There are several steps to take when troubleshooting the firewall.

  1. Check the Firewall policy realization status. See Check Rule Realization Status.
  2. Check the rule hit statistics by navigating to Security > Distributed Firewall or Security > Gateway Firewall and clicking the graph icon. Rule-level statistics are aggregated every 15 minutes from all the transport nodes. Rule statistics can be reset using Reset All Rules Stats from the three-dot menu icon.
  3. Check the Capacity dashboard to make sure the configuration is within the supported limits of NSX-T Data Center. The Capacity dashboard can be accessed from Security > Security Overview > Capacity; see View the Usage and Capacity of Categories of Objects.
  4. Check the supported maximum configuration limits for the given release in the Configuration Limits.
  5. Check the per-VM firewall rules pushed to the datapath in Manager Mode by navigating to Logical Switches > Ports > Related Firewall Rules.

    You can also use the following NSX DFW helper script from GitHub to get the total number of firewall rules configured and the per-VM firewall rules: https://github.com/vmware-samples/nsx-t/blob/master/helper-scripts/DFW/nsx-get-dfw-rules-per-vm.py
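    The following added example (not the helper script above or any NSX-T code) shows how the rule-count and hit-statistics checks from steps 2 to 4 can be automated once the rule list and statistics have been fetched from NSX Manager. The JSON shape and field names (`rule_id`, `hit_count`) are assumptions modelled loosely on the Policy API, the sample data is constructed, and the rule limit is a placeholder to be replaced with the value from the Configuration Limits for your release.

```python
import json

# Placeholder: substitute the DFW rule limit from the Configuration Limits for your release.
MAX_DFW_RULES = 100000

# Constructed sample data, shaped loosely like the Policy API rule and
# statistics responses (assumed field names, not a captured response).
SAMPLE_RULES = json.loads("""
{"web-policy": [{"id": "allow-https", "action": "ALLOW"},
                {"id": "allow-ssh",   "action": "ALLOW"}],
 "default":    [{"id": "default-deny", "action": "DROP"}]}
""")
SAMPLE_STATS = json.loads("""
[{"rule_id": "allow-https", "hit_count": 4210},
 {"rule_id": "allow-ssh",   "hit_count": 0},
 {"rule_id": "default-deny", "hit_count": 77}]
""")


def summarize_rules(rules_by_policy, stats, max_rules=MAX_DFW_RULES):
    """Count rules per policy, compare the total against the limit and list
    rules that have never matched traffic (candidates for review)."""
    hits = {s["rule_id"]: s["hit_count"] for s in stats}
    per_policy = {name: len(rules) for name, rules in rules_by_policy.items()}
    total = sum(per_policy.values())
    all_rules = [r for rules in rules_by_policy.values() for r in rules]
    # A rule absent from the statistics is reported separately: it may not
    # have been realized on the transport nodes yet (compare with step 1).
    missing_stats = sorted(r["id"] for r in all_rules if r["id"] not in hits)
    zero_hit = sorted(r["id"] for r in all_rules if hits.get(r["id"]) == 0)
    return {
        "total_rules": total,
        "per_policy": per_policy,
        "over_limit": total > max_rules,
        "zero_hit_rules": zero_hit,
        "missing_stats": missing_stats,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_rules(SAMPLE_RULES, SAMPLE_STATS), indent=2))
```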