This article is to document a frequently replicated symptom and explain why it happens.

Symptoms:
You have created an "IP Set" inside the NSX Manager. This "IP Set" is applied to a "Security Group" using the NSX Service Composer. In the DFW, this "Security Group" has been selected in the "Applied To" field. After publishing, you see these symptoms:

• The firewall rules traffic that should be getting caught and processed by the DFW fails.
• A search for the rules applied to an expected virtual machine through the vsipioctl getrules -f <nic_filter> command reveals the intended rule is missing from the virtual machine.

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

IP Sets are not supported in the "Applied to" field of the DFW.

The "Applied to" field of the DFW supports only the following selected objects:

1. Cluster
2. Datacenter
3. Distributed Virtual Port Group
4. NSX Edge
5. Network
6. Virtual Machine
7. vNIC
8. Logical Switch
9. Security Group
10. Host System

For more information, see the NSX-v 6.3 Administration Guide.

While all of the above items are supported in the "Applied to" field, it is possible to configure unsupported items indirectly through the DFW interface. For instance, an IP or MAC set can be applied to a given Security Group, and then apply the DFW to that Security Group. This results in an unsupported configuration and NSX Manager does not push the firewall rules to the VMs/hosts.

To resolve this issue, to keep the firewall rules applied to the selected IPs in the IP Set and ensure they are pushed to the hosts/VMs, ensure those rules are "Applied to" the Distributed Firewall as a whole or one of the listed supported values.

1. Identify the rule in the DFW list of the Web Client.
2. Click the pencil icon in the "Applied To" field.
3. Select the checkbox beside "Apply this rule on all clusters on which the Distributed Firewall is installed."