NSX Application Platform collects and stores metrics for security features. These metrics are available through the API.
For information on calling the metrics API, see the section "How to Use Metrics APIs" in the Deploying and Managing the VMware NSX Application Platform guide.
Distributed Security Metrics
Monitoring | Description | Resource Type | Point-in-time Key | Time-series Key |
---|---|---|---|---|
Rule Hit Count | ||||
Total hit count for the rule | Rule | fw_rule_stats.hits | fw_rule_stats.hit_count | |
Average rate of hits for the rule | Rule | fw_rule_stats.avg_hits | ||
Rule Session Count | ||||
Total number of sessions hitting the rule | Rule | fw_rule_stats.sessions | ||
Average rate of sessions hitting the rule | Rule | fw_rule_stats.avg_sessions | ||
Rule Packet Count | ||||
Total number of packets hitting the rule | Rule | fw_rule_stats.packets | ||
Average rate of packets hitting the rule | Rule | fw_rule_stats.avg_packets | ||
Rule Byte Count | ||||
Total number of bytes hitting the rule | Rule | fw_rule_stats.bytes | ||
Average rate of bytes hitting the rule | Rule | fw_rule_stats.avg_bytes | ||
Security Host Resource Usage | ||||
Average percentage of CPU utilization for all security verticals of a Transport Node | Host Transport Node | dfw_tn.avg_cpu | ||
Current percentage of CPU utilized by all security verticals for this Transport Node | Host Transport Node | dfw_tn.cpu | ||
Average percentage of memory usage by the specified monitor on this Transport Node; obj_id is the monitor name | Host Transport Node | dfw_tn.avg_memory | ||
Average percentage of memory usage by the specified monitor on this Transport Node; obj_id is the monitor name | Host Transport Node | dfw_tn.memory | ||
Security Host Traffic Monitoring | Host Transport Node | |||
Total sessions created by all security verticals for this Transport Node | Host Transport Node | dfw_tn.number_of_sessions | ||
Average rate of change per second for sessions created by all security verticals for a Transport Node | Host Transport Node | dfw_tn.avg_number_of_sessions | ||
Total bytes processed by all security verticals for this Transport Node | Host Transport Node | dfw_tn.number_of_bytes | ||
Average rate of throughput change per second (bps) processed by all security verticals for a Transport Node | Host Transport Node | dfw_tn.avg_number_of_bytes | ||
Security Configuration on Host | ||||
Average rules per Segment Port (LSP) on the transport node | Host Transport Node | dfw_tn.rules_per_lsp | ||
Number of Logical Segment Ports (LSPs) having security rules for the transport node | Host Transport Node | dfw_tn.number_of_lsps | dfw_tn.number_of_lsps | |
Number of rules of all security verticals for this Transport Node | Host Transport Node | dfw_tn.number_of_rules | dfw_tn.number_of_rules | |
Security Traffic Monitoring on Segment Port | ||||
Total number of sessions created by all security verticals for the specified port | Segment Port | dfw_lsp.number_of_sessions | ||
Average rate of change per second for number of sessions created by all security verticals for the specified port | Segment Port | dfw_lsp.avg_number_of_sessions | ||
Total bytes processed by all security verticals for this Logical Segment Port | Segment Port | dfw_lsp.number_of_bytes | ||
Average rate of throughput change per second (bps) processed by all security verticals for a Logical Segment Port | Segment Port | dfw_lsp.avg_number_of_bytes | ||
Total number of packets dropped for the drop reason indicated by obj_id, where obj_id is the top drop reason | Segment Port | dfw_lsp.packet_drop | ||
Average rate of change per second for number of packets dropped for the drop reason indicated by obj_id, where obj_id is the top drop reason | Segment Port | dfw_lsp.avg_packet_drop | ||
Security Configuration on Segment Port | ||||
Number of all rules applied to this Logical Segment Port | Segment Port | dfw_lsp.total_rules | dfw_lsp.total_rules | |
Number of URL filtering rules for this Logical Segment Port | Segment Port | dfw_lsp.url_filtering_rules | dfw_lsp.url_filtering_rules | |
Number of APP ID rules for this Logical Segment Port | Segment Port | dfw_lsp.app_id_rules | dfw_lsp.app_id_rules | |
Number of IDPS rules for this Logical Segment Port | Segment Port | dfw_lsp.idps_rules | dfw_lsp.idps_rules | |
Number of Identity FW rules for this Logical Segment Port | Segment Port | dfw_lsp.idfw_rules | dfw_lsp.idfw_rules | |
The value of one (1) indicates Logical Segment Port has only 'applied to DFW' rules; while the value of zero (0) indicates Logical Segment Port has 'applied to group' rules | Segment Port | dfw_lsp.applied_to_dfw_only | dfw_lsp.avg_applied_to_dfw_only |
Gateway Firewall Metrics
Monitoring | Description | Resource Type | Point-in-time Key | Time-series Key |
---|---|---|---|---|
Rule Hit Count | ||||
Total hit count for the rule | Rule | fw_rule_stats.hits | fw_rule_stats.hit_count | |
Average rate of hits for the rule | Rule | fw_rule_stats.avg_hits | ||
Rule Session Count | ||||
Total number of sessions hitting the rule | Rule | fw_rule_stats.sessions | ||
Average rate of sessions hitting the rule | Rule | fw_rule_stats.avg_sessions | ||
Rule Packet Count | ||||
Total number of packets hitting the rule | Rule | fw_rule_stats.packets | ||
Average rate of packets hitting the rule | Rule | fw_rule_stats.avg_packets | ||
Rule Byte Count | ||||
Total number of bytes hitting the rule | Rule | fw_rule_stats.bytes | ||
Average rate of bytes hitting the rule | Rule | fw_rule_stats.avg_bytes | ||
Rule Connection Count | ||||
Average count of connections per rule | Rule | edge_fw_conn_per_rule.avg_conn_per_rule | ||
Average count of active connections per rule | Rule | edge_fw_conn_per_rule.avg_active_conn_per_rule | ||
Security Connection Monitoring on Gateway | ||||
Average rate of connections per second | Tier-0/Tier-1 | edge_fw.avg_cps | ||
Average count of connections per logical-router | Tier-0/Tier-1 | edge_fw_conn_per_lr.avg_conn_per_lr | ||
Average count of TCP established connections | Tier-0/Tier-1 | edge_fw_conn.avg_tcp_est_conn | ||
Average count of TCP open connections | Tier-0/Tier-1 | edge_fw_conn.avg_tcp_open_conn | ||
Average count of TCP half-open active ingress connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_tcp_half_open_ingress_conn | ||
Average count of TCP maximum connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_tcp_max_conn | ||
Average count of UDP established connections | Tier-0/Tier-1 | edge_fw_conn.avg_udp_est_conn | ||
Average count of UDP active ingress connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_udp_ingress_conn | ||
Average count of UDP maximum connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_udp_max_conn | ||
Average count of ICMP active ingress connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_icmp_ingress_conn | ||
Average count of ICMP maximum connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_icmp_max_conn | ||
Average count of ICMP established connections | Tier-0/Tier-1 | edge_fw_conn.avg_icmp_est_conn | ||
Average count of other protocol established connections | Tier-0/Tier-1 | edge_fw_conn.avg_others_est_conn | ||
Average count of other protocol active ingress connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_others_ingress_conn | ||
Average count of other protocol maximum connections | Tier-0/Tier-1 | edge_fw_conn_sum.avg_others_max_conn | ||
Security Configuration on Gateway | ||||
Number of rules with App ID profiles for this Logical Router | Tier-0/Tier-1 | gfw.app_id_rules | gfw.app_id_rules | |
Number of rules with context profiles for this Logical Router | Tier-0/Tier-1 | gfw.context_profile_rules | gfw.context_profile_rules | |
Number of all security rules applied to this Logical Router | Tier-0/Tier-1 | gfw.gfw_rules | gfw.gfw_rules | |
Number of IDS/IPS rules for this Logical Router | Tier-0/Tier-1 | gfw.idps_rules | gfw.idps_rules | |
Number of URL filtering rules for this Logical Router | Tier-0/Tier-1 | gfw.url_filtering_rules | gfw.url_filtering_rules | |
Security Traffic Monitoring on Gateway Appliance (NSX Edge) | ||||
Average Rx count for stateful connections only per core | Policy Edge Node | edge_fw_per_host.avg_rx_conn_per_core | ||
Average Tx count for stateful connections only per core | Policy Edge Node | edge_fw_per_host.avg_tx_conn_per_core | ||
Maximum count of connections per host | Policy Edge Node | edge_fw_per_host.max_conn_per_host | ||
Security Traffic Monitoring on Gateway | ||||
Average rate of Rx IPv4 packets per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv4_packets | ||
Average rate of Tx IPv4 packets per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv4_packets | ||
Average rate of Rx IPv4 packets dropped per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv4_drop_packets | ||
Average rate of Tx IPv4 packets dropped per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv4_drop_packets | ||
Average rate of Rx IPv4 bytes per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv4_bytes | ||
Average rate of Tx IPv4 bytes per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv4_bytes | ||
Average rate of Rx IPv4 bytes dropped per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv4_drop_bytes | ||
Average rate of Tx IPv4 bytes dropped per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv4_drop_bytes | ||
Average rate of Rx IPv6 packets per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv6_packets | ||
Average rate of Tx IPv6 packets per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv6_packets | ||
Average rate of Rx IPv6 packets dropped per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv6_drop_packets | ||
Average rate of Tx IPv6 packets dropped per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv6_drop_packets | ||
Average rate of Rx IPv6 bytes per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv6_bytes | ||
Average rate of Tx IPv6 bytes per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv6_bytes | ||
Average rate of Rx IPv6 bytes dropped per second | Tier-0/Tier-1 | edge_fw.avg_rx_ipv6_drop_bytes | ||
Average rate of Tx IPv6 bytes dropped per second | Tier-0/Tier-1 | edge_fw.avg_tx_ipv6_drop_bytes | ||
Total sessions active with GFW services for this Logical Router | Tier-0/Tier-1 | gfw.number_of_sessions | ||
Total bytes processed in GFW services for this Logical Router | Tier-0/Tier-1 | gfw.number_of_bytes | ||
Dropped packets without any applicable rules, such as errors or bad packets | Tier-0/Tier-1 | gfw.drops_without_rule | ||
Average rate of change per second for dropped packets without any applicable rules such as errors or bad packets | Tier-0/Tier-1 | avg_drops_without_rule | ||
Security Traffic Drop Analysis | ||||
Average rate of drop per second due to TCP 3-way handshake rejected | Tier-0/Tier-1 | edge_fw.avg_drop_reason_3whs | ||
Average rate of firewall drop due to Application Layer Gateway | Tier-0/Tier-1 | edge_fw.avg_drop_reason_alg | ||
Average rate of firewall drop due to datapath internal error while getting packets | Tier-0/Tier-1 | edge_fw.avg_drop_reason_bad_offset | ||
Average rate of drop per second due to incorrect TCP timestamp | Tier-0/Tier-1 | edge_fw.avg_drop_reason_bad_timestamp | ||
Average rate of drop per second due to congestion | Tier-0/Tier-1 | edge_fw.avg_drop_reason_congestion | ||
Average rate of drop per second due to connection-limit | Tier-0/Tier-1 | edge_fw.avg_drop_reason_connection_limit | ||
Average rate of drop per second due to drop by load-balancer | Tier-0/Tier-1 | edge_fw.avg_drop_reason_drop_by_loadbalancer | ||
Average rate of drop per second due to failure to copy packets | Tier-0/Tier-1 | edge_fw.avg_drop_reason_failed_to_copy_pkt | ||
Average rate of drop per second due to the non-first fragments after they are assembled to the first fragment | Tier-0/Tier-1 | edge_fw.avg_drop_reason_fragment | ||
Average rate of drop per second due to exceeding half-open TCP connection limit | Tier-0/Tier-1 | edge_fw.avg_drop_reason_half_open_tcp_max | ||
Average rate of drop per second due to exceeding ICMP maximum size | Tier-0/Tier-1 | edge_fw.avg_drop_reason_icmp_max | ||
Average rate of drop per second due to inactive connection | Tier-0/Tier-1 | edge_fw.avg_drop_reason_inactive | ||
Average rate of drop per second due to IP options packets | Tier-0/Tier-1 | edge_fw.avg_drop_reason_ip_option | ||
Average rate of drop per second due to out-of-memory | Tier-0/Tier-1 | edge_fw.avg_drop_reason_memory | ||
Average rate of drop per second due to NAT64 no fragment support | Tier-0/Tier-1 | edge_fw.avg_drop_reason_nat64_no_frgm_support | ||
Average rate of drop per second due to NAT connection limits | Tier-0/Tier-1 | edge_fw.avg_drop_reason_nat_conn_limit | ||
Average rate of drop per second due to malformed packets that do not have a correct header or a payload | Tier-0/Tier-1 | edge_fw.avg_drop_reason_normalize | ||
Average rate of drop per second due to exceeding other maximum rate | Tier-0/Tier-1 | edge_fw.avg_drop_reason_other_max | ||
Average rate of drop per second due to bad protocol checksum | Tier-0/Tier-1 | edge_fw.avg_drop_reason_proto_cksum | ||
Average rate of drop per second due to queued fragmented packets | Tier-0/Tier-1 | edge_fw.avg_drop_reason_queued_frag | ||
Average rate of drop per second due to redirecting to null interface | Tier-0/Tier-1 | edge_fw.avg_drop_reason_redirect_iface_null | ||
Average rate of drop per second due to TCP reset sent | Tier-0/Tier-1 | edge_fw.avg_drop_reason_rst_sent | ||
Average rate of drop per second due to packet too short (for example, not even complete to include an IP header, or TCP/UDP header) | Tier-0/Tier-1 | edge_fw.avg_drop_reason_short | ||
Average rate of drop per second due to packet dropped by SpoofGuard | Tier-0/Tier-1 | edge_fw.avg_drop_reason_spoofguard | ||
Average rate of drop per second due to source connection limit | Tier-0/Tier-1 | edge_fw.avg_drop_reason_src_limit | ||
Average rate of drop per second due to a duplicate connection being found | Tier-0/Tier-1 | edge_fw.avg_drop_reason_state_insert | ||
Average rate of drop per second due to reaching the maximum number of states that a datapath can track | Tier-0/Tier-1 | edge_fw.avg_drop_reason_state_limit | ||
Average rate of drop per second due to TCP packets that do not pass the TCP state machine check | Tier-0/Tier-1 | edge_fw.avg_drop_reason_state_mismatch | ||
Average rate of drop per second due to state reuse | Tier-0/Tier-1 | edge_fw.avg_drop_reason_state_reuse | ||
Average rate of drop per second due to TCP SYN proxy | Tier-0/Tier-1 | edge_fw.avg_drop_reason_synproxy | ||
Average rate of drop per second due to TCP flags | Tier-0/Tier-1 | edge_fw.avg_drop_reason_tcp_flags | ||
Average rate of drop per second due to TCP sequence numbers | Tier-0/Tier-1 | edge_fw.avg_drop_reason_tcp_seqnum | ||
Average rate of drop per second due to translation | Tier-0/Tier-1 | edge_fw.avg_drop_reason_translation | ||
Average rate of drop per second due to TUN interface creation failed | Tier-0/Tier-1 | edge_fw.avg_drop_reason_tun_fail | ||
Average rate of drop per second due to UDP packets exceeding maximum rate | Tier-0/Tier-1 | edge_fw.avg_drop_reason_udp_max | ||
Average rate of drop per second due to update-state | Tier-0/Tier-1 | edge_fw.avg_drop_reason_update_state |