There are several components to look into when troubleshooting Identity Firewall.

1. Make sure that the Active Directory server full/delta sync is working on the NSX Manager.
   1. In the vSphere Web Client, log in to the vCenter linked to the NSX Manager.
   2. Navigate to Home > Networking & Security > System > Users and Domains.
   3. Click the Domains tab, and select your NSX Manager from the drop-down menu.
   4. Select your domain from the list. Verify that the Last Synchronization Status column displays SUCCESS and the Last Synchronization Time is current.
2. If your firewall environment uses the event log scraping method of login detection, follow these steps to verify that you have configured an event log server for your domain:
   1. In the vSphere Web Client, log in to the vCenter linked to the NSX Manager.
   2. Navigate to Home > Networking & Security > System > Users and Domains.
   3. Click the Domains tab, and select your NSX Manager from the drop-down menu.
   4. Select your domain from the list. Here you can view and edit the detailed domain configuration.
   5. Select Event Log Servers from the domain details and verify that your Event Log Server is added.
   6. Select your Event Log Server, and verify that the Last Sync Status column displays SUCCESS and the Last Sync Time is current.
3. If your firewall environment uses Guest Introspection, the framework must be deployed to the compute clusters where your IDFW protected VMs will reside. The Service Health Status on the UI should be green. Guest Introspection diagnostic and logs information is found in the Troubleshooting Guest Introspection.
4. After verifying the correct configuration of your logon detection method, ensure that the NSX Manager is receiving logon events;
   1. Log in an Active Directory user.
   2. Run the following command to query for login events. Verify your user is returned in the results. GET https://<nsxmgr-ip>/1.0/identity/userIpMapping.

      Example output:
      <UserIpMappings>
          <UserIpMapping>
              <ip>50.1.111.192</ip>
              <userName>user1_group20</userName>
              <displayName>user1_group20</displayName>
              <domainName>cd.ad1.db.com</domainName>
              <startTime class="sql-timestamp">2017-05-11 22:30:51.0</startTime>
              <startType>EVENTLOG</startType>
              <lastSeenTime class="sql-timestamp">2017-05-11 22:30:52.0</lastSeenTime>
              <lastSeenType>EVENTLOG</lastSeenType>
          </UserIpMapping>
      </UserIpMappings>

5. Verify that your security group is used in a firewall rule, or has an assigned security policy. Security group processing in IDFW will not take place unless one of these conditions is true.
6. After verifying that IDFW is detecting logons correctly, verify that the ESXi host where your desktop VM resides is receiving the correct configuration. These steps will use the NSX Manager central CLI. To check the desktop VM IP address populated in the ip-securitygroup list:
   1. See CLI Commands for DFW to retrieve the filter name applied on the desktop VM.
   2. Run the show dfw host hostID filter filterID rules command to view the locate DFW rules items.
   3. Run the show dfw host hostID filter filterID addrsets command to view the IP address populated in the ip-securitygroup list. Verify that your IP is displayed in the list.