• On the NSX-T Data Center, Security, Gateway Firewall, for a particular Logical Router (LR), in the Policy UI the Default rule is set to Reject or Drop.
• In the Manager UI the same rule is set to Reject or Drop accordingly.
• When enabling the Default Rule Logging option in the Actions, General Firewall Settings of the Policy UI for the Logical Router, the Default rule Action changes to Allow.
• The same behavior can be seen when using the Gateway Firewall API's instead of the UI:
  • /infra/tier-0s/<tier-0-id>
  • /infra/tier-1s/<tier-1-id>
  • And setting the default_rule_logging to True.

VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

The Gateway Firewall, General Settings, Default Rule logging is using the LR property default_rule_logging which has been marked as deprecated.
The current issue is a result of the LR API behavior which resets force_whitelisting to the false whenever the user toggles the default_rule_logging flag.
This behavior is present from the UI as well as from the API.

The issue is resolved in NSX-T Data Center 3.1.2 and onwards