When you follow the steps below to publish a DFW policy with "TCP Strict" set to "No", "TCP Strict" is shown as "Yes" after publishing.
VMware NSX-T Data Center 3.0
VMware NSX-T Data Center 3.1
"TCP Strict" is set to "Yes" by default, but it is mistakenly displayed as "No".
When the policy is published, the default value is loaded, and "Yes" is displayed.
This issue is resolved in VMware NSX-T Data Center 3.2.0.
Workaround
To enable "TCP Strict", explicitly change it to "Yes" before publishing the policy.
To disable "TCP Strict", change it to "Yes" once, then change it back to "No" and publish it.