Distributed firewall rules apply at the VM level and control East-West traffic within the SDDC.

All traffic attempting to pass through the distributed firewall is subjected to the rules in the order shown in the rules table, beginning at the top. A packet allowed by the first rule is passed on to the second rule, and so on through subsequent rules until the packet is dropped, rejected, or hits the default rule, which allows all traffic.

Distributed firewall rules are grouped into policies. Policies are organized by category. Each category has an evaluation precedence. Rules in a category that has a higher precedence are evaluated before rules in category that has a lower precedence.
Table 1. Distributed Firewall Rule Categories
Category Evaluation Precedence Category Name Description
1 Ethernet Applied to all level 2 SDDC network traffic
2 Emergency Used for quarantine and allow rules
3 Infrastructure Define access to shared services. Global rules, AD, DNS, NTP, DHCP, backup, management servers.
4 Environment Rules between security zones such as production zones, development zones, or zones dedicated to specific business purposes.
5 Application Rules between applications, application tiers, or microservices
See Security Terminology in the NSX-T Data Center Administration Guide for more information about Distributed Firewall terminology.


Distributed firewall rules require inventory groups as sources and destinations and must be applied to a service, which can be a predefined service or a custom service that you define for your SDDC. You can create these groups and services while you are creating a rule, but it can speed up the process if you take care of some of this beforehand. See Add or Modify a Compute Group and Add a Custom Service.


  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Select Networking & Security > Distributed Firewall.
    Click CATEGORY SPECIFIC RULES and select a category to view and modify policies and rules in that category, or click ALL RULES to view (but not modify) rules in all policies and categories.
  3. (Optional) Change the default connectivity strategy.
    By default, the Distributed Firewall includes an implicit Allow rule for all traffic. This rule, which does not appear in any list of rules, is evaluated after all other rules, and allows traffic that doesn't match a preceding rule to pass through the firewall. Click the connectivity strategy icon ( ) to see a list of available strategies. To change the current strategy, select a different one and click SAVE. See Select a Default Connectivity Strategy in the NSX-T Data Center Administration Guide for more information about available connectivity strategies.
  4. To add a policy at the top of the list, click ADD POLICY and give the new policy a Name.

    To add a policy before or after an existing policy, click the vertical ellipsis button at the beginning of the policy row to open the policy settings menu, then click Add Policy Above or Add Policy Below.

    By default a new policy applies to the distributed firewall (DFW), but you can specify one or more inventory groups for it to apply to instead. The policy's APPLIED TO value is propagated to all the rules in the policy.

  5. To add a rule, select a policy, click ADD NEW RULE, and give the rule a Name.
  6. Enter the parameters for the new rule.
    Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon ( ) to open a parameter-specific editor.
    Option Description
    Sources Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Destinations Click Any in the Destinations column and select an inventory group for destination network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Services Click Any in the Services column and select a service from the list. Click SAVE.
    Applied To The rule inherits its APPLIED TO value from the containing policy.
    • Select Allow to allow all L2 and L3 traffic to pass through the firewall.
    • Select Drop to drop packets that match any specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject packets that match any specified Sources, Destinations, and Services. This action returns a "destination unreachable message" to the sender. For TCP packets, the response includes a TCP RST message. For UDP, ICMP and other protocols, the response includes an "administratively prohibited" code (9 or 10). The sender is notified immediately (without any re-tries) when connection cannot be established.
    The new rule is enabled by default. Slide the toggle to the left to disable it.
  7. (Optional) Configure advanced settings.
    To change the directionality or logging behavior of the rule, click the gear icon to open the Settings page.
    By default, this value is In/Out, forcing the rule to apply to traffic to and from the destination object. You can also choose In to specify that only traffic to the object is checked, or Out to specify that only traffic from the object is checked. Note that changing this value can cause asymmetric routing and other traffic anomalies, so be sure you understand the likely outcome for all sources and destinations before you make the change.
    Logging for a new rule is disabled by default. Slide the toggle to the right to enable logging of rule actions.
  8. Click PUBLISH to create the rule.

What to do next

You can take any or all of these optional actions with an existing firewall rule.

  • Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMwarevRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.

  • Click the graph icon to view statistics for the rule, including:
    Popularity Index
    Number of times the rule was triggered in the past 24 hours.
    Hit Count
    Number of times the rule was triggered since it was created.
    Statistics start accumulating as soon as the rule is enabled.
  • Reorder firewall rules.

    A rule created from the ADD NEW RULE button is placed at the top of the list of rules in the policy. Firewall rules in each policy are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.