Unable to see the Drop flows in the VCF Operations for Networks

Article ID: 434246


Products

VCF Operations for Networks

Issue/Introduction

  • Search queries like the following may not show any results:

flows where firewall action = 'DROP'

flows where firewall action = 'DROP' and Flow Type = 'Source is Internet'

  • Dropped flows might be seen in the micro-segmentation section, but not when running search queries.

Environment

VCF Operations for Networks

Cause

Deny limits are not being adhered to because of a known bug in VCF Operations for Networks. As a result, the actual source IP is represented as an aggregated IP, which prevents dropped flows from appearing in search query results.

Resolution

Use the steps below to validate whether you are experiencing this issue. If you are, apply the workaround that follows.

Run the following search queries to see if there are any flows:

  1. count of flows where firewall action in ('DENY', 'DROP') and source ip != 240.240.240.241 in last 3 days
  2. count of flows where firewall action in ('DENY', 'DROP') and source ip != 240.240.240.241 in last 30 days
  3. count of flows where firewall action in ('DENY', 'DROP') and source ip != 240.240.240.241 in last 1 day

Note: Operations for Networks uses 240.240.240.241 as the source IP to represent aggregated dropped flows. If the flows are visible using these search queries but not with the actual source IP, the following workaround can be implemented.

SSH into the collector as the support user and run the following commands:

  1. ub
  2. rdb
  3. customerId
  4. set_policy -ns features -key enableIpfixPersistence -val true -cid <cid>
  5. set_policy -ns ipfixCommonConfig -key denyInternetGlobalConnCap -val 600000 -cid <cid>