DFW Rules Limit Per Host Exceeded and DFW rules limit per vnic approaching.
Article ID: 371437

Products

VMware NSX-T Data Center, VMware NSX, VMware vDefend Firewall

Issue/Introduction

  • Issue: In an NSX environment you will notice the following alerts: "DFW rules limit per host is about to exceed the maximum limit" and/or "DFW rules limit per vnic approaching".

  • Event ID:

    • distributed_firewall.dfw_rules_limit_per_vnic_approaching
    • distributed_firewall.dfw_rules_limit_per_vnic_exceeded
    • distributed_firewall.dfw_rules_limit_per_host_approaching
    • distributed_firewall.dfw_rules_limit_per_host_exceeded


Environment

VMware NSX.

Cause

The VMware Configuration Maximums guide specifies the following limits for Distributed Firewall rules in NSX versions 3.2.x and 4.x:

  • Distributed Firewall Rules per Hypervisor Host: 120,000 (total rules across all virtual NICs on a hypervisor host).
  • Distributed Firewall Rules per Virtual NIC: 4,000 (total number of rules on a single VM vNIC).

The number of DFW rules on a host is the total across all VMs that have the DFW filter applied to their vNICs; in other words, every VM participating in DFW adds its rules to the host count.

If the maximum allowed number of DFW rules on a host is exceeded, an alert is triggered indicating that the rules need to be optimized or reduced. The most common cause is the 'Applied To' field of a rule being left at its default value of "DFW", which places that rule on every vNIC on every NSX-T prepared host.

When the number of DFW rules exceeds the maximum, it can lead to a performance impact, seen as high latency between VMs in the infrastructure. This is because the DFW slot on the filter of the VM's vNIC is an additional stop for traffic inspection; with an excessive number of rules, traffic spends more time passing through the firewall module, which increases latency.

To calculate the rule count per vNIC (run on the ESXi host, where <filter_name> is the DFW filter of the VM's vNIC):

vsipioctl getrules -f <filter_name> | grep -E "rule.*at" | wc -l

To calculate the rule count per host:

/opt/vmware/nsx-nestdb/bin/nestdb-cli --beautify --cmd get vmware.nsx.nestdb.RuleMsg

Each RuleMsg in the above output is one rule on this host; grep the output for "RuleMsg" and pipe it through wc -l to get the total number of rules on the host.
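The two counting commands above, packaged as shell functions together with a comparison against the published maximums. This is an added example and not part of the KB article: the sample outputs are constructed (the nestdb-cli layout is only illustrative), and the 90% "approaching" threshold is an assumption for the example rather than the exact NSX alarm threshold.

```shell
#!/bin/sh
# Added example, not part of KB 371437: count DFW rules the way the article's
# commands do and compare the counts with the published maximums.
# SAMPLE_GETRULES and SAMPLE_NESTDB are constructed stand-ins for real
# "vsipioctl getrules" and "nestdb-cli" output so the script runs off-host.

VNIC_MAX=4000        # Distributed Firewall Rules per Virtual NIC (from the article)
HOST_MAX=120000      # Distributed Firewall Rules per Hypervisor Host (from the article)
APPROACH_PCT=90      # assumption: treat 90% of a maximum as "approaching"

# Constructed sample of "vsipioctl getrules -f <filter_name>" output: three rules.
SAMPLE_GETRULES='ruleset domain-c8 {
  # Filter rules
  rule 1031 at 1 inout protocol any from any to any accept;
  rule 1029 at 2 inout protocol tcp from any to any port 22 accept;
  rule 2 at 3 inout protocol any from any to any drop;
}'

# Constructed sample of nestdb-cli RuleMsg output: two rules (layout is illustrative only).
SAMPLE_NESTDB='vmware.nsx.nestdb.RuleMsg {
  id: 1031
}
vmware.nsx.nestdb.RuleMsg {
  id: 1029
}'

# Rules per vNIC: the same grep the article uses, reading getrules output from stdin.
count_vnic_rules() {
    grep -E "rule.*at" | wc -l | tr -d ' '
}

# Rules per host: count RuleMsg entries in nestdb-cli output read from stdin
# (grep -c exits non-zero when the count is 0, so keep the pipeline's status clean).
count_host_rules() {
    grep -c "RuleMsg" || true
}

# classify COUNT LIMIT -> prints ok, approaching or exceeded.
classify() {
    if [ "$1" -gt "$2" ]; then
        echo exceeded
    elif [ $(( $1 * 100 )) -ge $(( $2 * APPROACH_PCT )) ]; then
        echo approaching
    else
        echo ok
    fi
}

# Demo on the constructed samples. On an ESXi host the same functions take real output:
#   vsipioctl getrules -f <filter_name> | count_vnic_rules
#   /opt/vmware/nsx-nestdb/bin/nestdb-cli --beautify --cmd get vmware.nsx.nestdb.RuleMsg | count_host_rules
vnic_count=$(printf '%s\n' "$SAMPLE_GETRULES" | count_vnic_rules)
host_count=$(printf '%s\n' "$SAMPLE_NESTDB" | count_host_rules)
echo "rules on vNIC: $vnic_count/$VNIC_MAX ($(classify "$vnic_count" "$VNIC_MAX"))"
echo "rules on host: $host_count/$HOST_MAX ($(classify "$host_count" "$HOST_MAX"))"
```

Run the functions against every filter returned for a host to find the vNICs that are driving the count; a vNIC that reports "approaching" while the host total is "ok" points at rules whose 'Applied To' is broader than it needs to be.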

Resolution

  • It is recommended to get the rule count under the published maximums for both the per-vNIC and the per-host numbers.
  • To achieve that, set 'Applied To' to a group instead of DFW: when the default option of "DFW" is used in the 'Applied To' field, the rule is placed on every vNIC that resides on an NSX-T prepared host.
  • Setting 'Applied To' to a group instead of DFW reduces the overall rule count across all vNICs, removes rules from vNICs where they are irrelevant, and prevents inappropriate traffic matches against rules. At a minimum, this provides data plane efficiency: rules that would never match on a given vNIC are removed, reducing the overall amount of rule processing and thereby reducing, or not contributing to, latency.