DFW rules in security-only clusters are partly removed on upgrading NSX from versions less than 4.1.1 to 4.2.x

Article ID: 408488

Products: VMware NSX, VMware vDefend Firewall

Issue/Introduction

  • You have security-only clusters.
  • You upgraded NSX from a version earlier than NSX 4.1.1 to 4.2.x.
  • While NSX Manager was being upgraded, DFW rules were partly removed.
  • After the upgrade completed, rules were restored for some vNICs but not for all of them.

Environment

VMware NSX upgraded from a version earlier than NSX 4.1.1 to NSX 4.2.x

Cause

When the following two upgrade tasks run in the same upgrade, their combination temporarily deletes portgroup information in NSX Manager:

  • The upgrade task to NSX 4.1.1 and later.
  • The upgrade task to NSX 4.2.0 and later.

Together they delete all VIFs along with their portgroups, so NSX Manager sends incorrect DFW rules to the ESXi hosts.

After the upgrade completes, the portgroups/VIFs are fetched again from vCenter.
However, a separate issue prevents some VIFs from being fetched, so some vNICs may still have incomplete rules.

Resolution

Currently there is no resolution.

If the upgrade path allows it, first upgrade to NSX 4.1.1.x or 4.1.2.x and then upgrade to NSX 4.2.x.
This avoids the issue because the two upgrade tasks are then processed in separate upgrades.

If you have already upgraded NSX and some vNICs still have incomplete DFW rules, invoke the following API for every host transport node to recover the DFW rules:

POST /api/v1/transport-nodes/<transport-node-uuid>?action=resync_host_config
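The article asks for the resync action to be invoked on all hosts. The script below is an added example, not part of the KB article or of any VMware tooling: it lists the transport nodes, keeps only the ESXi host nodes, and posts the resync action for each. The manager URL and credentials are placeholders, basic authentication is assumed, and the `node_deployment_info.resource_type == "HostNode"` filter is an assumption about the listing format; the sample listing embedded for offline use is constructed.

```python
"""Invoke resync_host_config on every host transport node after an NSX upgrade.

Added example; not from the KB article. Assumptions:
  - NSX Manager is reachable at NSX_MANAGER (placeholder) and accepts
    basic auth for a user allowed to call the transport-node API.
  - GET /api/v1/transport-nodes returns {"results": [...]} where ESXi hosts
    carry node_deployment_info.resource_type == "HostNode" (assumed field).
"""
import base64
import json
import ssl
import urllib.request

NSX_MANAGER = "https://nsx-manager.example.invalid"  # placeholder, replace
NSX_USER = "admin"                                    # placeholder
NSX_PASSWORD = "replace-me"                           # placeholder

# Constructed sample in the shape of a transport-node listing, so the
# selection logic can be exercised offline without an NSX Manager.
SAMPLE_LISTING = {
    "results": [
        {"id": "00000000-0000-0000-0000-000000000001", "display_name": "esx-01",
         "node_deployment_info": {"resource_type": "HostNode"}},
        {"id": "00000000-0000-0000-0000-000000000002", "display_name": "edge-01",
         "node_deployment_info": {"resource_type": "EdgeNode"}},
        {"id": "00000000-0000-0000-0000-000000000003", "display_name": "esx-02",
         "node_deployment_info": {"resource_type": "HostNode"}},
    ]
}


def host_transport_nodes(listing):
    """Return (id, display_name) for every ESXi host node; edge nodes are skipped
    because the DFW rules live on the hosts."""
    hosts = []
    for node in listing.get("results", []):
        kind = node.get("node_deployment_info", {}).get("resource_type")
        if kind == "HostNode":
            hosts.append((node["id"], node.get("display_name", node["id"])))
    return hosts


def resync_url(manager, node_id):
    """Build the per-host resync URL exactly as documented in the article."""
    return f"{manager}/api/v1/transport-nodes/{node_id}?action=resync_host_config"


def _call(method, url, verify_tls=True):
    """Send one basic-auth request and return (status, decoded JSON or None)."""
    token = base64.b64encode(f"{NSX_USER}:{NSX_PASSWORD}".encode()).decode()
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    # Only relax certificate checking deliberately, e.g. for a lab manager.
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def resync_all_hosts(manager=NSX_MANAGER, dry_run=True, verify_tls=True):
    """List hosts and post the resync action to each; returns the URLs used.
    With dry_run=True nothing is sent, only the planned calls are printed."""
    _, listing = _call("GET", f"{manager}/api/v1/transport-nodes", verify_tls)
    urls = []
    for node_id, name in host_transport_nodes(listing):
        url = resync_url(manager, node_id)
        urls.append(url)
        if dry_run:
            print(f"[dry-run] {name}: POST {url}")
            continue
        status, _ = _call("POST", url, verify_tls)
        print(f"{name}: resync requested, HTTP {status}")
    return urls


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap for resync_all_hosts()
    # once NSX_MANAGER and the credentials are filled in.
    for node_id, name in host_transport_nodes(SAMPLE_LISTING):
        print(f"{name}: POST {resync_url(NSX_MANAGER, node_id)}")
```

Run it with `dry_run=True` first to confirm that exactly the ESXi hosts of the affected clusters are listed, then rerun with `dry_run=False`; the resync is per host, so a host that was missed simply keeps its incomplete rule set until the call is repeated for it.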