NSX allows you to install Distributed Security for vSphere Distributed Switch (VDS). As the host switch is of the type VDS, DFW capabilities can be enabled on workload VMs..

Distributed Security provides security-related functionality to your VDS such as:

  • Distributed Firewall (DFW)
  • Distributed IDS/IPS
  • Identity Firewall
  • L7 App ID
  • Fully Qualified Domain Name (FQDN) Filtering
  • NSX Intelligence
  • NSX Malware Prevention
  • NSX Guest Introspection


The following are the requirements for installing Distributed Security for VDS:
  • vSphere 6.7 or later.
  • The vSphere cluster should have at least one VDS with distributed switch version 6.6 or later configured.
  • A compute manager must be registered in NSX. See Add a Compute Manager.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Quick Start.
  3. On the Prepare Clusters for Networking and Security card, click Get Started.
  4. Select the clusters that you want to install Distributed Security.
  5. Click Install NSX and then select Security Only.
  6. In the dialog box, click Install.
    Note: If the VDS spans across multiple clusters, Distributed Security installs only to the clusters that you selected.
    The installation process for Distributed Security starts.
  7. To view VDS with Distributed Security installed, do the following:
    1. Navigate to System > Fabric > Nodes.
    2. Select the Host Transport Nodes tab.
      Note: vSphere clusters prepared for Distributed Security are identified by the Security label.


Distributed Security is installed and you can begin using security capabilities such as creating DFW policies and rules for the VDS.