Distributed firewall monitors all the East-West traffic on your virtual machines.


Guest VMs to be DFW-protected must have their vNIC connected to an N-VDS logical switch associated with a transport zone.

If you are creating rules for Identity Firewall, first create a group with Active Directory members. To view supported protocols for IDFW, see Identity Firewall Supported Configurations.
Note: For Identity Firewall rule enforcement, the Windows Time service should be on for all VMs using Active Directory. This ensures that the date and time are synchronized between Active Directory and the VMs. AD group membership changes, including enabling and deleting users, do not immediately take effect for logged-in users. For changes to take effect, users must log out and then log back in. AD administrators should force a logout when group membership is modified. This behavior is a limitation of Active Directory.

Note that if you are using a combination of Layer 7 and ICMP, or any other protocols, you need to put the Layer 7 firewall rules last. Any rules above a Layer 7 any/any rule will not be executed.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Security > Distributed Firewall from the navigation panel.
  3. Ensure that you are in the correct pre-defined category, and click Add Policy. For more about categories, see Distributed Firewall.
  4. Enter a Name for the new policy section.
  5. (Optional) To configure the following policy settings, click the gear icon:
    | Option | Description |
    |---|---|
    | TCP Strict | A TCP connection begins with a three-way handshake (SYN, SYN-ACK, ACK) and typically ends with a two-way exchange (FIN, ACK). In certain circumstances, the distributed firewall (DFW) might not see the three-way handshake for a particular flow (due to asymmetric traffic or the distributed firewall being enabled while a flow exists). By default, the distributed firewall does not enforce the need to see a three-way handshake, and picks up sessions that are already established. TCP strict can be enabled on a per section basis to turn off mid-session pick-up and enforce the requirement for a three-way handshake. When enabling TCP strict mode for a particular DFW policy, and using a default ANY-ANY Block rule, packets that do not complete the three-way handshake connection requirements and that match a TCP-based rule in this section are dropped. Strict is only applied to stateful TCP rules, and is enabled at the distributed firewall policy level. TCP strict is not enforced for packets that match a default ANY-ANY Allow which has no TCP service specified. |
    | Stateful | A stateful firewall monitors the state of active connections and uses this information to determine which packets to allow through the firewall. |
    | Locked | The policy can be locked to prevent multiple users from editing the same sections. When locking a section, you must include a comment. Some roles such as enterprise administrator have full access credentials, and cannot be locked out. See Role-Based Access Control. |

  6. Click Publish. Multiple policies can be added, and then published together at one time.
    The new policy is shown on the screen.
  7. Select a policy section and click Add Rule, and enter a rule name.
  8. In the Sources column, click the edit icon and select the source of the rule. Groups with Active Directory members can be used for the source text box of an IDFW rule. See Add a Group for more information.
    IPv4, IPv6, and multicast addresses are supported.
  9. In the Destinations column, click the edit icon and select the destination of the rule. If not defined, the destination matches any. See Add a Group for more information.
    IPv4, IPv6, and multicast addresses are supported.
  10. In the Services column, click the edit icon and select services. The service matches Any if not defined.
  11. The Profiles column is not available when adding a rule to the Ethernet category. For all other rule categories, in the Profiles column, click the edit icon and select a context profile, or click Add New Context Profile. See Add a Context Profile.
    Context profiles use Layer 7 App ID attributes for use in distributed firewall rules and gateway firewall rules. Multiple App ID context profiles can be used in a firewall rule with services set to Any. For ALG profiles (FTP or TFTP), one context profile is supported per rule.
    Context profiles are not supported when creating IDS rules.
  12. Click Apply to apply the context profile to the rule.
  13. By default, the Applied To column is set to DFW, and the rule is applied to all workloads. You can also apply the rule or policy to selected groups. Applied To defines the scope of enforcement per rule, and is used mainly for optimization of resources on ESXi and KVM hosts. It helps in defining a targeted policy for specific zones and tenants, without interfering with other policies defined for other tenants and zones.

    Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied To text box.

  14. In the Action column, select an action.
    | Option | Description |
    |---|---|
    | Allow | Allows all L3 or L2 traffic with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. |
    | Drop | Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached. |
    | Reject | Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established. |
  15. Click the status toggle button to enable or disable the rule.
  16. Click the gear icon to configure the following rule options:
    | Option | Description |
    |---|---|
    | Logging | Logging is turned off by default. Logs are stored in the /var/log/dfwpktlogs.log file on ESXi and KVM hosts. |
    | Direction | Refers to the direction of traffic from the point of view of the destination object. IN means that only traffic to the object is checked, OUT means that only traffic from the object is checked, and In-Out means that traffic in both directions is checked. |
    | IP Protocol | Enforce the rule based on IPv4, IPv6, or both IPv4-IPv6. |
    | Log Label | Log Label is carried in the Firewall Log when logging is enabled. |

  17. Click Publish. Multiple rules can be added and then published together at one time.
  18. The data path realization status of the policy, with Transport Nodes details, is shown on the right side of the policy table.
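
The constraints stated in the notes and option tables above (Layer 7 rules last, TCP strict only on stateful policies, a comment when locking, logging off by default) can be checked before publishing. The following is an added example, not VMware code: it lints a policy body offline. Field names follow the NSX Policy API SecurityPolicy and Rule objects as understood here, which is an assumption, and the object paths and sample policy are constructed.

```python
# Added example: offline pre-publish lint for a DFW policy body.
# Field names follow the NSX Policy API SecurityPolicy/Rule objects as
# understood here (assumption); paths and the sample policy are constructed.
ANY = ["ANY"]

def is_l7(rule):
    """A rule is treated as Layer 7 when it references a context profile."""
    return rule.get("profiles", ANY) != ANY

def lint_policy(policy):
    """Return findings for the constraints stated in the procedure."""
    findings = []
    if policy.get("tcp_strict") and not policy.get("stateful", True):
        findings.append("policy: TCP strict only applies to stateful TCP rules")
    if policy.get("locked") and not (policy.get("comments") or "").strip():
        findings.append("policy: locking requires a comment")
    first_l7 = None
    for rule in sorted(policy.get("rules", []), key=lambda r: r["sequence_number"]):
        name = rule["display_name"]
        if is_l7(rule):
            first_l7 = first_l7 or name
        elif first_l7:
            findings.append(f"{name}: placed after Layer 7 rule '{first_l7}'; "
                            "Layer 7 rules must come last")
        if rule.get("action") not in ("ALLOW", "DROP", "REJECT"):
            findings.append(f"{name}: unknown action {rule.get('action')!r}")
        if rule.get("tag") and not rule.get("logged", False):
            findings.append(f"{name}: log label set but logging is off")
    return findings

SAMPLE_POLICY = {  # constructed sample
    "display_name": "web-tier", "category": "Application",
    "stateful": True, "tcp_strict": True, "locked": True, "comments": "",
    "rules": [
        {"display_name": "allow-tls", "sequence_number": 10, "action": "ALLOW",
         "services": ANY, "profiles": ["/infra/context-profiles/example-tls"],
         "direction": "IN_OUT", "ip_protocol": "IPV4_IPV6", "logged": True},
        {"display_name": "allow-icmp", "sequence_number": 20, "action": "ALLOW",
         "services": ["/infra/services/example-icmp"], "profiles": ANY,
         "direction": "IN", "ip_protocol": "IPV4", "tag": "icmp-in"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The sample policy yields three findings: the missing lock comment, the ICMP rule ordered after the Layer 7 rule, and a log label on a rule whose logging is still off.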