Partial firewall rule is seen on the vNIC with 'Applied To' configuration set to 'Policy's Security Group'
Article ID: 321285

Products

VMware NSX for vSphere

Issue/Introduction

Symptoms:
With the Applied To configuration set to Policy's Security Groups in NSX for vSphere 6.3.2 or 6.2.8, you see partial firewall rules on the VM vNIC.

There are two scenarios in which partial firewall rules are seen on the vNIC:
  1. When a virtual machine that is outside a security group is added to that security group.
  2. When a large number of virtual machines were created in bulk using automation tools such as vRealize Automation.


Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause

When a VM is added to or removed from a security group (SG), address set changes are pushed down to the host. In this case, the same SG is pushed down both as a set of IPs for the source and destination of the firewall rule and as the set of vNICs the rule is applied to. Normally these arrive as separate messages, but if a large number of SGs change at the same time (here, because of nesting), they arrive aggregated in the same message. Earlier releases processed one message at a time; with the new aggregation optimization, the host picks up multiple messages at once. If the manager or the host is slow, fewer messages are aggregated, and the chance of hitting this issue is lower.
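The cause above describes a rule as being realized on the host in two parts: an address set (the SG's member IPs used for source and destination) and an Applied To vNIC set (the same SG's member vNICs). The following is an added model of that realization with a completeness check, written for this article; it is not NSX code, and the SecurityGroup/RealizedRule structures, the update kinds "address_set" and "applied_to", and the sample IPs and vNIC ids are all constructed for illustration. A rule is reported as partial whenever either half disagrees with the SG membership.

```python
"""Completeness check for a distributed-firewall rule realized on a host.

Constructed model for this article (not NSX internals): a security group
reaches the host as an address set and, separately, as an Applied To vNIC
set; the rule is complete only when both halves match the SG membership.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SecurityGroup:
    """Security group as the host sees it: vNIC id -> member IP (constructed)."""
    name: str
    members: Dict[str, str]


@dataclass
class RealizedRule:
    """A firewall rule as realized on one host, split into the two halves."""
    rule_id: int
    src_ips: Set[str] = field(default_factory=set)
    dst_ips: Set[str] = field(default_factory=set)
    applied_to_vnics: Set[str] = field(default_factory=set)


def apply_address_set(rule: RealizedRule, sg: SecurityGroup) -> None:
    """Address-set update: the SG arrives as IPs for source and destination."""
    ips = set(sg.members.values())
    rule.src_ips = set(ips)
    rule.dst_ips = set(ips)


def apply_applied_to(rule: RealizedRule, sg: SecurityGroup) -> None:
    """Applied To update: the same SG arrives as the vNICs the rule is enforced on."""
    rule.applied_to_vnics = set(sg.members)


HANDLERS = {"address_set": apply_address_set, "applied_to": apply_applied_to}


def apply_message(rule: RealizedRule, sg: SecurityGroup, updates: List[str]) -> None:
    """Process one host message; several update kinds may be aggregated in it."""
    for kind in updates:
        HANDLERS[kind](rule, sg)


def partial_rule_report(rule: RealizedRule, sg: SecurityGroup) -> List[str]:
    """List every way the realized rule disagrees with the SG membership.

    An empty list means the rule is complete; anything else is a partial rule.
    """
    expected_ips = set(sg.members.values())
    expected_vnics = set(sg.members)
    problems: List[str] = []
    for label, have, want in (
        ("source address set", rule.src_ips, expected_ips),
        ("destination address set", rule.dst_ips, expected_ips),
        ("applied-to vNIC set", rule.applied_to_vnics, expected_vnics),
    ):
        missing = sorted(want - have)
        stale = sorted(have - want)
        if missing:
            problems.append(f"rule {rule.rule_id}: {label} is missing {missing}")
        if stale:
            problems.append(f"rule {rule.rule_id}: {label} has stale entries {stale}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: web-tier SG with two member VMs."""
    sg = SecurityGroup("sg-web", {"vnic-1": "10.0.0.11", "vnic-2": "10.0.0.12"})
    rule = RealizedRule(rule_id=1001)

    # Only the Applied To half has been processed so far: the rule is partial.
    apply_message(rule, sg, ["applied_to"])
    before = partial_rule_report(rule, sg)

    # An aggregated message carrying both halves completes the rule.
    apply_message(rule, sg, ["address_set", "applied_to"])
    after = partial_rule_report(rule, sg)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("partial rule:", *before, sep="\n  ")
    print("after both halves applied:", after)
```

The check also flags stale entries, so it can be run again after a VM leaves the SG to confirm that both the address set and the Applied To set were refreshed, which is the state a force sync of the Firewall service is meant to restore.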

Resolution

This issue is resolved in VMware NSX for vSphere 6.4.0, available at VMware Downloads.

Workaround:
To work around this issue if you do not want to upgrade:
  1. Change the Applied To setting to Distributed Firewall.
  2. Navigate to Networking & Security > Installation > Host Preparation.
  3. Select the cluster you want to force sync, then click Actions > ForceSync Services.
  4. Select Firewall from the services to force sync. Click OK.