Application and protocol identity enables visibility across a large number of applications and enforcement based on application tiers such as Active Directory, DNS, HTTPS or MySQL.

Layer 7 application identification identifies which application a particular packet or flow is generated by, independent of the port that is being used.

Enforcement based on application identity enables users to allow or deny applications to run on any port, or to force applications to run on their standard port. Deep Packet Inspection (DPI) enables matching packet payload against defined patterns, commonly referred to as signatures. Layer 7 service objects can be used for port-independent enforcement or to create new service objects that leverage a combination of Layer 7 application identity, protocol and port. Layer 7 based service objects can be used in the firewall rule table and Service Composer, and application identification information is captured in Distributed Firewall logs, and Flow Monitoring and Application Rule Manager (ARM) when profiling an application.


  1. In the vSphere Web Client, click Networking & Security > Groups and Tags.
  2. Create service and specify Layer 7, App ID, protocol, and port. For port independent enforcement, this step can be skipped. SeeApplication ID GUIDs and Create a Service for more details.
  3. Create a new distributed firewall rule. In the service field, select the Layer 7 service you created in step 2. For port independent enforcement, select an App ID, see Application ID GUIDs. See Add a Firewall Rule for details.
  4. Save and publish the firewall rule.