wombatclov
Contributor

Storage vMotion Drops NSX-T Distributed Firewall

This is a complicated one and is leaving us scratching our heads.

Brand new NSX-T deployment. Brand new, fresh install of NSX-T 3.2, vCenter 7.latest, and ESXi 7.latest.

Installed NSX-T from the vCenter UI, chose the security model, and installed that on all the hosts. Everything clean, no mods.

I built up a fresh Linux VM, and the Distributed Firewall rules were working as expected. I compute motioned the VM around, and it was fine. However, when I storage motion the VM, it appears to completely drop any firewalling it had applied. Not only do packets get through when they should not, there is no more logging about firewalling that VM, nothing (so it is not a firewall rule position issue). As if NSX-T did not exist on that VM. If I move the VM back to the datastore it came from, I do not get the firewall back. It is still gone.

I replicated this several times. One more time I built another fresh VM, did the same things, and the same thing happened.

I also brought over an existing VM from the vCenter 6.7 environment. Again, it was fine, until I storage-motioned it off to another datastore.

Anyone seen this? Since we used the simplified "security only" install, NSX uses the VDSs from vCenter, and we have no customization in NSX in terms of transport profiles and uplinks.
