The distributed firewall rules are implemented to secure workload groups in the SDDC environment. A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined firewall rules.

The source of the rule is a single or multiple workload groups. The source matches to the default any if not defined. The destination of the rule is a single or multiple workloads. The destination matches to the default any if not defined.


For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the rules table, beginning at the top and proceeding to the rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.

The default firewall rules apply to traffic that does not match any of the user-defined firewall rules. The default firewall rules allow all L3 and L2 traffic to pass through all prepared clusters in your infrastructure. The default Layer 3 firewall rule applies to all traffic, including DHCP. If you change the Action to Drop or Reject, DHCP traffic is blocked. You must create a rule to allow DHCP traffic.


Verify that multiple security groups and services are configured. See Add a Security Group and Add a Custom Service.


  1. Log in to the VMC Console at
  2. Select Networking & Security > Distributed Firewall.
  3. Select a rule from the right-hand column and click Add New Section.
  4. Enter a rule section name.



    Emergency Rules

    Applies to temporary rules needed in emergency situations.

    For example, block traffic to a Web server due to malicious content.

    Infrastructure Rules

    Applies to infrastructure rules only.

    Such as, ESXi, vCenter Server or connectivity to on-premise data center.

    Environement Rules

    Applies to broad groups.

    Such as, setting rules so that the production environment cannot reach the test enviroment.

    Application Rules

    Applies to specific application rules.

    Default Rules

    The default rules allows all traffic.

  5. Click Publish.
  6. Select the newly created section and click Add New Rule.
  7. Enter a rule name.
  8. Select an existing source workload group.
  9. Select an existing destination group.
  10. Assign one or more predefined services or the default Any service to the rule.
  11. Select one of the actions from the drop-down menu.




    Allows all L3 or L2 traffic with the specified source, destination, and protocol to pass through the current firewall context.

    Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.


    Drops packets with the specified source, destination, and protocol.

    Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.


    Rejects packets with the specified source, destination, and protocol.

    Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.

  12. Select Logging to enable packet logging for this firewall rule.

    If enabled, the packet logs are forwarded to the Log Intelligence service. To access the logs, visit the Log Intelligence service console.

  13. Click Publish.