Security groups based on dynamic or logical objects can be created and used in the Applied to text box of distributed firewall rules.

Because address sets are dynamically populated based on virtual machine name or tags, and must be updated on each filter, they can exhaust the available amount of heap memory on hosts to store DFW rules and IP address sets.

In NSX-T Data Center version 2.5 and later, a feature called Global or Shared Address Sets, makes address sets shared across all the filters. While each filter can have different rules, based on Applied To, the address sets members are constant across all the filters. This feature is enabled by default, reducing heap memory use. It cannot be disabled.

In NSX-T Data Center version 2.4 and earlier, Global or Shared Address Sets is disabled, and environments with heavy distributed firewall rules might experience VSIP heap exhaustion.