After you configure a firewall rule on an NSX Edge, or a Distributed Firewall (DFW) rule, that uses a custom Layer 3 protocol number, the protocol number is displayed as the Destination Port number in the firewall rule.
Example:
Output of the "show ipset" command:
To work around this issue:
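<!-- Firewall rule 1130 ("Allow OSPF on transit"): allows IP protocol 89 (OSPF)
     where both source and destination are the IPSet ipset-20. The rule is
     enabled, logged, and applies in both directions to any packet type. -->
<!-- NOTE(review): the listing on the page lost its opening "<rule" and the
     closing </source>; both are restored here for well-formedness only.
     Wrapper elements may also be missing - check against the API schema
     before reusing this payload. -->
<rule id="1130" disabled="false" logged="true">
  <name>Allow OSPF on transit</name>
  <action>allow</action>
  <source>
    <name>Edge Transit Net Global</name>
    <value>ipset-20</value>
    <type>IPSet</type>
    <isValid>true</isValid>
  </source>
  <destination>
    <name>Edge Transit Net Global</name>
    <value>ipset-20</value>
    <type>IPSet</type>
    <isValid>true</isValid>
  </destination>
  <services>
    <service>
      <!-- Custom Layer 3 protocol number only; no destination port is given. -->
      <protocol>89</protocol>
      <isValid>true</isValid>
    </service>
  </services>
  <direction>inout</direction>
  <packetType>any</packetType>
</rule>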
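<!-- Firewall rule 1130 ("Allow OSPF on transit"), scoped with an appliedToList
     to the two Edges edge-9 and edge-5. It allows IP protocol 89 (OSPF) where
     both source and destination are the IPSet ipset-20; logging is enabled. -->
<!-- NOTE(review): the listing on the page was not well-formed (an opening
     <appliedTo> where a closing tag belongs, missing </source> and
     </destination>, and no opening <services>). Those tags are repaired here;
     no values were changed. -->
<rule id="1130" disabled="false" logged="true">
  <name>Allow OSPF on transit</name>
  <action>allow</action>
  <appliedToList>
    <appliedTo>
      <name>leo-mt-infra-stage-lb-01</name>
      <value>edge-9</value>
      <type>Edge</type>
      <isValid>true</isValid>
    </appliedTo>
    <appliedTo>
      <name>leo-mt-infra-prod-lb-01</name>
      <value>edge-5</value>
      <type>Edge</type>
      <isValid>true</isValid>
    </appliedTo>
  </appliedToList>
  <sources excluded="false">
    <source>
      <name>Edge Transit Net Global</name>
      <value>ipset-20</value>
      <type>IPSet</type>
      <isValid>true</isValid>
    </source>
  </sources>
  <destinations excluded="false">
    <destination>
      <name>Edge Transit Net Global</name>
      <value>ipset-20</value>
      <type>IPSet</type>
      <isValid>true</isValid>
    </destination>
  </destinations>
  <services>
    <service>
      <!-- No destination port tag: this forces the DPORT to Any, even if the
           protocol is changed. Re-check this service whenever the protocol is
           edited, so that an allow rule written for protocol 89 does not end
           up matching every port of another protocol. -->
      <protocol>89</protocol>
      <isValid>true</isValid>
    </service>
  </services>
  <direction>inout</direction>
  <packetType>any</packetType>
</rule>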