Distributed firewall monitoring

If the distributed firewall does not have enough memory, it will start dropping traffic. The distributed firewall administrator is notified of the lack of available memory by the following actions:

  • Receiving an alert when a new rule could not be configured due to the shortage.
  • A syslog message that states the distributed firewall cannot create new connections due to the shortage. If a rule relating to the flow creation also has logging turned on, a second message is generated to indicate that the packet was also dropped.

The firewall administrator can resolve the issue by freeing memory on a host; for example, by moving a guest to another host.

If the distributed firewall vCPUs are over-utilized or maxed out, packets can also be dropped. If logging is enabled for the related flow, a log message is generated for dropped packets.

In an All Failure scenario, packets are discarded and the distributed firewall operates in a Fail Closed mode until the failure is remedied. The following table records the distributed firewall design decision together with its justification and its implications:

Admin has made the following decisions for this design:

Design decision: The VMkernel log on all hosts prepared for NSX for vSphere will be sent to syslog collectors to analyze and troubleshoot the flows interacting with the distributed firewall, and the NSX Edge services gateway virtual machines will send syslog directly.

Design justification: Host logs will contain the details of any distributed firewall-related actions, because they are kernel-level operations. The vmkernel.log file will capture all firewall events relating to any virtual machines on specific hosts. NSX Edge services gateways are virtual machines that can generate syslog messages directly, so pinpointing a particular instance will be possible; for example, by searching on an IP address or related information.

Design implication: Host-level syslog messages are controlled by advanced settings on the individual ESXi servers on a per-VM basis. These settings will be captured as part of the ESXi host design and the NSX Edge services gateway provisioning workflows respectively. Regular expression matching on NSX for vSphere specific terms can be performed in the VMware vRealize Log Insight tool.
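As an added example that is not part of the book or of VMware's tooling, the following Python script shows the kind of regular expression matching the design implication describes, applied to the two syslog messages discussed earlier in the section: it separates distributed firewall packet drops from the memory-shortage message that accompanies failed connection creation, and aggregates drops per host and per VM/rule pair so an administrator can see where memory needs to be freed. The line layout, host and VM names, rule numbers and message wording are all constructed for illustration; real NSX messages are worded differently, so the patterns would be adapted to the actual log output before use.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in a syslog-like layout: "<timestamp> <host> vmkernel: <message>".
# The message texts are illustrative only, not the exact wording NSX for vSphere emits.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z esx01 vmkernel: dfw: packet DROP src=10.0.1.5 dst=10.0.2.9 proto=TCP dport=445 vm=web-01 rule=1001
2024-05-01T10:00:02Z esx01 vmkernel: dfw: packet PASS src=10.0.1.5 dst=10.0.2.9 proto=TCP dport=443 vm=web-01 rule=1002
2024-05-01T10:00:03Z esx02 vmkernel: dfw: cannot create new connection: memory shortage
2024-05-01T10:00:03Z esx02 vmkernel: dfw: packet DROP src=10.0.3.7 dst=10.0.2.9 proto=TCP dport=443 vm=app-01 rule=1002
2024-05-01T10:00:04Z esx01 vmkernel: dfw: packet DROP src=10.0.1.5 dst=10.0.2.9 proto=UDP dport=53 vm=web-01 rule=1003
2024-05-01T10:00:05Z esx03 vmkernel: dfw: packet PASS src=10.0.4.2 dst=10.0.2.9 proto=TCP dport=22 vm=db-01 rule=1004
"""

# Patterns for the constructed format above (hypothetical; adapt to the real message text).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vmkernel: (?P<msg>.*)$")
DROP_RE = re.compile(r"packet DROP .*?vm=(?P<vm>\S+) rule=(?P<rule>\d+)")
MEMORY_RE = re.compile(r"cannot create new connection: memory shortage")


def parse_lines(text: str) -> List[Dict[str, str]]:
    """Split syslog-style text into timestamp/host/message records, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def drops_per_host(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count distributed firewall packet drops per ESXi host."""
    counts: Counter = Counter()
    for rec in records:
        if DROP_RE.search(rec["msg"]):
            counts[rec["host"]] += 1
    return dict(counts)


def drops_per_vm_rule(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count drops per (vm, rule) pair, the pivot an admin uses when a rule is suspected of dropping traffic."""
    counts: Counter = Counter()
    for rec in records:
        m = DROP_RE.search(rec["msg"])
        if m:
            counts[(m.group("vm"), m.group("rule"))] += 1
    return dict(counts)


def hosts_short_of_memory(records: List[Dict[str, str]]) -> List[str]:
    """Hosts that logged the connection-creation failure; these are where memory must be freed."""
    return sorted({rec["host"] for rec in records if MEMORY_RE.search(rec["msg"])})


def analyze(text: str) -> dict:
    """Run all three checks over a block of log text and return the results as one dictionary."""
    records = parse_lines(text)
    return {
        "drops_per_host": drops_per_host(records),
        "drops_per_vm_rule": drops_per_vm_rule(records),
        "memory_shortage_hosts": hosts_short_of_memory(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host in result["memory_shortage_hosts"]:
        dropped = result["drops_per_host"].get(host, 0)
        print(f"ALERT: {host} reports a memory shortage; drops seen on that host: {dropped}")
    for (vm, rule), n in sorted(result["drops_per_vm_rule"].items()):
        print(f"{vm} rule {rule}: {n} dropped packet(s)")
```

The memory-shortage check is kept separate from the drop count on purpose: a host that is short of memory drops packets whether or not the matching rule has logging enabled, so the shortage message, not the drop count, is the signal to act on.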
