VMware NSX.
The VMware configuration maximum guide specifies the following limits for Distributed Firewall rules in NSX versions 3.2.x and 4.x:
The number of DFW rules on a host is calculated from the number of VMs that have the DFW filter applied to their vNICs. In other words, every VM participating in DFW adds its rules to the host's rule count.
If the maximum number of DFW rules allowed on a host is exceeded, an alarm is raised indicating that the rules need to be optimised or reduced. The most common cause is rules whose 'Applied To' field is left at the default value "DFW", which applies the rule to every vNIC on every NSX-T prepared host rather than only to the VMs the rule is meant for.
When the number of DFW rules exceeds the maximum it can also cause a performance impact, typically seen as high latency between VMs in the infrastructure. The DFW slot in the filter chain on each VM's vNIC is an additional stop where traffic is inspected; an excessively large rule set makes traffic spend more time in the firewall module, which increases latency.
To calculate the rule count per vNIC (the DFW filter names for the host can be listed with summarize-dvfilter):
vsipioctl getrules -f <filter_name> | grep -E "rule.*at" | wc -l
To calculate rule count per host:
/opt/vmware/nsx-nestdb/bin/nestdb-cli --beautify --cmd get vmware.nsx.nestdb.RuleMsg
Each RuleMsg entry in the above output is one rule on this host; grep the output for "RuleMsg" and pipe it to wc -l to get the total number of rules on the host.
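The two counting steps above, combined into one script as an added example (this is not part of the KB article or a VMware tool). It reads vsipioctl getrules output and counts rule lines, using a tighter pattern than the "rule.*at" grep above so that a ruleset name that happens to contain "at" is not miscounted, then loops over every vmware-sfw filter reported by summarize-dvfilter to print the per-vNIC counts and their sum. The sample getrules output embedded below is constructed for illustration; the ruleset and filter names are assumed.

```shell
#!/bin/sh
# Added example: count DFW rules per vNIC filter and sum them for the host.
# Not VMware code. Assumes the vsipioctl getrules output format shown in the KB
# ("rule <id> at <n> ..." lines inside "ruleset ... { }" blocks).

# Count rule lines in vsipioctl getrules output read from stdin.
# Matches only "rule <id> at <pos>" lines, so headers and ruleset names are skipped.
count_rules() {
    grep -E '^[[:space:]]*rule [0-9]+ at [0-9]+' | wc -l | tr -d ' '
}

# Constructed sample of "vsipioctl getrules -f <filter>" output for one vNIC
# (ruleset name domain-c8 is an assumption). Three L3 rules plus the default L2 rule.
SAMPLE_RULES='ruleset domain-c8 {
  # Filter rules
  rule 1031 at 1 inout protocol any from any to any accept;
  rule 1030 at 2 inout protocol tcp from addrset ip-web to addrset ip-db port 3306 accept;
  rule 1029 at 3 inout protocol any from any to any drop;
}
ruleset domain-c8_L2 {
  # Filter rules
  rule 1 at 1 inout ethertype any stateless from any to any accept;
}'

# Count the rules in the constructed sample (used when no ESXi tools are present).
count_sample_rules() {
    printf '%s\n' "$SAMPLE_RULES" | count_rules
}

# On a live ESXi host: enumerate the DFW (vmware-sfw) filters listed by
# summarize-dvfilter, count the rules on each vNIC and sum them.
# This is the per-vNIC view the KB describes; it needs a real host and is not run here.
count_host_rules() {
    total=0
    for f in $(summarize-dvfilter | sed -n 's/^ *name: *\(.*vmware-sfw.*\)$/\1/p'); do
        n=$(vsipioctl getrules -f "$f" | count_rules)
        printf '%s\t%s\n' "$f" "$n"
        total=$((total + n))
    done
    printf 'TOTAL\t%s\n' "$total"
}

# Run the live host scan when the ESXi tools exist, otherwise count the sample.
if command -v vsipioctl >/dev/null 2>&1 && command -v summarize-dvfilter >/dev/null 2>&1; then
    count_host_rules
else
    count_sample_rules
fi
```

Copy the script to the ESXi host and run it with sh; each line of output is one vmware-sfw filter with its rule count, followed by the host total. A vNIC whose count is far above the others usually points at rules with 'Applied To' set to "DFW" that should be scoped to a group.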