SSP Recommendations suggest new DFW rules even though:
A higher-priority Infra / Environment policy already allows the traffic.
The traffic does not match the intended policy that already exists in the DFW.
In SSP group membership:
The VM object is present.
The IP address is missing from the effective members.
As a result, customers believe that SSP or Recommendations are malfunctioning, even though the policies already exist.
SSP 5.0 / 5.1
NSX 4.2.x and later
SSP DFW Recommendations depend on the IP-to-VM realization provided by NSX to determine whether traffic is protected.
Because SSP evaluates protection status using both VM membership and realized IP addresses, the absence of a realized IP causes SSP to treat the traffic as unprotected. This results in incorrect DFW rule recommendations and in traffic appearing to bypass the intended policies.
The missing IP realization can occur when the affected VMs are connected to Distributed Virtual Port Groups (DVPGs) and NSX has not been activated on DVPGs for the cluster. When NSX is not activated on DVPGs, NSX cannot discover the DVPGs or their ports, IP Discovery profiles do not function, and the VM IP addresses are never realized. Consequently, the DFW cannot enforce IP-based rules for those VMs and SSP cannot correctly classify their traffic as protected.
This behavior does not affect workloads connected to NSX Segments. The behavior is by design.
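The following script is an added example, not SSP or NSX code, that models the evaluation described above: a group member counts for protection only when its IP is realized, so a VM that is present in a group without a realized IP makes every flow involving it look unprotected, even when an allow rule between the right groups already exists. The group export, VM inventory, attachment types and rule list are constructed sample data in an assumed shape; the functions also show the manual-IP workaround restoring the "protected" classification.

```python
"""Check SSP group realization and flow protection (constructed example)."""

# Constructed sample: effective members as seen in SSP groups. Each group
# lists the VM objects SSP sees and the IP addresses NSX has realized.
SAMPLE_GROUP_MEMBERS = {
    "app-tier": {"vms": {"app-01", "app-02"}, "ips": {"10.10.1.11"}},
    "db-tier": {"vms": {"db-01"}, "ips": set()},
}

# Constructed sample: VM inventory with the guest IP actually in use and the
# kind of port the vNIC is attached to (NSX Segment or DVPG).
SAMPLE_VM_INVENTORY = {
    "app-01": {"ip": "10.10.1.11", "attachment": "nsx-segment"},
    "app-02": {"ip": "10.10.1.12", "attachment": "dvpg"},
    "db-01": {"ip": "10.10.2.21", "attachment": "dvpg"},
}

# Constructed sample: an existing allow rule as (source group, destination group).
SAMPLE_ALLOW_RULES = [("app-tier", "db-tier")]


def find_unrealized_members(group_members, vm_inventory):
    """Return, per group, the VMs that are members but whose IP is not realized.

    These are the objects SSP counts as present yet cannot match by address,
    so any flow touching them is reported as unprotected.
    """
    findings = {}
    for group, members in group_members.items():
        missing = []
        for vm in sorted(members["vms"]):
            info = vm_inventory.get(vm)
            if info is None:
                continue  # VM unknown to the inventory; out of scope here
            if info["ip"] not in members["ips"]:
                missing.append((vm, info["ip"], info["attachment"]))
        if missing:
            findings[group] = missing
    return findings


def groups_for_ip(ip, group_members):
    """Groups whose realized IP set contains ip; VM membership alone does not count."""
    return {g for g, m in group_members.items() if ip in m["ips"]}


def classify_flow(src_ip, dst_ip, group_members, allow_rules):
    """A flow is 'protected' only if both endpoints resolve, through realized
    IPs, to a pair of groups joined by an existing allow rule."""
    src_groups = groups_for_ip(src_ip, group_members)
    dst_groups = groups_for_ip(dst_ip, group_members)
    for src_g, dst_g in allow_rules:
        if src_g in src_groups and dst_g in dst_groups:
            return "protected"
    return "unprotected"


def apply_manual_ip_workaround(group_members, findings):
    """Return a copy of group_members with the missing IPs added by hand,
    mirroring the workaround of adding IP addresses to the affected groups."""
    patched = {g: {"vms": set(m["vms"]), "ips": set(m["ips"])}
               for g, m in group_members.items()}
    for group, missing in findings.items():
        for _vm, ip, _attachment in missing:
            patched[group]["ips"].add(ip)
    return patched


if __name__ == "__main__":
    findings = find_unrealized_members(SAMPLE_GROUP_MEMBERS, SAMPLE_VM_INVENTORY)
    for group, missing in findings.items():
        for vm, ip, attachment in missing:
            print(f"{group}: {vm} ({ip}) is a member but its IP is not realized; "
                  f"attached to {attachment}")
    flow = ("10.10.1.11", "10.10.2.21")
    print("before workaround:",
          classify_flow(*flow, SAMPLE_GROUP_MEMBERS, SAMPLE_ALLOW_RULES))
    patched = apply_manual_ip_workaround(SAMPLE_GROUP_MEMBERS, findings)
    print("after workaround: ",
          classify_flow(*flow, patched, SAMPLE_ALLOW_RULES))
```

Run as-is and the app-to-db flow is classified unprotected before the workaround, because the db-tier group has no realized IP, and protected once the missing addresses are added; in the findings, every unrealized member is attached to a DVPG, which is the attachment to check first.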
Activate Distributed Security (NSX) on DVPGs for the affected cluster.
Workaround: Add the IP addresses to the affected SSP groups manually.