Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.

You can register an entire AD (Active Directory) domain for use by IDFW (Identity Firewall), or you can synchronize only a subset of a large domain. Once a domain is registered, NSX synchronizes all AD data that IDFW requires. To enable selective sync, update the domain payload with PUT /api/v1/directory/domains/<domain-id>: set selective_sync_settings with enabled set to true, and provide the list of OrgUnits to synchronize. New OrgUnits are synchronized, and deleted OrgUnits are removed from NSX. For more information, see the NSX API Guide.
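The selective sync update described above, as an added example (not NSX's own code or a verbatim copy of its API schema): it fetches the domain object, rewrites selective_sync_settings for an explicit OU list, and shows which OrgUnits the change will add and which will be removed from NSX. Assumptions not stated on the page: the GET response carries a `_revision` that the PUT must echo back, the OU list lives at selective_sync_settings["selected_org_units"], each entry is keyed by `distinguished_name`, and `session` is a requests.Session (or similar) already holding NSX Manager credentials with certificate verification left on.

```python
"""Added example: scope NSX IDFW AD sync to chosen OrgUnits through the REST API.
Assumed, not stated on the page: GET returns `_revision` which PUT must echo back, the
OU list is selective_sync_settings["selected_org_units"], keyed by `distinguished_name`."""
import copy

NSX_MANAGER = "https://nsx-manager.example.invalid"  # placeholder hostname


def ou_diff(current_ous, desired_dns):
    """(to_add, to_remove): OUs dropped from the list are deleted from NSX on the next sync."""
    current = {ou["distinguished_name"] for ou in current_ous}
    desired = set(desired_dns)
    return sorted(desired - current), sorted(current - desired)


def build_selective_sync_payload(domain, desired_dns):
    """Copy of the fetched domain with selective sync enabled for exactly desired_dns."""
    if not desired_dns:
        raise ValueError("empty OU list with selective sync enabled would sync nothing")
    if "_revision" not in domain:
        raise ValueError("fetch the domain first: PUT needs the current _revision")
    payload = copy.deepcopy(domain)  # never mutate the object we compared against
    payload["selective_sync_settings"] = {
        "enabled": True,
        "selected_org_units": [{"distinguished_name": dn} for dn in sorted(set(desired_dns))],
    }
    return payload


def apply_selective_sync(session, domain_id, desired_dns):
    """GET the domain, rewrite its sync settings, PUT it back; session keeps TLS verification on."""
    url = f"{NSX_MANAGER}/api/v1/directory/domains/{domain_id}"
    domain = session.get(url, timeout=30).json()
    resp = session.put(url, json=build_selective_sync_payload(domain, desired_dns), timeout=30)
    resp.raise_for_status()
    return resp.json()


# Constructed sample of what GET might return; field names are the assumptions above.
SAMPLE_DOMAIN = {
    "id": "domain-placeholder", "name": "corp.example.invalid", "_revision": 3,
    "selective_sync_settings": {"enabled": False, "selected_org_units": [
        {"distinguished_name": "OU=Finance,DC=corp,DC=example,DC=invalid"}]},
}

if __name__ == "__main__":
    want = ["OU=Finance,DC=corp,DC=example,DC=invalid", "OU=Eng,DC=corp,DC=example,DC=invalid"]
    print("add/remove:", ou_diff(SAMPLE_DOMAIN["selective_sync_settings"]["selected_org_units"], want))
    print(build_selective_sync_payload(SAMPLE_DOMAIN, want)["selective_sync_settings"])
```

Review the "remove" half of the diff before sending the PUT: any OU that drops out of the list has its users and groups deleted from NSX, and rules that reference them stop matching.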

If you use the API to manually end a full sync after it has begun, the sync statistics will not be updated correctly.

Note: IDFW relies on the security and integrity of the guest operating system. A malicious local administrator has multiple ways to spoof their identity and bypass firewall rules. User identity information is provided by the Guest Introspection Agent inside guest VMs. Security administrators must ensure that the NSX Guest Introspection Agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Navigate to System > Identity Firewall AD.
  3. Click the three-button menu icon next to the Active Directory that you want to synchronize, and select one of the following:
     Menu Item   Description
     Sync Delta  Perform a delta synchronization, where local AD objects that have changed since the last synchronization are updated.
     Sync All    Perform a full synchronization, where the local state of all AD objects is updated.
  4. Click View Sync Status to see the current state of the Active Directory, the previous synchronization state, the synchronization status, and the last synchronization time.