The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non-IP L2 traffic, or IP traffic that does not match the IP addresses known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and will not be steered to the VM-Series firewall. Therefore, to ensure that all traffic is correctly filtered, you need to perform the following steps:
Enable SpoofGuard to prevent unknown IP traffic that might otherwise bypass the VM-Series firewall.
When SpoofGuard is enabled, if the IP address of a virtual machine changes, traffic from the virtual machine will be blocked until you inspect and approve the change in IP address in the NSX SpoofGuard interface.
Configure the NSX firewall rules to block non-IP L2 traffic that cannot be steered to the VM-Series firewall.
vCenter uses VMware Tools to learn the IP address(es) of each guest. If VMware Tools is not installed on some of your guests, see Steer Traffic from Guests that are not Running VMware Tools.
Enable SpoofGuard and Block Non-IP L2 Traffic
Enable SpoofGuard for the port group(s) containing the guests. When enabled, for each network adapter, SpoofGuard inspects packets for the prescribed MAC and its corresponding IP address.
Select Networking and Security > SpoofGuard.
Click Add to create a new policy, and select the following options:
SpoofGuard: Enabled
Operation Mode: Automatically trust IP assignments on their first use.
Allow local address as valid address in this namespace.
Select Networks: Select the port groups to which the guests are connected.
Select the IP protocols to allow.
Select Networking and Security > Firewall > Ethernet.
Add a rule that allows ARP, IPv4 and IPv6 traffic.
Add a rule that blocks everything else.
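To see which frames the two Ethernet rules above let through and which they drop, the following added example (not part of the original documentation and not NSX code) models them in Python and evaluates constructed sample frames. The rule names, the top-down first-match table and the decision to look past 802.1Q/802.1ad tags are assumptions of this model; the EtherType values are the IEEE-assigned ones.

```python
import struct

# EtherTypes covered by the allow rule (IEEE-assigned values).
ALLOWED = {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags precede the real EtherType

# Hypothetical rule table mirroring the two Ethernet rules, evaluated top-down.
RULES = [
    ("allow-arp-ip", set(ALLOWED), "allow"),
    ("block-other-l2", None, "block"),  # None = match any frame
]

def ethertype(frame: bytes):
    """Return the effective EtherType, or None for 802.3 length/LLC frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (value,) = struct.unpack_from("!H", frame, offset)
    while value in VLAN_TAGS:  # skip stacked VLAN tags (model assumption)
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (value,) = struct.unpack_from("!H", frame, offset)
    return value if value >= 0x0600 else None  # below 0x0600 is a length field

def decide(frame: bytes):
    """First matching rule wins; returns (rule name, action)."""
    etype = ethertype(frame)
    for name, match, action in RULES:
        if match is None or etype in match:
            return name, action
    return "implicit", "block"

def make_frame(type_bytes: bytes) -> bytes:
    """Constructed sample frame: broadcast destination, locally administered source."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    return header + type_bytes + b"\x00" * 46

# Constructed samples, not captured traffic.
SAMPLES = {
    "arp": make_frame(b"\x08\x06"),
    "ipv4": make_frame(b"\x08\x00"),
    "ipv6_vlan": make_frame(b"\x81\x00\x00\x64\x86\xdd"),  # IPv6 in VLAN 100
    "lldp": make_frame(b"\x88\xcc"),
    "stp_llc": make_frame(b"\x00\x26\x42\x42\x03"),  # 802.3 length + LLC header
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:10s} -> {decide(frame)}")
```

In this model, LLDP and LLC-encapsulated frames such as spanning-tree BPDUs fall through to the block rule, which is the non-IP L2 traffic the procedure is meant to stop.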
