Distributed Firewall offers multiple sets of configurable rules: Layer 3 (L3) rules (General tab) and Layer 2 (L2) rules (Ethernet tab). Layer 2 firewall rules are processed before Layer 3 rules.

The default firewall rule allows all L3 and L2 traffic to pass through all clusters in your infrastructure. The default rule is always at the bottom of the rules table and cannot be deleted or added to. However, you can change the Action element of the rule from Allow to Block, add comments for the rule, and indicate whether traffic for that rule should be logged.

User defined firewall rules are enforced in top-to-bottom ordering, with a per-virtual NIC level precedence. Each traffic session is checked against the top rule in the Firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

A firewall rule can have one or more of the following entities as the source or destination:




Virtual app

Resource pool

Virtual machine


Logical switch

IPSet. Both IPv4 and IPv6 addresses are supported. For information on creating an IPSet, see Create an IP Address Group.

Security group. For information on creating a security group, see Create a Security Group.

Running open VMware Tools on guest or workload virtual machines has not been validated with Distributed Firewall.