DFW rules fail to apply to VMs

Article ID: 437808

Products

VMware NSX VMware vCenter Server 8.0 VMware vDefend Firewall

Issue/Introduction

  • You may find that Distributed Firewall (DFW) rules fail to apply to virtual machines (VMs) because the com.vmware.nsx.vdsSecurity.enabled flag incorrectly defaults to false instead of true for the Distributed Virtual Switch (DVS).
  • You can verify that the flag is disabled by running the following command on the ESXi host:
    • net-dvs -l | grep nsx.vdsSecurity.enabled
                     com.vmware.nsx.vdsSecurity.enabled = false , propType = CONFIG
  • DFW rules work temporarily and then stop functioning.
  • The vCenter Database (VCDB) contains an entry for the com.vmware.nsx.vdsSecurity.enabled flag set to false, which then syncs to the ESXi hosts.
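As an added audit helper (not part of this article), the following POSIX shell function classifies the com.vmware.nsx.vdsSecurity.enabled property in captured net-dvs -l output, so the check above can be run across many hosts and the result captured by a script. The sample outputs are constructed; only the property line format comes from the article.

```shell
#!/bin/sh
# Added audit helper (not from the KB article). It reads captured output of
# `net-dvs -l` and classifies the com.vmware.nsx.vdsSecurity.enabled property
# across every DVS on the host, so a fleet-wide check can flag hosts where the
# VCDB sync has pushed the value false and DFW rules will not be enforced.

# Usage: vds_security_state "<net-dvs -l output>"
# Prints one of: enabled, disabled, mixed, absent. Always exits 0 so callers
# can capture the word in a command substitution under `set -e`.
vds_security_state() {
    input="$1"
    # grep -c prints 0 on no match but exits 1; `|| true` keeps the count.
    true_count=$(printf '%s\n' "$input" \
        | grep -c 'com\.vmware\.nsx\.vdsSecurity\.enabled *= *true' || true)
    false_count=$(printf '%s\n' "$input" \
        | grep -c 'com\.vmware\.nsx\.vdsSecurity\.enabled *= *false' || true)
    if [ "$true_count" -gt 0 ] && [ "$false_count" -eq 0 ]; then
        echo enabled
    elif [ "$false_count" -gt 0 ] && [ "$true_count" -eq 0 ]; then
        echo disabled
    elif [ "$true_count" -gt 0 ]; then
        echo mixed      # more than one DVS on the host, and they disagree
    else
        echo absent     # property not present at all (host likely not NSX-prepared)
    fi
}

# Constructed samples using the property-line format shown in the article;
# the alias line is filler to show that unrelated properties are ignored.
AFFECTED_HOST='        com.vmware.common.alias = DSwitch , propType = CONFIG
        com.vmware.nsx.vdsSecurity.enabled = false , propType = CONFIG'
HEALTHY_HOST='        com.vmware.common.alias = DSwitch , propType = CONFIG
        com.vmware.nsx.vdsSecurity.enabled = true , propType = CONFIG'

# On a real ESXi host, replace the sample with: vds_security_state "$(net-dvs -l)"
printf 'affected host: %s\n' "$(vds_security_state "$AFFECTED_HOST")"
printf 'healthy host:  %s\n' "$(vds_security_state "$HEALTHY_HOST")"
```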

Environment

  • VMware vCenter Server versions prior to 8.0 Update 3i
  • VMware ESXi versions prior to 8.0.3 P08

Cause

This issue occurs because vCenter Server retrieves NSX properties during VPXA or host restarts. The resulting vCenter Database (VCDB) entries override other values during synchronization, so the incorrect security flag is pushed to the hosts and DFW enforcement is prevented.

Resolution

  • To prevent this issue, upgrade both vCenter Server and ESXi to the versions listed below (or higher).
    • Upgrade to vCenter Server 8.0 Update 3i (8.0.3.00800) or later.
    • Upgrade to ESXi 8.0.3 P08 (ESXi 8.0 Update 3i) or later.

PR 3665362

Additional Information

If the entries are already in the vCenter VCDB, refer to the following workaround article: