When the IP address 0.0.0.0 is added to a group and that group is used in the distributed firewall (DFW), it acts as all/any IP address and matches all flows.
In NSX 4.1.2 or 4.1.2.1, the 0.0.0.0 address, when programmed in a group, gets converted into 0.0.0.0/0. As a result, rules that contain this address set will always match a flow.
This issue is resolved in VMware NSX 4.1.2.3.
This issue is resolved in VMware NSX 4.2.0.
Workaround
Identify the group with IP address 0.0.0.0 and remove it from the set of groups or change the IP address 0.0.0.0 to '0.0.0.0/32' in the group.
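One way to carry out the "identify the group" step offline is sketched below. It is an added example, not VMware code. It assumes the groups have been exported as JSON in the shape of an NSX Policy API group listing (`results`, `path`, `expression`, `ip_addresses`); the sample data and the helper names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, assumed to mirror a Policy API group listing export.
SAMPLE = json.loads("""
{"results": [
  {"path": "/infra/domains/default/groups/web", "expression": [
    {"resource_type": "IPAddressExpression",
     "ip_addresses": ["10.0.0.0/24", "0.0.0.0"]}]},
  {"path": "/infra/domains/default/groups/db", "expression": [
    {"resource_type": "IPAddressExpression",
     "ip_addresses": ["0.0.0.0/32"]}]}
]}
""")

def iter_ip_entries(node):
    """Yield every string found under any 'ip_addresses' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "ip_addresses" and isinstance(value, list):
                yield from value
            else:
                yield from iter_ip_entries(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_ip_entries(item)

def find_affected_groups(listing):
    """Return paths of groups holding a bare 0.0.0.0 (no prefix length)."""
    return [g["path"] for g in listing.get("results", [])
            if any(str(e).strip() == "0.0.0.0"
                   for e in iter_ip_entries(g.get("expression", [])))]

def effective_network(entry, affected_build):
    """Model of the behaviour described above: on affected builds a bare
    0.0.0.0 is widened to 0.0.0.0/0; otherwise the entry is taken as written.
    Only meant for single addresses and CIDR entries, not ranges."""
    if entry == "0.0.0.0" and affected_build:
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(entry, strict=False)

if __name__ == "__main__":
    flow = ipaddress.ip_address("192.0.2.10")  # constructed flow source
    for path in find_affected_groups(SAMPLE):
        print("bare 0.0.0.0 in", path)
    for entry in ("0.0.0.0", "0.0.0.0/32"):
        net = effective_network(entry, affected_build=True)
        print(entry, "->", net, "matches flow:", flow in net)
```

Only the `web` group is reported; the `db` group already uses the `0.0.0.0/32` form from the workaround and matches nothing but 0.0.0.0 itself.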