IDFW extends the traditional firewall by allowing firewall rules to be written in terms of user identity rather than only IP addresses or VM attributes. For example, administrators can allow or deny customer support staff access to an HR database with a single firewall policy.

Identity-based firewall rules are determined by membership in an Active Directory (AD) group. See Identity Firewall Supported Configurations.

IDFW evaluates user identity only in the Source field of a firewall rule. Identity-based groups cannot be used as the Destination of a firewall rule.

Note: For Identity Firewall rule enforcement, the Windows Time service must be running on all VMs that use Active Directory, so that the date and time stay synchronized between Active Directory and the VMs. AD group membership changes, including enabling and deleting users, do not take effect immediately for users who are already logged in; the change is applied only when the user logs out and logs back in. AD administrators should force a logout when group membership is modified. This behavior is a limitation of Active Directory, not of IDFW.

Prerequisites

If Windows auto-logon is enabled on VMs, go to Local Computer Policy > Computer configuration > Administrative Templates > System > Logon and enable Always wait for the network at computer startup and logon.

For supported IDFW configurations, see Identity Firewall Supported Configurations.
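The two Windows-side prerequisites above (the Windows Time service running, and "Always wait for the network at computer startup and logon" enabled when auto-logon is in use) can be verified on each guest VM before IDFW rules are expected to match. The following PowerShell script is an added example, not part of the VMware documentation; it assumes it is run in an elevated session on the Windows VM, and that the policy is stored under the standard local policy registry key (SyncForegroundPolicy under HKLM\SOFTWARE\Policies\...\Winlogon), which is the value the Group Policy setting writes. The group listing at the end illustrates the logout/login caveat: the groups in the current token are what IDFW sees until the user logs on again.

```powershell
# Added example (not from the VMware documentation): check the Windows-side
# prerequisites for IDFW rule enforcement on a guest VM.
# Run in an elevated PowerShell session on the Windows VM.
# Use -Fix to enable "Always wait for the network" when auto-logon is on.
param([switch]$Fix)

$result = [ordered]@{}

# 1. Windows Time service must be running so the VM clock stays in sync with AD.
$w32 = Get-Service -Name W32Time -ErrorAction SilentlyContinue
$result['W32Time running']    = ($null -ne $w32 -and $w32.Status -eq 'Running')
$result['W32Time auto start'] = ($null -ne $w32 -and $w32.StartType -eq 'Automatic')

# 2. If auto-logon is enabled, Winlogon must wait for the network so the logon
#    is processed against AD (and therefore seen by guest introspection or the
#    event log) rather than completed with cached credentials before the
#    network is up.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

$autoLogon = (Get-ItemProperty -Path $winlogonKey -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon
$result['AutoAdminLogon enabled'] = ($autoLogon -eq '1')

# SyncForegroundPolicy = 1 is the registry value behind the Group Policy setting
# "Always wait for the network at computer startup and logon".
# Assumption: the setting is managed locally; a domain GPO writes the same value.
$sync = (Get-ItemProperty -Path $policyKey -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
$result['Always wait for network'] = ($sync -eq 1)

if ($result['AutoAdminLogon enabled'] -and -not $result['Always wait for network']) {
    Write-Warning 'Auto-logon is enabled but "Always wait for the network at computer startup and logon" is not.'
    if ($Fix) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name SyncForegroundPolicy -Value 1 -Type DWord
        $result['Always wait for network'] = $true
        Write-Warning 'Setting enabled; it takes effect at the next logon.'
    }
}

# 3. Group membership is refreshed only at logon: the groups in the current
#    access token are what IDFW will see for this user until the next logon.
$result['Token groups'] = (whoami /groups /fo csv | ConvertFrom-Csv |
    Select-Object -ExpandProperty 'Group Name') -join '; '

[pscustomobject]$result | Format-List
```

Run it once without `-Fix` to review the report, and with `-Fix` on auto-logon VMs that fail the "Always wait for network" check; the time-service checks are reported only, since starting W32Time on a domain member is normally handled by the domain's time hierarchy rather than per VM.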

Procedure

  1. Enable the NSX File Introspection driver and NSX Network Introspection driver (a full VMware Tools installation adds these by default), or enable event log scraping. See Identity Firewall Event Log Sources.

    Event log scraping is what enables IDFW for physical devices. It can also be used for virtual machines, but when a VM has Guest Introspection enabled (through a complete VMware Tools installation) and IDFW is in use, Guest Introspection takes precedence over event log scraping.

  2. Enable Identity Firewall on the Distributed Firewall (DFW) and the Gateway Firewall (GFW).
  3. (Optional) Configure Active Directory and event log scraping: Configuring Active Directory and Event Log Scraping.
  4. Configure Active Directory sync operations: Synchronize Active Directory.
  5. Create security groups (SG) with Active Directory group members: Add a Group.
  6. Assign the security group with AD group members to a distributed firewall rule or gateway firewall rule: Add a Distributed Firewall. The Source field must be the AD-based group (identity groups are not allowed in the Destination field). If creating a DFW rule using Guest Introspection, make sure that the Applied To field applies to the destination group.