Newly created DFW policy's showing unknown under action after a publish


Article ID: 382649

Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

Node status shows 'Degraded' for one or more hosts in the NSX UI > System > Fabric > Hosts > Clusters.

Click 'View Details' on the ESXi host showing 'Degraded'. In the Overview tab, 'Controller Connectivity' shows a 'Down'/Red status.

Click the 'Monitor' tab and scroll down to 'Agent Status'. Click 'Agent Status' to display the agent services and their status.

NSX_NESTDB shows 'Down'/Red



Environment

NSX 3.x and 4.x

Cause

When NSX-NESTDB is down on an ESXi host, that host does not receive DFW rules. This includes newly created rules, updated rules, and previously working rules attached to a VM that has been vMotioned to the affected host.
Check whether the service is down on the ESXi host. SSH into the host and run:

/etc/init.d/nsx-nestdb status

The problem status is 'NSX-NESTDB not running'.

Resolution

Start (or restart) the nsx-nestdb service on the ESXi host:

/etc/init.d/nsx-nestdb start

Repeat for all hosts in the same CCP-down state caused by the NSX_NESTDB agent being Down.


This leaves the host in a degraded state until NSX Manager receives all the expected checks from the ESXi host; the Agent Status then shows 'Up'/Green.
Return to NSX UI > Security > Distributed Firewall. In the Action column, look for a 'Success'/Green status for the policies that were previously in an 'Unknown' state.
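The check-then-start procedure above, scripted across several hosts, as an added example that is not part of this KB article: it assumes root SSH access to each ESXi host and uses only the status/start commands shown; the host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the KB: run the article's nsx-nestdb check on a list of
# ESXi hosts and start the service wherever it reports down. Assumes root SSH access
# to each host; host names passed on the command line are constructed placeholders.

# Return 0 when the output of '/etc/init.d/nsx-nestdb status' contains the KB's
# problem string, 1 otherwise.
nestdb_is_down() {
    case "$1" in
        *"NSX-NESTDB not running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one host, start the service if it is down, then re-check so a failed start
# is not mistaken for a fix. $1 = host name; $2 = optional command runner (default:
# ssh as root), which also allows a dry run or a mock in place of real SSH.
remediate_host() {
    host="$1"
    run="${2:-ssh -o BatchMode=yes root@$host}"
    # The status command may exit non-zero when the service is down; keep its text.
    svc_status=$($run /etc/init.d/nsx-nestdb status 2>&1) || true
    if ! nestdb_is_down "$svc_status"; then
        echo "$host: nsx-nestdb already running"
        return 0
    fi
    $run /etc/init.d/nsx-nestdb start >/dev/null 2>&1 || true
    svc_status=$($run /etc/init.d/nsx-nestdb status 2>&1) || true
    if nestdb_is_down "$svc_status"; then
        echo "$host: nsx-nestdb still down after start attempt; investigate the host"
        return 1
    fi
    echo "$host: nsx-nestdb started"
    return 0
}

# Usage: sh nestdb_check.sh esxi-01.example.invalid esxi-02.example.invalid
# rc stays 0 only if every host ends with nsx-nestdb running.
rc=0
for h in "$@"; do
    remediate_host "$h" || rc=1
done
```

After the script reports 'started' for a host, allow NSX Manager time to complete its checks before expecting the Agent Status and the DFW policy Action column to turn green.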