The documentation is not 100% clear for what you are trying to achieve.
The whole firewall config (all rules and all sections) has a ETag, however each section also has its own ETag.
By grabbing the ETag for all rules and sections, when you are trying to add the rule, you are also specifying the particular sectionId, and as the ETag you have specified, doesn't match the section ETag, it will fail (more than likely with a "412 Precondition Failed" message)
As you are trying to add a firewall rule to a firewall section, when you grab the ETag, rather than grab the ETag for ALL rules and sections, you actually need to query the specific firewall section you wish to add a rule to and grab the ETag from that particular section.
So to grab the ETag for section 1011, you need to run the following:
The NSX_62_API guide will be updated in a future release to make this clearer.
Adding to Dale's comment - Pages 303 & 30 of the NSX 6.2 API guide detail this process.
1. Get the firewall config to list the section ID's (will also link a section ID to section name)
GET https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config
2. Get the section in question
GET https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config/layer3sections/1123
3. ETag will be returned (item 5 below)
4. Add the If-Match header with the Etag
5. POST https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config/layer3sections/1123/rules
with the correct syntax in the body (example below)
<rule disabled="false" logged="false">
<name>Allow vRealize/RC Traffic</name>
<name>vRealize Operations - RC</name>
***Note - application-383, ipset-5, and ipset-6 are all custom values and may not apply to your environment.