Distributed firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on VMware vCenter objects such as datacenters, clusters, and virtual machine names; network constructs such as IP addresses or IPSets, VLANs (DVS port groups), VXLANs (logical switches), and security groups; and user group identity from Active Directory. Firewall rules are enforced at the vNIC level of each virtual machine, so access control stays consistent even when the virtual machine gets vMotioned. Because the firewall is embedded in the hypervisor, it delivers close to line-rate throughput, which allows higher workload consolidation on physical servers. Because it is distributed, it provides a scale-out architecture in which firewall capacity automatically grows as hosts are added to a datacenter.

For L2 packets, the distributed firewall creates a cache to improve performance. L3 packets are processed in the following sequence:

  1. All packets are checked for an existing state. This is done for SYNs too so that bogus or retransmitted SYNs for existing sessions can be detected.

  2. If a state match is found, the packets are processed.

  3. If a state match is not found, the packet is processed through the rules until a match is found.

    • For TCP packets, a state is set only for packets with a SYN flag. However, rules that do not specify a protocol (service ANY) can match TCP packets with any combination of flags.

    • For UDP packets, 5-tuple details are extracted from the packet. If a state does not exist in the state table, a new state is created using the extracted 5-tuple details. Subsequently received packets are matched against the state that was just created.

    • For ICMP packets, ICMP type, code, and packet direction are used to create a state.

The distributed firewall also supports identity-based rules. Administrators can enforce access control based on the user's group membership as defined in the enterprise Active Directory. Identity-based firewall rules can be used in scenarios such as these:

  • User accessing virtual applications using a laptop or mobile device where AD is used for user authentication

  • User accessing virtual applications using VDI infrastructure where the virtual machines are Microsoft Windows-based

If you have a third-party vendor firewall solution deployed in your environment, see Redirecting Traffic to a Vendor Solution through Logical Firewall.

Running open VMware Tools on guest or workload virtual machines has not been validated with distributed firewall.

ESXi Threshold Parameters for Distributed Firewall Resource Utilization

Each ESXi host is configured with three threshold parameters for DFW resource utilization: CPU, RAM, and connections per second (CPS). An alarm is raised if the respective threshold is crossed 20 consecutive times during a 200-second period. A sample is taken every 10 seconds.

100 percent of CPU corresponds to the total CPU available on the host.

100 percent of RAM corresponds to the memory allocated for distributed firewall ("total max size"), which is dependent on the total amount of RAM installed in the host.

Table 1. Total Max Size

  Physical Memory      Total Max Size (MB)
  0 - 8GB              160
  8GB - 32GB           608
  32GB - 64GB          992
  64GB - 96GB          1920
  96GB - 128GB         2944
  128GB                4222
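The following is an added example, not VMware code, that models the alarm logic described above: a sample every 10 seconds, an alarm after 20 consecutive crossings (the 200-second window), and memory utilization measured against the host's "total max size" from Table 1 rather than against total host RAM. Two assumptions are labelled in the code: a physical memory figure exactly on a row boundary (for example 8GB) is placed in the higher row, and a sample "crosses" the threshold when it is strictly greater than the threshold percentage.

```python
from typing import Iterable

SAMPLE_INTERVAL_S = 10      # one sample every 10 seconds (from the page)
CONSECUTIVE_SAMPLES = 20    # 20 consecutive crossings = a 200-second period (from the page)

# Table 1: physical RAM lower bound in GB -> DFW "total max size" in MB.
# Assumption: lower bounds are inclusive, so exactly 8GB uses the 608 MB row.
TOTAL_MAX_SIZE_MB = [(0, 160), (8, 608), (32, 992), (64, 1920), (96, 2944), (128, 4222)]


def total_max_size_mb(physical_ram_gb: float) -> int:
    """Memory allocated to the distributed firewall on a host with this much RAM."""
    size = TOTAL_MAX_SIZE_MB[0][1]
    for lower_gb, mb in TOTAL_MAX_SIZE_MB:
        if physical_ram_gb >= lower_gb:
            size = mb
    return size


def dfw_memory_percent(used_mb: float, physical_ram_gb: float) -> float:
    """100 percent of RAM means the total max size, not the host's installed RAM."""
    return 100.0 * used_mb / total_max_size_mb(physical_ram_gb)


def alarm_raised(samples_percent: Iterable[float], threshold_percent: float) -> bool:
    """True once the threshold is crossed in 20 consecutive 10-second samples.

    Assumption: a sample crosses the threshold when it is strictly greater.
    Any sample at or below the threshold resets the consecutive count, so
    20 crossings spread over a longer period with gaps do not raise the alarm.
    """
    streak = 0
    for value in samples_percent:
        streak = streak + 1 if value > threshold_percent else 0
        if streak >= CONSECUTIVE_SAMPLES:
            return True
    return False


def memory_alarm(used_mb_samples: Iterable[float], physical_ram_gb: float,
                 threshold_percent: float) -> bool:
    """Evaluate raw DFW memory samples (MB) for one host against its RAM threshold."""
    percents = (dfw_memory_percent(mb, physical_ram_gb) for mb in used_mb_samples)
    return alarm_raised(percents, threshold_percent)


def alarm_window_seconds() -> int:
    """Length of the evaluation window implied by the sampling parameters (200)."""
    return SAMPLE_INTERVAL_S * CONSECUTIVE_SAMPLES
```

Note that the same 500 MB of DFW memory is 82 percent on a 16GB host but only 26 percent on a 96GB host, so a fixed memory threshold percentage means different absolute amounts on different hosts.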

The memory is used by distributed firewall internal data structures, which include filters, rules, containers, connection states, discovered IPs, and drop flows. The threshold parameters can be changed using the following API call:

https://NSX-MGR-IP/api/4.0/firewall/stats/eventthresholds

Request body:

<eventThresholds>
  <cpu>
    <percentValue>100</percentValue> 
  </cpu>
  <memory>
    <percentValue>100</percentValue> 
  </memory>
  <connectionsPerSecond>
    <value>100000</value> 
  </connectionsPerSecond>
</eventThresholds>