VMware NSX

  • 1.  On Distributed FW CPU / Memory Utilization of ESXi

    Posted Dec 19, 2017 08:20 AM

    Hello.

    Is it possible to check how much CPU / memory the distributed FW uses on ESXi?

    I would like to know the ESXi CLI.



  • 2.  RE: On Distributed FW CPU / Memory Utilization of ESXi
    Best Answer

    Broadcom Employee
    Posted Dec 19, 2017 12:09 PM

    From my experience I haven't seen anyone monitoring the CPU/Mem usage on a regular basis for DFW. A few things to know: heap size is the main criterion, and DFW leverages the ESXi heap size, which can be checked via vsish commands. If you look at KB https://kb.vmware.com/s/article/2146298, one of the symptoms is when we have 1000 Security groups and IP sets, and there were a few known issues in 6.2.x because heap size was limited to 1.5 GB; they have since increased the heap size to 3 GB, and global address sets optimize the heap size significantly (optimization feature). However, to avoid high heap size usage, ensure the points below are covered:

    1. DRS should be configured and running, and the VM-to-host consolidation ratio is correct

    2. Heap size free space is always above 20%

    I would also recommend using the Applied To field to limit the DFW rule scope rather than enabling the rule on the complete setup that is DFW enabled.

    So I don't find a strong reason to monitor this every day unless you have significant firewall growth and you don't want any failures because the heap is full, which is highly unlikely if we follow best practices, as per my knowledge.

    You may also check -> http://networkinferno.net/testing-distributed-firewall-heap-usage , Monitoring DFW Heap Usage – SneakU

    SneakU vSIP Heap Monitoring – Content Pack – SneakU



  • 3.  RE: On Distributed FW CPU / Memory Utilization of ESXi

    Posted Dec 21, 2017 01:18 AM

    Thank you!



  • 4.  RE: On Distributed FW CPU / Memory Utilization of ESXi

    Broadcom Employee
    Posted Jan 23, 2018 06:12 AM

    It is also possible to have NSX alert you when DFW CPU and Heap utilization crosses a specific threshold, as well as connections per second. By default, this is set to 100%, so if you do get any alerts, it's already too late.

    To set the alerts, it needs to be done via the API, or via PowerNSX as shown in the example below:

    PS /Users/dcoghlan> get-help Set-NsxFirewallThreshold -Examples

    NAME
        Set-NsxFirewallThreshold

    SYNOPSIS
        Sets the Distributed Firewall thresholds for CPU, Memory
        and Connections per Second

        -------------------------- EXAMPLE 1 --------------------------

        PS />Set-NsxFirewallThreshold -Cpu 70 -Memory 70 -ConnectionsPerSecond 35000

        CPU Memory ConnectionsPerSecond
        --- ------ --------------------
        cpu memory connectionsPerSecond
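As an added example (not from this thread, PowerNSX or VMware), the same threshold change done directly against the NSX Manager REST API in Python: it builds the XML body, rejects percentages outside 1..100, PUTs it, reads the stored thresholds back, and flags a configuration still sitting at the 100% default. The endpoint path and XML element names are assumed from the NSX-V 6.x API reference and should be checked against your NSX version.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint assumed from the NSX-V (6.x) Manager API reference; confirm it for your version.
THRESHOLD_PATH = "/api/4.0/firewall/stats/eventthresholds"


def build_threshold_xml(cpu_percent, memory_percent, connections_per_second):
    """Build the PUT body; CPU and memory are percentages, so reject anything outside 1..100."""
    for name, value in (("cpu", cpu_percent), ("memory", memory_percent)):
        if not 1 <= int(value) <= 100:
            raise ValueError(f"{name} threshold must be 1..100 percent, got {value}")
    if int(connections_per_second) < 1:
        raise ValueError("connections_per_second must be positive")
    root = ET.Element("eventThresholds")
    ET.SubElement(ET.SubElement(root, "cpu"), "percentValue").text = str(cpu_percent)
    ET.SubElement(ET.SubElement(root, "memory"), "percentValue").text = str(memory_percent)
    ET.SubElement(ET.SubElement(root, "connectionsPerSecond"), "value").text = str(connections_per_second)
    return ET.tostring(root, encoding="unicode")


def parse_threshold_xml(body):
    """Turn a GET/PUT response body into a plain dict of the three thresholds."""
    root = ET.fromstring(body)
    return {
        "cpu": int(root.findtext("cpu/percentValue")),
        "memory": int(root.findtext("memory/percentValue")),
        "connectionsPerSecond": int(root.findtext("connectionsPerSecond/value")),
    }


def alerts_too_late(thresholds):
    """True when CPU or memory is still at the 100% default: the alert only fires once the heap is already exhausted."""
    return thresholds["cpu"] >= 100 or thresholds["memory"] >= 100


def _call(method, url, user, password, body=None):
    """Minimal basic-auth XML request against NSX Manager (stdlib only, system CA store)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/xml", "Accept": "application/xml"}
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def set_thresholds(manager, user, password, cpu, memory, cps):
    """PUT the new thresholds, then GET them back so the caller sees what NSX Manager actually stored."""
    url = f"https://{manager}{THRESHOLD_PATH}"
    _call("PUT", url, user, password, build_threshold_xml(cpu, memory, cps))
    return parse_threshold_xml(_call("GET", url, user, password))
```

Calling `set_thresholds("nsxmanager.example.local", "admin", password, 70, 70, 35000)` mirrors the PowerNSX example above; run `alerts_too_late()` on the result of a plain GET to audit managers that were never changed from the default.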