Hi.
Currently, we have about 2k rules on the NSX DFW.
I suspect that some of them are tired and are no longer used.
How can I analyze a large number of rules?
Maybe PowerNSX could help? Or vRealize Log Insight?
Hello,
Yes, as lhoffer said, if you are using vRNI you can query for firewall rules that are not used (there is no traffic going through them) as below:
As a workaround, removing the 'not' operator shows the NSX firewall rules where flows are seen. Keep in mind you need to have NSX send the IPFIX traffic flows to Network Insight for this to work, as per the following: NSX Distributed Firewall Inactive Rules
Cheers,
VCIX6-NV|VCP-NV|VCP-DC|
If you have vRealize Network Insight in the environment, you can just use the "nsx firewall rule where flow is not set" query to see all rules that haven't had a flow match them in the time period you're looking at.
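If vRNI is not available, the same triage can be done offline against an exported rule set. The following is an added example, not code from the thread, PowerNSX or vRNI: it parses a small, constructed XML export modelled loosely on the NSX-V DFW configuration (sections, rules, name, action, sources, destinations, services), joins it with per-rule counters, and buckets rules into disabled, shadowed (an earlier enabled rule covers it completely, so it can never be hit), unused in the window, hits-without-flows (worth checking the IPFIX export before calling it unused), and active. The XML shape and the counter fields "hits" and "flows" are assumptions for illustration, not the exact NSX or vRNI schema.

```python
"""Triage a large NSX DFW rule set for rules that may no longer be used.

Added example; the XML layout and the per-rule counters below are constructed
and only loosely modelled on an NSX-V DFW export, not the real schema.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample export (not a real NSX export); first match wins, top to bottom.
DFW_CONFIG_XML = """\
<firewallConfiguration><layer3Sections><section id="1000" name="Infra">
  <rule id="1001" disabled="false"><name>Allow DNS</name><action>allow</action>
    <sources><value>any</value></sources><destinations><value>sg-dns</value></destinations>
    <services><value>udp/53</value></services></rule>
  <rule id="1002" disabled="false"><name>Allow DNS from app tier</name><action>allow</action>
    <sources><value>sg-app</value></sources><destinations><value>sg-dns</value></destinations>
    <services><value>udp/53</value></services></rule>
  <rule id="1003" disabled="false"><name>Legacy backup agent</name><action>allow</action>
    <sources><value>sg-backup</value></sources><destinations><value>sg-app</value></destinations>
    <services><value>tcp/10000</value></services></rule>
  <rule id="1004" disabled="true"><name>Old jump host</name><action>allow</action>
    <sources><value>10.9.9.9/32</value></sources><destinations><value>any</value></destinations>
    <services><value>tcp/22</value></services></rule>
  <rule id="1005" disabled="false"><name>Old monitoring</name><action>allow</action>
    <sources><value>sg-monitor</value></sources><destinations><value>sg-db</value></destinations>
    <services><value>tcp/5432</value></services></rule>
</section></layer3Sections></firewallConfiguration>
"""

# Constructed counters for one time window (assumed fields): "hits" as a per-rule
# counter from the hosts, "flows" as IPFIX-derived flows the way vRNI would report them.
RULE_STATS = {
    "1001": {"hits": 120_000, "flows": 4_500},
    "1002": {"hits": 0, "flows": 0},
    "1003": {"hits": 9_800, "flows": 0},
    "1004": {"hits": 0, "flows": 0},
    "1005": {"hits": 0, "flows": 0},
}


@dataclass
class Rule:
    rule_id: str
    name: str
    action: str
    disabled: bool
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    services: set = field(default_factory=set)


def _values(rule_el, tag):
    return {v.text.strip() for v in rule_el.findall(f"{tag}/value")}


def parse_rules(xml_text):
    """Return rules in evaluation order."""
    root = ET.fromstring(xml_text)
    return [
        Rule(rule_id=r.get("id"), name=r.findtext("name"), action=r.findtext("action"),
             disabled=r.get("disabled") == "true", sources=_values(r, "sources"),
             destinations=_values(r, "destinations"), services=_values(r, "services"))
        for r in root.iter("rule")
    ]


def _covers(outer, inner):
    """True if every member of inner is matched by outer ('any' matches everything)."""
    return "any" in outer or inner <= outer


def shadowed_rules(rules):
    """Map rule id -> id of the earlier enabled rule that fully covers it (never reachable)."""
    shadowed = {}
    enabled = [r for r in rules if not r.disabled]
    for i, later in enumerate(enabled):
        for earlier in enabled[:i]:
            if (_covers(earlier.sources, later.sources)
                    and _covers(earlier.destinations, later.destinations)
                    and _covers(earlier.services, later.services)):
                shadowed[later.rule_id] = earlier.rule_id
                break
    return shadowed


def classify(rules, stats):
    """Bucket rules for review, keeping the reason visible rather than just 'zero hits'."""
    shadow = shadowed_rules(rules)
    buckets = {"disabled": [], "shadowed": [], "unused": [], "hits_without_flows": [], "active": []}
    for r in rules:
        s = stats.get(r.rule_id, {"hits": 0, "flows": 0})
        if r.disabled:
            buckets["disabled"].append(r.rule_id)
        elif r.rule_id in shadow:
            buckets["shadowed"].append(r.rule_id)
        elif s["hits"] == 0 and s["flows"] == 0:
            buckets["unused"].append(r.rule_id)
        elif s["flows"] == 0:
            # Hits but no flows: verify the IPFIX export and the query window
            # before treating this rule as unused.
            buckets["hits_without_flows"].append(r.rule_id)
        else:
            buckets["active"].append(r.rule_id)
    return buckets


if __name__ == "__main__":
    for bucket, ids in classify(parse_rules(DFW_CONFIG_XML), RULE_STATS).items():
        print(f"{bucket:>20}: {', '.join(ids) or '-'}")
```

The shadowing check is what makes a zero hit count actionable: rule 1002 in the sample can never be hit because the broader rule 1001 above it matches the same traffic first, so it can be removed regardless of the time window, whereas rule 1005 simply saw nothing in this window and should be checked over a longer period before deletion.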
What is the difference between Hit count and Flow?
In the graphic I see a high Hit count, but 0 for the flow count.