Use vNIC filter_hash in Log Insight

My colleague Dale wrote about the addition of the Filter Hash property introduced in NSX 6.2.4. This helps identify the the filter used on the vNIC. His examples show the ability to use the CLI to determine it.

The filter hash provides a reference to a DFW filter placed upon a vNIC. In Dale’s article it can be easily show with come commands. If you are logging Distributed Firewall rules the output is included in it. You could use the Filter Hash as a way to determine a source of a rule. This could be useful when a Virtual Machine may have numerous IP addresses on a vNIC. This could be the case in terms of a loopback or a Virtual IP.

The following value highlighting the filter hash is as follows:

Field Name: vmw_nsx_firewall_filterhash
Extracted value: Integer -?\d+
Pre context: dfwpktlogs:
Post context: INET


This will highlight the filter hash.  The hash can be used in dashboards below:

  • Unique number of hashs
  • Hash, src, dst and port
  • Hash



Release: NSX for vSphere 6.2.3

Just a small note – another version for NSX for vSphere. Some good improvements. Check out some of the better ones below. The release notes have more. More to come in some following blogs.

What’s new? 

  • Expanding physical connectivity options— by introducing NSX Hardware Layer 2 Gateway Integration
  • Improving security— with enhancements such as Edge Firewall SYN Flood protection, firewall rule filtering, and TFTP ALG support.
  • Increasing visibility and operational readiness— by introducing NSX Dashboard, SNMP Support, Customer Experience Improvement Program, and enhancements to Central CLI and Traceflow
  • VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.
  • Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.

Find more here at the release note –

Documentation –