Service composer sync fails and DFW rules are invalid after a security group is removed
Article ID: 321274

Updated On: 02-03-2025

Products

VMware NSX for vSphere

Issue/Introduction

Symptoms:

  • When you delete a security group that is referenced in a Service Composer security policy, one or more distributed firewall (DFW) rules may become invalid.
  • In the firewall view, you may see errors such as:

Rule X has an invalid source

Rule Y has an invalid destination

  • Subsequent publish tasks fail, and any attempt to synchronize Service Composer fails.

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Resolution

This issue is resolved in VMware NSX for vSphere 6.4.0.

If you do not want to upgrade, work around the issue by replacing the invalid references through the GUI:

  1. Create a new empty security group with the same name as the one that was removed.
  2. Edit the existing security policy and, under Firewall Rules, edit the affected rule and re-add the security group you just created.
  3. In the DFW section, the rule should no longer show as invalid.
  4. Navigate to Service Composer > Security Policies and, for each security policy that has associated firewall rules, click Actions and select Synchronize Firewall Configuration.

    After forcing a sync to the DFW, the error in Service Composer should disappear.

Note: Invalid references in the DFW rule source/destination can be removed using the API. These rules cannot be modified in the UI because they are generated by Service Composer policies and the edit icon is grayed out.

For more information, see the Modify Firewall Rule section of the NSX 6.2 API Guide.
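As an added illustration of the API route the note mentions (this is not code from the article or from VMware), the script below takes the XML of a Service Composer-generated layer 3 rule as returned by the rule GET, drops every source or destination whose `<isValid>` is `false`, and assembles the matching Modify Firewall Rule PUT with the section ETag in `If-Match`. The sample rule, manager hostname, section id, rule id and ETag are constructed; the endpoint path and the `isValid` element follow my reading of the NSX 6.2 API Guide and should be verified against your version.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Service Composer-generated rule whose first source
# still points at a deleted security group (isValid = false).
SAMPLE_RULE = """<rule id="1010" disabled="false" logged="true">
  <name>Web-to-App</name>
  <action>allow</action>
  <sources excluded="false">
    <source><name>SG-Web</name><value>securitygroup-11</value>
      <type>SecurityGroup</type><isValid>false</isValid></source>
    <source><name>SG-Mgmt</name><value>securitygroup-12</value>
      <type>SecurityGroup</type><isValid>true</isValid></source>
  </sources>
  <destinations excluded="false">
    <destination><name>SG-App</name><value>securitygroup-13</value>
      <type>SecurityGroup</type><isValid>true</isValid></destination>
  </destinations>
</rule>"""


def strip_invalid_references(rule_xml):
    """Return (cleaned rule XML, list of removed object ids).

    Sources/destinations marked <isValid>false</isValid> are the dangling
    references left behind when the security group was deleted.
    """
    root = ET.fromstring(rule_xml)
    removed = []
    for container, child in (("sources", "source"), ("destinations", "destination")):
        parent = root.find(container)
        if parent is None:
            continue
        for obj in list(parent.findall(child)):
            if (obj.findtext("isValid") or "true").strip().lower() == "false":
                removed.append(obj.findtext("value"))
                parent.remove(obj)
        if len(parent) == 0:
            # A rule with no source/destination objects matches "any"; silently
            # widening the rule is worse than the invalid reference, so stop.
            raise ValueError(f"all {container} invalid; fix the rule by hand")
    return ET.tostring(root, encoding="unicode"), removed


def build_put_request(manager, section_id, rule_id, etag, body):
    """Assemble the Modify Firewall Rule call (not sent here).

    The ETag returned by the preceding GET must be echoed in If-Match,
    otherwise NSX Manager rejects the update.
    """
    url = (f"https://{manager}/api/4.0/firewall/globalroot-0/config/"
           f"layer3sections/{section_id}/rules/{rule_id}")
    headers = {"Content-Type": "application/xml", "If-Match": etag}
    return {"method": "PUT", "url": url, "headers": headers, "body": body}
```

After the PUT succeeds, still run Synchronize Firewall Configuration in Service Composer so the policy and the DFW agree again.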