DFW rule statistics in NSX-T provide administrators with insights into traffic matched by specific firewall rules. These statistics are collected at the ESXi host level and aggregated by NSX Manager for display in the UI.
The process works as follows:
The stats exporter module on each ESXi host collects flow records from the DFW dataplane kernel modules.
The Management Plane Agent (MPA) gathers these statistics and sends them to the NSX Manager.
Statistics are cumulative and persistent, even across NSX upgrades and reboots.
Aggregated statistics in the Rule Stats UI are refreshed approximately every 15 minutes, which is why the UI may display a banner indicating that “rule stats may be stale.”
DFW Rule Statistics Counters
The following counters are displayed for DFW rules in NSX-T:
Hit Count
Stateful rules: Number of connection states created when the rule matched.
Stateless rules: Number of packets processed by the rule.
Packet Count
Total number of IP packets that traversed the firewall rule.
Byte Count
Total number of bytes that traversed the firewall rule.
Session Count
Number of sessions created based on stateful rules.
For stateless rules, session_count equals packet_count, since no connection state is created.
Note: If logging is enabled for a rule (e.g., Rule ID 1), every increase in the hit counter should correspond to a log entry with the same rule ID.
Persistence of Statistics
Reboots: Rebooting NSX-T components (ESXi hosts, Edges, or NSX Managers) does not reset rule statistics.
Upgrades: Statistics remain persistent across NSX upgrades.
Resetting DFW Rule Statistics
Rule statistics can only be cleared manually using one of the following methods:
1. NSX Manager UI
Navigate to Security → Distributed Firewall → Actions → Reset All DFW Stats.
2. REST API
Use the following API to reset rule statistics:
Reset Rule Stats API Documentation
Recommendations
Use DFW statistics as a reference point, but before deleting or disabling rules based on low or zero hit counts, verify host-level logs to ensure the rules are truly unused.
Consider enabling logging on specific rules if additional validation is required.
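As an added illustration (not part of the original article or any VMware tooling) of the consistency checks the counter definitions and the recommendation above imply, the following script audits a set of per-rule counters: it checks that stateless rules report session_count equal to packet_count, that a logged rule's hit_count matches the number of log entries carrying its rule ID, and flags zero-hit rules for log verification before they are disabled. The statistics records and dfwpktlogs-style lines are constructed samples, and the assumed log layout (rule ID immediately after the action word) is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the per-rule counters the article describes
# (hit_count, packet_count, byte_count, session_count); stateful/logged are assumed flags.
SAMPLE_STATS = [
    {"rule_id": "1", "stateful": True, "logged": True, "hit_count": 3, "packet_count": 40, "byte_count": 5200, "session_count": 3},
    {"rule_id": "2", "stateful": False, "logged": False, "hit_count": 12, "packet_count": 12, "byte_count": 960, "session_count": 12},
    {"rule_id": "3", "stateful": True, "logged": False, "hit_count": 0, "packet_count": 0, "byte_count": 0, "session_count": 0},
    {"rule_id": "4", "stateful": False, "logged": False, "hit_count": 5, "packet_count": 5, "byte_count": 400, "session_count": 3},
]

# Constructed dfwpktlogs-style lines; assumed layout: timestamp, hash, family, "match", action, rule ID, ...
SAMPLE_LOG = """\
2024-01-01T10:00:00.000Z 1a2b3c4d INET match PASS 1 IN 60 TCP 10.0.0.5/50000->10.0.1.9/443 S
2024-01-01T10:00:01.000Z 1a2b3c4d INET match PASS 1 IN 60 TCP 10.0.0.6/50001->10.0.1.9/443 S
2024-01-01T10:00:02.000Z 1a2b3c4d INET match PASS 1 IN 60 TCP 10.0.0.7/50002->10.0.1.9/443 S
"""

# Rule ID follows the action word in the assumed log layout.
LOG_RE = re.compile(r"\bmatch\s+(?:PASS|DROP|REJECT)\s+(\d+)\b")

def count_log_hits(log_text):
    """Count log entries per rule ID."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def check_rule(stat, log_hits):
    """Return a list of findings for one rule's counters (empty list means consistent)."""
    findings = []
    rid = stat["rule_id"]
    logged_hits = log_hits.get(rid, 0)
    if not stat["stateful"] and stat["session_count"] != stat["packet_count"]:
        findings.append(f"rule {rid}: stateless but session_count != packet_count")
    if stat["logged"] and stat["hit_count"] != logged_hits:
        findings.append(f"rule {rid}: hit_count {stat['hit_count']} but {logged_hits} log entries")
    if stat["hit_count"] == 0 and stat["packet_count"] == 0:
        findings.append(f"rule {rid}: zero hits; verify host-level logs before disabling")
    return findings

def audit(stats, log_text):
    """Map each rule ID to its findings, using log entries to cross-check logged rules."""
    log_hits = count_log_hits(log_text)
    return {s["rule_id"]: check_rule(s, log_hits) for s in stats}
```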