NSX/vDefend Firewall is dropping traffic even though a DFW rule is in place.

Article ID: 395482


Products

VMware NSX

VMware vDefend Firewall

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When a rule is configured with the appliedTo feature, the traffic is dropped. When the appliedTo is removed and the rule is applied to the DFW instead, the traffic works.

Environment

VMware vDefend Firewall

VMware vDefend Firewall with Advanced Threat Prevention

Cause

When the appliedTo feature is used for DFW, the rules are realized only for the VMs that are members of the appliedTo group. IP addresses, MAC addresses, and Active Directory objects are not processed when included in a Group used in the Applied To field.

Resolution

When using the appliedTo feature, ensure that the necessary DFW rules are applied to both the source and the destination. Remember that IP addresses, MAC addresses, and Active Directory objects are not processed when included in a Group used in the Applied To field.
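
One way to check exported rules for both conditions above, as an added example that is not part of the original article or VMware tooling. It assumes the rule and group objects use NSX Policy API style field names (`scope` for Applied To, `source_groups`, `destination_groups`, `expression`, `resource_type`); the group paths, rule IDs and sample objects are constructed.

```python
# Added example: audit exported DFW rules for the Applied To pitfalls described above.
# Field names are assumed to follow NSX Policy API JSON; all sample objects are constructed.

# Member types the article says are not processed inside an Applied To group.
IGNORED = {
    "IPAddressExpression": "IP addresses",
    "MACAddressExpression": "MAC addresses",
    "IdentityGroupExpression": "Active Directory objects",
}

def walk(expressions):
    """Yield every expression, descending into nested expression lists."""
    for expr in expressions or []:
        yield expr
        yield from walk(expr.get("expressions"))

def audit_rule(rule, groups):
    """Return findings for one rule; groups maps group path -> group object."""
    scope = rule.get("scope") or ["ANY"]
    if scope == ["ANY"]:
        return []  # rule is applied to DFW, so the Applied To caveats do not apply
    findings = []
    for path in scope:
        kinds = {e.get("resource_type") for e in walk(groups.get(path, {}).get("expression"))}
        for kind in sorted(kinds & IGNORED.keys()):
            findings.append(f"{rule['id']}: Applied To group {path} holds {IGNORED[kind]} (not processed)")
    # Heuristic (assumption): compare group paths only, not effective VM membership.
    for side in ("source_groups", "destination_groups"):
        for path in rule.get(side, []):
            if path != "ANY" and path not in scope:
                findings.append(f"{rule['id']}: {side} entry {path} is not in Applied To")
    return findings

WEB = "/infra/domains/default/groups/web-vms"      # constructed
DB_IP = "/infra/domains/default/groups/db-by-ip"   # constructed
GROUPS = {
    WEB: {"expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                          "key": "Tag", "operator": "EQUALS", "value": "web"}]},
    DB_IP: {"expression": [{"resource_type": "IPAddressExpression", "ip_addresses": ["192.0.2.10"]}]},
}
RULES = [
    {"id": "web-to-db", "source_groups": [WEB], "destination_groups": [DB_IP], "scope": [DB_IP]},
    {"id": "web-to-db-dfw", "source_groups": [WEB], "destination_groups": [DB_IP], "scope": ["ANY"]},
]

if __name__ == "__main__":
    for rule in RULES:
        for finding in audit_rule(rule, GROUPS):
            print(finding)
```

The path comparison is only a first pass: a source or destination group can still be covered by a differently named Applied To group with the same VM members, so confirm flagged rules against effective membership.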