Layer 7 App Ids are used in creating context profiles, which are used in distributed firewall rules or gateway firewall rules. Rule enforcement based on attributes enables users to allow or deny applications to run on any port.

NSX-T provides built in App IDs for common infrastructure and enterprise applications. App Ids include versions (SSL/TLS and CIFS/SMB) and Cipher Suite (SSL/TLS). For distributed firewall, App Ids are used in rules through context profiles, and can be combined with FQDN allowlisting and denylisting. App Ids are supported on ESXi and KVM hosts.

  • Gateway firewall rules do not support the use of FQDN attributes or other sub attributes in context profiles.
  • Context profiles are not supported on tier-0 gateway firewall policy.
Supported App IDs and FQDNs:
  • For FQDN, users need to configure a high priority rule with a DNS App ID for the specified DNS servers on port 53.
  • ALG App IDs (FTP, ORACLE, DCERPC, TFTP), require the corresponding ALG service for the firewall rule.
  • SYSLOG App ID is detected only on standard ports.
KVM Supported App IDs and FQDNs:
  • Sub attributes are not supported on KVM.
  • FTP and TFTP ALG App IDs are supported on KVM.

Note that if you are using a combination of Layer 7 and ICMP, or any other protocols you need to put the Layer 7 firewall rules last. Any rules after a Layer 7 any/any rule will not be executed.


  1. Create a custom context profile: Profiles.
  2. Use the context profile in a distributed firewall rule, or a gateway firewall rule: Add a Distributed Firewall or Add a Gateway Firewall Policy and Rule.
    Multiple App ID context profiles can be used in a firewall rule with services set to Any. For ALG profiles (FTP, ORACLE, DCERPC, TFTP), one context profile is supported per rule.