I think what you are looking for is the Traceflow tool, where you can set up which VM on which port is reachable.
If you create a test network where a VM is located which is allowed to communicate with app01, Traceflow will show you the full packet walk.
Also, you can start the Traceflow test from the web VM to the app01 VM, where you configure on which port it should communicate.
Traceflow works well to check packet flow VM to VM. But here the source (Administrator) is in the physical network and the destination (app01) is a VM. In Traceflow I don't have an option to select an IP as the source; I can only select a VM or a logical port. So Traceflow is not helping in this case. Is there any other method, or any option in Traceflow, to monitor this traffic?
There are multiple methods to know the rule hit/blocked state.
1. Perform a packet capture and analyze it using Wireshark. VMware Knowledge Base
2. If you have vRNI it is certainly a good option; probably that is something you should be serious about if you are interested in flow monitoring and traffic flow analysis.
3. Rely on the NSX/ESXi host CLI: Troubleshooting Distributed Firewall
4. Syslog servers with DFW logging enabled in NSX will also capture the flows and help you understand the same, e.g. Log Insight.
There are plenty of articles floating around on each method, so feel free to browse and revert if you have any doubts.
I agree with what Sreec wrote, but I would like to suggest also the following:
- first of all, if it is not enabled, ENABLE logging on the rule that you would like to check
- get access to the ESXi host where the VM is running
- execute the command: # cat /var/log/dfwpktlogs.log | grep <IP of the VM to check, for example 172.16.15.10>
and the output will be something like this:
2018-11-25T16:47:21.175Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:47:21.690Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:47:22.205Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
In this example, 1008 is the ID of the rule matched.
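As an added example that is not part of the thread, the small Python script below does what the grep above does by hand: it parses dfwpktlogs.log lines of the shape shown in the post, keeps only the flows involving the VM IP you care about, counts hits per rule ID / action / direction / protocol / 5-tuple, and lists the rule IDs that blocked traffic (DROP or REJECT). The field layout is taken from the three REJECT lines in the post; treating the ports and the trailing field as optional (so ICMP-style lines without ports are not silently discarded) is an assumption on my side, as are the extra PASS/DROP/ICMP sample lines, which are constructed for the demonstration rather than copied from a real host.

```python
import re
from collections import Counter

# Line shape taken from the dfwpktlogs.log output quoted in the post:
#   <ts> <pid> INET match <ACTION> <domain>/<ruleid> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> <flags>
# Making the ports and the trailing field optional is an assumption so that
# port-less lines (e.g. ICMP) are still parsed instead of being dropped.
DFW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<af>INET6?)\s+(?P<kind>\w+)\s+"
    r"(?P<action>\w+)\s+(?P<domain>[^/\s]+)/(?P<rule>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[0-9a-fA-F.:]+)(?:/(?P<sport>\d+))?->"
    r"(?P<dst>[0-9a-fA-F.:]+)(?:/(?P<dport>\d+))?"
    r"(?:\s+(?P<rest>.*))?$"
)

# Constructed sample: the three REJECT lines from the post plus invented
# PASS / DROP / ICMP lines, including one flow that does not touch the VM
# under investigation (172.16.15.10) and must be filtered out.
SAMPLE_LOG = """\
2018-11-25T16:47:21.175Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:47:21.690Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:47:22.205Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:48:02.011Z 60860 INET match PASS domain-c41/1003 IN 52 TCP 172.16.1.100/50301->172.16.15.10/443 S
2018-11-25T16:48:05.400Z 60860 INET match PASS domain-c41/1003 OUT 52 TCP 172.16.15.10/40122->172.16.20.5/443 S
2018-11-25T16:48:07.900Z 60860 INET match DROP domain-c41/1001 IN 52 TCP 10.0.0.9/61000->172.16.30.30/22 S
2018-11-25T16:48:09.100Z 60860 INET match PASS domain-c41/1002 IN 84 ICMP 172.16.1.100->172.16.15.10 8 0
this line is not a DFW packet log record and must be skipped
"""


def parse_dfw_line(line):
    """Return the named fields of one dfwpktlogs.log line, or None if it does not match."""
    m = DFW_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarize_hits(lines, vm_ip):
    """Count log lines per (rule, action, direction, proto, src, dst, dport)
    for flows where vm_ip is either the source or the destination."""
    counts = Counter()
    for line in lines:
        rec = parse_dfw_line(line)
        if rec is None or vm_ip not in (rec["src"], rec["dst"]):
            continue  # unparsable line, or a flow not involving the VM
        key = (rec["rule"], rec["action"], rec["direction"], rec["proto"],
               rec["src"], rec["dst"], rec["dport"])
        counts[key] += 1
    return dict(counts)


def blocking_rules(summary):
    """Rule IDs that rejected or dropped at least one packet in the summary."""
    return sorted({key[0] for key, _ in summary.items() if key[1] in ("DROP", "REJECT")})


if __name__ == "__main__":
    summary = summarize_hits(SAMPLE_LOG.splitlines(), "172.16.15.10")
    print(f"{'rule':>5} {'action':<7} {'dir':<4} {'proto':<5} {'src':<15} {'dst':<15} {'dport':<6} hits")
    for (rule, action, direction, proto, src, dst, dport), hits in sorted(summary.items()):
        print(f"{rule:>5} {action:<7} {direction:<4} {proto:<5} {src:<15} {dst:<15} {dport or '-':<6} {hits}")
    print("blocking rule IDs:", blocking_rules(summary))
```

Run it on a host with `grep 172.16.15.10 /var/log/dfwpktlogs.log | python3 dfw_hits.py` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; the rule IDs it prints are the ones to look up in the DFW rule table, exactly as 1008 is in the post.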