Identity Firewall (IDFW) allows user-based distributed firewall (DFW) rules.

User-based distributed firewall rules are determined by membership in an Active Directory (AD) group. IDFW monitors where Active Directory users are logged in and maps each login to an IP address, which DFW uses to apply firewall rules. Identity Firewall requires either the Guest Introspection framework or Active Directory event log scraping.

  1. Configure Active Directory Sync in NSX, see Synchronize a Windows Domain with Active Directory. This is required to use Active Directory groups in Service Composer.
  2. Prepare the ESXi cluster for DFW. See Prepare the Host Cluster for NSX in the NSX Installation Guide.
  3. Configure Identity Firewall logon detection options. One or both of these options must be configured.
    Note: If you have a multi-domain AD architecture and the log scraper isn't accessible due to security constraints, use Guest Introspection to generate login and logout events.
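The following added example (constructed here, not NSX code) models the user-to-IP mapping IDFW derives from login and logout events and shows how a DFW rule keyed on an AD group resolves to IP addresses; the group membership, users, IPs and event stream are all assumed sample data.

```python
# Toy model of the IDFW user-to-IP mapping described above (constructed
# example, not NSX code). Login/logout events, as Guest Introspection or
# AD log scraping would report them, build a per-IP identity map that a
# DFW rule keyed on an AD group is resolved against.
from dataclasses import dataclass, field

# Constructed AD group membership (assumed group -> users mapping).
AD_GROUPS = {"Finance": {"alice", "bob"}, "HR": {"carol"}}


@dataclass
class IdentityMap:
    ip_to_user: dict = field(default_factory=dict)  # IP -> attributed user

    def apply_event(self, kind: str, user: str, ip: str) -> None:
        """Process one login/logout event for (user, ip)."""
        if kind == "login":
            # DFW enforces per IP, so the most recent login at an
            # address replaces any earlier attribution.
            self.ip_to_user[ip] = user
        elif kind == "logout":
            # Clear only if this user still owns the IP, so a late
            # logout cannot strip a newer user's mapping.
            if self.ip_to_user.get(ip) == user:
                del self.ip_to_user[ip]
        else:
            raise ValueError(f"unknown event kind: {kind}")

    def ips_for_group(self, group: str) -> set:
        """IPs that a DFW rule scoped to this AD group matches right now."""
        members = AD_GROUPS.get(group, set())
        return {ip for ip, u in self.ip_to_user.items() if u in members}


def resolve(events, group: str) -> set:
    """Replay an event stream, then resolve one AD group to its IP set."""
    m = IdentityMap()
    for kind, user, ip in events:
        m.apply_event(kind, user, ip)
    return m.ips_for_group(group)


# Constructed event stream: (kind, user, IP).
EVENTS = [
    ("login", "alice", "10.0.0.5"),
    ("login", "carol", "10.0.0.7"),
    ("logout", "alice", "10.0.0.5"),
    ("login", "bob", "10.0.0.5"),     # same IP, different user
    ("logout", "alice", "10.0.0.5"),  # late duplicate logout, ignored
]
```

Because enforcement is per IP, whichever user most recently logged in at an address is the one whose group rules apply there, which is why timely logout events from Guest Introspection or the log scraper matter.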