VMware Networking Community
jedijeff
Enthusiast

Microsegmentation-guidance on number of rules

Hi. We are using NSX to stretch L2 now, and are turning our attention to microsegmentation. I realize no one can answer this question for me, but I was curious: as we start looking at the rules and policies we want to move into place, is there a point where we start bogging down the system with too many rules on the DFW? We have lots of rule sets on our hardware firewalls, with a good portion stale or redundant, I am sure. So I am just curious how many rules some people have on their DFW: 50? Hundreds? Just curious. Thanks.

0 Kudos
1 Reply
sk84
Expert

VMware releases the configuration maximums for each product. These are the theoretical maximum supported configurations.

For NSX 6.4 Update 3: https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/NSX%20for%20vSphere%20Recommended%20Configurat...

Rules per NSX Manager: 100,000 (can be a mix of local and universal rules)
Rules per virtual NIC: 3,500
Distributed Firewall sections: 10,000
Universal Distributed Firewall rules: 24,000
Universal firewall sections: 500
Audit log entries: 1,000,000
Flow Monitoring data: 2,000,000 records over 15 days
Saved Distributed Firewall rule configurations: 100

---
Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
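The reply above quotes the published maximums, and the question mentions stale and redundant rules carried over from hardware firewalls. A practical next step is to pull the DFW configuration from NSX Manager and measure it: total rules, sections, disabled rules, and functionally duplicate rules (same action, direction, sources, destinations and services within the same layer), then compare the counts with the maximums quoted in the reply. The script below is an added example, not code from the thread or from VMware. It assumes the XML shape returned by NSX-v's `GET /api/4.0/firewall/globalroot-0/config` (a `layer3Sections` and a `layer2Sections` element, each holding `section` elements that hold `rule` elements with `sources`, `destinations` and `services` children); the sample document embedded in it is constructed for the demonstration, and the `analyse_dfw_config` / `utilisation` function names are the example's own.

```python
"""Count DFW rules from an NSX-v firewall config export and compare them
with the published maximums. Added example; assumes the XML layout of
GET /api/4.0/firewall/globalroot-0/config. SAMPLE_CONFIG is constructed."""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Two of the NSX 6.4 Update 3 maximums quoted in the reply above.
MAXIMUMS = {"rules_per_nsx_manager": 100_000, "dfw_sections": 10_000}

# Constructed sample: one web-tier section with a duplicated allow rule and a
# disabled legacy rule, plus the default L3 and L2 sections.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<firewallConfiguration timestamp="1563000000000">
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1010" name="Web tier" type="LAYER3">
      <rule id="2001" disabled="false" logged="true"><name>Allow HTTPS to web</name><action>allow</action>
        <sources><source><value>sg-web-clients</value><type>SecurityGroup</type></source></sources>
        <destinations><destination><value>sg-web</value><type>SecurityGroup</type></destination></destinations>
        <services><service><value>application-https</value><type>Application</type></service></services>
        <direction>inout</direction></rule>
      <rule id="2002" disabled="false" logged="false"><name>Allow HTTPS to web (copy)</name><action>allow</action>
        <sources><source><value>sg-web-clients</value><type>SecurityGroup</type></source></sources>
        <destinations><destination><value>sg-web</value><type>SecurityGroup</type></destination></destinations>
        <services><service><value>application-https</value><type>Application</type></service></services>
        <direction>inout</direction></rule>
      <rule id="2003" disabled="true" logged="false"><name>Old telnet rule</name><action>allow</action>
        <sources><source><value>sg-admins</value><type>SecurityGroup</type></source></sources>
        <destinations><destination><value>sg-web</value><type>SecurityGroup</type></destination></destinations>
        <services><service><value>application-telnet</value><type>Application</type></service></services>
        <direction>in</direction></rule>
    </section>
    <section id="1007" name="Default Section Layer3" type="LAYER3">
      <rule id="1003" disabled="false" logged="false"><name>Default Rule</name><action>allow</action><direction>inout</direction></rule>
    </section>
  </layer3Sections>
  <layer2Sections>
    <section id="1006" name="Default Section Layer2" type="LAYER2">
      <rule id="1002" disabled="false" logged="false"><name>Default Rule</name><action>allow</action><direction>inout</direction></rule>
    </section>
  </layer2Sections>
</firewallConfiguration>
"""


def _endpoints(rule, tag):
    """Sorted object values under <sources>/<destinations>/<services>.
    A missing element means 'any' in the DFW, represented here as ()."""
    return tuple(sorted(v.text or "" for v in rule.findall(f"{tag}/*/value")))


def rule_signature(rule, layer):
    """The fields that make two rules functionally identical; id and name
    are deliberately left out so renamed copies still match."""
    return (layer, rule.findtext("action", ""), rule.findtext("direction", ""),
            _endpoints(rule, "sources"), _endpoints(rule, "destinations"),
            _endpoints(rule, "services"))


def analyse_dfw_config(xml_text):
    """Return rule/section counts, disabled rule ids and duplicate groups."""
    root = ET.fromstring(xml_text)
    rules_per_section, disabled, by_signature = {}, [], defaultdict(list)
    for layer in ("layer3Sections", "layer2Sections"):
        for section in root.findall(f"{layer}/section"):
            rules = section.findall("rule")
            rules_per_section[section.get("name")] = len(rules)
            for rule in rules:
                if rule.get("disabled") == "true":
                    disabled.append(rule.get("id"))
                by_signature[rule_signature(rule, layer)].append(rule.get("id"))
    return {
        "total_rules": sum(rules_per_section.values()),
        "total_sections": len(rules_per_section),
        "rules_per_section": rules_per_section,
        "disabled_rule_ids": disabled,
        "duplicate_groups": [ids for ids in by_signature.values() if len(ids) > 1],
    }


def utilisation(stats, maximums=MAXIMUMS):
    """Percentage of each published maximum the current config consumes."""
    return {
        "rules_per_nsx_manager": 100.0 * stats["total_rules"] / maximums["rules_per_nsx_manager"],
        "dfw_sections": 100.0 * stats["total_sections"] / maximums["dfw_sections"],
    }


if __name__ == "__main__":
    stats = analyse_dfw_config(SAMPLE_CONFIG)
    print(stats)
    print(utilisation(stats))
```

To run it against a live manager, save the output of `curl -k -u admin https://<nsx-manager>/api/4.0/firewall/globalroot-0/config` and pass the file contents to `analyse_dfw_config`. Note what this does not measure: the 3,500 rules-per-vNIC maximum depends on which rules are applied to each VM (the `appliedToList`) and on how security groups expand at enforcement time, so it has to be checked on the host (for example with the `vsipioctl` tooling on the ESXi side), not from the manager-side export alone.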