On-demand enablement or disablement of optional Security Stats coming from ESX TNs in Security Services Platform (SSP)



Article ID: 413809


Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Some of the metrics that host transport nodes (TNs) send to SSP are disabled by default. Users may want to enable them for debugging or troubleshooting.

Environment

NSX (4.2.2 or newer) with SSP 5.1 and newer

Cause

Several security-monitoring metrics sent by host TNs are disabled by default in the NSX versions covered here. If these metrics are needed, they can be enabled on demand for troubleshooting.
Recommendation: enable them only for short periods and only on the hosts or VMs under investigation, and disable them again once troubleshooting is complete. Each enabled plugin adds a continuous stream of metrics that SSP has to ingest and store, which is why they ship disabled.

Resolution

The steps below enable a SHA plugin that NSX ships disabled by default. The same steps, with "enabled" set to false, disable a plugin again.

=======================================================

Step 1: Identify the UUID/path of the SHA plugin you want to enable.

=======================================================

The table below lists the metrics that are disabled by default and the SHA plugins that produce them.

Module Name: IDPS Planning & Monitoring
Description: Security monitoring stats for host-level top 10 ports/protocols, based on packets at a particular moment. When DFW packets per second and throughput are high, this plugin can be turned on to monitor the top protocols per host.
Plugin ID: /infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3
Plugin Name: security_mon_top_n_host_stats_monitor
Metrics: tn_security_monitoring.top10_ports_flow_pkts

Module Name: IDPS Planning & Monitoring
Description: Security monitoring stats for VM-level top 10 ports/protocols, based on packets at a particular moment. When DFW packets per second and throughput are high, this plugin can be turned on to monitor the top protocols per VM.
Plugin ID: /infra/sha/pre-defined-plugins/3e55414b-a9e8-4147-adf6-de815f9e09bf
Plugin Name: security_mon_top_n_vm_stats_monitor
Metrics: tn_security_monitoring.per_vm_top10_ports_flow_pkts


Once you have identified the plugin to enable or disable, use the API below to list all pre-defined SHA plugins together with their current state:

GET https://<NSX-IP>/policy/api/v1/infra/sha/pre-defined-plugins

Sample response (abridged; the "enabled" field of each plugin is what matters here):

pre-defined-plugins

{
    "results": [
        ...
        {
            "enabled": true,
            "config": {
                "check_interval": 300
            },
            "supported_node_types": [
                "NSX_ESX",
                "NSX_ESX_SN_HOST"
            ],
            "pre_req_conditions": [
                "TSDB"
            ],
            "delay_on_reboot": 5,
            "resource_type": "ShaPredefinedPlugin",
            "id": "3dbb2f6f-3553-413d-98c2-687d92eef1ed",
            "display_name": "Security monitoring stats plugin",
            "path": "/infra/sha/pre-defined-plugins/3dbb2f6f-3553-413d-98c2-687d92eef1ed",
            "relative_path": "3dbb2f6f-3553-413d-98c2-687d92eef1ed",
            "parent_path": "/infra",
            "remote_path": "",
            "unique_id": "0e12ab39-b07c-4082-b019-c6c7b48d2a13",
            "realization_id": "0e12ab39-b07c-4082-b019-c6c7b48d2a13",
            "owner_id": "a2cf3c44-ab36-422d-8a57-9e2e325317ee",
            "marked_for_delete": false,
            "overridden": false,
            "_system_owned": false,
            "_protection": "NOT_PROTECTED",
            "_create_time": 1744135737831,
            "_create_user": "system",
            "_last_modified_time": 1744135737831,
            "_last_modified_user": "system",
            "_revision": 0
        },
        {
            "enabled": false,
            "config": {
                "check_interval": 300
            },
            "supported_node_types": [
                "NSX_ESX",
                "NSX_ESX_SN_HOST"
            ],
            "pre_req_conditions": [
                "TSDB"
            ],
            "delay_on_reboot": 5,
            "resource_type": "ShaPredefinedPlugin",
            "id": "3e55414b-a9e8-4147-adf6-de815f9e09bf",
            "display_name": "Security monitoring top N stats per VM plugin",
            "path": "/infra/sha/pre-defined-plugins/3e55414b-a9e8-4147-adf6-de815f9e09bf",
            "relative_path": "3e55414b-a9e8-4147-adf6-de815f9e09bf",
            "parent_path": "/infra",
            "remote_path": "",
            "unique_id": "61f44b46-e0b1-4e08-8f3b-ae6a34b41d06",
            "realization_id": "61f44b46-e0b1-4e08-8f3b-ae6a34b41d06",
            "owner_id": "a2cf3c44-ab36-422d-8a57-9e2e325317ee",
            "marked_for_delete": false,
            "overridden": false,
            "_system_owned": false,
            "_protection": "NOT_PROTECTED",
            "_create_time": 1744135737868,
            "_create_user": "system",
            "_last_modified_time": 1744135737868,
            "_last_modified_user": "system",
            "_revision": 0
        },
        {
            "enabled": false,
            "config": {
                "check_interval": 300
            },
            "supported_node_types": [
                "NSX_ESX",
                "NSX_ESX_SN_HOST"
            ],
            "pre_req_conditions": [
                "TSDB"
            ],
            "delay_on_reboot": 5,
            "resource_type": "ShaPredefinedPlugin",
            "id": "d4a89bf8-605e-49fd-b05f-50a819ef51b3",
            "display_name": "Security monitoring top N stats per host plugin",
            "path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
            "relative_path": "d4a89bf8-605e-49fd-b05f-50a819ef51b3",
            "parent_path": "/infra",
            "remote_path": "",
            "unique_id": "b0cc993b-4b4c-4300-84bd-5cbc66e865c2",
            "realization_id": "b0cc993b-4b4c-4300-84bd-5cbc66e865c2",
            "owner_id": "a2cf3c44-ab36-422d-8a57-9e2e325317ee",
            "marked_for_delete": false,
            "overridden": false,
            "_system_owned": false,
            "_protection": "NOT_PROTECTED",
            "_create_time": 1744135737853,
            "_create_user": "system",
            "_last_modified_time": 1744135737853,
            "_last_modified_user": "system",
            "_revision": 0
        },
        ...
    ],
    "result_count": 55,
    "sort_by": "display_name",
    "sort_ascending": true
}

=======================================================

Step 2: Confirm the plugin's current state (enabled or disabled).

=======================================================
The listing above shows that plugin d4a89bf8-605e-49fd-b05f-50a819ef51b3 (security monitoring per-host top N protocol/port plugin) is disabled by default. Fetch it directly to confirm:

GET https://<NSX-IP>/policy/api/v1/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3

Note: Check the "supported_node_types" attribute. It lists the transport node types this plugin can run on, which determines where it can be enabled in the next step.

Security monitoring top N stats per host plugin

{
    "enabled": false,
    "config": {
        "check_interval": 300
    },
    "supported_node_types": [
        "NSX_ESX",
        "NSX_ESX_SN_HOST"
    ],
    "pre_req_conditions": [
        "TSDB"
    ],
    "delay_on_reboot": 5,
    "resource_type": "ShaPredefinedPlugin",
    "id": "d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "display_name": "Security monitoring top N stats per host plugin",
    "path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "relative_path": "d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "912f16c6-7b5d-4459-921f-a899af2b8be6",
    "realization_id": "912f16c6-7b5d-4459-921f-a899af2b8be6",
    "owner_id": "8253329f-135f-4f0f-95b5-682ca40b8659",
    "marked_for_delete": false,
    "overridden": false,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_create_time": 1745689536843,
    "_create_user": "system",
    "_last_modified_time": 1745689536843,
    "_last_modified_user": "system",
    "_revision": 0
}

=======================================================

Step 3: Identify the host TNs on which you want to enable the plugin.

=======================================================

The supported_node_types of the example plugin are NSX_ESX and NSX_ESX_SN_HOST, so it can be enabled on host transport nodes (ESX) only.

Note: Starting with NSX 4.2.2, a plugin can be enabled on selected transport nodes; the group created in the next step defines that selection.

=======================================================

Step 4: Create a group containing the selected host Transport Nodes

=======================================================
Create a Group whose members are the host transport nodes chosen in step 3 (a PathExpression listing each node's policy path). Substitute your own group ID and node IDs for <tn-group-id> and <TN-ID>.

PATCH https://<NSX-IP>/policy/api/v1/infra/domains/default/groups/<tn-group-id>

Request:

ESX Group Creation body

{
    "expression": [
        {
            "paths": [
                "/infra/sites/default/enforcement-points/default/host-transport-nodes/<TN-ID>"
            ],
            "resource_type": "PathExpression"
        }
    ],
    "extended_expression": [],
    "reference": false,
    "group_type": [],
    "resource_type": "Group",
    "id": "<tn-group-id>",
    "display_name": "tn1_group",
    "parent_path": "/infra/domains/default"
}

Once the request succeeds, the new group and its members are visible in the NSX UI.

=======================================================

Step 5: Enable the SHA plugin with a SHA plugin profile.

=======================================================

5A) First cross-check the status of SHA plugin d4a89bf8-605e-49fd-b05f-50a819ef51b3 on host transport node 3a172104-0888-40be-80cf-7baf1bfd65bc.

As expected, the plugin reports as disabled under the built-in default-profile:

GET https://<NSX-IP>/policy/api/v1/infra/sha/plugin-status/3a172104-0888-40be-80cf-7baf1bfd65bc

Plugin status

{
    "results": [
        ...
        {
            "plugin_path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
            "plugin_name": "security_mon_top_n_host_stats_monitor",
            "status": "NORMAL",
            "profile": "NAME: default-profile, ENABLE: False, CHECK_INTERVAL: 300",
            "detail": "Plugin is disabled.",
            "node_path": "/infra/sites/default/enforcement-points/default/host-transport-nodes/TN1"
        },
        ...
    ],
    "result_count": 28
}

5B) Create a SHA plugin profile that enables plugin d4a89bf8-605e-49fd-b05f-50a819ef51b3 (step 2) and apply it to the group tn1_group created in step 4. PATCH creates the profile if it does not exist yet; profile1 is an example ID.

PATCH https://<NSX-IP>/policy/api/v1/infra/sha/plugin-profiles/profile1

Request:

Profile Creation body

{
    "config": {
        "check_interval": 300
    },
    "resource_type": "PredefinedPlugin",
    "id": "profile1",
    "display_name": "profile1",
    "plugin_path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "applied_to_group_path": "/infra/domains/default/groups/tn1_group",
    "enabled": true
}

Note: "enabled" is a JSON boolean (true/false), matching the "enabled": true in the response below; do not send it as a quoted string.

Response : 

Response body

{
    "config": {
        "check_interval": 300
    },
    "resource_type": "PredefinedPlugin",
    "id": "profile1",
    "display_name": "profile1",
    "path": "/infra/sha/plugin-profiles/profile1",
    "relative_path": "profile1",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "7dd36b23-1a10-4676-bc5f-2080eaf6f324",
    "realization_id": "7dd36b23-1a10-4676-bc5f-2080eaf6f324",
    "owner_id": "8253329f-135f-4f0f-95b5-682ca40b8659",
    "marked_for_delete": false,
    "overridden": false,
    "plugin_path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "applied_to_group_path": "/infra/domains/default/groups/tn1_group",
    "enabled": true,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_create_time": 1745777922686,
    "_create_user": "admin",
    "_last_modified_time": 1745777922686,
    "_last_modified_user": "admin",
    "_revision": 0
}

=======================================================

Step 6: Check status of this plugin on ESX node 

=======================================================

We will check status of this plugin on Host Transport Node: 3a172104-0888-40be-80cf-7baf1bfd65bc.

GET https://<NSX-IP>/policy/api/v1/infra/sha/plugin-status/3a172104-0888-40be-80cf-7baf1bfd65bc

Plugin status

{
    "results": [
        ...
        {
            "plugin_path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
            "plugin_name": "security_mon_top_n_host_stats_monitor",
            "status": "NORMAL",
            "profile": "NAME: default-profile, ENABLE: False, CHECK_INTERVAL: 300",
            "detail": "",
            "node_path": "/infra/sites/default/enforcement-points/default/host-transport-nodes/TN1"
        },
        ...
    ],
    "result_count": 29
}

After the profile is realized on the host, the plugin-status output for security_mon_top_n_host_stats_monitor (d4a89bf8-605e-49fd-b05f-50a819ef51b3) on this node reports it as enabled, and result_count rises from 28 to 29. Note that the entry reproduced above still carries the built-in default-profile (ENABLE: False); confirm enablement from the entry for this plugin whose "profile" field reports ENABLE: True, and re-query if the status has not yet caught up with the profile push.

=======================================================

Step 7 (optional but recommended): Disable the plugin again.

=======================================================

Disable the plugin once you have finished with it. These plugins ship disabled to keep the volume of metrics SSP must ingest and store manageable, and their output is meant for bounded debugging/troubleshooting, so we strongly recommend turning them back off afterwards. Only "enabled" changes in the body below (from true to false); the remaining fields are those NSX returned for profile1 in step 5B and can be left out of the PATCH.


PATCH https://<NSX-IP>/policy/api/v1/infra/sha/plugin-profiles/profile1

Request:

Profile Update body

{
    "config": {
        "check_interval": 300
    },
    "resource_type": "PredefinedPlugin",
    "id": "profile1",
    "display_name": "profile1",
    "path": "/infra/sha/plugin-profiles/profile1",
    "relative_path": "profile1",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "7dd36b23-1a10-4676-bc5f-2080eaf6f324",
    "realization_id": "7dd36b23-1a10-4676-bc5f-2080eaf6f324",
    "owner_id": "8253329f-135f-4f0f-95b5-682ca40b8659",
    "marked_for_delete": false,
    "overridden": false,
    "plugin_path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "applied_to_group_path": "/infra/domains/default/groups/tn1_group",
    "enabled": false,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_create_time": 1745777922686,
    "_create_user": "admin",
    "_last_modified_time": 1745777922686,
    "_last_modified_user": "admin",
    "_revision": 0
}

Response : 

Response body

{
    "config": {
        "check_interval": 300
    },
    "resource_type": "PredefinedPlugin",
    "id": "profile1",
    "display_name": "profile1",
    "path": "/infra/sha/plugin-profiles/profile1",
    "relative_path": "profile1",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "7dd36b23-1a10-4676-bc5f-2080eaf6f324",
    "realization_id": "7dd36b23-1a10-4676-bc5f-2080eaf6f324",
    "owner_id": "8253329f-135f-4f0f-95b5-682ca40b8659",
    "marked_for_delete": false,
    "overridden": false,
    "plugin_path": "/infra/sha/pre-defined-plugins/d4a89bf8-605e-49fd-b05f-50a819ef51b3",
    "applied_to_group_path": "/infra/domains/default/groups/tn1_group",
    "enabled": false,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_create_time": 1745777922686,
    "_create_user": "admin",
    "_last_modified_time": 1745777922686,
    "_last_modified_user": "admin",
    "_revision": 0
}
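The whole procedure above (steps 1 to 7), scripted as an added example that is not part of this KB article and not VMware/Broadcom code. It uses only the Python standard library and assumes environment variables NSX_HOST, NSX_USER and NSX_PASS (names chosen here), an account with Policy API write access, and the article's example identifiers tn1_group and profile1. Everything that builds or interprets an API payload lives in a small function so it can be checked without a live manager: the "profile" string returned by plugin-status is parsed into typed values so a script can tell ENABLE: True from the default-profile's ENABLE: False, and "enabled" is enforced as a JSON boolean rather than the quoted string that is easy to paste by mistake.

```python
"""Enable or disable an NSX SHA pre-defined plugin on selected host transport nodes.

Added example, not code from the KB article or from VMware/Broadcom. It scripts the Policy
API calls of Steps 1-7 with the standard library only. Assumed: env vars NSX_HOST, NSX_USER
and NSX_PASS; group id "tn1_group" and profile id "profile1" are the article's example names.
"""
import base64
import json
import os
import ssl
import sys
import urllib.request

PLUGINS = "/policy/api/v1/infra/sha/pre-defined-plugins"
PROFILES = "/policy/api/v1/infra/sha/plugin-profiles"
GROUPS = "/policy/api/v1/infra/domains/default/groups"
STATUS = "/policy/api/v1/infra/sha/plugin-status"
TN_PATH = "/infra/sites/default/enforcement-points/default/host-transport-nodes/"


def find_plugin(listing: dict, name_or_id: str):
    """Step 1: pick a plugin out of the pre-defined-plugins listing by id or display_name."""
    for p in listing.get("results", []):
        if name_or_id in (p.get("id"), p.get("display_name")):
            return p
    return None


def tn_group_body(group_id: str, tn_ids: list) -> dict:
    """Step 4: PATCH body for a Group whose members are explicit host transport nodes."""
    return {"expression": [{"paths": [TN_PATH + tn for tn in tn_ids], "resource_type": "PathExpression"}],
            "resource_type": "Group", "id": group_id, "display_name": group_id,
            "parent_path": "/infra/domains/default"}


def profile_body(profile_id: str, plugin_path: str, group_id: str, enabled: bool,
                 check_interval: int = 300) -> dict:
    """Steps 5B/7: PATCH body for a plugin profile. 'enabled' must be a JSON boolean;
    a quoted "True" is rejected here so that typo cannot silently ship."""
    if not isinstance(enabled, bool):
        raise TypeError("enabled must be a bool, not %r" % (enabled,))
    return {"config": {"check_interval": check_interval}, "resource_type": "PredefinedPlugin",
            "id": profile_id, "display_name": profile_id, "plugin_path": plugin_path,
            "applied_to_group_path": f"/infra/domains/default/groups/{group_id}",
            "enabled": enabled}


def parse_profile_field(profile: str) -> dict:
    """Turn the plugin-status 'profile' string, e.g.
    'NAME: default-profile, ENABLE: False, CHECK_INTERVAL: 300', into a typed dict."""
    out = {}
    for part in profile.split(","):
        key, _, value = part.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            low = value.lower()
            out[key] = low == "true" if low in ("true", "false") else int(value) if value.isdigit() else value
    return out


def is_enabled_on_node(status: dict, plugin_path: str) -> bool:
    """Steps 5A/6: True when some status entry for the plugin on this node carries an
    ENABLE: True profile. The default-profile entry (ENABLE: False) never counts."""
    return any(parse_profile_field(e.get("profile", "")).get("ENABLE") is True
               for e in status.get("results", []) if e.get("plugin_path") == plugin_path)


class NsxPolicy:
    """Minimal Policy API client (HTTP basic auth). TLS verification stays on unless
    NSX_INSECURE=1; a spoofed manager could otherwise feed back bogus plugin state."""

    def __init__(self, host: str, user: str, password: str, verify: bool = True):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context() if verify else ssl._create_unverified_context()

    def call(self, method: str, path: str, body: dict = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")  # PATCH may answer with an empty body


def main(action: str, plugin: str, tn_ids: list) -> int:
    nsx = NsxPolicy(os.environ["NSX_HOST"], os.environ["NSX_USER"], os.environ["NSX_PASS"],
                    verify=os.environ.get("NSX_INSECURE") != "1")
    found = find_plugin(nsx.call("GET", PLUGINS), plugin)                            # Step 1
    if found is None or "NSX_ESX" not in found.get("supported_node_types", []):      # Step 3
        sys.exit("plugin not found, or not supported on host transport nodes")
    nsx.call("PATCH", f"{GROUPS}/tn1_group", tn_group_body("tn1_group", tn_ids))    # Step 4
    nsx.call("PATCH", f"{PROFILES}/profile1",                                       # Steps 5B/7
             profile_body("profile1", found["path"], "tn1_group", action == "enable"))
    for tn in tn_ids:                                                               # Step 6
        on = is_enabled_on_node(nsx.call("GET", f"{STATUS}/{tn}"), found["path"])
        print(f"{tn}: {found['path']} {'enabled' if on else 'disabled'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

Run it as `python sha_plugin.py enable d4a89bf8-605e-49fd-b05f-50a819ef51b3 <tn-id> [<tn-id> ...]` and later with `disable` to revert. Both the group and the profile are idempotent PATCHes, so re-running only flips the enabled flag. Leave TLS verification on outside a lab: the script carries an admin-class credential to the manager, and the same channel is what tells you whether the plugin is really off again.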