In an NSX Federation environment with a Global Manager and multiple Local Manager sites using IDFW, users accessing VMs across sites can cause group membership inaccuracies. As a result, incorrect DFW rules are applied to those VMs, causing unintended traffic drops.
NSX 3.x and 4.x
Each Local Manager site detects login/logout events through log scraping or Guest Introspection. These events are reported only to the NSX Manager they are configured for and do not cross into another Local Manager site.
Configure the Identity Firewall AD settings and IDFW rules within each Local Manager site.
The IDFW documentation states, "IDFW rules are not supported on Global Managers in a Federation environment. IDFW can still be used locally in Federated sites by creating IDFW rules on Local Managers."
See: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/security/identity-firewall.html
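As an added example (not from this article or from VMware), a Python script that applies the per-site pattern above: it enables the IDFW master switch on every Local Manager and deliberately skips the Global Manager, since IDFW is unsupported there. The site inventory, hostnames and credentials are placeholders, and the `/policy/api/v1/infra/settings/firewall/idfw` endpoint and PATCH verb are assumptions drawn from the NSX Policy API; confirm them against the API guide for your release.

```python
"""Enable IDFW on each NSX Local Manager, never on the Global Manager.

Added example, not part of the KB article. The endpoint path and verb are
assumed from the NSX Policy API (verify for your release); hosts are placeholders.
"""
import base64
import json
import ssl
import urllib.request

IDFW_SWITCH = "/policy/api/v1/infra/settings/firewall/idfw"  # assumed endpoint

# Constructed federation inventory: one GM and two LM sites (placeholder hosts).
SITES = [
    {"name": "gm-site", "host": "gm.example.invalid", "role": "global"},
    {"name": "site-a", "host": "lm-a.example.invalid", "role": "local"},
    {"name": "site-b", "host": "lm-b.example.invalid", "role": "local"},
]


def plan_idfw_changes(sites):
    """Return one PATCH per Local Manager; Global Managers are skipped.

    Each LM is configured independently because its login/logout events
    never reach the other sites, and the GM does not support IDFW at all.
    """
    plan = []
    for site in sites:
        if site["role"] != "local":
            continue
        plan.append({"site": site["name"],
                     "url": f"https://{site['host']}{IDFW_SWITCH}",
                     "body": {"idfw_enabled": True}})
    return plan


def apply_plan(plan, user, password, cafile):
    """Send each PATCH with basic auth over a CA-pinned TLS context."""
    ctx = ssl.create_default_context(cafile=cafile)  # pin the manager CA
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    results = {}
    for step in plan:
        req = urllib.request.Request(
            step["url"], data=json.dumps(step["body"]).encode(), method="PATCH",
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            results[step["site"]] = resp.status  # expect 200 per LM
    return results


if __name__ == "__main__":
    print(apply_plan(plan_idfw_changes(SITES), "admin", "CHANGE-ME", "nsx-ca.pem"))
```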