How DFW rules are enforced:
DFW rules are enforced in top-to-bottom ordering. Each packet is checked against the top rule in the rule table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced Because of this behavior, when writing DFW rules, it is always recommended to put the most granular policies at the top of the rule table. This is the best way to ensure they will be enforced before any other rule.
Double click on the NSX plugin and select Firewall on the left side. Click on the Green Plus Sign to add a rule. Rules need a name, a service/s to accept or reject, a source and a destination. In this case, the rule is called "Reject Ping"
Next, select the source. The source could be a cluster, a vm, a vnic, etc.
Select the destination. In this case another vm is selected.
Select the service to allow, block or reject.
Select the action and direction. In this case, Reject and both in/out were selected.
Once finished populating all the fields, don't forget to Publish the changes.
Test the rule. Notice the ping from this vm is simply rejected by the firewall.