3 Replies Latest reply on Jan 22, 2018 10:12 PM by DaleCoghlan

    On Distributed FW CPU / Memory Utilization of ESXi

    networlddsg Enthusiast



      Is it possible to check how much CPU / memory the distributed FW uses on ESXi?


      I would like to know the ESXi CLI.

        • 1. Re: On Distributed FW CPU / Memory Utilization of ESXi
          Sreec Master
          Community Warriors, vExpert, VMware Employees

          From my experience I haven't seen anyone monitoring the CPU/Mem usage on a regular basis for DFW. A few things to know: heap size is the main criterion, and DFW leverages the ESXi heap size, which can be checked via vsish commands. If you look at KB https://kb.vmware.com/s/article/2146298, one of the symptoms is when we have 1000 Security groups and IP sets, and there were a few known issues in 6.2.x because heap size was limited to 1.5 GB; they have further increased the heap size to 3 GB, and global address sets optimize the heap size significantly (optimization feature). However, to avoid high heap usage, ensure the points below are covered:


          1. DRS should be configured and running, and the VM-to-host consolidation ratio is correct

          2. Heap free space is always above 20%


          I would also recommend using the Applied To field to limit the DFW rule scope rather than enabling the rule on the complete DFW-enabled setup.

          So I don't find a strong reason to monitor this every day unless you have significant firewall growth and you don't want any failures because the heap is full, which is highly unlikely if we follow best practices, as far as I know.


          You may also check: http://networkinferno.net/testing-distributed-firewall-heap-usage, Monitoring DFW Heap Usage – SneakU

          SneakU vSIP Heap Monitoring – Content Pack – SneakU

          • 3. Re: On Distributed FW CPU / Memory Utilization of ESXi
            DaleCoghlan Enthusiast
            VMware Employees

            It is also possible to have NSX alert you when DFW CPU and heap utilization crosses a specific threshold, as well as connections per second. By default, this is set to 100%, so if you do get any alerts, it's already too late.


            To set the alerts, it needs to be done via the API, or via PowerNSX as shown in the example below:


            PS /Users/dcoghlan> get-help Set-NsxFirewallThreshold -Examples

                Sets the Distributed Firewall thresholds for CPU, Memory
                and Connections per Second

                -------------------------- EXAMPLE 1 --------------------------

                PS />Set-NsxFirewallThreshold -Cpu 70 -Memory 70 -ConnectionsPerSecond 35000

                CPU Memory ConnectionsPerSecond
                --- ------ --------------------
                cpu memory connectionsPerSecond
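As an added example (not code from the thread or from PowerNSX), the same thresholds handled through the REST API route mentioned above: parse the current settings, flag CPU/memory thresholds still at the 100% default, and build the PUT body. The endpoint path and the `<eventThresholds>` XML shape are assumed from the NSX-V 6.x API, and the sample response is constructed.

```python
"""Audit and update NSX-V Distributed Firewall event thresholds.

Assumed endpoint (NSX-V 6.x): GET/PUT /api/4.0/firewall/stats/eventthresholds
Assumed body shape: <eventThresholds> with cpu/percentValue, memory/percentValue
and connectionsPerSecond/value. SAMPLE_RESPONSE below is constructed, not captured.
"""
import xml.etree.ElementTree as ET

DEFAULT_PERCENT = 100  # NSX default: CPU and memory alerts fire only at 100%

# Constructed sample of a GET response with the defaults still in place.
SAMPLE_RESPONSE = """<eventThresholds>
  <cpu><percentValue>100</percentValue></cpu>
  <memory><percentValue>100</percentValue></memory>
  <connectionsPerSecond><value>100000</value></connectionsPerSecond>
</eventThresholds>"""


def parse_thresholds(xml_text):
    """Return {'cpu': int, 'memory': int, 'connectionsPerSecond': int}."""
    root = ET.fromstring(xml_text)
    return {
        "cpu": int(root.findtext("cpu/percentValue")),
        "memory": int(root.findtext("memory/percentValue")),
        "connectionsPerSecond": int(root.findtext("connectionsPerSecond/value")),
    }


def thresholds_at_default(xml_text):
    """Names of CPU/memory thresholds still at 100%, i.e. alerts that arrive too late."""
    current = parse_thresholds(xml_text)
    return [name for name in ("cpu", "memory") if current[name] >= DEFAULT_PERCENT]


def build_threshold_body(cpu, memory, cps):
    """Build the PUT body; percentages are validated to 1..100, CPS must be positive."""
    for name, pct in (("cpu", cpu), ("memory", memory)):
        if not 1 <= pct <= 100:
            raise ValueError(f"{name} threshold must be a percentage 1-100, got {pct}")
    if cps < 1:
        raise ValueError("connectionsPerSecond must be positive")
    root = ET.Element("eventThresholds")
    ET.SubElement(ET.SubElement(root, "cpu"), "percentValue").text = str(cpu)
    ET.SubElement(ET.SubElement(root, "memory"), "percentValue").text = str(memory)
    ET.SubElement(ET.SubElement(root, "connectionsPerSecond"), "value").text = str(cps)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("still at default:", thresholds_at_default(SAMPLE_RESPONSE))
    print(build_threshold_body(70, 70, 35000))  # body for the thread's 70/70/35000 example
```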