VMware NSX

  • 1.  NSX Distributed Firewall - Hit counts

    Posted Jun 09, 2017 02:07 AM

    What is the easiest way to check the NSX Distributed Firewall hit counts?

    For example, for a particular Rule ID (1000), I wanted to check how many hits have been received.

    One way is by checking the firewall logs from syslog.

    Is there any other simpler way of checking this?



  • 2.  RE: NSX Distributed Firewall - Hit counts

    Posted Jun 09, 2017 09:17 AM

    Hi,

    You can get the stats for the last 24 hours in the NSX firewall interface. On the right, on top of the firewall rules table, there's a "pick your columns" icon. In the dropdown you can select "Stats", which will add a column to each firewall rule where you can view the stats: the number of packets (hits) and the total bytes going through the rule.

    Hope that helps,



  • 3.  RE: NSX Distributed Firewall - Hit counts

    Posted Jun 12, 2017 12:33 AM

    It will show only packets & bytes.

    I want something similar to a Cisco ACL, where it will show the hit counts whenever the rule is hit.



  • 4.  RE: NSX Distributed Firewall - Hit counts

    Posted Jun 12, 2017 03:01 PM

    There isn't anything like this today. I asked my SE the same question and got the same answer.

    I've since requested a feature enhancement for the same data to be shown in the NSX Ruleset UI.

    As a workaround for this I've been using vRealize Log Insight using the following approach.

    There is a pre-built Log Insight content pack for VMware - NSX-vSphere for Log Insight. If you install this content pack, there is a sub-section for Distributed Firewall - Overview, which contains a "Top Rule Hit Count" based on Rule ID along with some other info.

    I like to know more than just the Rule ID for what's being hit so I went one step further with a custom dashboard.

    Create a Log Insight query to pull in the dfwpktlogs (the appname for all of the NSX DFW logs), grouped by a value that is unique per rule. This can be done by grouping by the NSX Rule ID, for example (keeping in mind that if you have more than a single NSX deployment logging to Log Insight, Rule IDs could overlap). To get around this, I have all of my NSX DFW rules set to log and have tagged each one individually with a unique name specific to the NSX Manager and "Rule Name" (i.e. VC1_ALLOW_WEB_to_DB). This also saves me from having to flip back and forth between Log Insight and the NSX Rules to see what each Rule ID is doing.

    Once the Log Insight query is pulling in all of the dfwpktlogs and I know tagging and logging is all set up, I "Group by" the results by vmw_nsx_firewall_ruleid and vmw_nsx_firewall_tag. Make sure to also change the "Grouped by" view from Over-Time to Non-time Series, and that the count filter is set to "Count of events". The last thing is to change the "Chart Type" to Table.

    This will create a table of the NSX tags and a count of how many times they've each been hit over the time range specified in the query. That said, there is a limitation in the number of items that show up in the table view. If I look back at my last three months of data, the bottommost "Rule/line" in my table has a hit count of 3500+. This means data won't show if there are more than 100 or so DFW rules in the query.

    There are ways around this as well, but it's already a convoluted process to get information that should be in the NSX UI anyway.

    Hope this helps
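    The grouping described above (count of dfwpktlogs events per vmw_nsx_firewall_ruleid and vmw_nsx_firewall_tag) can also be done offline on exported syslog. The script below is an added example, not code from this thread or from VMware; the sample lines are constructed and the field order they use for dfwpktlogs is an assumption, so adjust the regular expression to match your own exported logs.

```python
import re
from collections import Counter

# Constructed sample syslog lines approximating the NSX-v dfwpktlogs layout
# (timestamp host dfwpktlogs: <tag> INET match <ACTION> <container>/<ruleid> <dir> <len> <proto> <src>->[<dst>]).
# The exact field order is an assumption for this example, not taken from NSX documentation.
# Rule ID 1000 appears under two different tags (VC1_ / VC2_) to mimic two NSX Managers.
SAMPLE_LOGS = """\
2017-06-09T02:07:01.000Z esx-01a dfwpktlogs: VC1_ALLOW_WEB_to_DB INET match PASS domain-c7/1000 IN 60 TCP 10.1.1.10/51234->10.1.2.20/3306 S
2017-06-09T02:07:02.000Z esx-01a dfwpktlogs: VC1_ALLOW_WEB_to_DB INET match PASS domain-c7/1000 IN 60 TCP 10.1.1.11/51235->10.1.2.20/3306 S
2017-06-09T02:07:03.000Z esx-02a dfwpktlogs: VC1_DROP_ANY INET match DROP domain-c7/1001 OUT 84 ICMP 10.1.1.10->8.8.8.8
2017-06-09T02:07:04.000Z esx-07b dfwpktlogs: VC2_ALLOW_WEB_to_DB INET match PASS domain-c9/1000 IN 60 TCP 10.2.1.10/40000->10.2.2.20/3306 S
2017-06-09T02:07:05.000Z esx-01a dfwpktlogs: not a firewall line
2017-06-09T02:07:06.000Z esx-01a vmkernel: unrelated message
"""

LINE_RE = re.compile(
    r"dfwpktlogs:\s+(?P<tag>\S+)\s+INET\s+match\s+(?P<action>\S+)\s+"
    r"(?P<container>[^/\s]+)/(?P<ruleid>\d+)\s+(?P<dir>IN|OUT)"
)

def parse_hit(line):
    """Return (tag, ruleid, action) for one dfwpktlogs line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("tag"), int(m.group("ruleid")), m.group("action")

def hit_counts(log_text):
    """Count hits per (tag, ruleid), the same grouping as the Log Insight dashboard.
    Grouping by tag as well as rule ID keeps rule 1000 on two NSX Managers apart."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit is None:
            continue  # non-DFW syslog lines are skipped, not counted
        tag, ruleid, _action = hit
        counts[(tag, ruleid)] += 1
    return counts

def top_rules(log_text, limit=100):
    """Sorted (tag, ruleid, hits) rows, highest first, capped like the Log Insight table view."""
    ranked = sorted(hit_counts(log_text).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tag, ruleid, n) for (tag, ruleid), n in ranked[:limit]]

if __name__ == "__main__":
    for tag, ruleid, n in top_rules(SAMPLE_LOGS):
        print(f"{n:>6}  rule {ruleid:<6} {tag}")
```

    Raising `limit` (or writing the full `hit_counts` result to CSV) avoids the row cap that hides rules in the Log Insight table.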



  • 5.  RE: NSX Distributed Firewall - Hit counts

    Posted Jun 13, 2017 10:03 AM

    1 packet = 1 hit. ;-)

    If you'd like more than the 24 hours of insight, you'd need to use an aggregation service like vRealize Log Insight, like @paulparmentier17 described.



  • 6.  RE: NSX Distributed Firewall - Hit counts

    Posted Dec 07, 2021 08:25 PM

    Not true, the NSX interface always and only shows 0.



  • 7.  RE: NSX Distributed Firewall - Hit counts

    Broadcom Employee
    Posted Dec 09, 2021 01:32 PM

    Different ways to check the rule hit counts:

    1. Through the DFW UI, via the statistics symbol in the right-hand corner.

    2. You can use the API "GET /api/4.0/firewall/stats/rules/1000"

    3. You can even use the ESXi host CLI command "vsipioctl getconnections -f nic-2541751-eth0-vmware-sfw.2"; you will see an output like this:

    [root@esx-03a:~] vsipioctl getconnections -f nic-2541751-eth0-vmware-sfw.2
    51943f3500000002 Active udp 0800 OUT 1007 0 0 (blocked) 0.0.0.0:bootpc(68) -> 255.255.255.255:bootps(67) 0 4920 0 15
    51943f3500000003 Active icmp 0800 OUT 1007 0 0 (blocked) 1.1.1.2 -> 1.1.1.1 8 0 924 924 11 11
    51943f3500000004 Active icmp 0800 IN 1007 0 0 1.1.1.1 -> 1.1.1.2 8 0 1764 1764 21 21
    51943f3500000005 Active udp 0800 IN 1007 0 0 0.0.0.0:bootpc(68) -> 255.255.255.255:bootps(67) 656 0 2 0

    I hope this helps.
    --Sarfa