Hello.
Is it possible to check how much CPU / memory the distributed FW uses on ESXi?
I would like to know the ESXi CLI.
From my experience, I haven't seen anyone monitoring the CPU/Mem usage on a regular basis for DFW. A few things to know: heap size is the main criterion, and DFW leverages the ESXi heap size, which can be checked via vsish commands. If you look at KB https://kb.vmware.com/s/article/2146298, one of the symptoms is when we have 1000 security groups and IP sets. There were a few known issues in 6.2.x because the heap size was limited to 1.5 GB; they have further increased the heap size to 3 GB, and global address sets optimize the heap size significantly (optimization feature). However, to avoid high heap usage, ensure the points below are covered:
1. DRS should be configured and running, and the consolidation ratio (VM-host) is correct
2. Heap size free space is always above 20%
I will also recommend using the Applied To field to limit the DFW rule scope rather than enabling the rule on the complete setup which is DFW enabled.
So I don't find a strong reason to monitor this every day unless you have significant firewall growth and you don't want any failures because the heap size is full, which is highly unlikely if we follow best practices, as per my knowledge.
You may also check -> http://networkinferno.net/testing-distributed-firewall-heap-usage, Monitoring DFW Heap Usage – SneakU
SneakU vSIP Heap Monitoring – Content Pack – SneakU
Thank you!
It is also possible to have NSX alert you when DFW CPU and heap utilization cross a specific threshold, as well as connections per second. By default, this is set to 100%, so if you do get any alerts, it's already too late.
To set the alerts, it needs to be done via the API, or via PowerNSX as shown in the example below:
PS /Users/dcoghlan> get-help Set-NsxFirewallThreshold -Examples
NAME
Set-NsxFirewallThreshold
SYNOPSIS
Sets the Distributed Firewall thresholds for CPU, Memory
and Connections per Second
-------------------------- EXAMPLE 1 --------------------------
PS />Set-NsxFirewallThreshold -Cpu 70 -Memory 70 -ConnectionsPerSecond 35000
CPU Memory ConnectionsPerSecond
--- ------ --------------------
cpu memory connectionsPerSecond