Faddom's Micro-Segmentation module allows you to automatically generate and push micro-segmentation policies based on real network traffic. The module analyzes live traffic flows, groups servers into tiers, identifies dependencies, and generates policies for multiple platforms. Policies can be pushed directly to Nutanix Flow, with support for VMware NSX and Cloud Security Groups coming soon.
Prerequisites
Before creating a micro-segmentation policy, you need to:
Have at least one Application Map created in Faddom (see Creating Application Maps)
Have your data sources connected (VMware vCenter, Nutanix Prism Central, or cloud environments)
Ensure Faddom has been collecting traffic data for your environment
Note: The Micro-Segmentation module works with VMware environments regardless of whether NSX is installed. Standard vSwitches are fully supported.
How to Create a Micro-Segmentation Policy
1. Navigate to Secure > Micro-Segmentation
From the main menu, select Secure, then click Micro-Segmentation.
2. Click Add Policy
On the Micro-Segmentation screen, click the Add Policy button to begin creating a new policy.
3. Select an Application Map (General)
In the General step, select an existing Application Map from the dropdown menu. This map serves as the foundation for your micro-segmentation policy.
Type the application map name in the search field or select from the list, then click Next.
4. Review Application Traffic & Rules (Traffic & Rules)
The Traffic & Rules step displays your application in Tier-Based View, showing all traffic flows between tiers (e.g., Web Servers, Application Servers, Database Servers). The policy creation is based on the last saved baseline of the application map. If the map has changes, you may want to save a baseline before creating the policy.
Faddom automatically groups servers into tiers (for details see Tier Types).
Viewing Options:
You can switch between two views using the icons in the top right:
Map View - Visual tier-based diagram showing traffic flows between tiers
List View - Table format showing detailed connection rules with the ability to configure:
Whether to allow internal traffic within each tier (Yes/No toggle)
Inbound and outbound connections
Target platforms and ports
Multi-Platform Policy Generation:
If your application map contains servers from multiple data sources (e.g., Nutanix VMs and VMware VMs in the same tier), Faddom will automatically separate the policy generation by platform. Each data source will have its own policy rules optimized for that platform's capabilities.
Review the displayed traffic flows and connections. The map shows connection counts between each tier. Configure any internal traffic rules in list view if needed, then click Next to continue.
Important: The Micro-Segmentation module works exclusively with Tier-Based View. Legacy Map View is not supported for policy generation.
5. Add External Dependencies (Dependencies)
The Dependencies step shows all traffic coming into or going out of your application from external sources, displayed in a table format similar to Migration Waves.
Dependencies are organized into three categories:
Secured entities used by other servers - External clients accessing your application (clients accessing the business application are selected automatically)
Dependencies - Servers your application depends on (databases, APIs, etc.)
Infrastructure Dependencies - Infrastructure services like DNS, LDAP, NTP, monitoring tools, backup systems
For each dependency, you can:
Add it to the policy by clicking the + button
Leave it out if it should be covered by a separate global policy
The table displays:
Server name and data source platform
Port and connection count
Inbound/Outbound traffic volume
Option to include in policy
Review each section and add the dependencies you want included in this specific policy, then click Next.
6. Confirm and Apply Policy (Confirm & Apply Policy)
The final step displays the complete policy broken down by data source platform (AWS, VMware, Nutanix, GCP). Each platform shows:
Inbound Connections tab
Outbound Connections tab
Policy rules are organized by:
Secured Entity (tier)
Source/Target
Source Platform
Port
Connection Type
Whether internal traffic within the tier is allowed
Policy Application Options:
SAVE AND APPLY POLICIES - Opens a dialog to select which platform policies to push
Nutanix - Can be pushed immediately to Nutanix Flow (in monitoring mode)
Other platforms - Marked as "Coming Soon" (VMware NSX, AWS, GCP, Azure)
SAVE ALL - Saves all policies without pushing to any platform
BACK - Return to previous steps to make changes
DISCARD - Cancel policy creation
EXPORTING THE POLICY - Select the data sources you want to export the policy for.
Pushing Policies to Nutanix Flow
When you apply a policy to Nutanix Flow, Faddom automatically:
Creates Categories - Faddom generates Nutanix Categories (tags) for each tier in your application map (e.g., Web Servers, Database Servers)
Builds Category-to-Category Rules - For all Nutanix VMs, policies are created as category-based rules
Creates IP/Subnet Rules - For servers outside Nutanix (external dependencies, VMware VMs, cloud resources), IP or subnet-based rules are generated
Pushes in Monitoring Mode - Policies are intentionally pushed to Flow in Monitoring Mode, not enforcement mode
Important: Policies pushed to Nutanix Flow are set to Monitoring Mode by default. This allows you to safely review the policies in Flow before enabling enforcement. You must manually enable enforcement within Nutanix Flow after verifying the policy is correct.
Drift Detection and Policy Maintenance
After a policy is created and applied, Faddom continues to monitor your application maps for changes. If the application behavior changes (new connections, removed connections, new servers, or removed servers), Faddom will detect this drift.
When the Application Map Baseline is updated, the Micro-Segmentation module will notify you that the policy is out of sync and offer an option to update the policy to match the current application state.
To view and manage policy drift:
Navigate to Secure > Micro-Segmentation
Locate your policy in the list
If drift is detected, you will see an indicator showing changes since the last policy push
Review the changes and update your policy to keep it aligned with current application behavior
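As an added illustration of the two behaviours described above (per-tier Categories with Category-based rules for Nutanix VMs and IP-based rules for everything else, all pushed in monitoring mode, plus drift detection against the saved baseline), here is a small Python model of that logic. It is not Faddom's code: the Category naming scheme, the rule tuple layout and the sample servers and flows are constructed assumptions.

```python
from collections import namedtuple

MODE = "MONITOR"  # Faddom pushes to Flow in monitoring mode; enforcement stays a manual step
Server = namedtuple("Server", "name tier platform ip")  # tier from the map, platform = data source
Flow = namedtuple("Flow", "src dst port")               # one observed connection between servers


def category(tier):
    return "FaddomTier:" + tier.replace(" ", "")  # hypothetical per-tier Category (tag) name

def peer(server):
    # Nutanix VMs are matched by Category; anything else falls back to an IP/32 rule
    return category(server.tier) if server.platform == "nutanix" else server.ip + "/32"


def nutanix_rules(servers, flows, allow_internal):
    """Derive the Nutanix Flow portion of a policy from observed flows.
    allow_internal maps tier -> bool (the List View intra-tier toggle).
    Each rule is (secured entity, direction, peer, port, mode)."""
    by_name = {s.name: s for s in servers}
    rules = set()
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if src.tier == dst.tier and src.platform == dst.platform == "nutanix":
            if allow_internal.get(src.tier):  # intra-tier traffic follows the toggle
                rules.add((category(src.tier), "internal", category(src.tier), "any", MODE))
            continue
        if dst.platform == "nutanix":  # inbound rule on the secured destination tier
            rules.add((category(dst.tier), "inbound", peer(src), f.port, MODE))
        if src.platform == "nutanix":  # outbound rule on the secured source tier
            rules.add((category(src.tier), "outbound", peer(dst), f.port, MODE))
    return sorted(rules, key=str)


def drift(baseline, current):
    """Diff the saved baseline against live flows; any non-empty entry means the
    pushed policy is out of sync with the application and should be regenerated."""
    nodes = lambda fs: {n for f in fs for n in (f.src, f.dst)}
    return {"new_flows": current - baseline, "removed_flows": baseline - current,
            "new_servers": nodes(current) - nodes(baseline),
            "removed_servers": nodes(baseline) - nodes(current)}

# Constructed sample: a three-tier app split across Nutanix and VMware, plus a DNS dependency
SERVERS = [Server("web1", "Web Servers", "nutanix", "10.0.1.10"),
           Server("app1", "Application Servers", "nutanix", "10.0.2.10"),
           Server("app2", "Application Servers", "nutanix", "10.0.2.11"),
           Server("db1", "Database Servers", "vmware", "10.0.3.10"),
           Server("dns1", "Infrastructure", "vmware", "10.0.0.53")]
BASELINE = {Flow("web1", "app1", 8080), Flow("app1", "db1", 1433),
            Flow("app1", "app2", 5701), Flow("app1", "dns1", 53)}
```

Note that a flow whose destination is the VMware database server yields only an outbound IP rule on the Nutanix side; the VMware half of the policy would be generated separately for that platform, as the Multi-Platform section describes.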
Exporting Policies
For platforms where direct policy push is not yet available (VMware NSX, AWS, GCP, Azure), you can export policies to Excel for manual import or documentation purposes.
The export includes:
All tiers and their members
Connection rules (inbound and outbound)
Port-based rules
Source and target information
Additional Notes
Application Maps are "live" - they continuously update as Faddom detects new traffic, so your policies can stay current with minimal manual intervention
You can create policies for multiple data sources simultaneously (VMware, multiple Nutanix Prism Centrals, cloud environments)
Faddom supports both tag-based and IP-based policy generation depending on the platform and object type
For cloud environments, Faddom can map AWS (EC2, RDS, EKS), Azure, and GCP resources
Platform support roadmap: Nutanix Flow (available now), VMware NSX (coming soon), Cloud Security Groups for AWS/Azure/GCP (coming soon)
If you have any questions or need help, please contact support@faddom.com.