Is the Win7 guest where the source user is logging in? Checking the "ID as source" option enables the IDFW for RDSH host functionality, which only works on Windows Server 2012 and 2016 per the Identity Firewall Tested and Supported Configurations section of the admin guide. If that's the case and/or your source VM is not an RDSH host, just de-selecting the "Enable user identity as source" box for the FW rule section or moving it to a different section without that enabled should fix.
Thanks for responding. Yeah, I've already gone through the supported OS list, but this is very confusing, as other articles discussed how useful IDFW is with VDI, and if you go to the very bottom of that page you will find a list of the "supported Guest Introspection OS", which includes Windows 7.
I will try an RDSH with a Windows server, just to check that, but I'm not convinced.
I will get back to you.
To clarify, RDSH is not required for IDFW, however, when you select the "Enable User Identity at Source" option, the IDFW is expecting to need to translate users on the source to an AD group SID to map to their AD group rather than just observing the log on event and translating the user to an IP like you would in a normal VDI environment where there's only a single user logged into a VM.
Even if you uncheck the "Enable User Identity at Source" option you'll still be able to create IDFW policies based on AD groups which is definitely great in a VDI environment, it'll just cause the DFW to stop trying to map AD SIDs on the source host to the data plane instead of the associated IP.
Thanks for your support, but I'm still confused, and there's no clear documentation at all.
Anyway, I will try this again later.