SSP Security Segmentation Report Showing Incorrect Figures

Article ID: 410321

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When generating a Security Segmentation Report in Security Services Platform (SSP), you may observe incorrect or unexpected values in the report.

For example, the report may list a large number of infrastructure servers (e.g., LDAP, DNS, DHCP, NTP) or workloads, even though you do not believe that many infrastructure servers are actually present in your environment.

Environment

Security Services Platform (SSP) version >= 5.0

Cause

This behavior is due to how SSP classifies workloads as infrastructure servers. The system identifies VMs as "infrastructure" if they respond to traffic on specific service ports, such as:
  • 53 (DNS)
  • 389, 636 (LDAP)
  • 67 (DHCP)
  • 123 (NTP)

As a result:
  • The VMs/Domain Controllers legitimately appear with high flow counts, since almost every workload communicates with them.
  • Many other VMs may show up with only 1–2 flows on these ports (e.g., occasional DNS lookup or LDAP authentication request).
  • This inflates the infrastructure server count in the segmentation report.
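
The inflation described above, reproduced on constructed flow records as an added example (this is not SSP's own classification code or database query). The record layout, the VM names and the `min_flows` review threshold are assumptions made for illustration.

```python
from collections import Counter

# Service ports the article lists as markers of an infrastructure server.
INFRA_PORTS = {53: "DNS", 389: "LDAP", 636: "LDAP", 67: "DHCP", 123: "NTP"}

# Constructed sample flows: (source VM, destination VM, destination port).
SAMPLE_FLOWS = (
    [(f"app-{i:02d}", "dc-01", 53) for i in range(20)]
    + [(f"app-{i:02d}", "dc-01", 389) for i in range(20)]
    + [(f"app-{i:02d}", "dc-01", 123) for i in range(10)]
    + [
        ("app-03", "app-07", 53),   # stray DNS lookup answered by a workload
        ("app-11", "web-02", 389),  # occasional LDAP request
        ("app-11", "web-02", 389),
        ("app-05", "db-01", 123),
        ("app-01", "web-02", 443),  # not a listed port, ignored
    ]
)


def flows_per_responder(flows):
    """Count flows per (destination VM, service) on the listed ports."""
    counts = Counter()
    for _src, dst, port in flows:
        service = INFRA_PORTS.get(port)
        if service is not None:
            counts[(dst, service)] += 1
    return counts


def split_by_flow_count(flows, min_flows=5):
    """Separate high-volume responders from incidental ones.

    min_flows is a hypothetical review threshold, not an SSP setting.
    """
    likely, incidental = set(), set()
    for (vm, _service), n in flows_per_responder(flows).items():
        (likely if n >= min_flows else incidental).add(vm)
    # A VM that is high-volume for any service is not incidental.
    return likely, incidental - likely


if __name__ == "__main__":
    counts = flows_per_responder(SAMPLE_FLOWS)
    likely, incidental = split_by_flow_count(SAMPLE_FLOWS)
    print("Classified by port response alone:", sorted({vm for vm, _ in counts}))
    print("High flow count:", sorted(likely))
    print("Only a few flows:", sorted(incidental))
```

On this sample, port response alone yields four "infrastructure" VMs, while only `dc-01` carries a high flow count.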

Resolution

To determine the exact number of distinct infrastructure VMs and workloads in your environment, additional queries must be run against the SSP database from the CLI of the SSP-Installer VM using root credentials.

Since this requires backend access and specialized queries, Broadcom Support can assist you with retrieving this information.

Please open a ticket with Broadcom Support, and our engineers will help validate the report findings by executing the necessary queries on your behalf.