Gateway Firewall (GFW) feature toggle does not work for config onboarded Tier-1s, after the Global Manager (GM) is upgraded to NSX 4.2.1 (or above)

Article ID: 435853


Updated On:

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

After Tier-1 gateways are imported from a Local Manager (LM) to the Global Manager (GM) on a version prior to 4.2.x, Gateway Firewall (GFW) stops working on those imported Tier-1 gateways once the GM is upgraded to 4.2.1 (or above). Symptoms include the GFW feature toggle in the NSX UI not taking effect for the affected Tier-1 gateways.

The following message for the affected Tier-1s can be seen in /var/log/proton/nsxapi.log on the LM:

2026-03-25T16:27:43.024Z  WARN providerTaskExecutor-1-58 GatewayFeatureToggleProviderNsxT 3080209 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error is handlePolicyChange to process security toggle for /global-infra/tier-1s/T1-Gateway-01_SiteA/security-config
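As an added example (not the attachment script referenced in this article), the following Python snippet scans nsxapi.log lines for the warning quoted above and lists each Tier-1 gateway whose security toggle failed to process, with hit count and first/last timestamp, so the affected gateways can be enumerated before opening the support case. The sample log lines are constructed; the Tier-1 name T1-Gateway-02_SiteB is made up.

```python
import re

# Pattern derived from the nsxapi.log warning quoted in the article. The Tier-1
# id is the path segment between "/global-infra/tier-1s/" and "/security-config".
TOGGLE_WARN_RE = re.compile(
    r"^(?P<ts>\S+)\s+WARN\s+.*GatewayFeatureToggleProviderNsxT.*"
    r"Error is handlePolicyChange to process security toggle for "
    r"(?P<path>/global-infra/tier-1s/(?P<t1>[^/\s]+)/security-config)"
)


def affected_tier1s(log_lines):
    """Return {tier1_id: {"count", "first", "last", "path"}} for every Tier-1
    whose security-config toggle failed to process in the given log lines.
    Timestamps are ISO-8601 strings, so min/max compare chronologically."""
    hits = {}
    for line in log_lines:
        m = TOGGLE_WARN_RE.search(line)
        if not m:
            continue  # unrelated log line
        t1, ts = m.group("t1"), m.group("ts")
        entry = hits.setdefault(
            t1, {"count": 0, "first": ts, "last": ts, "path": m.group("path")}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return hits


def report(log_lines):
    """One line per affected Tier-1, sorted by id, for pasting into a support case."""
    hits = affected_tier1s(log_lines)
    return [
        f"{t1}: {e['count']} hit(s), first {e['first']}, last {e['last']} ({e['path']})"
        for t1, e in sorted(hits.items())
    ]


# Constructed sample log: the article's line, a repeat for the same Tier-1,
# a second (made-up) Tier-1, and an unrelated INFO line that must be ignored.
SAMPLE_LOG = [
    '2026-03-25T16:27:43.024Z  WARN providerTaskExecutor-1-58 GatewayFeatureToggleProviderNsxT 3080209 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error is handlePolicyChange to process security toggle for /global-infra/tier-1s/T1-Gateway-01_SiteA/security-config',
    '2026-03-25T16:32:01.500Z  WARN providerTaskExecutor-1-60 GatewayFeatureToggleProviderNsxT 3080211 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error is handlePolicyChange to process security toggle for /global-infra/tier-1s/T1-Gateway-01_SiteA/security-config',
    '2026-03-25T16:33:10.010Z  WARN providerTaskExecutor-1-61 GatewayFeatureToggleProviderNsxT 3080212 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error is handlePolicyChange to process security toggle for /global-infra/tier-1s/T1-Gateway-02_SiteB/security-config',
    '2026-03-25T16:34:00.000Z  INFO providerTaskExecutor-1-62 GatewayFeatureToggleProviderNsxT 3080213 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Processed security toggle for /global-infra/tier-1s/T1-Gateway-03_SiteC/security-config',
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```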

Environment

NSX Federation environment in which one or more LMs were onboarded to the GM prior to the upgrade to 4.2.x, and the LM/GM were later upgraded to 4.2.1 (or above).

Cause

When a gateway is imported from an LM to a GM running a version earlier than 4.2.3 (< 4.2.3), it becomes a GM object, but its security-config lacks a Span object. Because 4.2.1 and later require Span objects for replication, the security-config is never pushed to the LM.

Resolution

The issue is addressed in vDefend Firewall / NSX 4.2.4 and all subsequent versions.

Workaround:

The issue can be worked around by creating the missing Span objects via a script. Please open a case with Broadcom Support to implement the workaround.

Attachments

create_missing_security_config_spans.py