IDFW enhances traditional firewall by allowing firewall rules based on user identity. For example, administrators can allow or disallow customer support staff to access an HR database with a single firewall policy.

Identity based firewall rules are determined by membership in an Active Directory (AD) group membership. See Identity Firewall Supported Configurations.

Note: SMB protocol is not supported with Identity firewall rules. CIFS/SMB traffic cannot be filtered based on IDFW rules. This traffic should be secured using distributed firewall rules.

IDFW processes the user identity at the source only in distributed firewall rules. Identity-based groups cannot be used as the destination in DFW rules.

Note: For Identity Firewall rule enforcement, Windows Time service should be on for all VMs using Active Directory. This ensures that the date and time is synchronized between Active Directory and VMs. AD group membership changes, including enabling and deleting users, do not immediately take effect for logged in users. For changes to take effect, users must log out and then log back in. AD administrator's should force a logout when group membership is modified. This behavior is a limitation of Active Directory.


If Windows auto-logon is enabled on VMs, go to Local Computer Policy > Computer configuration > Administrative Templates > System > Logon and enable Always wait for the network at computer startup and logon.

For supprted IDFW configurations see Identity Firewall Supported Configurations.


  1. Enable NSX File Introspection driver and NSX Network Introspection driver. VMware Tools full installation adds these by default.
  2. Enable IDFW on cluster or standalone host: Enable Identity Firewall.
  3. Configure Active Directory domain: Add an Active Directory.
  4. Configure Active Directory sync operations: Synchronize Active Directory.
  5. Create security groups (SG) with Active Directory group members: Add a Group.
  6. Assign SG with AD group members to a distributed firewall rule: Add a Distributed Firewall.