VMware Networking Community
Hedin333
Contributor

Search for unused rules in DFW NSX

Hi.

Currently, we have about 2k rules on the NSX DFW.

I suspect that some of them are tired and are no longer used.

How can I analyze a large number of rules?

Maybe PowerNSX can help? Or vRealize Log Insight?


[Image: Rule stats.PNG]

Accepted Solution

HassanAlKak88
Expert

Hello,

Yes, as lhoffer said, if you are using vRNI you can query for firewall rules that are not used (there is no traffic going through them) as below:

[Image: pastedImage_0.png]

This will be a workaround showing the NSX firewall rules where flows are seen by removing the 'not' operator. Keep in mind you need to have NSX send the IPFIX traffic flows to Network Insight for this to work, as per the following: NSX Distributed Firewall Inactive Rules

Cheers,

VCIX6-NV|VCP-NV|VCP-DC|

@KakHassan

linkedin.com/in/hassanalkak


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak


5 Replies

lhoffer
VMware Employee

If you have vRealize Network Insight in the environment you can just use the "nsx firewall rule where flow is not set" query to see all rules that haven't had a flow match them in the time period you're looking at.

KingMatthew
Contributor

What is the difference between Hit count and Flow?

In the graphic I see a high Hit count, but 0 for the flow count.

rrawat11
VMware Employee

Hi Hassan,

If we are not using vRNI, is there any workaround to pull out/export/filter the information/report of the unused firewall rules instead of checking the graphs of each individual firewall rule?

rrawat11
VMware Employee

Hi Hassan,

If we do not have vRNI in the NSX-T/NSX-V environment, is there any way to pull out/export/filter information/a report of unused firewall rules collectively instead of checking the graphs of each individual firewall rule?

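For rrawat11's question of producing a collective list without vRNI, the following is an added example (not from this thread, and not VMware or PowerNSX code) of the classification step in Python. It assumes you have already collected per-rule hit counters and last-hit timestamps from the NSX side (for example via the rule-statistics API or a PowerNSX export) into records with the field names shown; those field names and the sample records are constructed for the example and are not the NSX schema. It works from NSX hit counters rather than vRNI flow records, and separates rules that never matched from rules that matched long ago.

```python
"""Classify NSX DFW rules by recorded hits: unused, stale, or active.

Added example; the input is constructed and the field names are an
assumption about a rule-statistics export, not the NSX API schema.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per DFW rule, as you might assemble from the
# NSX rule-statistics API or a PowerNSX export. 'last_hit' is None when the
# counter has never incremented in the collection window.
SAMPLE_STATS = [
    {"section": "Web", "rule_id": 1001, "name": "allow-web-https",
     "hit_count": 48213, "last_hit": "2020-05-11T09:30:00Z"},
    {"section": "Web", "rule_id": 1002, "name": "allow-legacy-ftp",
     "hit_count": 0, "last_hit": None},
    {"section": "DB", "rule_id": 1003, "name": "allow-db-backup",
     "hit_count": 12, "last_hit": "2019-11-02T01:15:00Z"},
    {"section": "Mgmt", "rule_id": 1004, "name": "block-telnet",
     "hit_count": 0, "last_hit": None},
    {"section": "Infra", "rule_id": 1005, "name": "allow-dns",
     "hit_count": 9000, "last_hit": "2020-05-12T08:00:00Z"},
]

# Constructed "collection time" so the sample classifies deterministically.
SAMPLE_NOW = datetime(2020, 5, 12, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_rules(stats, now, stale_days=90):
    """Split rules into 'unused' (zero hits), 'stale' (no hit for stale_days)
    and 'active'.

    A zero counter only proves no match during the window the counter
    covers, so record when the counters were last reset and size stale_days
    to that window. A zero-hit deny rule (e.g. block-telnet) may be doing
    exactly what it should; 'unused' is a review list, not a delete list.
    """
    report = {"unused": [], "stale": [], "active": []}
    for rule in stats:
        if rule["hit_count"] == 0:
            report["unused"].append(rule)
        elif rule["last_hit"] is None or \
                now - _parse_ts(rule["last_hit"]) > timedelta(days=stale_days):
            report["stale"].append(rule)
        else:
            report["active"].append(rule)
    return report


def report_to_csv(report):
    """Flatten the classification into CSV text for review or a change ticket."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["category", "section", "rule_id", "name",
                     "hit_count", "last_hit"])
    for category in ("unused", "stale", "active"):
        rows = sorted(report[category], key=lambda r: (r["section"], r["rule_id"]))
        for rule in rows:
            writer.writerow([category, rule["section"], rule["rule_id"],
                             rule["name"], rule["hit_count"],
                             rule["last_hit"] or ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(report_to_csv(classify_rules(SAMPLE_STATS, SAMPLE_NOW)))
```

Running the script prints a CSV with the two zero-hit rules first, then the rule whose last hit is older than 90 days, then the active ones. Feed it real counters and a `now` taken at collection time; the stale threshold should be no longer than the period the counters have actually been accumulating, and the "unused" list still needs a human check because deny rules and break-glass rules are expected to show zero hits.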