When deploying generic rules, NSX Distributed Firewall (DFW) objects such as NS Groups and NS Services are automatically generated by the cloud connector for each virtual service or pool. However, not all of these automatically created objects may be necessary. The accumulation of unused objects can lead to reaching the scaling limits within NSX. This topic shows how to control DFW object creation.
Automating DFW Object Creation
To automatically create or delete DFW objects in NSX Manager, the flag automate_dfw_objects is introduced in the cloud configuration.
By default, the option is enabled and the cloud connector creates or deletes the DFW objects. The command to enable it explicitly is:
configure cloud <cloud-name> nsxt_configuration automate_dfw_objects save save
The cloud configuration is as shown below:
```
[admin:1234]: > show cloud new-nsxt
+------------------------------+--------------------------+
| Field                        | Value                    |
+------------------------------+--------------------------+
| uuid                         | cloud-f485af70-22d4-4db2 |
| name                         | new-nsxt                 |
| vtype                        | CLOUD_NSXT               |
| nsxt_configuration           |                          |
|   nsxt_url                   | 192.163.0.128            |
|   nsxt_credentials_ref       | test-nsxt-nsx-mgr-user   |
|   site_id                    | default                  |
|   enforcementpoint_id        | default                  |
|   domain_id                  | default                  |
|   automate_dfw_rules         | False                    |
|   management_network_config  |                          |
|     tz_type                  | OVERLAY                  |
|-----------------------Truncated Output------------------|
|   vpc_mode                   | True                     |
|   vmc_mode                   | False                    |
|   automate_dfw_objects       | True                     |
| dhcp_enabled                 | False                    |
| mtu                          | 1500 bytes               |
| prefer_static_routes         | False                    |
| enable_vip_static_routes     | False                    |
| obj_name_prefix              | nsxt-ss-new              |
+-----------------------Truncated Output------------------+
[admin:1234]: >
```
To stop creating objects automatically, set the option to No:
configure cloud <cloud-name> nsxt_configuration no automate_dfw_objects save save
When Preserve Client IP is enabled in any of the virtual services, the objects mentioned below will be created by the cloud connector.
However, the objects are created only for the pools and SE groups that participate in Preserve Client IP, not for all of them.
| DFW Object Type | DFW Object | automate_dfw_objects Configuration (True/False) | Is the Object Created? (Preserve Client IP Enabled) | Is the Object Created? (Preserve Client IP Disabled) |
|---|---|---|---|---|
| NS Service | Controller Cluster | True | Created | Created |
| NS Service | Controller Cluster | False | Not Created | Not Created |
| NS Service | Per Virtual Service | True | Created | Created |
| NS Service | Per Virtual Service | False | Not Created | Not Created |
| NS Service | Per Pool | True | Created | Created |
| NS Service | Per Pool | False | Created | Not Created |
| NS Group | Controller Cluster | True | Created | Created |
| NS Group | Controller Cluster | False | Created | Not Created |
| NS Group | Per Virtual Service | True | Created | Created |
| NS Group | Per Virtual Service | False | Not Created | Not Created |
| NS Group | Per Virtual Service's SEs | True | Created | Created |
| NS Group | Per Virtual Service's SEs | False | Not Created | Not Created |
| NS Group | For All SE Mgmt IPs | True | Created | Created |
| NS Group | For All SE Mgmt IPs | False | Not Created | Not Created |
| NS Group | For All SE IPs (data vNic + Mgmt vNic) | True | Created | Created |
| NS Group | For All SE IPs (data vNic + Mgmt vNic) | False | Not Created | Not Created |
| NS Group | Per SE Group | True | Created | |
| NS Group | Per SE Group | False | Not Created | |
| NS Group | Per SE Group (Data Network IPs only, separate for v4 and v6) | True | Created | Created |
| NS Group | Per SE Group (Data Network IPs only, separate for v4 and v6) | False | Created | Not Created |
When the flag is set to False, the cloud connector does not delete or update objects it has already created in NSX-T; it only stops creating new ones.
You must manually clean up the objects that are no longer needed.