Steps to Resolve
For 3.0.0 and higher
Recommended Action:
View the current Distributed Firewall kernel memory usage by invoking the NSX CLI command 'get firewall thresholds' on the host. Check which heap has high memory usage and act accordingly:
- vsip-rules - Use the Applied To field in the rules so that the rules are applied to fewer, specific VMs, effectively reducing the rule count. Groups containing IP addresses should use CIDR blocks as much as possible, rather than specifying each individual IP address.
- vsip-fprules - Re-balance the workloads on this host to other hosts. Groups containing IP addresses should use CIDR blocks as much as possible, rather than specifying each individual IP address.
- vsip-fqdn/vsip-attr - Consider refining L7 rules to targeted traffic using from/to addresses for these rules.
Reduce the number of firewall rules:
- Use groups for source/destination addresses instead of individual IPs.
- When a rule has multiple ports, protocols, or services, those should be defined as a group as opposed to listed individually in the rule.
- Add the Applied To field in rules to define the VM scope. Without this field, every rule is applied to every entity within the DFW scope.
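The CIDR recommendation above can be checked mechanically before a group is pushed to the DFW: collapse the individual members into the minimal set of CIDR blocks and compare the member count before and after. This is an added example, not part of the KB article or of NSX; the sample group below is constructed and the function names are the author's own.

```python
import ipaddress

# Constructed sample group: a full /24 listed host by host, two small
# contiguous runs, a lone host and a pair of IPv6 hosts (265 entries).
SAMPLE_GROUP = (
    [f"10.0.1.{i}" for i in range(256)]
    + ["192.168.5.10", "192.168.5.11"]
    + ["172.16.0.4", "172.16.0.5", "172.16.0.6", "172.16.0.7"]
    + ["203.0.113.9"]
    + ["2001:db8::", "2001:db8::1"]
)


def collapse_group_members(members):
    """Return the minimal list of CIDR blocks covering every member.

    Members may be bare addresses or CIDR strings. Duplicates and
    overlapping entries are merged. IPv4 and IPv6 are collapsed
    separately because ipaddress.collapse_addresses rejects mixed input.
    """
    nets = [ipaddress.ip_network(m, strict=False) for m in members]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4))
    collapsed += list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed]


def member_reduction(members):
    """Return (entries before, entries after, collapsed blocks)."""
    blocks = collapse_group_members(members)
    return len(members), len(blocks), blocks


def needs_cidr_cleanup(members, min_saving=2):
    """True when collapsing would remove at least `min_saving` entries,
    i.e. the group is a candidate for the CIDR rewrite the article asks for."""
    before, after, _ = member_reduction(members)
    return before - after >= min_saving


if __name__ == "__main__":
    before, after, blocks = member_reduction(SAMPLE_GROUP)
    print(f"{before} individual entries -> {after} CIDR blocks")
    for b in blocks:
        print("  ", b)
```

Groups that `needs_cidr_cleanup` flags are the ones whose entries inflate the vsip-rules/vsip-fprules heaps without adding any additional coverage.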
Maintenance window required for remediation? No