Identity Firewall (IDFW) allows user-based distributed firewall (DFW) rules.

User-based distributed firewall (DFW) rules are determined by Active Directory (AD) group membership. IDFW monitors where Active Directory users log in and maps each login to an IP address, which DFW then uses to apply firewall rules. Identity Firewall requires the Guest Introspection framework, Active Directory event log scraping, or both.
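To make the login-to-IP mapping concrete, here is an added example (not code from the NSX documentation or product) that simulates what IDFW does with logon detection events: it keeps a user-to-IP table from constructed logon/logoff events and resolves, for a given source IP, which user-based rules apply through AD group membership. The event tuple layout, group names and rule names are assumptions made for this example.

```python
from typing import Dict, List, Set

# Constructed sample data (not from the NSX documentation). The event field
# layout is an assumption for this example.
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users", "Engineering"},
}
# Logon detection events as (event_id, user, ip). 4624 is the Windows
# "successful logon" event ID and 4634 is "logoff".
EVENTS = [
    ("4624", "alice", "10.0.1.20"),
    ("4624", "bob", "10.0.1.21"),
    ("4624", "alice", "10.0.1.30"),  # alice also logs in on a second desktop
    ("4634", "bob", "10.0.1.21"),    # bob logs off: his IP no longer matches
]
# User-based DFW rules as (rule name, AD group the rule is scoped to).
RULES = [("finance-to-erp", "Finance"), ("engineering-to-erp", "Engineering")]


class IdentityTable:
    """Tracks user -> set of IPs where that user is currently logged in."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Set[str]] = {}

    def apply(self, event_id: str, user: str, ip: str) -> None:
        if event_id == "4624":
            self.sessions.setdefault(user, set()).add(ip)
        elif event_id == "4634":
            # Logoff removes only that IP; the user's other sessions stay.
            self.sessions.get(user, set()).discard(ip)

    def users_at(self, ip: str) -> Set[str]:
        return {u for u, ips in self.sessions.items() if ip in ips}


def build_table(events=EVENTS) -> IdentityTable:
    table = IdentityTable()
    for event_id, user, ip in events:
        table.apply(event_id, user, ip)
    return table


def effective_rules(table: IdentityTable, src_ip: str) -> List[str]:
    # Rule names DFW would evaluate for traffic from src_ip. An IP with no
    # logged-in user matches no identity-based rule at all.
    groups: Set[str] = set()
    for user in table.users_at(src_ip):
        groups |= AD_GROUPS.get(user, set())
    return [name for name, group in RULES if group in groups]
```

Note that an IP that no longer maps to any logged-in user (bob's desktop after logoff) falls out of every identity-based rule, which is why logoff detection matters as much as logon detection.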
  1. Configure Active Directory Sync in NSX, see Synchronize a Windows Domain with Active Directory. This is required to use Active Directory groups in Service Composer.
  2. Prepare the ESXi cluster for DFW. See Prepare the Host Cluster for NSX in the NSX Installation Guide.
  3. Configure Identity Firewall logon detection options. Note that you must configure one or both of these options: