Recommendations Not Generated for Multicast or Broadcast Traffic in SSP 5.1.1

Article ID: 434873

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

SSP 5.1.1 fails to generate micro-segmentation recommendations for multicast or broadcast traffic (for example UDP 5353 mDNS) when the Rec Diff workflow is used. This happens even when the flows are visible under Unprotected Flows and the "Include Broadcast Traffic" and "Include Multicast Traffic" settings have been explicitly enabled.


Symptoms

  • Traffic (e.g., Source 10.xx.xx.xx → Destination 224.0.0.251, UDP 5353) is visible in the SSP UI under Unprotected Flows.
  • The recommendation workflow is executed with both Include Broadcast Traffic and Include Multicast Traffic enabled.
  • The recommendation output incorrectly shows "Nothing to Recommend".

Environment

SSP 5.1.1

Cause

In SSP 5.1.1, the Rec Diff job mishandles multicast and broadcast flows. During processing the destination is converted to a plain IP entity (the multicast or broadcast address), and as a result both the source and the destination are treated as IP-based entities. The flow direction logic then compares them against the context computes, finds that neither end maps to a compute entity, and incorrectly filters the flow out of recommendation generation. Unicast flows are unaffected because their endpoints are still resolved to compute entities before the direction check.
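The following is an added illustration of the filtering logic described above; it is not SSP code and the flow records, compute inventory and subnets are constructed for the example. It models the direction check as "keep a flow only if at least one end resolves to a compute entity", shows why demoting both ends of a multicast or broadcast flow to IP entities produces "Nothing to Recommend", and contrasts it with a variant that keeps the group or broadcast destination as its own entity kind.

```python
import ipaddress

# Constructed sample data (not SSP's inventory model): four "unprotected flows"
# of the kind the SSP UI lists, one of them the UDP 5353 mDNS flow from the KB.
FLOWS = [
    {"src": "10.0.1.10", "dst": "224.0.0.251", "proto": "UDP", "port": 5353},  # mDNS, multicast
    {"src": "10.0.1.10", "dst": "10.0.1.255", "proto": "UDP", "port": 137},    # directed broadcast
    {"src": "10.0.1.10", "dst": "10.0.2.20", "proto": "TCP", "port": 443},     # unicast, VM to VM
    {"src": "10.0.1.10", "dst": "192.0.2.50", "proto": "TCP", "port": 22},     # unicast, VM to external IP
]

# Hypothetical "context computes" (IP -> compute name) and the subnets the
# workloads sit in; both are assumptions made for this illustration.
COMPUTES = {"10.0.1.10": "web-01", "10.0.2.20": "db-01"}
SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]


def endpoint_kind(addr):
    """Return 'multicast', 'broadcast' or 'unicast' for a destination address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if str(ip) == "255.255.255.255" or any(ip == n.broadcast_address for n in SUBNETS):
        return "broadcast"
    return "unicast"


def resolve(addr):
    """Normal endpoint resolution: a known compute, otherwise a plain IP entity."""
    if addr in COMPUTES:
        return ("compute", COMPUTES[addr])
    return ("ip", addr)


def _wanted(kind, include_bcast, include_mcast):
    """Honour the Include Broadcast / Include Multicast toggles."""
    if kind == "multicast":
        return include_mcast
    if kind == "broadcast":
        return include_bcast
    return True


def recdiff_recommend_buggy(flows, include_bcast=True, include_mcast=True):
    """Simplified model of the 5.1.1 Rec Diff behaviour the KB describes (assumed)."""
    recs = []
    for f in flows:
        kind = endpoint_kind(f["dst"])
        if not _wanted(kind, include_bcast, include_mcast):
            continue
        if kind == "unicast":
            src_ent, dst_ent = resolve(f["src"]), resolve(f["dst"])
        else:
            # The logic error: the group/broadcast destination becomes an IP entity
            # and the source is demoted to an IP entity with it, so the compute
            # lookup is never attempted for either end.
            src_ent, dst_ent = ("ip", f["src"]), ("ip", f["dst"])
        # Flow-direction check: keep only flows with at least one compute end.
        if src_ent[0] != "compute" and dst_ent[0] != "compute":
            continue
        recs.append((src_ent, dst_ent, f["proto"], f["port"]))
    return recs


def recdiff_recommend_fixed(flows, include_bcast=True, include_mcast=True):
    """Same workflow, but the source is still resolved and the destination keeps its kind."""
    recs = []
    for f in flows:
        kind = endpoint_kind(f["dst"])
        if not _wanted(kind, include_bcast, include_mcast):
            continue
        src_ent = resolve(f["src"])
        dst_ent = resolve(f["dst"]) if kind == "unicast" else (kind, f["dst"])
        if src_ent[0] != "compute" and dst_ent[0] != "compute":
            continue
        recs.append((src_ent, dst_ent, f["proto"], f["port"]))
    return recs


def summarize(recs):
    """Mirror the UI wording for an empty result."""
    return "Nothing to Recommend" if not recs else f"{len(recs)} rule(s) recommended"


if __name__ == "__main__":
    group_flows = [f for f in FLOWS if endpoint_kind(f["dst"]) != "unicast"]
    print("buggy:", summarize(recdiff_recommend_buggy(group_flows)))
    print("fixed:", summarize(recdiff_recommend_fixed(group_flows)))
    for rec in recdiff_recommend_fixed(FLOWS):
        print("  ", rec)
```

Running the block with only the mDNS and broadcast flows reproduces the symptom ("Nothing to Recommend" from the modelled Rec Diff path) even with both include toggles on, while the unicast flows pass both variants unchanged.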

Resolution

There is currently no fix. This will be addressed in an upcoming version of SSP.


As a temporary workaround, use the New Section recommendation workflow instead of Rec Diff; it is not affected by this logic error:

  1. Navigate to the recommendation workflow in SSP.
  2. Select New Section.
  3. Apply appropriate filters (e.g., Protocol: UDP, Port: 5353).
  4. Enable inclusion of Broadcast and Multicast traffic and run the recommendation. The multicast or broadcast flow should now appear in the output instead of "Nothing to Recommend".