Flow count discrepancy in Security Intelligence's Security Explorer - SSP 5.1
Article ID: 415412

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

There are several guardrails limiting the number of flows and entities displayed in Security Intelligence's Security Explorer canvas. When these guardrails are hit, users may see a discrepancy in the counts of allowed, blocked, and unprotected flows between the landing page and the view with filters applied, or between the canvas and the flow details dialog.

Security Intelligence's Security Explorer is located at Monitor & Plan → Security Explorer → Security Explorer.

Environment

Security Services Platform (SSP) 5.1

Cause

  • When the "asset collections" option is selected in the drop-down, the canvas shown is the "asset collections view".
  • When the "computes" option is selected in the drop-down, the canvas shown is the "compute view".
  • When right-clicking on a compute or asset collection entity and selecting "Flow Details", the dialog shown is the "flow details".

By default, the following guardrails are in effect:

  1. Max number of unique flows displayed on compute view: 1,000,000
  2. Max number of unique asset collection flows displayed on asset collections view: 2,000,000
  3. Max number of connections displayed on compute view or asset collections view: 500,000
  4. Max number of entities (computes or IPs) involved in flows: 100,000
  5. Max number of source and destination asset collections shown per unprotected flow on asset collections view without filters applied: 3
  6. Max number of source and destination asset collections shown per flow on asset collections view when filters are applied: 25

An asset collections flow is the result of pairing the source and destination asset collections of a unique flow.

For example, a flow where the source belongs to asset collections [g1, g2] and the destination belongs to asset collections [g3, g4] is shown as 4 asset collections flows: [ g1 → g3, g1 → g4, g2 → g3, g2 → g4 ].

A connection represents a line on the graph, which is an aggregation of the flows between two entities, for example a line between two computes or a line between two asset collections.
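The pairing above is what makes guardrail 2 (asset collections flows) fill up much faster than guardrail 1 (unique flows). The following is an added example, not part of the article, that expands a unique flow into its asset collections flows and shows how many unique flows fit under the default limit when a VM belongs to many collections; the flow dictionaries and group names are constructed for illustration.

```python
from itertools import product

# Constructed sample matching the article's illustration: one unique flow whose
# source is in asset collections g1, g2 and whose destination is in g3, g4.
SAMPLE_FLOW = {"src_groups": ["g1", "g2"], "dst_groups": ["g3", "g4"]}

# Default guardrail 2 value from this article (SSP 5.1).
ASSET_COLLECTION_FLOW_LIMIT = 2_000_000


def asset_collection_flows(flow):
    """Expand one unique flow into the asset collections flows the canvas counts:
    every (source collection, destination collection) pair."""
    return [(src, dst) for src, dst in product(flow["src_groups"], flow["dst_groups"])]


def count_asset_collection_flows(flows):
    """Asset collections flows contributed by a list of unique flows, i.e. the
    number that is measured against guardrail 2."""
    return sum(len(f["src_groups"]) * len(f["dst_groups"]) for f in flows)


def unique_flows_under_guardrail_2(src_memberships, dst_memberships,
                                   limit=ASSET_COLLECTION_FLOW_LIMIT):
    """How many unique flows with the given membership sizes fit under guardrail 2.
    A VM in 168 source and 174 destination collections (sizes seen in the Druid
    output later in this article) yields 29,232 asset collections flows per
    unique flow, so only 68 such flows fit under the 2,000,000 limit."""
    per_flow = src_memberships * dst_memberships
    return limit // per_flow


if __name__ == "__main__":
    print(asset_collection_flows(SAMPLE_FLOW))
    print(count_asset_collection_flows([SAMPLE_FLOW]))
    print(unique_flows_under_guardrail_2(168, 174))
```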

Discrepancy between the canvas's landing page and flow details, or between the canvas's landing page and when filters are applied

To verify if guardrails 1, 2, or 3 are hit

Find the visualization pod with the following command. The target pod's name has the pattern "visualization-<hash>". There may be another pod with the prefix "visualization-create-kafka-topic-job-", but it is not related.

k -n nsxi-platform get pods -l app.kubernetes.io/component=visualization


Check the logs of the visualization pod with the following command. If the asset collections flow count, compute flow count, or connection count exceeds the limits mentioned above, only partial data will be shown on the canvas.

# For checking asset collections flow count
k -n nsxi-platform logs <visualization-pod-name> | grep -i "Total Group flow Records"

# For checking compute flow count
k -n nsxi-platform logs <visualization-pod-name> | grep -i "Total Compute Flow records"

# For checking whether unordered connection limit is exceeded
k -n nsxi-platform logs <visualization-pod-name> | grep -i "Topology partial result"


Below are examples of the output:

k -n nsxi-platform logs visualization-688dd748f7-zs8ff | grep -i "Total Group flow Records"
2025-02-25T05:33:52,787 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-7] c.v.n.p.v.VisualizationServiceImplV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Total Group flow Records: 2103261, requestLimit: 10000

k -n nsxi-platform logs visualization-688dd748f7-zs8ff | grep -i "Total Compute Flow records"
2025-02-25T05:40:34,123 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-9] c.v.n.p.v.VisualizationServiceImplV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Total Compute Flow records: 2196, NodeLimit: 10000

k -n nsxi-platform logs visualization-688dd748f7-zs8ff | grep -i "Topology partial result"
2025-02-25T05:34:03,103 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-7] c.v.n.p.v.GraphTopologyConverterV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Topology partial result true, exceed unordered connections limit 500000 true, exceed flow limit true
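The three log messages above can be checked programmatically against the default limits instead of by eye. The following is an added example, not part of the article or the product, that parses the quoted log lines (copied here as a constructed sample) and reports which of guardrails 1, 2 and 3 they show as hit; the `requestLimit` and `NodeLimit` fields are left uninterpreted because the article does not explain them.

```python
import re

# Default guardrail values from this article (SSP 5.1).
LIMITS = {"asset_collection_flows": 2_000_000, "compute_flows": 1_000_000}

# Patterns mirror the strings the article greps for; IGNORECASE mirrors grep -i.
GROUP_RE = re.compile(r"Total Group flow Records:\s*(\d+)", re.IGNORECASE)
COMPUTE_RE = re.compile(r"Total Compute Flow records:\s*(\d+)", re.IGNORECASE)
PARTIAL_RE = re.compile(
    r"Topology partial result (true|false), exceed unordered connections limit (\d+) (true|false), "
    r"exceed flow limit (true|false)", re.IGNORECASE)


def check_guardrails(log_text, limits=LIMITS):
    """Scan visualization pod log lines and report which guardrails they show as hit.

    guardrail_1: compute flow count above the unique flow limit
    guardrail_2: asset collections flow count above its limit
    guardrail_3: the topology converter reports the unordered connections limit exceeded
    """
    result = {"guardrail_1": False, "guardrail_2": False, "guardrail_3": False,
              "partial_result": False, "asset_collection_flows": None,
              "compute_flows": None, "connection_limit": None}
    for line in log_text.splitlines():
        if m := GROUP_RE.search(line):
            result["asset_collection_flows"] = int(m.group(1))
            result["guardrail_2"] |= int(m.group(1)) > limits["asset_collection_flows"]
        elif m := COMPUTE_RE.search(line):
            result["compute_flows"] = int(m.group(1))
            result["guardrail_1"] |= int(m.group(1)) > limits["compute_flows"]
        elif m := PARTIAL_RE.search(line):
            result["partial_result"] |= m.group(1).lower() == "true"
            result["connection_limit"] = int(m.group(2))
            result["guardrail_3"] |= m.group(3).lower() == "true"
    return result


# Constructed sample: the three log lines quoted in this article.
SAMPLE_LOG = """\
2025-02-25T05:33:52,787 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-7] c.v.n.p.v.VisualizationServiceImplV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Total Group flow Records: 2103261, requestLimit: 10000
2025-02-25T05:40:34,123 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-9] c.v.n.p.v.VisualizationServiceImplV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Total Compute Flow records: 2196, NodeLimit: 10000
2025-02-25T05:34:03,103 INFO  [https-jsse-nio-172.xx.xx.xx-8443-exec-7] c.v.n.p.v.GraphTopologyConverterV2: INTELLIGENCE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="nsxi"] Topology partial result true, exceed unordered connections limit 500000 true, exceed flow limit true
"""

if __name__ == "__main__":
    print(check_guardrails(SAMPLE_LOG))
```

In practice, feed it the output of `k -n nsxi-platform logs <visualization-pod-name>` and look at the three `guardrail_*` flags.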


To verify if guardrail 6 is hit

Use the following commands to check the maximum number of asset collections in a flow, and which entities have more than 25 asset collections.

(1) Find the maximum number of asset collections in a flow
k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select max(MV_LENGTH(srcGroupIds)) as maxSrcGroups,max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz"}'

(2) Find sources with more than 25 asset collections
k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select srcVmId, max(MV_LENGTH(srcGroupIds)) as maxSrcGroups from correlated_flow_viz group by srcVmId having maxSrcGroups>25"}'

(3) Find destinations with more than 25 asset collections
k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select dstVmId, max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz group by dstVmId having maxDstGroups>25"}'

Below are examples of the output:

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select max(MV_LENGTH(srcGroupIds)) as maxSrcGroups,max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz"}'
[{"maxSrcGroups":341,"maxDstGroups":341}]

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select srcVmId, max(MV_LENGTH(srcGroupIds)) as maxSrcGroups from correlated_flow_viz group by srcVmId having maxSrcGroups>25"}'
[{"srcVmId":"004ec270-eed8-47e3-8323-fb7dbd2a2668","maxSrcGroups":168},{"srcVmId":"006169ee-95a5-4a3f-b2dc-f0dc50b24fd6","maxSrcGroups":174}]

k -n nsxi-platform exec svc/druid-broker -c druid -- curl -ks -H 'content-type:application/json' https://localhost:8282/druid/v2/sql -d '{"query":"select dstVmId, max(MV_LENGTH(dstGroupIds)) as maxDstGroups from correlated_flow_viz group by dstVmId having maxDstGroups>25"}'
[{"dstVmId":"004ec270-eed8-47e3-8323-fb7dbd2a2668","maxDstGroups":168},{"dstVmId":"006169ee-95a5-4a3f-b2dc-f0dc50b24fd6","maxDstGroups":174},{"dstVmId":"0081cf0d-0e4a-41c0-ba58-4d397a9b9e67","maxDstGroups":157}]

To verify if guardrail 5 is hit

Right-click on an asset collection and select "Filter By". Since this guardrail only affects the landing page, the unprotected flow count of an asset collection when filters are applied will be higher than the unprotected flow count of the same asset collection on the landing page.

Discrepancy between the canvas when filters are applied and flow details

Use the methods above to verify if guardrails 1, 2, 3, or 6 are hit.

Resolution

It is not recommended to modify most of the guardrails.

If guardrail 2 or 6 is hit, you can choose to optimize the asset collection membership so the same VM does not appear in too many asset collections.

If guardrail 6 is hit, and the maximum number of asset collections in a flow exceeds 25 but is below 50, you may also open a case with Broadcom support to tune the system.

If guardrail 3 or 4 is hit, it might be helpful to review and optimize the Private IP Ranges in SSP; it is recommended to set them as granular as possible.

Additional Information