• When attempting to disable the firewall, VMware Cloud Director (VCD) successfully completes the operation, but the NSX-T Firewall remains enabled
• Disabling vApp firewall on VCD don't have effect on NSX-T
• The issue affects routed networks
• If the firewall is enabled from VCD. Rules can be added/deleted and applied
• If the firewall is disabled in VCD. Rules can be added/deleted but are not applied
• This could also result in the following error being reported in NSX-T: "The number of T0/T1 Service routers ... has exceeded the maximum threshold of 98%"

• VMware Cloud Director 10.6.1.1
• NSX-T 4.2.2.1

Though the Gateway Firewall state is still shown as "ON" in NSX-T, the rules that are added/removed from it decides whether firewall is applied on traffic/not

The behaviour observed is an expected behaviour. When we disable Firewall from VCD we don't expect any rules to be applied, while the firewall is enabled rules take effect irrespective of the TOGGLE state in NSX-T.

Engineering is aware of this and will address this in a future release of VMware Cloud Director.