There are several steps to take when troubleshooting the firewall.
- Check the Firewall policy realization status. See Check Rule Realization Status.
- Check the rule hit statistics by navigating to Gateway Firewall and clicking the graph icon. Rule-level statistics are aggregated every 15 minutes from all the transport nodes, so a freshly created rule may show zero hits until the next aggregation. Rule statistics can be reset using Reset All Rules Stats from the three-dot menu icon.
- Check the Capacity Dashboard to make sure the configuration is within the supported limits of NSX-T Data Center. For how to open the Capacity dashboard, see View the Usage and Capacity of Categories of Objects.
- Check the supported configuration maximums for the given release in the Configuration Limits.
- Check for per VM level Firewall Rules pushed to datapath in Manager Mode by navigating
You can also use the following NSX DFW helper script from GitHub to get the total number of firewall rules configured and the firewall rules per VM: https://github.com/vmware-samples/nsx-t/blob/master/helper-scripts/DFW/nsx-get-dfw-rules-per-vm.py
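The following is an added example, not VMware's helper script and not code from this page. It shows the checks the steps above describe (rule hit statistics, total and per-VM rule counts, comparison against configuration limits) run over a small constructed data set. The section and rule dictionaries are constructed to resemble the shape returned by the NSX-T Manager API for firewall sections, the group membership map stands in for what you would resolve from NSX groups, and the `LIMITS` values are placeholders rather than real NSX-T limits; take the real maximums for your release from the Configuration Limits page.

```python
"""Added example: summarise firewall rule data for troubleshooting.

Everything below is constructed for illustration. The section/rule layout
mirrors the general shape of NSX-T firewall sections (an assumption, not a
copy of the API schema), GROUP_MEMBERS is a hand-written stand-in for group
resolution, and LIMITS are placeholder numbers, not NSX-T's real limits.
"""
from typing import Dict, List, Set

# Constructed group -> VM membership (in a real run this comes from NSX).
GROUP_MEMBERS: Dict[str, List[str]] = {
    "grp-web": ["vm-web-01", "vm-web-02"],
    "grp-db": ["vm-db-01"],
}

# Constructed sections. A rule's applied_tos of None means "inherit the
# section scope"; "ANY" means the rule is pushed to every VM.
SAMPLE_SECTIONS = [
    {"id": "sec-web", "display_name": "Web tier", "applied_tos": ["grp-web"],
     "rules": [
         {"id": "r1", "display_name": "allow-https", "applied_tos": None,
          "stats": {"hit_count": 1200, "packet_count": 90000, "byte_count": 6400000}},
         {"id": "r2", "display_name": "allow-ssh-bastion", "applied_tos": None,
          "stats": {"hit_count": 0, "packet_count": 0, "byte_count": 0}},
     ]},
    {"id": "sec-db", "display_name": "DB tier", "applied_tos": ["grp-db"],
     "rules": [
         {"id": "r3", "display_name": "allow-mysql-from-web", "applied_tos": ["grp-db"],
          "stats": {"hit_count": 340, "packet_count": 20000, "byte_count": 1100000}},
     ]},
    {"id": "sec-default", "display_name": "Default", "applied_tos": ["ANY"],
     "rules": [
         {"id": "r4", "display_name": "default-deny", "applied_tos": None,
          "stats": {"hit_count": 57, "packet_count": 57, "byte_count": 3420}},
     ]},
]

# Placeholder limits chosen so the sample triggers a finding; NOT real values.
LIMITS = {"rules_per_vm": 2, "total_rules": 10}


def scope_for(rule: dict, section: dict) -> List[str]:
    """Rule-level applied_tos overrides the section scope when present."""
    return rule.get("applied_tos") or section.get("applied_tos") or ["ANY"]


def vms_in_scope(scope: List[str], group_members: Dict[str, List[str]]) -> Set[str]:
    """Resolve a scope (group ids or ANY) to the set of VMs it reaches."""
    if "ANY" in scope:
        return {vm for vms in group_members.values() for vm in vms}
    return {vm for grp in scope for vm in group_members.get(grp, [])}


def rules_per_vm(sections: list, group_members: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many rules are pushed to each VM's datapath."""
    counts = {vm: 0 for vms in group_members.values() for vm in vms}
    for section in sections:
        for rule in section["rules"]:
            for vm in vms_in_scope(scope_for(rule, section), group_members):
                counts[vm] += 1
    return counts


def total_rules(sections: list) -> int:
    return sum(len(s["rules"]) for s in sections)


def zero_hit_rules(sections: list) -> List[str]:
    """Rules that have never matched. Because stats aggregate every 15 minutes,
    a brand-new rule may legitimately show zero; a long-standing one that never
    hits is worth checking for shadowing by an earlier rule or unrealized policy."""
    return [r["id"] for s in sections for r in s["rules"] if r["stats"]["hit_count"] == 0]


def limit_findings(sections: list, group_members: Dict[str, List[str]], limits: dict) -> List[str]:
    """Compare totals and per-VM counts against the configured limits."""
    findings = []
    total = total_rules(sections)
    if total > limits["total_rules"]:
        findings.append(f"total rules {total} exceeds limit {limits['total_rules']}")
    for vm, n in sorted(rules_per_vm(sections, group_members).items()):
        if n > limits["rules_per_vm"]:
            findings.append(f"{vm}: {n} rules exceeds per-VM limit {limits['rules_per_vm']}")
    return findings


if __name__ == "__main__":
    print("total rules:", total_rules(SAMPLE_SECTIONS))
    print("rules per VM:", rules_per_vm(SAMPLE_SECTIONS, GROUP_MEMBERS))
    print("never-hit rules:", zero_hit_rules(SAMPLE_SECTIONS))
    for finding in limit_findings(SAMPLE_SECTIONS, GROUP_MEMBERS, LIMITS):
        print("LIMIT:", finding)
```

Point the functions at data pulled from the NSX-T API (or at the output of the helper script above, reshaped into the same dictionaries) to run the same checks against a live environment; the per-VM count is the number that should stay under the release's documented per-VM maximum, and the never-hit list is the starting point for rule-ordering investigations.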