevention:

1. What is the demo malware portal for testing with fake malware samples?

lastlinedemo.com

Username / password: lastline

2. Is setting up MPS (Malware Prevention Service) in air-gap mode possible?

No, this feature is still in progress.