7.3.2 VMware NSX Distributed Firewall Monitoring
The VMware NSX distributed firewall must have enough memory to avoid dropping traffic. The firewall administrator is notified of the lack of available memory by the following methods:
- An alert is sent when a new rule cannot be configured due to the memory shortage.
- A syslog message states that the distributed firewall cannot create new connections due to the shortage. If the rule relating to the flow creation has logging turned on, a second message is generated to indicate that the packet was also dropped.
Freeing memory on a host, for example by moving a guest to another host, resolves the issue.
If the distributed firewall virtual CPUs reach a maximum limit, packets might also be dropped. If logging is enabled for that flow, a log message is also generated for the dropped packets.
In an All Failure scenario, packets are discarded and the distributed firewall operates in a fail-closed mode until the failure is remedied.