You can create custom network and security objects to use in Distributed Firewall rules in the universal section.
Universal IP Sets
Universal MAC Sets
Universal Security Groups
Universal Service Groups
Universal network and security objects can be created only from the primary NSX Manager.
Universal security groups can contain only universal IP sets, universal MAC sets, and universal security groups. Membership is defined by included objects only, you cannot use dynamic membership or excluded objects.
Universal security groups cannot be created from Service Composer. Security groups created from Service Composer will be local to that NSX Manager.