Impact of Enabling Logging on NSX DFW Rules

Article ID: 375395

Products

VMware NSX

Issue/Introduction

Enabling logging on DFW rules in NSX Data Center can be beneficial for monitoring and troubleshooting network traffic. However, enabling logging on all DFW rules can potentially impact the performance of ESXi hosts due to the additional overhead introduced by increased CPU usage, memory consumption, and disk I/O. It can also cause the NSX services on the host to go down. This article addresses common concerns and provides guidance on the potential impacts and best practices for enabling logging on DFW rules.

Environment

 

  • VMware NSX Data Center (Any supported version)
  • ESXi Hosts within NSX managed and compatible environments
  • VMs protected by NSX DFW

 

Cause

The potential performance impact arises from the additional processing required to log each traffic event that matches a DFW rule. When logging is enabled for a large number of DFW rules, especially in environments with high traffic volume, the ESXi hosts may experience increased CPU and memory usage, as well as increased disk I/O, which could affect overall system performance.  

Resolution

1. Impact on Performance:

  • Enabling logging on all DFW rules can introduce performance overhead on ESXi hosts. The actual impact will depend on the volume of traffic, the complexity of the firewall rules, and the system resources available (CPU, memory, and disk I/O).
  • It is recommended to enable logging selectively, focusing on rules that require monitoring for troubleshooting or compliance purposes. Logging should be disabled once the necessary data has been collected to minimize the impact on system performance.

2. Determining Potential Impact:

  • The potential impact on ESXi hosts can be estimated by considering the amount of traffic being processed by the DFW. High traffic volumes will lead to more frequent log entries, increasing the load on the hosts.
  • Monitoring the system's performance counters and metrics, such as CPU and memory usage, can help determine if logging is causing any degradation in performance.

3. Documentation and Guidelines:

4. Limits on DFW Traffic Logs:

  • NSX-T does not impose specific limits on the number of DFW traffic logs per minute or per second. The system is designed to handle large volumes of logs, but the actual limit is determined by the system resources (CPU, memory, and disk I/O).

5. Monitoring Traffic Events:

  • Use the NSX-T UI's performance counters and the Rule Hit Statistics UI to monitor the number of traffic events evaluated by the DFW. These tools provide insights into how much traffic is being processed and the corresponding volume of log entries.
  • Additionally, monitor the /var/log/dfwpktlogs.log file to track the number of DFW log messages generated.

6. Enabling Logging Programmatically:

  • Logging on all existing DFW rules can be enabled programmatically using the NSX-T API. You can loop through all DFW rules and enable logging via API calls. While scripting using PowerShell or other tools can also achieve this, detailed configuration and scripting are outside the scope of this article.

7. Extracting DFW Rules Programmatically:

  • The NSX-T API allows you to fetch all security policies and their associated rules using the endpoint /policy/api/v1/infra/domains/<domain-id>/security-policies. Explore scripting options such as PowerShell for further automation.
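As an added example (not part of this article or of VMware's tooling), the script below implements the selective approach recommended above: it lists the rules of a security policy from the endpoint named in section 7, computes which rules need their logging flag changed, and PATCHes only those. It assumes an NSX Manager at a placeholder hostname, the "default" policy domain, a requests-style HTTP session already authenticated to the Manager, and the Policy API rule fields `id`, `display_name` and `logged`.

```python
"""Selectively enable or disable DFW rule logging via the NSX-T Policy API.

Assumptions (not from the article): NSX Manager at NSX_HOST (placeholder),
policy domain "default", and `session` is any object exposing requests-style
get(url) / patch(url, json=...) methods, e.g. an authenticated requests.Session.
"""

NSX_HOST = "https://nsx-manager.example.test"   # placeholder, not a real Manager
DOMAIN = "default"                              # NSX policy domain id (assumption)
POLICIES = f"/policy/api/v1/infra/domains/{DOMAIN}/security-policies"


def plan_logging_changes(rules, name_prefixes, enable):
    """Return (rule_id, patch_body) pairs for rules whose display_name starts
    with one of name_prefixes and whose `logged` flag differs from `enable`.
    Rules already in the desired state are skipped, so the same plan can be
    used to switch logging back off once troubleshooting data is collected."""
    changes = []
    for rule in rules:
        name = rule.get("display_name", "")
        if not any(name.startswith(p) for p in name_prefixes):
            continue                      # out of scope: leave untouched
        if bool(rule.get("logged", False)) == enable:
            continue                      # already in the desired state
        changes.append((rule["id"], {"logged": enable}))
    return changes


def fetch_rules(session, policy_id):
    """GET the rules of one security policy (Policy API 'results' list)."""
    resp = session.get(f"{NSX_HOST}{POLICIES}/{policy_id}/rules")
    resp.raise_for_status()
    return resp.json().get("results", [])


def apply_changes(session, policy_id, changes):
    """PATCH each selected rule; only the `logged` field is sent."""
    for rule_id, body in changes:
        url = f"{NSX_HOST}{POLICIES}/{policy_id}/rules/{rule_id}"
        session.patch(url, json=body).raise_for_status()


# Constructed sample of what the rules endpoint returns, for offline use.
SAMPLE_RULES = [
    {"id": "r1", "display_name": "troubleshoot-web-to-db", "logged": False},
    {"id": "r2", "display_name": "troubleshoot-dns", "logged": True},
    {"id": "r3", "display_name": "allow-backup", "logged": False},
]

if __name__ == "__main__":
    # Only r1 needs a PATCH: r2 is already logged, r3 is outside the prefix scope.
    print(plan_logging_changes(SAMPLE_RULES, ["troubleshoot-"], enable=True))
```

Against a live Manager, pass the output of `fetch_rules` to `plan_logging_changes` and hand the plan to `apply_changes`; running the plan again with `enable=False` reverts exactly the rules that were switched on.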

Additional Information

 

  • For more details on configuring and managing NSX-T Distributed Firewall, refer to the NSX-T Data Center Administration Guide.
  • The potential impact on ESXi hosts can be mitigated by carefully selecting which rules require logging and by continuously monitoring system performance.