Distributed Firewall (DFW) packets hitting Default/Lower Rule instead of expected rule

Article ID: 343357

Updated On: 05-01-2025

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Please note the below behavior only applies to stateful rules. Stateless rules do not generate flow table entries.

When using Distributed Firewall (DFW), you might see SYN and ACK packets matching a configured rule, but RST and FIN ACK packets hitting a different rule, even for the same source, destination, and port. This occurs because DFW processes TCP packets based on the flow table entry, which is created when the first SYN packet matches a rule.

Only SYN packets can match a DFW rule with TCP services defined, and the flow table entry is only created when a SYN packet is seen. Once a connection is established, subsequent packets like ACK, RST, FIN ACK, etc. are handled by the flow table. However, if the flow is deleted (e.g., when the connection ends, connection timers expire, etc.), any late non-SYN packets will not match an existing flow and therefore won’t match the expected rule. As a result, these packets hit the default rule or a lower-priority rule, because DFW rules with "Any" defined for services can match TCP packets with any combination of flags, not just SYN.

This is normal behavior and doesn’t impact active connections.
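The following is an added toy model of the lookup order described above; it is not NSX code and not from this article. Rule IDs, names, addresses and the class names (StatefulDFW, Rule, Packet) are constructed for illustration. The model applies the two statements from the text: a rule with a TCP service is only consulted for the initial SYN, and once a flow entry exists every later packet of that connection is answered from the flow table. After the flow entry is removed, a late FIN/ACK or RST falls through to the first lower-priority rule whose service is "Any" (here rule 1500; without such a rule it would reach the default rule 2001). Stateless rules are deliberately not modelled, as the article notes they create no flow entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class Rule:
    rule_id: int
    name: str
    action: str               # "ALLOW" or "DROP"
    tcp_dport: Optional[int]  # None models a rule whose service is "Any"

    def matches(self, pkt: Packet) -> bool:
        if self.tcp_dport is None:
            # Service "Any": matches a TCP packet with any flag combination
            return True
        # A rule with a TCP service defined only matches the initial SYN
        is_syn = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
        return pkt.dport == self.tcp_dport and is_syn


FlowKey = Tuple[str, int, str, int]


class StatefulDFW:
    """Hypothetical model of stateful DFW rule lookup plus flow table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)            # ordered; last entry is the default rule
        self.flows: Dict[FlowKey, int] = {}  # flow -> rule_id that admitted it

    @staticmethod
    def flow_key(pkt: Packet) -> FlowKey:
        # Direction-independent key so return traffic hits the same entry
        lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (lo[0], lo[1], hi[0], hi[1])

    def process(self, pkt: Packet) -> Tuple[str, int]:
        key = self.flow_key(pkt)
        if key in self.flows:
            # Established connection: answered from the flow table, no rule lookup
            return "flow", self.flows[key]
        for rule in self.rules:
            if rule.matches(pkt):
                is_syn = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
                if rule.action == "ALLOW" and is_syn:
                    # Flow entry is created only when a SYN matches an allow rule
                    self.flows[key] = rule.rule_id
                return "rule", rule.rule_id
        raise RuntimeError("rule set must end with a catch-all default rule")

    def expire(self, pkt: Packet) -> None:
        # Connection ended or flow timer expired: drop the flow entry
        self.flows.pop(self.flow_key(pkt), None)


def scenario() -> Dict[str, Tuple[str, int]]:
    """Walk one HTTPS connection through the model (constructed sample traffic)."""
    dfw = StatefulDFW([
        Rule(1001, "allow-https", "ALLOW", 443),
        Rule(1500, "allow-any-service", "ALLOW", None),  # lower-priority "Any" rule
        Rule(2001, "default-drop", "DROP", None),
    ])
    client, server = "10.0.0.5", "10.0.0.9"
    syn = Packet(client, server, 40000, 443, SYN)
    synack = Packet(server, client, 443, 40000, SYN | ACK)
    ack = Packet(client, server, 40000, 443, ACK)
    finack = Packet(client, server, 40000, 443, FIN | ACK)
    rst = Packet(server, client, 443, 40000, RST)

    results = {
        "syn": dfw.process(syn),        # matches rule 1001, creates the flow
        "synack": dfw.process(synack),  # answered from the flow entry
        "ack": dfw.process(ack),
        "finack": dfw.process(finack),
    }
    dfw.expire(finack)  # connection torn down; flow entry gone
    results["late_rst"] = dfw.process(rst)  # no flow, not a SYN: falls to rule 1500
    results["late_ack"] = dfw.process(ack)
    return results


if __name__ == "__main__":
    for step, (source, rule_id) in scenario().items():
        print(f"{step:9s} -> {source:4s} rule {rule_id}")
```

Running the block shows the SYN hitting rule 1001 and the SYN/ACK, ACK and FIN/ACK being served from the flow entry tagged with the same rule ID, while the packets sent after the flow is expired are attributed to rule 1500. That is exactly the log pattern the article describes: same source, destination and port, different rule IDs, and no impact on the connection that already completed.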

Environment

VMware NSX 3.x, 4.x

Resolution

This is normal behavior and doesn’t impact active connections.

To see what flows are active for a particular virtual machine:

  1. Open an SSH session to the ESXi host where the virtual machine is running.
  2. Run summarize-dvfilter | grep -A20 <vm_name> to retrieve the DFW filter name of the virtual machine (<vm_name> is a placeholder for the virtual machine's name).
  3. Run vsipioctl getflows -f <filter_name> to see the active or current flows associated with that filter and virtual machine (<filter_name> is a placeholder for the filter name found in the previous step).