Publishing Identity Firewall rule fails


Article ID: 318246


Updated On:

Products

VMware NSX for vSphere

Issue/Introduction

In the NSX for vSphere environment with Identity Firewall:

  • Publishing firewall rules fails or remains stuck in progress.
  • In the NSX Manager Management Service Log vsm.log file, you see entries similar to:

    INFO TaskFrameworkExecutor-XX NotificationProcessor:428 - Processing Context domain-cX : X rule updates, X/X container updates, X spoofguard updates, X timer updates.
    INFO TaskFrameworkExecutor-XX FirewallInstallManagerImpl:317 - Firewall Enabled for cluster domain-cX
    INFO TaskFrameworkExecutor-XX AbstractTranslationDao:148 - Retrieving Nodes using For DynamicCriteria
    INFO TaskFrameworkExecutor-XX AbstractTranslationDao:170 - Retrieved XXX nodes for X criteria
    ERROR TaskFrameworkExecutor-XX FirewallMessagingManager:165 - Exception while publishing container set to cluster: domain-cX.
    java.lang.NullPointerException at com.vmware.vshield.vsm.securitygroup.service.translate.target.IpNodeTargetTranslator.intersection(IpNodeTargetTranslator.java:161)
    at com.vmware.vshield.vsm.dynamicmembership.service.translate.DynamicSetTranslator.getConjunctedNodes(DynamicSetTranslator.java:336)
    at com.vmware.vshield.vsm.dynamicmembership.service.translate.DynamicSetTranslator.evaluateSets(DynamicSetTranslator.java:266)
    at com.vmware.vshield.vsm.dynamicmembership.service.translate.DynamicSetTranslator.translateInternal(DynamicSetTranslator.java:131)
  • On the ESXi hosts, rules or address sets are not updated or are empty.

    To view the rules and address sets from the ESXi CLI, run the summarize-dvfilter and vsipioctl commands.

    1. Identify the VM's dvfilter by running the summarize-dvfilter command.

      For Example:
      $ summarize-dvfilter
      You see output similar to:

      world 53259 vmm0:VMName vcUuid:'xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx'
      port 100663303 VMName .eth0 <---- This is vNIC
      vNic slot 2
      name: nic-XXXXX-eth0-vmware-sfw.2 <--- This is DVFilter Name
      agentName: vmware-sfw <--- This should be "vmware-sfw" for DFW
      state: IOChain Attached
      vmState: Detached
      failurePolicy: failClosed
      slowPathID: none


      Note: Make a note of the DVFilter name.
       
    2. View the rules using the <DVFilter Name> noted in Step 1 by running the vsipioctl getrules command:

      For Example:
      $ vsipioctl getrules -f <DVFilter Name>
      You see output similar to:

      ruleset domain-cX
      {
      # Filter rules
      rule 1016 at 1 inout protocol tcp from addrset ip-securitygroup-XX to addrset ip-securitygroup-XX port 22 drop with log;
      rule 1011 at 2 inout protocol tcp from addrset ip-securitygroup-XX to any port 21 drop as ftp;
      # internal # rule 1011 at 3 inout protocol tcp from addrset ip-securitygroup-XX to any port 21 drop;
      # internal # rule 1011 at 4 inout protocol tcp from any to addrset ip-securitygroup-XX port 21 drop;
      rule 1003 at 5 inout protocol ipv6-icmp icmptype 136 from any to any accept;
      rule 1003 at 6 inout protocol ipv6-icmp icmptype 135 from any to any accept;
      rule 1002 at 7 inout protocol udp from any to any port 67 accept;
      rule 1002 at 8 inout protocol udp from any to any port 68 accept;
      rule 1001 at 9 inout protocol any from any to any accept;
      }

       
    3. View the address sets using the <DVFilter Name> noted in Step 1 by running the vsipioctl getaddrsets command:

      For Example:
      $ vsipioctl getaddrsets -f <DVFilter Name>
      You see output similar to:

      addrset ip-securitygroup-XX
      {
      }

      Note: When Identity Firewall is configured, the output should contain the IP address of the logged-in user.
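
The following shell script is an added example and is not part of this article or of VMware's tooling. It applies the vsm.log check and steps 1 to 3 above to captured output: it finds the VM's DFW filter in summarize-dvfilter output, lists the address sets that vsipioctl getaddrsets reports as empty, and names the rules in vsipioctl getrules that reference each empty set. The VM names, world ids, filter names, address set ids and rule lines in the embedded samples are constructed to match the listings above, and the --live option (which runs the real commands on an ESXi host) is the script's own convention.

```shell
#!/bin/sh
# Added example, not VMware's code: offline triage helpers for the symptoms in
# this article. Every function takes captured command output as its argument,
# so the checks run against saved text; the --live switch runs the real ESXi
# commands. All sample text below is constructed (VM "web-01", world ids,
# filter names, address set ids and rule lines are invented).

# 1. vsm.log: true only when the publish failure is accompanied by the
#    NullPointerException raised in IpNodeTargetTranslator.intersection.
vsm_log_has_signature() {
    printf '%s\n' "$1" | grep -q 'FirewallMessagingManager.*Exception while publishing container set' &&
    printf '%s\n' "$1" | grep -q 'java.lang.NullPointerException' &&
    printf '%s\n' "$1" | grep -q 'IpNodeTargetTranslator.intersection'
}

# 2. summarize-dvfilter: print the DFW filter names (agentName vmware-sfw)
#    attached to the named VM's world, one per line.
dvfilter_for_vm() {
    printf '%s\n' "$1" | awk -v vm="$2" '
        $1 == "world"                                      { invm = ($3 == ("vmm0:" vm)) }
        invm && $1 == "name:"                              { name = $2 }
        invm && $1 == "agentName:" && $2 == "vmware-sfw"   { print name }'
}

# 3. vsipioctl getaddrsets: print every address set that has no entries.
#    Accepts "addrset X" with "{" on the next line (as in the article) and
#    "addrset X {" on one line.
empty_addrsets() {
    printf '%s\n' "$1" | awk '
        $1 == "addrset" { name = $2; n = 0; next }
        $1 == "{"       { next }
        $1 == "}"       { if (n == 0) print name; next }
        NF > 0          { n++ }'
}

# 4. vsipioctl getrules: rule ids whose source or destination is the given
#    address set (expanded "# internal #" lines are skipped). A drop rule
#    keyed on an empty set never matches, so these rules are not enforced.
rules_using_addrset() {
    printf '%s\n' "$1" | awk -v set="$2" '
        $1 == "rule" {
            for (i = 1; i < NF; i++)
                if ($i == "addrset" && $(i + 1) == set && !seen[$2]++) print $2
        }'
}

# Constructed samples mirroring the article's listings.
SAMPLE_LOG="INFO TaskFrameworkExecutor-12 FirewallInstallManagerImpl:317 - Firewall Enabled for cluster domain-c7
ERROR TaskFrameworkExecutor-12 FirewallMessagingManager:165 - Exception while publishing container set to cluster: domain-c7.
java.lang.NullPointerException
    at com.vmware.vshield.vsm.securitygroup.service.translate.target.IpNodeTargetTranslator.intersection(IpNodeTargetTranslator.java:161)"
SAMPLE_DVFILTER="world 53259 vmm0:web-01 vcUuid:'xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx'
 port 100663303 web-01.eth0
  vNic slot 2
   name: nic-53259-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
world 53260 vmm0:db-01 vcUuid:'yy yy yy yy yy yy yy yy-yy yy yy yy yy yy yy yy'
 port 100663304 db-01.eth0
  vNic slot 2
   name: nic-53260-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached"
SAMPLE_ADDRSETS="addrset ip-securitygroup-10
{
}
addrset ip-securitygroup-11
{
ip 10.0.0.5,
ip 10.0.0.6,
}"
SAMPLE_RULES="ruleset domain-c7
{
# Filter rules
rule 1016 at 1 inout protocol tcp from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 port 22 drop with log;
rule 1011 at 2 inout protocol tcp from addrset ip-securitygroup-10 to any port 21 drop as ftp;
# internal # rule 1011 at 3 inout protocol tcp from addrset ip-securitygroup-10 to any port 21 drop;
rule 1001 at 9 inout protocol any from any to any accept;
}"

if [ "${1:-}" = "--live" ]; then
    # Usage on an ESXi host: sh dfw_triage.sh --live <VM name>
    for f in $(dvfilter_for_vm "$(summarize-dvfilter)" "$2"); do
        for s in $(empty_addrsets "$(vsipioctl getaddrsets -f "$f")"); do
            echo "$f: address set $s is empty; rules depending on it: $(rules_using_addrset "$(vsipioctl getrules -f "$f")" "$s" | tr '\n' ' ')"
        done
    done
else
    vsm_log_has_signature "$SAMPLE_LOG" && echo "vsm.log: publish failure with IpNodeTargetTranslator NPE present"
    for f in $(dvfilter_for_vm "$SAMPLE_DVFILTER" web-01); do
        for s in $(empty_addrsets "$SAMPLE_ADDRSETS"); do
            echo "$f: address set $s is empty; rules depending on it: $(rules_using_addrset "$SAMPLE_RULES" "$s" | tr '\n' ' ')"
        done
    done
fi
```

Run it without arguments to exercise the checks on the built-in samples, or with --live <VM name> on the affected host. A rule whose source or destination resolves to an empty address set still appears in the getrules output but never matches, so listing the rules tied to each empty set shows which policy is not being enforced while the publish is stuck.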


Environment

VMware NSX for vSphere 6.3.x

Cause

This issue occurs when one of the security groups is configured with a dynamic membership definition whose criteria match is set to All and whose criteria details contain multiple rows, at least one of which is an entity belonging to a directory group.

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.2.

To work around this issue without upgrading, edit the security group's dynamic membership definition and either set the criteria match to Any or remove the entities that belong to the directory group.