After upgrading from NSX 3.2.x to NSX 4.2.2.x, the default section rules for Distributed Firewall (DFW) in Manager Mode get synchronized (and overwritten) with those in Policy Mode.


Article ID: 414735


Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

After upgrading from NSX 3.2.x to NSX 4.2.2.x, the default section rules for Distributed Firewall (DFW) in Manager Mode get synchronized (and overwritten) with those in Policy Mode.
For example, even though the action of the default L3 rule in Manager Mode is 'drop', if the action of the default L3 rule in Policy Mode is 'allow', after an upgrade the default L3 rule in Manager Mode may be changed to 'allow'.

Environment

VMware NSX-T Data Center

Cause


NSX provides two interfaces for managing DFW rules: Manager Mode and Policy Mode.
Starting with NSX-T 3.0.0, Policy Mode became the default, and the default section rules of the DFW in both Modes are managed via Policy Mode.
Therefore you can't edit the default section rules via Manager Mode, since they are locked for editing there and must be changed in Policy Mode instead.

Since Policy Mode manages the default section rules for both Modes, it is expected behavior for the default section rules in both Modes to be identical.
When you edit a default section rule in Policy Mode, the same settings automatically apply to the default section rules in Manager Mode.
If there is a mismatch in default section rules between the two Modes, any edit of the default section in Policy Mode will trigger a sync, ensuring consistency across the two Modes.


- Why does a mismatch of default section rules between Manager Mode and Policy Mode happen?

   Normally, the default section rules in Manager Mode are read-only and can't be changed via the Manager Mode UI.
   This prevents any mismatch in default section settings between the two Modes.

   However, in some cases a user can bypass this lock by using the Manager API with the 'X-Allow-Overwrite' option.
   This operation creates a mismatch between the default section rules of the two Modes.

   For example:
   If a user uses the Manager API with the 'X-Allow-Overwrite' option to change the action of the L3 default rule to "drop" (while Policy Mode still has it set to "allow" by default),
   then after publishing DFW rules from Manager Mode, the default rule settings of Manager Mode will be loaded.
   This means the "drop" L3 default rule in Manager Mode becomes active, even though Policy Mode is still set to "allow".


- When does synchronization of default section rules from Policy Mode to Manager Mode happen?

    1. When the default section rules are edited (touched) in the Policy Mode UI.

       In NSX-T 3.0.0 and later, the default section in Manager Mode is owned by Policy Mode.
       So any edit in Policy Mode immediately updates the default section in Manager Mode.

    2. During an NSX upgrade.

       Sometimes (not always), during the NSX upgrade, the default section might get "touched" in Policy Mode without you noticing.
       This can happen because the upgrade process might add new internal attributes to the objects, even if no user changes the default rule settings.
       As a result, the system ends up in the same state as if you had edited the default section rule directly in Policy Mode.

Note: Synchronization of default section rules from Policy Mode to Manager Mode occurs only when editing rules in the default section.
      It does not trigger when editing custom rules created by users.

Resolution

Please check for any mismatches in the DFW default section rules between the Manager Mode UI and the Policy Mode UI.
If differences exist, edit the default section in the Policy Mode UI to apply the changes to Manager Mode.
Please avoid using the Manager API with the 'X-Allow-Overwrite' option to change the DFW default section rules, to prevent mismatches between the two Modes.
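The check above can be scripted rather than done by eye. The following is an added example written for this article, not tooling from VMware or Broadcom: it compares the default-section rule settings returned by the Policy API with those returned by the Manager API and lists every field that differs, so an operator can see before an upgrade whether a sync would silently change the effective action. The two JSON payloads are constructed samples whose shape is an assumption modelled on NSX rule objects; the API paths in the comments (`/policy/api/v1/infra/domains/default/security-policies/default-layer3-section/rules` and `/api/v1/firewall/sections/<section-id>/rules`) are also assumptions and should be confirmed against the NSX API reference for your release. Rules are matched across Modes by `display_name`, since Manager Mode and Policy Mode use different rule identifiers.

```python
"""Compare DFW default-section rule settings between NSX Policy Mode and Manager Mode.

Added example for this KB; not VMware/Broadcom code. Field names, rule payload
shape and API paths are assumptions, modelled on NSX rule objects.
"""
import json

# Constructed sample: what the Policy API would return for the rules of the
# default Layer3 section (assumed path:
# GET /policy/api/v1/infra/domains/default/security-policies/default-layer3-section/rules).
POLICY_DEFAULT_L3_RULES = json.dumps({
    "results": [
        {"id": "default-layer3-rule", "display_name": "Default Layer3 Rule",
         "action": "ALLOW", "disabled": False, "logged": False}
    ]
})

# Constructed sample: what the Manager API would return for the same default
# section after someone changed the action with X-Allow-Overwrite (assumed path:
# GET /api/v1/firewall/sections/<section-id>/rules, where the section has
# "is_default": true).
MANAGER_DEFAULT_L3_RULES = json.dumps({
    "results": [
        {"id": "1001", "display_name": "Default Layer3 Rule",
         "action": "DROP", "disabled": False, "logged": False}
    ]
})

# Settings worth comparing; a difference in any of them means a Policy-side
# edit (or an upgrade "touch") would overwrite the Manager-side value.
FIELDS = ("action", "disabled", "logged")


def rules_by_name(payload):
    """Index a rules response by display_name (the only key shared by both Modes)."""
    return {r["display_name"]: r for r in json.loads(payload).get("results", [])}


def find_mismatches(policy_json, manager_json):
    """Return a list of (rule, field, policy_value, manager_value) tuples.

    A rule present in only one Mode is reported with None for the missing side.
    """
    policy = rules_by_name(policy_json)
    manager = rules_by_name(manager_json)
    mismatches = []
    for name in sorted(set(policy) | set(manager)):
        p, m = policy.get(name), manager.get(name)
        if p is None or m is None:
            mismatches.append((name, "presence", p is not None, m is not None))
            continue
        for field in FIELDS:
            if p.get(field) != m.get(field):
                mismatches.append((name, field, p.get(field), m.get(field)))
    return mismatches


def report(mismatches):
    """Human-readable summary; the Policy value is what survives a sync."""
    if not mismatches:
        return "Default section rules are consistent between Policy and Manager Mode."
    lines = ["Default section mismatch (Policy value will win on next sync/upgrade):"]
    for name, field, pval, mval in mismatches:
        lines.append(f"  {name}: {field} Policy={pval!r} Manager={mval!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace the two constants with live API responses (basic auth to the
    # NSX Manager) to run this against a real environment.
    print(report(find_mismatches(POLICY_DEFAULT_L3_RULES, MANAGER_DEFAULT_L3_RULES)))
```

Run it with the two constants replaced by the live responses; a non-empty result before an upgrade means the Manager Mode value shown will not survive the sync described above, and the fix per this article is to set the intended value in the Policy Mode UI rather than through the Manager API.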