Distributed Firewall Memory usage very high Alarm

Article ID: 330558


Products

VMware vDefend Firewall

Issue/Introduction

Title: Alarm or distributed_firewall.dfw_memory_usage_very_high
Event ID: distributed_firewall.dfw_memory_usage_very_high

Alarm Description

  • Purpose: Distributed Firewall kernel heap memory usage for the specified heap is very high.
  • Impact: New or updated configuration may fail to be applied, and new firewall connections may also be affected. Per heap:
    • vsip-rules - Affects new rule configuration. Rules may not get realised.
    • vsip-fprules - Affects new rule configuration. May cause vMotion failures.
    • vsip-fqdn - May affect L7 rule enforcement.
    • vsip-attr - May affect L7 rule enforcement.


Environment

VMware NSX-T Data Center

Resolution

Steps to Resolve

For 3.0.0 and higher

Recommended Action:

View the current Distributed Firewall kernel memory usage by invoking the NSX CLI command 'get firewall thresholds' on the host, and identify which heap has high memory usage. Then apply the action for that heap:

    • vsip-rules - Use the Applied To field in the rules so that each rule is applied only to the specific VMs it is meant for, effectively reducing the per-host rule count. Groups containing IP addresses should use CIDR blocks as much as possible, rather than specifying each individual IP address.
    • vsip-fprules - Re-balance the workloads on this host to other hosts. Groups containing IP addresses should use CIDR blocks as much as possible, rather than specifying each individual IP address.
    • vsip-fqdn/vsip-attr - Consider refining L7 rules to targeted traffic by using from/to addresses in these rules.

Reduce the number of firewall rules.

    • Use groups for source/destination addresses instead of individual IPs.
    • When a rule has multiple ports, protocols, or services, those should be defined as a group as opposed to listed individually in the rule.
    • Add Applied To field in rules to define the VM scope. Without the use of this field, every rule will get applied to every entity in the DFW expanse.
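As an added illustration that is not part of this KB article, the following Python snippet shows the group change recommended above for the vsip-rules and vsip-fprules heaps: it takes a constructed list of individually listed group members and collapses them into the minimal set of CIDR blocks that covers exactly the same addresses (no more, no less), reporting how many group entries that saves. The member list and function names are assumptions for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: members as they might be listed one by one in a DFW group.
# Mixed IPv4/IPv6 and non-contiguous ranges are included on purpose.
INDIVIDUAL_IPS = [
    "10.1.1.0", "10.1.1.1", "10.1.1.2", "10.1.1.3",
    "10.1.1.4", "10.1.1.5", "10.1.1.6", "10.1.1.7",
    "10.1.2.16", "10.1.2.17", "10.1.2.18", "10.1.2.19",
    "192.168.5.10", "192.168.5.11", "192.168.5.12",
    "2001:db8::1", "2001:db8::2", "2001:db8::3",
]


def collapse_members(members: Iterable[str]) -> List[str]:
    """Return the minimal list of CIDR blocks covering exactly the given members.

    Entries may be bare addresses or CIDR strings. collapse_addresses() only
    merges adjacent or overlapping networks, so the result never widens the
    group's scope, which keeps the rule's security intent unchanged.
    """
    v4, v6 = [], []
    for m in members:
        # strict=False tolerates host bits set in a CIDR entry such as 10.0.0.5/24
        net = ipaddress.ip_network(m.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() requires a single IP version per call
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )
    return [str(n) for n in collapsed]


def member_reduction(members: Iterable[str]) -> Tuple[int, int]:
    """Return (entries before, entries after) collapsing into CIDR blocks."""
    members = list(members)
    return len(members), len(collapse_members(members))


if __name__ == "__main__":
    before, after = member_reduction(INDIVIDUAL_IPS)
    print(f"{before} individual entries -> {after} CIDR blocks:")
    for block in collapse_members(INDIVIDUAL_IPS):
        print("  ", block)
```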

Maintenance window required for remediation? No


Additional Information