You are using NSX Networking and Security with firewall rules.
vCloud Director is being used for deployment and creating gateway firewall sections.
Alarms are present in the UI for System-wide firewall section threshold being reached.
Checking the UI under Security > Security Overview > Capacity, there are a large number of gateway firewall sections/policies.
Checking the UI under Security > Gateway Firewall, the number of sections/policies is lower than that in the Capacity tab.
Some vCD auto-generated policies do not contain firewall rules and are not cleaned up as expected. Policies without rules are not visible in the UI but are counted in the desired state.
To confirm, run the following API call to obtain the total number of policies/sections:
GET /policy/api/v1/infra/domains/{domain-id}/gateway-policies
Confirm the sections/policies have no rules present:
GET /policy/api/v1/infra/domains/{domain-id}/gateway-policies/{gateway-policy-id}/rules
Because the sections/policies have no rules, they are not visible in the UI and must be removed using an API call.
Use the above GET APIs to identify sections with no rules, and the below DELETE API call to remove the policies/sections with no rules:
DELETE /policy/api/v1/infra/domains/{domain-id}/gateway-policies/{gateway-policy-id}
If there are a large number of sections/policies which require removal, please open a support ticket with VMware support referencing this KB document.
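The identification step above, as an added example (not VMware's own tooling): it walks the two GET calls and returns the DELETE path for each policy with no rules, for review before anything is removed. It assumes list responses carry a `results` array and an optional `cursor` for paging; the `get` callable, the policy ids and the domain id `default` are constructed stand-ins for an authenticated call to the NSX Manager.

```python
from urllib.parse import quote

BASE = "/policy/api/v1/infra/domains/{domain}/gateway-policies"

def list_all(get, path):
    """Collect every item of a paged list response.
    Assumption: items are in 'results' and a 'cursor' marks further pages."""
    items, cursor = [], None
    while True:
        url = path if cursor is None else f"{path}?cursor={quote(cursor)}"
        page = get(url)
        items.extend(page.get("results", []))
        cursor = page.get("cursor")
        if not cursor:
            return items

def find_empty_policies(get, domain_id):
    """Return the DELETE path of each gateway policy that has no rules.
    Nothing is deleted here; the list is meant to be reviewed first."""
    base = BASE.format(domain=quote(domain_id, safe=""))
    empty = []
    for policy in list_all(get, base):
        policy_path = f"{base}/{quote(policy['id'], safe='')}"
        if not list_all(get, f"{policy_path}/rules"):
            empty.append(policy_path)
    return empty

# Constructed sample responses standing in for the NSX Manager (not real data).
P = BASE.format(domain="default")
SAMPLE = {
    P: {"results": [{"id": "vcd-gw-1"}, {"id": "vcd-gw-2"}], "cursor": "0002"},
    P + "?cursor=0002": {"results": [{"id": "vcd-gw-3"}]},
    P + "/vcd-gw-1/rules": {"results": [{"id": "allow-dns"}]},
    P + "/vcd-gw-2/rules": {"results": []},
    P + "/vcd-gw-3/rules": {"results": []},
}

def sample_get(path):
    """Hypothetical transport: replace with an authenticated HTTPS GET."""
    return SAMPLE[path]

if __name__ == "__main__":
    for path in find_empty_policies(sample_get, "default"):
        print("DELETE", path)
```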