Impact of Enabling Logging on NSX Gateway Firewall Rules

Article ID: 386789

Products

VMware NSX

Issue/Introduction

Enabling logging on gateway firewall rules in NSX Data Center edge nodes can be beneficial for monitoring and troubleshooting network traffic. However, enabling logging on many or all rules can potentially impact the performance of the edge nodes due to the additional overhead introduced by increased CPU usage, memory consumption, and disk I/O. It can also cause NSX services on the edge to go down or packet loss to occur in the datapath. This article addresses common concerns and provides guidance on the potential impacts and best practices for enabling logging on gateway firewall rules.

Environment

  • VMware NSX Data Center (Any supported version)

Cause

The potential performance impact arises from the additional processing required to log each traffic event that matches a firewall rule. When logging is enabled for a large number of rules, especially in environments with high traffic volume, the edge nodes may experience increased CPU and memory usage, as well as increased disk I/O, which could affect overall system performance.

Resolution

1. Impact on Performance:

  • Enabling logging on gateway firewall rules can introduce performance overhead on NSX Edge nodes. The actual impact will depend on the volume of traffic, the complexity of the firewall rules, and the system resources available (CPU, memory, and disk I/O).
  • It is recommended to enable logging selectively, focusing on rules that require monitoring for troubleshooting or compliance purposes. Logging should be disabled once the necessary data has been collected to minimize the impact on system performance.

2. Determining Potential Impact:

  • The potential impact on ESXi hosts can be estimated by considering the amount of traffic being processed by the edge. High traffic volumes will lead to more frequent log entries, increasing the load on the nodes.
  • Monitoring the system's performance counters and metrics, such as CPU and memory usage, can help determine if logging is causing any degradation in performance.

3. Documentation and Guidelines:

4. Limits on DFW Traffic Logs:

  • NSX-T does not impose specific limits on the number of traffic logs per minute or per second. The system is designed to handle large volumes of logs, but the actual limit is determined by the system resources (CPU, memory, and disk I/O).
  • If logging is required for auditing or long-term evaluation, increasing the Edge node size to Large or Extra Large should be considered.

5. Monitoring Traffic Events:

  • Use the NSX-T UI's performance counters and the Rule Hit Statistics UI to monitor the number of traffic events evaluated by the DFW. These tools provide insights into how much traffic is being processed and the corresponding volume of log entries.
    • For performance statistics, navigate to Home -> Monitoring and select System.
    • For rule hit statistics, navigate to Security -> Gateway Firewall, select a rule, and click the statistics counter icon on the far right.
  • Additionally, you can run the get dataplane commands at the admin console of an edge node to review current usage statistics.
    • get dataplane cpu stats shows the current dataplane CPU usage for the network packet queues.
    • get dataplane cpu stats verbose adds additional information if more detail is needed.
    • get dataplane perfstats <interval in seconds> captures multiple data points over the given interval and displays them on screen.
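The following Python triage is an added example, not code from this article or from VMware. It ties the selective-logging guidance in section 1 to the rule hit statistics in section 5: given a snapshot of gateway firewall rules in the shape of NSX Policy API Rule objects (the logged, action, source_groups and destination_groups fields) plus two hit-counter samples taken an interval apart, it ranks the logged rules by the log events per second they generate and flags broad ANY-to-ANY rules as the first candidates for switching logging off. The rule data and counter values are constructed for the example; treating one rule hit as roughly one log event is an assumption.

```python
"""Rank logged gateway firewall rules by generated log events per second
(added example, not VMware code), so logging can be enabled selectively
and turned off once the needed data has been collected."""
from dataclasses import dataclass

# Constructed snapshot. Field names follow the NSX Policy API Rule object;
# "hits" holds two samples of the rule hit counter taken SAMPLE_INTERVAL_S
# seconds apart (as read from the Rule Hit Statistics UI).
SAMPLE_INTERVAL_S = 60
RULES = [
    {"id": "web-in", "logged": True, "action": "ALLOW",
     "source_groups": ["ANY"], "destination_groups": ["/infra/domains/default/groups/web"],
     "hits": (10_000, 16_000)},
    {"id": "default-allow", "logged": True, "action": "ALLOW",
     "source_groups": ["ANY"], "destination_groups": ["ANY"],
     "hits": (500_000, 1_700_000)},
    {"id": "mgmt-drop", "logged": True, "action": "DROP",
     "source_groups": ["ANY"], "destination_groups": ["/infra/domains/default/groups/mgmt"],
     "hits": (300, 360)},
    {"id": "backup", "logged": False, "action": "ALLOW",
     "source_groups": ["/infra/domains/default/groups/backup"], "destination_groups": ["ANY"],
     "hits": (90_000, 150_000)},
]

@dataclass
class LoggedRule:
    rule_id: str
    events_per_s: float   # assumption: one rule hit produces about one log event
    broad: bool           # ANY -> ANY: matches all traffic crossing the edge
    action: str

def triage_logged_rules(rules, interval_s):
    """Return the rules with logging enabled, highest log rate first."""
    out = []
    for r in rules:
        if not r["logged"]:
            continue              # rules without logging add no log overhead
        first, second = r["hits"]
        rate = (second - first) / interval_s
        broad = r["source_groups"] == ["ANY"] and r["destination_groups"] == ["ANY"]
        out.append(LoggedRule(r["id"], rate, broad, r["action"]))
    return sorted(out, key=lambda x: x.events_per_s, reverse=True)

def total_log_rate(rules, interval_s):
    """Aggregate log events/s the edge must write for all logged rules."""
    return sum(x.events_per_s for x in triage_logged_rules(rules, interval_s))

if __name__ == "__main__":
    for lr in triage_logged_rules(RULES, SAMPLE_INTERVAL_S):
        note = " (ANY->ANY; consider disabling logging)" if lr.broad else ""
        print(f"{lr.rule_id:<16}{lr.action:<6}{lr.events_per_s:10.1f} log events/s{note}")
    print(f"total: {total_log_rate(RULES, SAMPLE_INTERVAL_S):.1f} log events/s")
```

Run it after the hit counters have been sampled twice over a known interval; the rule at the top of the list is the one whose logging costs the edge the most.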

Additional Information