When creating a Distributed Firewall rule in NSX for vSphere 6.4.2 and 6.4.3 and setting its "Applied To" field to include an NSX Edge, the rule is built out to the Edge and is viewable in the Edge Firewall section, but it is not enforced at the Edge. Traffic that the rule should block is therefore allowed through the Edge.
This issue is resolved in VMware NSX for vSphere 6.4.4, available at VMware Downloads.
In NSX 6.4.2 and 6.4.3, only certain changes to the Distributed Firewall also trigger the API call that updates the Edge Firewall. Creating a rule and applying it to the Edge is not one of them, so that action alone does not initially create and enforce the rule at the Edge level.
Workaround:
There are several workaround options for this scenario.