• FW rules applied to Distributed Port Group are not sent to new cluster.
  
  Below is the workflow of the issue:

1. 1. Create a FW rule whose "Applied to" is Distributed Port Group.
   2. Create a new cluster and move an ESXi to the cluster.
      
      Now the cluster has the portgroup.
      
      
   3. Install NSX on the cluster.
      
      Now FW is enabled and the rules are sent to the ESXi.
      
      
   4. Check FW rule on the ESXi by "vsipioctl loadruleset".

The rule created by the step 1. is not seen, even though the ESXi has the portgroup.

VMware NSX Data Center for vSphere

Follow either one of the options to propagate the FW rules.

• Make change to the relevant rules or section containing affected rule(s) and publish the rules to take effect.
  
  For example, change the name of the section, change the name of any rule in the section, create a new rule in the section, enable/disable affected FW rule logging and so on.
  
  
• When configuring a new cluster, do firewall publish before adding a new host then the issue is not seen based on the lab tests.

Impact/Risks:

FW Rules applied to Distributed Port Group are not propagating to new cluster and causing impact on workload VMs.