Current NSX Feature Entitlement

The following tables outline specific functions available by edition. VMware NSX is available as a single download image with license keys required to enable specific functionality.

Table 1. Distributed Security
Distributed Security	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Distributed Firewall for NSX Switch Ports	No	Yes	Yes
Distributed Firewall for VDS Switch Ports	No	Yes	Yes
Stateful L2 and L3 Rules	No	Yes	Yes
Stateless L2 and L3 Rules	No	Yes	Yes
Distributed FQDN Filtering	No	Yes	Yes
Basic L7 Application Identification Rules	No	Yes	Yes
Advanced L7 Application Identification Rules	No	Yes	Yes
Malicious IP Filtering	No	Yes	Yes
Distributed Flood Protection	No	Yes	Yes
Agent-Based Enforcement for Physical Servers	No	Yes	Yes
Stateful L2 and L3 Rules with DPU Support	No	Yes	Yes
Stateless L2 and L3 Rules with DPU Support	No	Yes	Yes

Table 2. Distributed User Identity Firewall
Distributed User Identity Firewall	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Distributed Identity Firewall using Guest Introspection	No	Yes	Yes
Distributed Identity Firewall using Active Directory Event Server	No	Yes	Yes
Distributed Identity Firewall using third-party log sources	No	Yes	Yes

Table 3. Distributed Threat Prevention
Distributed Threat Prevention	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Distributed Intrusion Detection Service (IDS)	No	No	Yes
Distributed Behavioral IDS	No	No	Yes
Distributed Intrusion Prevention Service (IPS)	No	No	Yes

Table 4. Distributed Advanced Threat Prevention
Distributed Advanced Threat Prevention	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Distributed Malware Detection and Prevention	No	No	Yes
Cloud Sandboxing and Artifact Analysis	No	No	Yes
Network Detection and Response (NDR)	No	No	Yes

Table 5. Service Insertion Integrations
Distributed Service Insertion Integrations	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Distributed Endpoint Protection	No	No	No
Distributed Network Introspection for Packet Copy (see footnote 9)	Yes	No	No
Distributed Network Introspection for Security (see footnote 7)	No	No	No

Table 6. Policy, Tagging and Grouping
Policy, Tagging and Grouping	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Object Tagging / Security Tags	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Network Centric Grouping	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Workload Centric Grouping	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IP Based Groups	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
MAC Based Groups	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Tag Based Groups	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 7. Firewall Operations
Firewall Operations	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Firewall Logging	Yes (Stateless Gateway Firewall)	Yes	Yes
Distributed Firewall based IPFIX	No	Yes	Yes
Rule Hit Count, Popularity Index, Flow Statistics	Yes (Stateless Gateway Firewall	Yes	Yes
Firewall Drafts	No	Yes	Yes

Table 8. Gateway Security
Gateway Security	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Stateful L3 Rules	No	Yes	Yes
Stateless L3 Rules	Yes	Yes	Yes
Basic L7 Application Identification Rules	No	Yes	Yes
Advanced L7 Application Identification Rules	No	Yes	Yes
URL Filtering	No	Yes	Yes
Gateway Flood Protection	No	Yes	Yes
Edge Bridge Firewall	No	Yes	Yes

Table 9. Gateway User Identity Firewall
Gateway User Identity Firewall	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Gateway Identity Firewall using Active Directory Event Server	No	Yes	Yes
Gateway Identity Firewall using third-party log sources	No	Yes	Yes

Table 10. Gateway Threat Prevention
Gateway Threat Prevention	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Gateway TLS Inspection	No	Yes	Yes
Gateway Intrusion Detection Service (IDS)	No	No	Yes
Gateway Intrusion Prevention Service (IPS)	No	No	Yes

Table 11. Gateway Advanced Threat Prevention
Gateway Advanced Threat Prevention	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Malware Detection	No	No	Yes
Cloud Sandboxing and Artifact Analysis	No	No	Yes
Malware / File Event Forwarding to NDR	No	No	Yes

Table 12. Gateway Service Insertion Integrations
Gateway Service Insertion Integrations	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Gateway Network Introspection for Security (see footnote 7)	No	No	No

Table 13. Gateway Firewall High Availability
Gateway Firewall High Availability	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Active/Standby Gateway Network Services	Yes	No	No
Active/Standby Gateway Firewall Services	Yes (Stateless Gateway Firewall)	Yes	Yes
Active/Active Gateway Network Services (e.g. NAT, VPN) (see footnote 9)	Yes	No	No
Active/Active Gateway Firewall Services - Stateless	Yes	Yes	Yes
Active/Active Gateway Firewall Services (e.g. Firewall, IDS/IPS, Malware Detection) (see footnote 9)	No	Yes	Yes

Table 14. Switching
Switching	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
vSphere Distributed Switch	Provided by vSphere	Provided by vSphere	Provided by vSphere
VLAN Backed Logical Switching	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Overlay Backed Logical Switching	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Spoofguard	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
L2 and L3 Multicast (see footnote 9)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Enhanced Datapath	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Enhanced Datapath for DPUs	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 15. Routing
Routing	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Distributed Routing	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 and IPv6 Static Routing	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 and IPv6 BFD	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 and IPv6 BGP	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
ECMP	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Virtual Routing and Forwarding (Tier-0 Gateway VRFs)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
EVPN	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
OSPF v2	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 16. Networking Services
Networking Services	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
NAT	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
L2 VPN	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 and IPv6 L3 VPN	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Quality of Service (QoS)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Edge Bridge for Networking	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Load Balancing for Aria Automation	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Load Balancing for IaaS Control Plane (Supervisor Cluster)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Load Balancing for VCF Components	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
NSX Load Balancer(see footnote 6)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 17. DNS, DHCP and IPAM (DDI)
DNS, DHCP and IPAM (DDI)	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
IPAM - Blocks, Subnets, and Pools	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 and IPv6 DHCP Server	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 and IPv6 DHCP Relay	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
IPv4 DNS Relay / DNS Proxy	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 18. Modern Apps
Modern Apps	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Container Networking with Kubernetes Network Policies	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Container Security with Antrea Network Policies	No	Yes	Yes
Container Security with IDS	No	No	Yes (Tech Preview)
Distributed Load Balancing	Yes	No	No

Table 19. Automation
Automation	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
REST API	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
OpenAPI Spec and SDKs (Python and Java)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Automation Tools (Ansible and Terraform) (see footnote 5)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 20. Multi-Tenancy
Multi-Tenancy	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Projects (User Defined) for Networking	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Projects (User Defined) for Security	No	Yes	Yes
NSX VPCs for Networking	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
NSX VPCs for Security	No	Yes	Yes

Table 21. Platform
Platform	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Manager / Controller Clustering	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
vCenter Integration	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Multi-vCenter^® Networking and Security	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Federation (see footnote 9)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Edge in VM Form Factor	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Edge in Bare-Metal Form Factor for Routing (see footnote 8)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Edge in Bare-Metal Form Factor for Gateway Firewall (see footnote 8)	Yes (Stateless Gateway Firewall)	Yes	Yes
DPDK Optimized Forwarding	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Dual Stack (IPv4/IPv6) External Management	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 22. Authentication and Authorization
Authentication and Authorization	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Authentication using Workspace ONE Access (see footnotes 1 and 4)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Direct Active Directory Integration via LDAP	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Authentication via OpenLDAP	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Session Based Authentication	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Certificate Based Authentication (Principle Identity)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Role Based Access Control	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 23. Log Management
Log Management	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Aria Operations for Logs Integration (Plugin) (see footnote 2)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Splunk Integration (Plugin) (see footnote 3)	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 24. Installation
Installation	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Automated Manager Deployment	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Manual Manager Deployment	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Automated Edge Deployment	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Manual Edge Deployment	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Automated Host Preparation by Cluster	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 25. Operations
Operations	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Port Mirroring	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Traceflow	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
NSX Live Traffic Analysis	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Tunnel Health Monitoring	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Port Connectivity Tool	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Switch Based IPFIX	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
LLDP	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Automated Technical Support Bundles	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Packet Capture	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Backup and Restore	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
SNMP v1/v2/v3 with Traps	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
Time-Series Metrics for Networking	Yes	No	No
Time-Series Metrics for Security	No	Yes	Yes

Table 26. Upgrade and Migration
Upgrade and Migration	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Upgrade Coordinator	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
NSX for vSphere to NSX-T Migration Coordinator	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF
NSX Manager to Policy Promotion	Yes	Provided by NSX Networking for VCF	Provided by NSX Networking for VCF

Table 27. Included Product Entitlement
Included Product Entitlement	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
Aria Operations for Logs for NSX	See the VMware Cloud Foundation Datasheet	No	No
Aria Operations for Networks	See the VMware Cloud Foundation Datasheet	No	No
HCX	See the VMware Cloud Foundation Datasheet	No	No
Workspace One Access	See the VMware Cloud Foundation Datasheet	No	No
Avi Load Balancer	No	No	No

Table 28. Security Intelligence
Security Intelligence	NSX Networking for VMware Cloud Foundation	VMware vDefend Firewall	VMware vDefend Firewall with Advanced Threat Prevention
VM-to-VM Traffic Flow Analysis	No	Yes	Yes
Firewall Visibility	No	Yes	Yes
Automated Security Policy	No	Yes	Yes
Rule and Group Recommendation Analytics	No	Yes	Yes
Network Traffic Analytics	No	No	Yes

Footnotes

Please refer to the Product Interoperability Matrices for specific versions supported with NSX.
VMware Aria Operations for Logs is not included in these editions. However, it may be included in the VMware Cloud Foundation suite.
Please refer to the NSX partner website for specific versions.
VMware Workspace ONE Access is not included in these editions. However, it may be included in the VMware Cloud Foundation suite.
Integration with automation tools such as VMware Aria Automation, vCloud Director, Ansible, and Terraform is available for all editions of NSX, however, you must have the appropriate NSX edition for the feature which is automated by these tools.
It is recommended that all customers who need load balancing features purchase Avi Load Balancer. Support for the built-in NSX load balancer for customers using NSX 4.x will remain for the duration of the NSX 4.x release series.
https://knowledge.broadcom.com/external/article?legacyId=97043
Customers must purchase one core VCF license per CPU core for bare-metal Edge node used.
This feature is not support in VCF deployments in VMware Cloud on AWS (VMC on AWS), Azure VMware Solution (AVS), Google Cloud VMware Engine (GCVE), Oracle Cloud VMware Solution (OCVS), VMware Cloud on Dell (VMC on Dell), and Alibaba Cloud on VMware Service (ACVS).