VMware

VMware NSX and VMC on AWS

Dashboard Widgets

General (General overview of the system)

Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)

USP Compliance (The number of rules with violations, according to their severity level)

Audit (The number of rules with expired access or with access that will expire within the next month)

Recent Changes (Rules and devices with changes in the past 30 days)

Browsers

Rule Viewer (see Rule Viewer)

Object Lookup (see Object Lookup)

USP Viewer (see USP Viewer)

USP Alert Manager Viewer (see USP Alerts Manager)

USP Exceptions Viewer (see USP Exceptions)

Changes (see Change Browser)

Cleanup (see Cleanup Browser)

Device Viewer (see Device Viewer)

Change Management

Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)

Display IPv6 objects

Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)

Real-time Monitoring (Automatically fetches policy information from the device at regular intervals)

Accountability - Installed Revisions (Supported for VMware NSX only)

Create SecureChange ticket from Rule Viewer for:
  • Rule Decommission (Removes selected rules from supported devices)

  • Rule Recertification (Used to document and verify the need for a rule)

Topology

Static Topology

BGP Dynamic Routes

Notes for VMware NSX and VMC on AWS:

  • Real-time monitoring uses device polling.

  • These features are not supported: unused objects cleanup, offline analysis.

  • Topology support only includes North-South connectivity. In topology diagrams, traffic inside a logical switch is shown as passing through a logical router.

  • For Auditing and Reporting, these features are supported: Regulations browser, Rule Viewer, New Revision report.

  • Dynamic Topology (BGP dynamic routing) is supported for NSX-T.

  • New NSX-T devices are automatically configured with Declarative (Policy) APIs. Devices that were previously added using Imperative APIs will continue to work. In the Device Manager, the name of a device indicates whether the device is configured with a Declarative or Imperative API.

    To convert a device that was previously added using Imperative APIs to Declarative APIs, add the device as a new device, and remove or disable the old instance of the device.

  • For NSX-T devices, dynamic Security Groups based on tags set in the device are supported.