VMware Networking Community
meoli1
Contributor

NSX Identity-based Firewall ignoring rules although Event Log Source is enabled and configured

Hey there,

So I've got an NSX 4.1 setup within my environment which is polling 2 Active Directory domain servers (Win2k19) which are also configured as Event Log Scrapers.

I've created a simple VLAN segment to leverage the DFW and placed a DFS server into that VLAN segment so that the DFW will be running in front of that VM, which will be my destination for the DFW tests.

Then I've created 2 groups within NSX and attached my DFS-Users and DFS-Admins AD groups to their respective NSX groups, enabled the Identity Firewall globally and within the clusters (where the DFS is running and where my test jumphost is running), and enabled Event Log Sources within Security --> General Settings.

Then I've created the following firewall rules, where the members of the DFS-Admins group should be able to do anything against the DFS servers (only IPs as a destination) and the DFS-Users are only allowed to use SMB to access the files hosted on those file servers.

At the end I've created a drop rule which should drop anything else:

[Screenshot: meoli1_0-1678927458620.png]

("in progress" because 1 ESXi host is currently offline, I guess)

But the Rule Hits statistics show a hit count of 0 and no traffic is going through. Or at least the DFS-Admins users aren't able to ping or access the file shares, although they should be able to use any service.

Meanwhile, my DFS-User is able to access the file share but isn't allowed to ping the server.

What I see is that my drop rule has many hits, and if I disable it, the traffic will work. Active User Sessions is empty, and even though the LDAP connection and Event Log Server tests are "ok", it seems like no AD group membership is checked?

[Screenshot: meoli1_1-1678927960897.png]

The VMs from where I test don't have Network Introspection installed (but Identity Firewall is enabled in the cluster), as I want to make sure that the Identity Firewall based off the Event Log is working. I've also disabled the Identity Firewall on those clusters, but now I'm stuck and don't know where else I can look to identify why the AD group membership rules for accessing my DFS servers aren't even looked at.

Any guesses from your side? I wouldn't want to exclude configuration errors, but so far I guess everything should be right. Also, it would be nice to know where I could find logs for the AD group membership, since the official documentation doesn't tell anything about that.

https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F15C4916-CEBF-47A0-A6A8-64428190B08D.h...

AD groups are used as a source, and since rules are processed from top to bottom, my drop rule is the last one.

Best regards & thanks.

meoli
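A small model of how a rule set like the one described in the post is evaluated, added here as an illustration (not NSX code): identity-based rules match the source by looking up the source IP in the session table that the Event Log scraper fills, so an empty Active User Sessions table means those rules can never match and all traffic falls through to the final drop rule. Group names, IPs and users are constructed.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src_groups: frozenset   # AD groups as source; empty = any source
    dst_ips: frozenset      # destination IPs; empty = any destination
    services: frozenset     # e.g. {"SMB"}; empty = any service
    action: str             # "ALLOW" or "DROP"
    hits: int = 0


# Constructed AD group membership (what LDAP polling would return).
GROUPS = {"DFS-Admins": {"alice"}, "DFS-Users": {"bob"}}
DFS_IP = "10.0.1.10"  # constructed DFS server address


def build_rules():
    """Rule order mirrors the post: admins any, users SMB, then drop."""
    return [
        Rule("DFS-Admins any", frozenset({"DFS-Admins"}), frozenset({DFS_IP}),
             frozenset(), "ALLOW"),
        Rule("DFS-Users SMB", frozenset({"DFS-Users"}), frozenset({DFS_IP}),
             frozenset({"SMB"}), "ALLOW"),
        Rule("drop-everything-else", frozenset(), frozenset(), frozenset(), "DROP"),
    ]


def evaluate(rules, sessions, src_ip, dst_ip, service):
    """First matching rule wins (top to bottom). sessions maps IP -> user,
    i.e. the Active User Sessions table built from logon events."""
    user = sessions.get(src_ip)  # None when no logon event was scraped
    for rule in rules:
        if rule.src_groups:
            # Identity rule: source IP must belong to a known user who is a
            # member of one of the groups; unknown user can never match.
            if user is None or not any(user in GROUPS.get(g, set())
                                       for g in rule.src_groups):
                continue
        if rule.dst_ips and dst_ip not in rule.dst_ips:
            continue
        if rule.services and service not in rule.services:
            continue
        rule.hits += 1
        return rule.action, rule.name
    return "NO-MATCH", None


def hit_counts(rules):
    return {r.name: r.hits for r in rules}
```

With `sessions={}` every flow lands on `drop-everything-else`, which is the hit pattern the post describes; once the scraper maps the jumphost IP to `alice`, the same ping matches `DFS-Admins any`.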
