FAQ - Security Services Platform ( SSP)



Article ID: 394988


Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

This article addresses frequently asked questions related to SSP, including common troubleshooting scenarios, configuration tips, and feature behavior clarifications.

Environment

Security Services Platform (SSP) 5.0

Resolution

SSP (Security Services Platform)

GENERAL

1. Can we restore SSP on a different datastore?

Example: a customer backs up an SSP instance that is currently running on datastore A, later uninstalls SSP, reinstalls SSP on datastore B, and then tries to restore the backup that was taken on datastore A. Will it work?

Yes. Restore has no dependency on the datastore. What the procedure below relies on is that the new instance runs the same SSP build and is pointed at the same SFTP server and directory.

Steps:
1. Deploy SSP on an NFS datastore. The steps are the same as for any SSP deployment: add the NFS datastore, create a datastore tag/category pair, apply the tag to the NFS datastore, and create a tag-based storage policy in vCenter. On-board the NSX Manager and configure the SFTP server on SSP for backup and restore.
2. Take a backup of the SSP.
3. Off-board the NSX Manager and delete the SSP instance.
4. From the SSP Installer (SSP-I), deploy a new SSP instance on a vSAN datastore using the same SSP build that was deployed in step 1. After the deployment succeeds, on-board the same NSX site (the SSP GUI does not allow navigating to any other page until an NSX Manager has been on-boarded).
5. Configure the same SFTP server with the same directory path as in step 1.
6. Go to the Backup and Restore page in SSP and click "Restore"; this fetches the previously taken backups from the SFTP server.
7. Select the desired backup and restore it.

NOTE: This also applies when the new instance uses a new storage policy.

 

Note : Security Services Platform (SSP) backup and restore operations are not supported on the Evaluation deployment type. 

3. According to the Ports and Protocols page, LDAP uses ports 389/636. Can this be customised so that the Global Catalog port 3269 is used instead?

Yes, this is possible and supported. Port 3269 is LDAP over TLS to the Active Directory Global Catalog (the forest-wide counterpart of 636), so the same certificate trust considerations as for 636 apply. Note that the Global Catalog answers queries for the whole forest but returns only the partial attribute set that is replicated to it.

 

4. How do I add multiple LDAP authentication providers?

Only one identity source can be configured at a time, as documented here:

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/security-services-platform/5-0/onboarding-and-managing-platform/configuring-platform-user-management/add-platform-user-role-assignment.html

 

5. Unable to configure an SFTP server backup on SSP when the SFTP server runs on Windows Server. The configuration fails with:

Failed to create sftp client Error creating SFTP connection to server

sftp: problem parsing server host public key: ssh: no key found

Currently only Linux-based SFTP servers are supported for backup.

Windows Server is being tested, and this article will be updated once it is certified.

 

6. Can SSP be deployed on a vSAN stretched cluster?

Yes, SSP can be deployed on a vSAN stretched cluster:

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/security-services-platform/5-0/security-services-platform-installer/deploy-on-a-stretched-vsan-configuration.html

 

7. Can multiple SSP instances be deployed on the same vCenter Server?

Yes, multiple SSP instances can be deployed on the same vCenter Server.

 

8. Can we modify the NSX site name after SSP deployment?

Setting the site name on NSX Manager is a one-time operation. Renaming a site typically requires uninstalling and reinstalling SSP (Security Services Platform) because the site name is tightly coupled with various configurations and data structures in NSX. It is used throughout the NSX environment, is part of the initial configuration, and is embedded in different aspects of the deployment (such as clusters, backups, and other components); changing it can create mismatches in the configuration data, leading to errors, conflicts, or corrupted state.

Note: This limitation is addressed in SSP 5.1.

9. How to enable SSH on the SSP Installer VM?

There are situations where the SSP-I OVA was deployed without the "Enable SSH" option selected during deployment. As an alternative, log in to the VM console with the root credentials and run:

systemctl start ssh

This starts the service for the current boot only; run systemctl enable ssh as well if SSH should survive a reboot, and consider stopping it again (systemctl stop ssh) once the maintenance that needed it is finished, since a listening SSH daemon is additional attack surface on the installer VM.

10. The SSP UI fails to load with the error "Failed to fetch form factor".

This is expected behaviour when any worker node is in NotReady status. Check the MachineHealthCheck (MHC) status, see:

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/security-services-platform/5-0/security-services-platform-installer/configuring-instance-management/high-availability-of-security-services-platform.html
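As an added example (not SSP's own tooling and not from this article), the check behind this answer, applied to the output of kubectl get nodes -o json. It assumes you can run kubectl against the SSP cluster. It lists every node whose Ready condition is absent or not "True", together with the reason and message the kubelet reported, which is the node a MachineHealthCheck would act on and the usual cause of the "Failed to fetch form factor" error. The node list embedded below is constructed sample data in the standard Kubernetes v1 NodeList shape; the node names are invented.

```python
import json
import sys

# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields this
# check reads. Node names are invented; one worker's kubelet has gone silent.
SAMPLE_NODE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "ssp-control-plane-0"},
         "status": {"conditions": [
             {"type": "Ready", "status": "True", "reason": "KubeletReady",
              "message": "kubelet is posting ready status"}]}},
        {"metadata": {"name": "ssp-worker-0"},
         "status": {"conditions": [
             {"type": "Ready", "status": "True", "reason": "KubeletReady",
              "message": "kubelet is posting ready status"}]}},
        {"metadata": {"name": "ssp-worker-1"},
         "status": {"conditions": [
             {"type": "MemoryPressure", "status": "False",
              "reason": "KubeletHasSufficientMemory",
              "message": "kubelet has sufficient memory available"},
             {"type": "Ready", "status": "Unknown", "reason": "NodeStatusUnknown",
              "message": "Kubelet stopped posting node status."}]}},
    ],
})


def not_ready_nodes(node_list_json):
    """Return [(name, ready_status, reason, message)] for each node whose Ready
    condition is absent or not "True": the nodes that keep the UI from loading.
    """
    findings = []
    for item in json.loads(node_list_json).get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        conditions = item.get("status", {}).get("conditions", [])
        ready = next((c for c in conditions if c.get("type") == "Ready"), None)
        if ready is None:
            findings.append((name, "Missing", "NoReadyCondition",
                             "node has not reported a Ready condition"))
        elif ready.get("status") != "True":
            findings.append((name, ready.get("status", "Unknown"),
                             ready.get("reason", ""), ready.get("message", "")))
    return findings


def cluster_is_healthy(node_list_json):
    """True when every node reports Ready=True."""
    return not not_ready_nodes(node_list_json)


if __name__ == "__main__":
    # Pipe real output in: kubectl get nodes -o json | python3 check_nodes.py
    # With no piped input the constructed sample above is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NODE_LIST
    for name, status, reason, message in not_ready_nodes(data):
        print(f"{name}: Ready={status} reason={reason} message={message}")
    if cluster_is_healthy(data):
        print("all nodes Ready")
```

A Ready status of "Unknown" with reason NodeStatusUnknown, as in the sample, means the control plane has lost contact with the kubelet; that is the condition a MachineHealthCheck remediates by replacing the node, and the UI error clears once every node reports Ready again.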

11. Query:

When the vCenter certificate is changed, we understand that a reconnection to vCenter from the SSPI UI is required. Following this reconnection, both pods and nodes are recreated as part of the process.
We would like to clarify: does every certificate change on vCenter necessitate node recreation, or is there a grace period before the vsphere-csi driver times out and its pods enter CrashLoopBackOff (CLBO)?

Response:

The vCenter certificate thumbprint is statically embedded in the node template specification used by SSPI. When a certificate rotation in vCenter causes a thumbprint mismatch, reconnecting SSPI to vCenter triggers regeneration of the template.

As a result, all nodes built from the outdated template are decommissioned, and new nodes are provisioned from the regenerated template, which carries the updated certificate thumbprint. This behaviour is by design: pinning the thumbprint is what lets services integrated with vSphere, such as the vSphere CSI driver, be sure they are talking to the genuine vCenter.

Regarding a timeout or grace period:

The vSphere CSI driver has no grace period or automatic timeout for certificate mismatches. As soon as a mismatch is detected:

  • CSI pods immediately fail to initialize, and
  • node regeneration must be explicitly triggered (by reconnecting SSPI to vCenter) so that the nodes adopt the updated certificate thumbprint.

So yes: every rotation of the vCenter certificate that changes its thumbprint requires node recreation, and there is no grace period. This process is essential for maintaining secure and reliable communication with vCenter services.
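The following added example (not SSP or vSphere CSI code, and not from this article) shows the check implied by the answer: compute the thumbprint of the certificate vCenter currently presents and compare it with the value embedded in the node template, so an operator can tell before reconnecting SSPI whether a rotation has actually changed the thumbprint. It assumes the thumbprint is in the form vSphere displays, a SHA-1 digest as colon-separated upper-case hex; fetch_vcenter_thumbprint reads only the certificate served on port 443 and sends nothing beyond the TLS handshake. The script name and the embedded thumbprint in the usage line are placeholders.

```python
import hashlib
import ssl
import sys


def sha1_thumbprint(der_bytes):
    """SHA-1 digest of a DER certificate in vSphere's colon-separated hex form."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem_text):
    """Thumbprint of a PEM-encoded certificate (e.g. saved from the vCenter UI)."""
    return sha1_thumbprint(ssl.PEM_cert_to_DER_cert(pem_text))


def fetch_vcenter_thumbprint(host, port=443):
    """Thumbprint of the leaf certificate vCenter currently presents on `port`.

    ssl.get_server_certificate() performs no chain verification, which is
    what we want here: the point is to learn the thumbprint of whatever is
    being served so it can be compared against the pinned value. Nothing is
    sent over the connection beyond the TLS handshake.
    """
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_pem(pem)


def normalise_thumbprint(thumbprint):
    """Canonical form so 'a9:99:3e..' and 'A9993E..' compare equal."""
    return thumbprint.replace(":", "").replace(" ", "").upper()


def needs_template_regeneration(embedded_thumbprint, current_thumbprint):
    """True when the thumbprint embedded in the SSPI node template no longer
    matches the certificate vCenter presents, i.e. the state in which vSphere
    CSI pods fail and nodes must be rebuilt from a regenerated template."""
    return (normalise_thumbprint(embedded_thumbprint)
            != normalise_thumbprint(current_thumbprint))


if __name__ == "__main__":
    # Usage: python3 vc_thumbprint.py <vcenter-host> <thumbprint-embedded-in-template>
    host, embedded = sys.argv[1], sys.argv[2]
    current = fetch_vcenter_thumbprint(host)
    print(f"vCenter presents : {current}")
    print(f"template embeds  : {embedded}")
    if needs_template_regeneration(embedded, current):
        print("MISMATCH: reconnect SSPI to vCenter to regenerate the node template")
    else:
        print("thumbprints match; no node recreation needed")
```

Because the comparison is on the thumbprint rather than on the certificate subject or expiry, renewing a certificate with the same key still produces a mismatch: any re-issued certificate has new DER bytes and therefore a new thumbprint, which is why every rotation triggers regeneration.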

12. Query:

Why are there frequent vCenter events related to container volume and storage activities such as:

  • Update container volume

  • Delete virtual storage object

  • Detach container volume

  • Retrieve virtual storage object

  • Attach virtual disk

What is causing these events, and should they be a cause for concern?

Response:

These events are generated by SSP (Security Services Platform), which deploys an upstream Kubernetes cluster integrated with vCenter.

Reason for occurrence:
These events are expected and normal in a Kubernetes environment that uses the vSphere Container Storage Interface (CSI) driver. Specifically:

  • When a pod is created with a PersistentVolumeClaim (PVC), the CSI driver asks vCenter to create and attach the necessary container volumes.

  • If that pod is deleted or recreated (because of rescheduling, restarts, rolling updates, etc.), SSP interacts with vCenter via the CSI driver to:

    • locate the existing container volume, and

    • detach it and reattach it to the worker node where the pod now runs.

These standard actions trigger volume-related events in vCenter, which explains the observed activity in the logs.

Is this a concern?
No. These events represent standard CSI-driven workflows and do not indicate any errors or malfunctions in the environment. They would only warrant investigation if they were accompanied by CSI pod failures or PVCs stuck in Pending.

 

 

13. Query:

A: The recommended storage is significantly higher than the minimum required storage. Could you clarify which storage components (e.g., VM, Content Library, Persistent Volume storage) are expected to grow and contribute to this increased recommendation?

Response: The minimum storage is the baseline required to pass the pre-deployment validation checks.

The recommended (maximum) storage accounts for future scale-out scenarios.

As you scale out:

  • More VMs are added (each consuming 200 GB of local storage)

  • Replica counts increase, leading to higher usage of Persistent Volumes

Note:

  • The Content Library and reservation buffer remain constant.

  • The VM local storage and PV storage are what grow over time as part of scaling operations.

 

B. In the storage breakdown under "Content Library and VM Storage" (1650 GB), does this imply that 250 GB is allocated to the Content Library and the remaining 1400 GB is for VM storage (assuming 7 nodes with 200 GB each)? Could you confirm this interpretation?

Response:  

The Content Library is hosted on the vCenter and typically requires approximately 50 GB of storage. Each virtual machine node—whether control plane or worker—is allocated 200 GB of local storage.

For an Advanced deployment consisting of 7 nodes (3 control plane and 4 worker nodes), the storage allocation is as follows:

  • 7 nodes × 200 GB per node = 1400 GB

  • 200 GB reserved as a buffer for future use

  • 50 GB allocated for the Content Library

Total storage requirement: 1650 GB

For a larger Advanced deployment with 13 nodes (3 control plane and 10 worker nodes), the breakdown is:

  • 13 nodes × 200 GB per node = 2600 GB

  • 200 GB reserved buffer

  • 50 GB for the Content Library

Total storage requirement: 2850 GB

Additionally, storage is required for Persistent Volumes (PV):

  • Minimum storage for PV: 1600 GB

  • Maximum storage for PV: 3000 GB

So at full scale (13 nodes + max PV), the total storage requirement is:

2850 GB (Content Library + VM storage) + 3000 GB (PV) = 5850 GB

This breakdown ensures sufficient storage capacity for both system components and workload persistence.

 

C: What data is stored in the Content Library, and what is its primary purpose in this deployment?

Response: The Content Library holds the ISO image used to deploy worker nodes. Its primary purpose is to standardise provisioning by providing a centralised, consistent installation source.

 

 

MPS

1. If MPS-specific pods are down, will detections still work?

Detection continues in a headless mode with limited capability, using whatever is already in the ASDS cache, but no events are shown in the UI. This is possible because enforcement is performed by the SVMs.

E.g. if a known malicious file is downloaded on a guest VM, it will still be prevented/deleted by the SVM, but the event will not show up in the UI. New files seen during this time are still analysed in the backend and in the cloud, but their verdicts will not be registered in MPS.


NDR

1. Does SSP NDR have the capability to import IPFIX from network devices and analyse the traffic?

SSP-NDR operates on events generated by its integrated detectors (IDPS, NTA, and Malware Prevention), so IPFIX is not relevant to NDR event processing. IPFIX concerns flow data for Intelligence, which is currently limited to Transport Nodes exporting data via the DFW. Direct IPFIX ingestion from network devices is not available.

 

2. Can SSP NDR integrate with an EDR platform (and if so, with which providers) so that threats are detected in both directions and detection is enriched?

Currently, SSP-NDR is designed exclusively for NSX environments, which limits interoperability with other platforms. VMware does not presently offer an EDR solution that integrates with NDR. Future releases may explore expanded interoperability and integration capabilities.