It is possible that traffic which is expected to match the firewall rule after changing the object group is not to match the rule.

This issue is caused by the following step:

1. The firewall rule is configured by using an object group as shown below. 
   
   In this case, the 'TestRule' firewall rule is configured to allow the source IP addresses by using the 'Test' object group.
   All traffic that does not match the 'TestRule' will be dropped.
   
   
2. Generate a flow from a source address X.X.X.X that does not match the 'TestRule'.
   
   
3. Update the object group and add the new source address X.X.X.X to the 'Allow' rule.
   
   
4. The flow created by step2 will continue to be dropped regardless of the fact that X.X.X.X must match the "TestRule".

Velocloud SDWAN, VMware SDWAN, Firewall Rule, Object group

This issue is caused by known software issue #147800. 

Edge does not re-apply all the rules to the existing flow when only the object group is updated.

This issue is fixed in 5.2.4.0 and later.
For more information please see VMware SD-WAN Software Upgrade FAQs

If you are using a version earlier than 5.2.4.0, you can use the following workaround.

• Update the firewall rule by adding a 'New Comment'.
• Delete the flow using Flush Flows in "Remote Diagnostics".