Flows Flagged as "Unprotected" in Security Explorer - Despite Valid DFW Rules
Article ID: 437678

Products

  • VMware vDefend Firewall with Advanced Threat Prevention

  • VMware vDefend Firewall

Issue/Introduction

Symptoms

  • In Security Explorer - Security Intelligence, specific traffic flows are marked as "Unprotected" (Red status).

  • Flow Details show that the traffic is permitted by a specific rule at the source vNIC but matches the "Default Layer3 Rule" at the destination vNIC.

  • This is commonly seen with multicast traffic, heartbeat signals, or unidirectional application flows.

Environment

vDefend Security Services Platform 5.1

Cause

The "Applied To" scope of the DFW rule determines which vNICs "download" the security policy. If a rule is only applied to the Source Group, the destination vNIC remains unaware of the rule and must rely on the Default Any Any rule to accept the packet.

Even if the traffic is physically allowed, the visualization engine flags it as Unprotected because there is no explicit security intent defined at the destination.

Illustrative Scenarios

Example 1: Multicast Traffic (e.g., mDNS)

  • Rule: Source: Group-App | Destination: 224.0.0.251 | Service: UDP 5353

  • Applied To: Group-App

  • Visualization Status: Unprotected

  • Why: The receiving VMs (the members of the multicast group) do not have the rule applied to their vNICs. When the packet reaches a receiver, it matches the Default Rule. To fix this, add the group containing the receivers to "Applied To", or apply the rule to DFW.

Example 2: Uni-directional Initiation (App to Database)

  • Rule: Source: App-VM | Destination: DB-VM | Service: MySQL

  • Applied To: App-VM

  • Visualization Status: Unprotected

  • Why: The rule was never pushed to the DB-VM vNIC, so that vNIC has not been "told" to allow MySQL from App-VM. The stateful firewall still allows the return traffic, and the application works, but the initial packet arriving at the DB vNIC is processed by the Default Rule rather than the specific rule.

Example 3: Bi-directional Initiation (Peer-to-Peer)

  • Rule: Source: VM-A | Destination: VM-B | Service: Port 80

  • Applied To: VM-A, VM-B

  • Visualization Status:

    • Flow A → B: Protected (Matches Rule)

    • Flow B → A: Unprotected (Hits Default Rule)

  • Why: The rule defines intent only from A to B. If VM-B initiates a new session back to A, that is a separate conversation: the A → B rule matches neither the source nor the destination of that flow on either vNIC, so it falls to the Default Rule.

Resolution

To ensure flows are categorized as "Protected," the rule must be programmed on both the source and the destination vNIC:

  1. Modify "Applied To": Ensure the Destination Group (or the specific VMs receiving the traffic) is included in the Applied To column of the rule, alongside the Source Group.

  2. Use DFW Scope: For common services or environment-wide rules, set Applied To to DFW. This programs the rule on every vNIC in the environment, so the visualization engine sees an explicit rule match at both ends of every flow the rule covers. Because DFW-scoped rules are evaluated on every vNIC, reserve this for rules that genuinely apply everywhere.
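The following Python model, added here to illustrate the Cause, the three scenarios above, and the two Resolution steps, is example code written for this article and not the product's implementation. It builds each vNIC's rule set from Applied To, evaluates a flow at both vNICs, and reports it Unprotected when either side falls through to the default rule. The rule dictionaries borrow the field names of the NSX Policy API rule object (`source_groups`, `destination_groups`, `services`, `scope`, `action`), but the inventory, group membership, address matching and the Protected/Unprotected decision are a simplified model constructed for this example; the `lint_applied_to` and `widen_scope` helpers are likewise hypothetical.

```python
"""
Simplified model of how a DFW rule's Applied To (the Policy API "scope")
decides which vNICs receive the rule, and why Security Explorer reports a
flow as Unprotected when the destination vNIC only has the default rule.
Example code written for this article; not the product's implementation.
"""
from copy import deepcopy

DEFAULT_RULE = {"id": "Default-Layer3-Rule", "source_groups": ["ANY"],
                "destination_groups": ["ANY"], "services": ["ANY"],
                "scope": ["ANY"], "action": "ALLOW"}

# Constructed inventory: group membership and the addresses each vNIC
# answers to (its unicast IP plus any multicast group it has joined).
INVENTORY = {
    "App-VM":      {"groups": {"Group-App"}, "addresses": {"10.0.1.10"}},
    "Receiver-VM": {"groups": {"Group-Receivers"}, "addresses": {"10.0.1.20", "224.0.0.251"}},
    "DB-VM":       {"groups": {"Group-DB"}, "addresses": {"10.0.2.10"}},
    "VM-A":        {"groups": {"Group-A"}, "addresses": {"10.0.3.10"}},
    "VM-B":        {"groups": {"Group-B"}, "addresses": {"10.0.3.11"}},
}

# The three rules from the article's scenarios, with Applied To as configured there.
RULES = [
    {"id": "mdns-out", "source_groups": ["Group-App"], "destination_groups": ["224.0.0.251"],
     "services": ["UDP-5353"], "scope": ["Group-App"], "action": "ALLOW"},
    {"id": "app-to-db", "source_groups": ["Group-App"], "destination_groups": ["Group-DB"],
     "services": ["MySQL"], "scope": ["Group-App"], "action": "ALLOW"},
    {"id": "peer-http", "source_groups": ["Group-A"], "destination_groups": ["Group-B"],
     "services": ["HTTP"], "scope": ["Group-A", "Group-B"], "action": "ALLOW"},
]


def vnic_rules(rules, vm):
    """Rules actually programmed on this VM's vNIC: Applied To is DFW-wide
    ("ANY") or names a group the VM belongs to."""
    groups = INVENTORY[vm]["groups"]
    return [r for r in rules if "ANY" in r["scope"] or groups & set(r["scope"])]


def _endpoint_matches(entries, vm):
    """A rule endpoint matches a VM by group membership or by address literal."""
    entries = set(entries)
    if "ANY" in entries:
        return True
    inv = INVENTORY[vm]
    return bool(entries & inv["groups"]) or bool(entries & inv["addresses"])


def first_match(rules, src, dst, service):
    """Top-down first match on one vNIC; falls through to the default rule."""
    for r in rules:
        if (_endpoint_matches(r["source_groups"], src)
                and _endpoint_matches(r["destination_groups"], dst)
                and ("ANY" in r["services"] or service in r["services"])):
            return r
    return DEFAULT_RULE


def classify_flow(rules, src, dst, service):
    """Evaluate the flow at both vNICs. Protected only when an explicit rule
    (not the default) matched at the source AND at the destination."""
    src_hit = first_match(vnic_rules(rules, src), src, dst, service)
    dst_hit = first_match(vnic_rules(rules, dst), src, dst, service)
    explicit = src_hit is not DEFAULT_RULE and dst_hit is not DEFAULT_RULE
    return {"source_rule": src_hit["id"], "destination_rule": dst_hit["id"],
            "status": "Protected" if explicit else "Unprotected"}


def lint_applied_to(rules):
    """Flag rules whose Applied To cannot cover the receiving vNICs: scope is
    not DFW-wide and the destination is ANY, an address literal, or a group
    that is missing from scope. These rules will show flows as Unprotected."""
    findings = []
    for r in rules:
        scope, dst = set(r["scope"]), set(r["destination_groups"])
        if "ANY" in scope:
            continue
        if "ANY" in dst or not dst <= scope:
            findings.append(r["id"])
    return findings


def widen_scope(rules, rule_id, extra_scope):
    """Return a copy of the rule set with extra groups (or "ANY" for DFW)
    added to one rule's Applied To: the article's Resolution step."""
    fixed = deepcopy(rules)
    for r in fixed:
        if r["id"] == rule_id:
            r["scope"] = sorted(set(r["scope"]) | set(extra_scope))
    return fixed


if __name__ == "__main__":
    print("rules with Applied To not covering the destination:", lint_applied_to(RULES))
    for src, dst, svc in [("App-VM", "Receiver-VM", "UDP-5353"), ("App-VM", "DB-VM", "MySQL"),
                          ("VM-A", "VM-B", "HTTP"), ("VM-B", "VM-A", "HTTP")]:
        print(f"{src} -> {dst} {svc}:", classify_flow(RULES, src, dst, svc))
    fixed = widen_scope(RULES, "app-to-db", ["Group-DB"])
    print("after adding Group-DB to Applied To:", classify_flow(fixed, "App-VM", "DB-VM", "MySQL"))
```

Running the script reproduces the article's outcomes: the mDNS and App-to-DB flows are Unprotected because the destination vNIC hits `Default-Layer3-Rule`, A → B is Protected, and B → A stays Unprotected even though the rule is applied to both VMs, because no rule describes that direction. Widening `app-to-db` to include `Group-DB` (step 1) or setting its scope to `ANY` (step 2) turns the flow Protected, and the linter stops flagging it.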

Verification

Once the scope is updated and the policy is published, the flow status in Security Explorer transitions from Red (Unprotected) to Green (Protected), and Flow Details show the destination vNIC matching the specific Rule ID instead of the Default Layer3 Rule.