NSX-T Data Center allows you to install Distributed Security for vSphere Distributed Switch (VDS) without the need to deploy an NSX Virtual Distributed Switch (N-VDS). This ensures that DFW capabilities work on a VM whether it is managed by an NSX host switch or not.

Distributed Security provides security-related functionality to your VDS such as:

  • Distributed Firewall (DFW)
  • Distributed IDS/IPS
  • Identity Firewall
  • L7 App ID
  • Fully Qualified Domain Name (FQDN) Filtering
  • NSX Intelligence
  • NSX Malware Prevention
  • NSX Guest Introspection


The following are the requirements for installing Distributed Security for VDS:
  • vSphere 6.7 or later.
  • The vSphere cluster should have at least one VDS with distributed switch version 6.6 or later configured.
  • The vSphere cluster should not have N-VDS deployed.
  • A compute manager must be registered in NSX-T. See Add a Compute Manager.
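A pre-flight check for the first three requirements, as an added PowerCLI example that is not part of the VMware documentation. It assumes VMware PowerCLI is loaded and `Connect-VIServer` has already been run against the vCenter that is registered as the compute manager; the function name and `Cluster-01` are hypothetical, "vSphere 6.7" is checked as the ESXi version of each host, and an N-VDS is assumed to show up as an opaque switch in the host network configuration. Compute manager registration is not checked here.

```powershell
# Added example, not VMware's own code. Requires VMware PowerCLI and an
# existing Connect-VIServer session to the vCenter managing the cluster.
function Test-DistributedSecurityPrereq {
    param([Parameter(Mandatory)][string]$ClusterName)

    $cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
    $vmHosts = @(Get-VMHost -Location $cluster)
    if ($vmHosts.Count -eq 0) { throw "Cluster '$ClusterName' has no hosts." }

    # Requirement: vSphere 6.7 or later (assumption: checked as ESXi host version).
    # Casting to [version] avoids string-compare mistakes such as '6.10' -lt '6.7'.
    $oldHosts = @($vmHosts | Where-Object { [version]$_.Version -lt [version]'6.7' })

    # Requirement: at least one VDS with distributed switch version 6.6 or later.
    $vds     = @(Get-VDSwitch -VMHost $vmHosts)
    $goodVds = @($vds | Where-Object { [version]$_.Version -ge [version]'6.6' })

    # Requirement: no N-VDS deployed. Assumption: an N-VDS is reported by the
    # host as an opaque switch; a null or empty value means none is present.
    $nvdsHosts = @($vmHosts | Where-Object {
        $_.ExtensionData.Config.Network.OpaqueSwitch
    })

    [pscustomobject]@{
        Cluster        = $cluster.Name
        HostsBelow67   = ($oldHosts  | ForEach-Object Name) -join ', '
        VdsAt66OrLater = ($goodVds   | ForEach-Object Name) -join ', '
        HostsWithNvds  = ($nvdsHosts | ForEach-Object Name) -join ', '
        Ready          = ($oldHosts.Count -eq 0) -and
                         ($goodVds.Count -gt 0) -and
                         ($nvdsHosts.Count -eq 0)
    }
}

# 'Cluster-01' is a hypothetical cluster name.
Test-DistributedSecurityPrereq -ClusterName 'Cluster-01' | Format-List
```

A cluster is reported as `Ready` only when no host is below 6.7, at least one VDS is at version 6.6 or later, and no host reports an opaque switch.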


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Quick Start.
  3. On the Prepare Clusters for Networking and Security card, click Get Started.
  4. Select the clusters on which you want to install Distributed Security.
  5. Click Install NSX and then select Security Only.
  6. In the dialog box, click Install.
    Note: If the VDS spans multiple clusters, Distributed Security is installed only on the clusters that you selected.
    The installation process for Distributed Security starts.
  7. To view VDS with Distributed Security installed, do the following:
    1. Navigate to System > Fabric > Nodes.
    2. Select the Host Transport Nodes tab.
      Note: vSphere clusters prepared for Distributed Security are identified by the Security label.


Distributed Security is installed and you can begin using security capabilities such as creating DFW policies and rules for the VDS.