Security Intelligence(SSP) - Flow Visibility and Recommendation Behavior

Article ID: 437562

Products

  • VMware vDefend Firewall with Advanced Threat Prevention
  • VMware vDefend Firewall

Issue/Introduction

Symptoms

  • Specific network flows, particularly short-lived or bursty script-initiated connections, appear in logging tools (such as VMware Aria Operations for Logs/Log Insight) but are intermittently missing from the Security Intelligence Security Explorer.

  • The "Last Seen" timestamp for certain compute objects does not update immediately after a known flow event.

  • Flow records may appear in the "Completed" tab but not the "Active" tab, or may not appear in the Visualization at all during high-traffic periods.

Environment

Security Services Platform 5.1

Cause

The intermittent visibility of network flows is typically an effect of the high-performance telemetry design of the ESXi host.

To prioritize the stability of data-path traffic over management-plane reporting, the system employs several internal protection mechanisms:

  • Internal Queue Constraints: The kernel uses shared buffers to move flow records from the firewall engine to the exporter.
    During periods of high traffic churn or excessive background noise these queues can fill; once they do, the system prioritizes stability and discards subsequent flow records before they are processed.

  • Aggregation and Export Limits: To prevent telemetry saturation of the management network, limits are placed on the number of flow entries a single filter can export within a specific time window.
    Bursty or rapid-fire connections (such as those generated by scripts) are more susceptible to these limits than steady, long-lived traffic.

  • Instrumentation Limitations: Currently, the platform does not maintain user-visible counters for these specific internal queue drops.
    Because these discards happen at a deep kernel level to protect host resources, there is no direct log entry or counter to definitively prove a specific flow was dropped due to buffer saturation.

Resolution

It is important to view Security Intelligence as a Security Recommendation Engine rather than a real-time network monitoring or auditing tool.

  • Statistical Representation vs. Packet Auditing: The primary goal of the platform is to build a statistical model of network behavior to suggest Distributed Firewall (DFW) rules. For the purpose of micro-segmentation, the "eventual consistency" of the data is more critical than 100% packet-perfect reporting for every individual, short-lived session.

  • Pattern Recognition: While the platform may miss isolated, bursty sessions during peak traffic, it is designed to capture the broader pattern of communication. If a flow represents a recurring business process, it will eventually be captured and included in the security recommendations.

  • Future Enhancements: Ongoing product development is focused on improving internal telemetry and instrumentation to provide better visibility into these deep-kernel drops and to enhance the fidelity of short-lived flow reporting.

  • Best Practice: To improve the visibility of critical automation workflows, customers should minimize non-essential background traffic (such as high-frequency monitoring probes or security scanners) hitting the same vNIC, as this reduces the pressure on internal flow conversion buffers.
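As an added illustration, not code from this article or from the product, the following constructed model reproduces the two mechanisms described under Cause (a bounded shared buffer and a per-filter export cap per aggregation window) and runs a steady application flow, a high-frequency monitoring probe and a bursty script through them, first with the probe traffic present and then with it removed as the Best Practice item suggests. The queue and window parameters, tick-based timing and flow names are assumptions; the real ESXi internals are not public.

```python
from collections import Counter, defaultdict

# Constructed, illustrative model (not the ESXi implementation): records first pass
# through a bounded shared buffer, then a per-filter (per-vNIC) cap on the number of
# records exported per aggregation window. All parameter values are assumptions.
QUEUE_CAPACITY = 8      # records the shared buffer holds per tick; the rest are discarded
WINDOW_LIMIT = 10       # records one filter may export per window
WINDOW_TICKS = 10       # ticks per aggregation window

def export_with_limits(events, queue_capacity=QUEUE_CAPACITY,
                       window_limit=WINDOW_LIMIT, window_ticks=WINDOW_TICKS):
    """events: list of (tick, vnic, flow). Returns the records that reached the exporter."""
    per_tick = defaultdict(list)
    for tick, vnic, flow in events:
        per_tick[tick].append((vnic, flow))
    window_counts = Counter()
    exported = []
    for tick in sorted(per_tick):
        window = tick // window_ticks
        # Buffer full: records beyond capacity are dropped before they are processed.
        for vnic, flow in per_tick[tick][:queue_capacity]:
            if window_counts[(window, vnic)] < window_limit:
                window_counts[(window, vnic)] += 1
                exported.append((tick, vnic, flow))
    return exported

def build_workload(ticks=100, include_probe=True):
    """Constructed traffic on one vNIC: a long-lived app->db flow emitting one record per
    tick, an optional high-frequency monitoring probe, and a script that opens 20
    connections in a single tick every 25 ticks (individual sessions are suffixed #n)."""
    events = []
    for t in range(ticks):
        events.append((t, "vnic-A", "app->db:5432"))
        if include_probe:
            events.append((t, "vnic-A", "probe->app:443"))
        if t % 25 == 0:
            events.extend((t, "vnic-A", f"script->api:8443#{i}") for i in range(20))
    return events

def visibility(events, exported, window_ticks=WINDOW_TICKS):
    """Per flow pattern (session suffix stripped): records exported vs. generated, and
    the number of windows in which the pattern was seen vs. the windows it occurred in."""
    def pattern(flow):
        return flow.split("#")[0]
    total, seen = Counter(), Counter()
    present, observed = defaultdict(set), defaultdict(set)
    for tick, _, flow in events:
        total[pattern(flow)] += 1
        present[pattern(flow)].add(tick // window_ticks)
    for tick, _, flow in exported:
        seen[pattern(flow)] += 1
        observed[pattern(flow)].add(tick // window_ticks)
    return {p: {"generated": total[p], "exported": seen[p],
                "windows_present": len(present[p]), "windows_seen": len(observed[p])}
            for p in total}
```

Under these parameters the steady flow is seen in every window even though most of its individual records are dropped, while the script pattern is seen in only two of its four bursts until the probe traffic is removed, after which all four bursts are captured.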