You will notice Distributed Port Groups marked with an 'Error' status and labeled 'Global' under Networking > Segments > Distributed Port Groups.
DFW rules are not enforced correctly on VMs residing on these port groups.
NSX versions below 4.2.1
This issue is known to occur when Distributed Port Groups are incorrectly imported into the Global Manager during a Federation Configuration Import. Since Distributed Port Groups are not supported on the Global Manager, the import process should prevent them from being imported.
The permanent fix is in NSX 4.2.1 and later.
For customers that cannot upgrade to address the issue, please open a Service Request with Broadcom Global Support for assistance with workaround steps.