Unable to move or reorder DFW (distributed firewall) or GFW (gateway firewall) firewall section/policy

Article ID: 371415

Updated On:

Products

VMware NSX Networking VMware vDefend Firewall

Issue/Introduction

  • In the NSX Manager UI, go to Security and then Distributed Firewall or Gateway Firewall
  • Select any policy within the first 200 policies and drag it to a different position in the order of policies
  • Click the Publish button
  • Observe that the recently moved policy returns to its original position.

Environment

VMware NSX versions prior to 4.2.0

Cause

  • The order of policies is determined by a field called sequence_number. The problem occurs when there is no gap in the sequence_number values.
  • When moving a policy, the UI tries computing a sequence_number for the policy in the new position.
  • Before version 4.2.0, the UI only looks for an available sequence_number within the first 200 policies.
  • If an available sequence_number is found within these pages, the UI does not change the sequence number for the moved policy.
  • This mistakenly positions the moved policy back to its original position.

Resolution

The issue is resolved in NSX 4.2.0

 

Workaround 1

1. In the UI, clone the desired policy. This puts the new cloned policy at the top of the rule list

2. Move the desired rule down to the desired place in the order

3. Publish

4. Delete the cloned policy

5. Publish

 

Workaround 2

1. Call the following API to regenerate the sequence numbers with gaps between them.

POST - https://<NSX-Manager>/policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise&operation=insert_top
 {

 }

Example:

POST - https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/TEST_POLICY?action=revise&operation=insert_top
 {

 }

2. Log in to NSX Manager and navigate to the Security -> Distributed Firewall page. Verify that the policy order is correct.

3. The API call in Step 1 inserts a blank policy at the top of the firewall configuration. The customer can remove it from the UI and publish the configuration.
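
An added example (not VMware's code) for the gap condition described under Cause and the order check in step 2: given a policy listing, it reports adjacent policies with no unused sequence_number between them and any pair whose published order differs from the intended one. The sample data is constructed, and the field names id, category and sequence_number, as well as the per-category grouping, are assumptions about the shape of the exported listing.

```python
import json

# Constructed sample shaped like the "results" list of a security-policy
# listing; field names and values are assumptions, not output from a real system.
SAMPLE = json.loads("""
{"results": [
  {"id": "ALLOW_MGMT",   "category": "Application",    "sequence_number": 10},
  {"id": "TEST_POLICY",  "category": "Application",    "sequence_number": 11},
  {"id": "BLOCK_LEGACY", "category": "Application",    "sequence_number": 12},
  {"id": "DEFAULT_DENY", "category": "Application",    "sequence_number": 40},
  {"id": "INFRA_DNS",    "category": "Infrastructure", "sequence_number": 5}
]}
""")["results"]


def by_category(policies):
    """Group policies by category, each group sorted by sequence_number."""
    groups = {}
    for p in sorted(policies, key=lambda p: (p["category"], p["sequence_number"])):
        groups.setdefault(p["category"], []).append(p)
    return groups


def no_gap_pairs(policies):
    """Adjacent policies with no unused sequence_number between them."""
    pairs = []
    for group in by_category(policies).values():
        for a, b in zip(group, group[1:]):
            if b["sequence_number"] - a["sequence_number"] <= 1:
                pairs.append((a["id"], b["id"]))
    return pairs


def order_violations(policies, intended_ids):
    """Consecutive pairs of intended_ids that are missing or not in that order."""
    seq = {p["id"]: p["sequence_number"] for p in policies}
    bad = []
    for a, b in zip(intended_ids, intended_ids[1:]):
        if a not in seq or b not in seq or seq[a] >= seq[b]:
            bad.append((a, b))
    return bad


if __name__ == "__main__":
    print("no gap between:", no_gap_pairs(SAMPLE))
    # Intended order after the move: TEST_POLICY below BLOCK_LEGACY.
    intended = ["ALLOW_MGMT", "BLOCK_LEGACY", "TEST_POLICY", "DEFAULT_DENY"]
    print("not in intended order:", order_violations(SAMPLE, intended))
```

Because firewall policies are evaluated in sequence_number order, a non-empty result from order_violations after a publish means the enforced precedence is not the one the operator intended.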