Object Analyzer helps optimize environments by collecting NSX inventory to determine whether each object or policy is still in use. With a series of logic checks, dFW, eFW, IP Sets, Security Groups, Services, Service Groups and Security Tags are analyzed. The result is a per-object-type report displaying which objects are no longer in use, with an option to delete them.
Minimum Release: 3.2
Application: NSX-v, NSX-T, VMCoAWS
License: Enterprise
Privilege level: Audit or higher (view); Cloud Service Admin or higher (delete)
No setup is required. Inventory is collected in real time or taken from the previously collected system report.
To begin, navigate to Tools -> Object Analyzer and select either Historical or Real-time data collection.
Historical: The analysis will be based upon the most recent inventory collected during the last system report execution.
Real-time: The analysis will be performed against the active NSX Manager data source. A series of API GET calls will be utilized to retrieve the data.
Click Begin Analysis to start collecting inventory and analyzing relationships and usage.
Once complete, a summary report is provided with the potential optimizations that can be achieved. Additionally, all of the unused inventory is presented for analysis, export and deletion.
Starting in version 3.6, duplicate objects are also detected. These could be exact matches or effective matches.
For each object, different logic is utilized to determine if it is in fact no longer in use. Below is a summary of the criteria:
- dFW Rule – rule is either inactive or no hit counts*
- eFW Rule – same as dFW
- IP Set – not directly or indirectly (Security Group Membership Criteria) referenced. Additionally, if the object is used in a disabled or zero hit firewall rule, it will be marked inactive
- Security Group – not directly or indirectly (nested SG Membership Criteria) referenced. Additionally, if the object is used in a disabled or zero hit firewall rule, it will be marked inactive
- Security Tag – not directly or indirectly (nested SG Membership Criteria) referenced. Additionally, if the object is not assigned to a VM, it will be marked inactive
- Service – not directly or indirectly (Service Group Membership) referenced. Additionally, if the object is used in a disabled firewall rule, a zero hit firewall rule or a Service Group that is marked as inactive, this service will be marked inactive
- Service Group – not referenced in a rule. Additionally, if the object is used in a disabled or zero hit firewall rule, it will be marked inactive
* hit counts are measured from the last hit counter reset
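The criteria above, worked through on a small constructed inventory as an added example (this is not ReSTNSX code and does not call the NSX API; the `analyze` function, the dictionary layout and every object name are assumptions made for illustration):

```python
# Added example: a simplified model of the per-object criteria listed above. The
# data model and inventory are constructed; not ReSTNSX code, no NSX API calls.
def analyze(inv):
    # A rule is in use only if enabled and hit since the last counter reset.
    active = [r for r in inv["rules"] if r["enabled"] and r["hits"] > 0]
    ref = set()  # objects named directly by an in-use rule
    for r in active:
        ref |= set(r["sources"]) | set(r["destinations"]) | set(r["services"])
    # Security groups: referenced directly, or nested (transitively) in one that is.
    sgs = inv["security_groups"]
    live_sg = {sg for sg in sgs if sg in ref}
    while True:
        nested = {m for sg in live_sg for m in sgs[sg] if m in sgs}
        if nested <= live_sg:
            break
        live_sg |= nested
    criteria = {m for sg in live_sg for m in sgs[sg]}  # members of live groups
    # IP sets: referenced by an in-use rule or by a live group's membership criteria.
    live_ips = {i for i in inv["ip_sets"] if i in ref or i in criteria}
    # Security tags: in live group criteria AND assigned to at least one VM.
    live_tag = {t for t, vms in inv["security_tags"].items() if t in criteria and vms}
    # Service groups: referenced by an in-use rule; services: directly or via a live group.
    live_svcgrp = {g for g in inv["service_groups"] if g in ref}
    grouped = {s for g in live_svcgrp for s in inv["service_groups"][g]}
    live_svc = {s for s in inv["services"] if s in ref or s in grouped}
    live_ids = {r["id"] for r in active}
    return {  # everything NOT live is reported as unused, per object type
        "rules": sorted(r["id"] for r in inv["rules"] if r["id"] not in live_ids),
        "security_groups": sorted(set(sgs) - live_sg),
        "ip_sets": sorted(set(inv["ip_sets"]) - live_ips),
        "security_tags": sorted(set(inv["security_tags"]) - live_tag),
        "service_groups": sorted(set(inv["service_groups"]) - live_svcgrp),
        "services": sorted(set(inv["services"]) - live_svc),
    }

def rule(rid, enabled, hits, src, dst, svc):  # constructed-inventory helper
    return {"id": rid, "enabled": enabled, "hits": hits,
            "sources": src, "destinations": dst, "services": svc}

SAMPLE = {  # constructed inventory; names are illustrative, not from a real NSX Manager
    "rules": [rule("R1", True, 120, ["SG-Web"], ["IPS-DB"], ["SVCG-DB"]),
              rule("R2", True, 0, ["SG-Legacy"], ["IPS-Old"], ["SVC-Telnet"]),
              rule("R3", False, 50, ["IPS-Mgmt"], ["SG-Web"], ["SVC-SSH"])],
    "security_groups": {"SG-Web": ["SG-App", "TAG-Web"], "SG-App": ["IPS-App", "TAG-App"],
                        "SG-Legacy": ["TAG-Legacy"], "SG-Orphan": ["IPS-Orphan"]},
    "ip_sets": ["IPS-DB", "IPS-Old", "IPS-Mgmt", "IPS-App", "IPS-Orphan"],
    "security_tags": {"TAG-Web": ["vm-1"], "TAG-App": [], "TAG-Legacy": ["vm-9"]},
    "services": ["SVC-MySQL", "SVC-Telnet", "SVC-SSH", "SVC-Unused"],
    "service_groups": {"SVCG-DB": ["SVC-MySQL"], "SVCG-Old": ["SVC-Telnet"]},
}
```

Running `analyze(SAMPLE)` reports R2 (zero hits) and R3 (disabled) as unused, and everything only those rules reference (IPS-Old, IPS-Mgmt, SG-Legacy, SVC-Telnet, SVC-SSH) follows them; SG-App and IPS-App survive only because they are nested under the live SG-Web, while TAG-App is flagged because no VM carries it.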
Beginning in ReSTNSX version 3.3, custom filters are supported to exclude user-defined objects from the removal candidates. For example, if a certain object is unused, Object Analyzer will show it in the All Objects tab every time the analysis is performed. Custom filters allow users to move objects that are unused but may still be needed into a separate table. Once an object is on the filtered list, it will remain there until the user returns it to the main table, even on subsequent Object Analyzer executions. Filtered lists are saved per user.
Below is an example of the default behavior to display all unused objects.
The filter feature allows users to select objects that will be removed from consideration for the current and all future collections.