Security recommendations display “Nothing to Recommend” even though flows are shown as Unprotected in the Flow Details view.
Security Services Platform 5.1
This behavior is expected and occurs due to how the NSX Recommendation Engine evaluates flows.
Recommendations are generated per VM and per side of a flow, not based on the combined flow classification shown in the UI.
Key points:
When recommendations are run for a specific VM, NSX evaluates only that VM’s side of each flow.
A recommendation is generated only if the VM being analyzed hits a default (unprotected) firewall rule on its side of the flow.
The Flow Details view may label a flow as Unprotected if either side of the flow hits a default rule.
However, recommendations do not use combined flow logic - they use per-side logic scoped strictly to the selected VM(s).
In a scenario where:
The recommendation was run only for the source VM.
The destination VM was the one hitting the default allow rule.
The source VM did not hit a default rule and was already protected by an explicit DFW rule.
Since the unprotected condition occurred outside the recommendation scope, no recommendation will be generated.
As a result, “Nothing to Recommend” is expected in this case.
To generate recommendations for flows marked as unprotected:
Ensure that all VMs involved in the flow are included in the recommendation scope.
Run the recommendation by selecting both the source and destination VMs.
This allows the recommendation engine to evaluate each VM’s side of the flow independently.
If a VM in scope hits a default (unprotected) rule on its side, a recommendation will be generated.
If recommendations are run only for VM A, and VM B is the one hitting the default rule:
Result: Nothing to Recommend (expected)
If recommendations are run for both VM A and VM B:
Result: A recommendation is generated for VM B
Although a flow may appear as Unprotected in Flow Details, recommendations are generated only when the VM being analyzed is unprotected on its own side of the flow.
Including all relevant VMs in the recommendation scope ensures accurate and complete rule recommendations.
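The per-side evaluation described above, modeled as an added Python example (not NSX or Security Services Platform code; the class, the function names and the sample flow are constructed for illustration). It shows why the Flow Details label and the recommendation result can disagree, and which VMs are missing from the recommendation scope.

```python
# Simplified model of the per-side logic described in this article (not NSX code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_hits_default: bool  # source VM's side matched a default rule
    dst_hits_default: bool  # destination VM's side matched a default rule

def flow_details_label(flow):
    """Combined view: Unprotected if either side hits a default rule."""
    either = flow.src_hits_default or flow.dst_hits_default
    return "Unprotected" if either else "Protected"

def vms_needing_rules(flows, scope):
    """Per-side view: VMs in scope that hit a default rule on their own side."""
    hits = set()
    for f in flows:
        if f.src_hits_default and f.src in scope:
            hits.add(f.src)
        if f.dst_hits_default and f.dst in scope:
            hits.add(f.dst)
    return hits

def recommendation_result(flows, scope):
    vms = vms_needing_rules(flows, scope)
    return "Recommendation for " + ", ".join(sorted(vms)) if vms else "Nothing to Recommend"

def missing_from_scope(flows, scope):
    """VMs outside the scope whose side makes a flow show as Unprotected."""
    all_vms = {vm for f in flows for vm in (f.src, f.dst)}
    return vms_needing_rules(flows, all_vms) - set(scope)

# Constructed sample: VM-A is covered by an explicit DFW rule,
# VM-B hits the default rule on its side of the flow.
SAMPLE_FLOWS = [Flow("VM-A", "VM-B", src_hits_default=False, dst_hits_default=True)]

if __name__ == "__main__":
    for scope in ({"VM-A"}, {"VM-A", "VM-B"}):
        print(sorted(scope),
              flow_details_label(SAMPLE_FLOWS[0]),
              recommendation_result(SAMPLE_FLOWS, scope),
              "missing:", sorted(missing_from_scope(SAMPLE_FLOWS, scope)))
```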