The distributed firewall (DFW) monitors all East-West traffic between your virtual machines.
Prerequisites
Guest VMs to be DFW-protected must have their vNIC connected to an N-VDS logical switch associated with a transport zone.
If you are creating rules for Identity Firewall, first create a group with Active Directory members. To view the supported protocols for IDFW, see Identity Firewall Supported Configurations.
Note: For Identity Firewall rule enforcement, the Windows Time service must be running on all VMs that use Active Directory, so that the date and time are synchronized between Active Directory and the VMs. AD group membership changes, including enabling and deleting users, do not take effect immediately for logged-in users. For a change to take effect, the user must log out and log back in, so AD administrators should force a logout whenever group membership is modified. This behavior is a limitation of Active Directory, not of the firewall.
Note that if you combine Layer 7 rules with ICMP or any other protocol rules, you must place the Layer 7 rules last. Rules are evaluated top-down and the first match wins, so a Layer 7 rule with source any and destination any captures every flow; any rules placed after such an any/any rule are never evaluated.
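The following is an added example, not code from the NSX documentation, that models the ordering problem above and gives a check for it. It uses a simplified model of the DFW: rules are selected top-down on source, destination and service, and a Layer 7 rule's App-ID is only applied to a flow after that rule has already been selected, so later rules are never consulted for that flow. The group names ("web-servers", "admins", "monitoring") and service names are assumed for illustration.

```python
"""Top-down, first-match evaluation of an ordered DFW-style rule list, plus a
check that flags rules that can never be reached because an earlier rule
already covers every flow they could match (simplified model, added example)."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    source: str        # security group the source VM belongs to
    destination: str   # security group the destination VM belongs to
    service: str       # L3/L4 service, e.g. "ICMPv4" or "SSH"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # security group name, or ANY
    destination: str   # security group name, or ANY
    service: str       # L3/L4 service name, or ANY
    action: str        # "ALLOW" or "DROP"
    app_id: Optional[str] = None  # Layer 7 App-ID (context profile); None for L3/L4 rules

    def matches(self, flow: Flow) -> bool:
        """Selection happens on the L3/L4 fields only. For a Layer 7 rule the
        App-ID is checked after selection, so it does not change which rule is picked."""
        return (self._covers(self.source, flow.source)
                and self._covers(self.destination, flow.destination)
                and self._covers(self.service, flow.service))

    def covers(self, other: "Rule") -> bool:
        """True if every flow that can match `other` would already match `self`."""
        return (self._covers(self.source, other.source)
                and self._covers(self.destination, other.destination)
                and self._covers(self.service, other.service))

    @staticmethod
    def _covers(pattern: str, value: str) -> bool:
        return pattern == ANY or pattern == value


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule (top-down) that matches the flow, or None."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def unreachable_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be hit: anything after an any/any rule,
    and more generally any rule fully covered by an earlier rule."""
    shadowed = []
    for index, rule in enumerate(rules):
        if any(earlier.covers(rule) for earlier in rules[:index]):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample rules. The Layer 7 rule is any/any on L3/L4 and restricts
# only by App-ID, which is exactly the rule the note says must go last.
L7_HTTP = Rule("allow-http-l7", ANY, ANY, ANY, "ALLOW", app_id="HTTP")
BLOCK_ICMP = Rule("block-icmp-to-web", ANY, "web-servers", "ICMPv4", "DROP")
ALLOW_SSH = Rule("allow-ssh-from-admins", "admins", "web-servers", "SSH", "ALLOW")

WRONG_ORDER = [L7_HTTP, BLOCK_ICMP, ALLOW_SSH]   # L7 any/any first: shadows the rest
RIGHT_ORDER = [BLOCK_ICMP, ALLOW_SSH, L7_HTTP]   # L7 any/any last

PING_TO_WEB = Flow("monitoring", "web-servers", "ICMPv4")  # constructed flow

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        hit = first_match(rules, PING_TO_WEB)
        print(f"{label}: ping hits {hit.name!r}; unreachable = {unreachable_rules(rules)}")
```

Run as a script, the wrong ordering sends the ping to the Layer 7 any/any rule and reports both L3/L4 rules as unreachable; the corrected ordering hits the ICMP drop rule and reports nothing unreachable. The `covers` check is deliberately conservative: it only flags a rule when an earlier rule's fields are each either any or identical, so it never reports a false positive under this model, but it will not catch overlaps expressed through nested group membership.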