IDFW enhances traditional firewalls by allowing firewall rules to be based on user identity. For example, administrators can allow or deny customer support staff access to an HR database with a single firewall policy.
Identity-based firewall rules are determined by membership in an Active Directory (AD) group. Note that both the OU containing the AD user and the OU containing the AD group the user belongs to must be added to Organization Units To Sync for IDFW rules to work. See Identity Firewall Supported Configurations.
IDFW evaluates user identity only at the source of a firewall rule: only traffic originating from the source where the user's identity was resolved is subject to IDFW rules. Identity-based groups cannot be used as the destination in firewall rules.
Note: For Identity Firewall rule enforcement, the Windows Time service must be running on all VMs that use Active Directory, so that date and time stay synchronized between Active Directory and the VMs. AD group membership changes, including enabling and deleting users, do not take effect immediately for logged-in users. For changes to take effect, users must log out and log back in; AD administrators should force a logout when group membership is modified. This behavior is a limitation of Active Directory.
Prerequisites
If Windows auto-logon is enabled on VMs, enable the Group Policy setting Always wait for the network at computer startup and logon.
For supported IDFW configurations see Identity Firewall Supported Configurations.
Procedure
- Enable the NSX File Introspection driver and NSX Network Introspection driver (a complete VMware Tools installation adds these by default), or enable event log scraping. See Identity Firewall Event Log Sources.
Event log scraping enables IDFW for physical devices. It can also be used for virtual machines, but on a VM where Guest Introspection is enabled (through the complete VMware Tools installation), Guest Introspection takes precedence over event log scraping.
- Enable Identity Firewall on the distributed firewall (DFW) and gateway firewall (GFW).
- Configure Active Directory (required) and event log scraping (optional). See Configuring Active Directory and Event Log Scraping.
- Configure Active Directory sync operations: Synchronize Active Directory.
- Create a group with Active Directory group members: Add a Group.
- Assign the group with AD group members as the Source of a distributed firewall rule or gateway firewall rule. If creating a DFW rule using Guest Introspection, make sure that the Applied to field applies to the source group. See Add a Distributed Firewall.
For every identity firewall rule that allows traffic from a group of users to a destination, there must be a corresponding distributed firewall rule or gateway firewall rule that allows traffic from a group of machines to the same destination. The machine group specifies the machines that the users in the identity firewall rule log in to.
When configuring identity firewall, the best practice is to create a rule that blocks traffic from all users to a destination, and another rule that allows traffic from a specific group of users to the same destination. Because firewall rules are matched top down, the allow rule for the specific group must be ordered before the block rule, or it never matches.
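The procedure above, worked through as an added example that is not part of the NSX documentation: a Python script builds the groups and the security policy from the last two steps as NSX-T Policy API JSON bodies (an identity group defined by an IdentityGroupExpression used only as Source, the Applied to scope set to the source group, the allow rule for the specific AD group ordered before the block-all-users rule, and the corresponding machine-group rule required by this section) and then runs a pre-flight check of the three constraints stated here: no identity group as destination, a machine-group allow rule for every identity allow rule, and no identity allow rule shadowed by an earlier block rule. The resource shapes follow the NSX-T Policy API as understood by the editor; the group IDs, VM tag, distinguished names, address and rule IDs are assumed values, and the script never contacts NSX Manager.

```python
"""Identity Firewall policy as NSX-T Policy API JSON, plus a pre-flight check.

Added example. The JSON shapes (Group with IdentityGroupExpression, SecurityPolicy
with ordered rules, "scope" as the Applied to field) follow the NSX-T Policy API as
understood here; all IDs, DNs, tags and addresses below are assumed sample values.
"""
import json

DOMAIN = "/infra/domains/default"           # default policy domain path
BASE_DN = "DC=corp,DC=example"              # assumed AD domain base DN


def group_path(group_id: str) -> str:
    return f"{DOMAIN}/groups/{group_id}"


def identity_group(group_id: str, group_dn: str, base_dn: str) -> dict:
    """Group whose members are the users of one AD group (an IDFW source group)."""
    return {"id": group_id, "resource_type": "Group", "expression": [{
        "resource_type": "IdentityGroupExpression",
        "identity_groups": [{"distinguished_name": group_dn,
                             "domain_base_distinguished_name": base_dn}]}]}


def vm_tag_group(group_id: str, tag: str) -> dict:
    """Machine group of tagged VMs: the machines the users log in to."""
    return {"id": group_id, "resource_type": "Group", "expression": [{
        "resource_type": "Condition", "member_type": "VirtualMachine",
        "key": "Tag", "operator": "EQUALS", "value": tag}]}


def ip_group(group_id: str, cidrs: list) -> dict:
    """Machine group defined by IP addresses: the destination server."""
    return {"id": group_id, "resource_type": "Group", "expression": [{
        "resource_type": "IPAddressExpression", "ip_addresses": cidrs}]}


def rule(rule_id: str, src: str, dst: str, action: str, applied_to: str) -> dict:
    return {"id": rule_id, "resource_type": "Rule",
            "source_groups": [group_path(src)], "destination_groups": [group_path(dst)],
            "services": ["ANY"], "action": action, "scope": [group_path(applied_to)]}


def is_identity_group(group: dict) -> bool:
    return any(e.get("resource_type") == "IdentityGroupExpression"
               for e in group.get("expression", []))


# Constructed sample objects (assumed names). "all-staff" stands for an AD group
# that contains every user; both AD groups live in an OU that is synced.
GROUPS = {g["id"]: g for g in [
    identity_group("hr-users", f"CN=HR Staff,OU=Groups,{BASE_DN}", BASE_DN),
    identity_group("all-staff", f"CN=All Staff,OU=Groups,{BASE_DN}", BASE_DN),
    vm_tag_group("hr-workstations", "hr-desktop"),
    ip_group("hr-database", ["10.20.30.10/32"]),
]}

POLICY = {"id": "idfw-hr-db", "resource_type": "SecurityPolicy", "category": "Application",
          "rules": [
              # allow the specific AD group first (Source = AD group, Applied to = source group)
              rule("allow-hr-staff-to-hr-db", "hr-users", "hr-database", "ALLOW", "hr-users"),
              # then block every other user to the same destination
              rule("block-all-users-to-hr-db", "all-staff", "hr-database", "DROP", "all-staff"),
              # corresponding machine-group rule for the machines HR users log in to
              rule("allow-hr-desktops-to-hr-db", "hr-workstations", "hr-database", "ALLOW",
                   "hr-workstations"),
          ]}


def check_identity_policy(policy: dict, groups: dict) -> list:
    """Return findings (empty list = policy honours the IDFW constraints)."""
    by_path = {group_path(gid): g for gid, g in groups.items()}

    def identity_source(r: dict) -> bool:
        return any(is_identity_group(by_path[s]) for s in r["source_groups"] if s in by_path)

    rules = policy["rules"]
    # destinations that some non-identity (machine group) ALLOW rule already covers
    machine_allow_dsts = {d for o in rules if o["action"] == "ALLOW" and not identity_source(o)
                          for d in o["destination_groups"]}
    findings, blocked = [], set()
    for r in rules:
        for d in r["destination_groups"]:
            g = by_path.get(d)
            if g is not None and is_identity_group(g):
                findings.append(f"{r['id']}: identity group {g['id']} used as destination")
        if not identity_source(r):
            continue
        for d in r["destination_groups"]:
            if r["action"] == "ALLOW" and d in blocked:
                findings.append(f"{r['id']}: shadowed by an earlier block rule for {d}")
            if r["action"] == "ALLOW" and d not in machine_allow_dsts:
                findings.append(f"{r['id']}: no machine-group ALLOW rule to {d}")
        if r["action"] in ("DROP", "REJECT"):
            blocked.update(r["destination_groups"])
    return findings


if __name__ == "__main__":
    print(json.dumps({"groups": list(GROUPS.values()), "policy": POLICY}, indent=2))
    print("findings:", check_identity_policy(POLICY, GROUPS) or "none")
```

Run the script as is and the check reports no findings; swap the first two rules, or delete the machine-group rule, and it names the rule that is shadowed or left without its machine counterpart before anything is pushed to NSX Manager.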