The Trust Groups firewall allows you to segment virtual data center entities, such as virtual machines, based on virtual machine names and attributes.

The Trust Groups firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on objects such as data centers and virtual machine names, and on network constructs such as IP addresses or IP sets. Firewall rules are enforced at the vNIC level of each virtual machine, so access control stays consistent even when the virtual machine is vMotioned to another host. Because the firewall is embedded in the hypervisor, it delivers near-line-rate throughput, which allows higher workload consolidation on physical servers. Its distributed nature provides a scale-out architecture: firewall capacity extends automatically when additional hosts are added to a data center.

For L2 packets, the Trust Groups firewall creates a cache to boost performance. L3 packets are processed in the following sequence:

1. All packets are checked for an existing state. This is done for SYNs too, so that bogus or retransmitted SYNs for existing sessions can be detected.

2. When a state match is found, the packets are processed according to the existing state.

3. When a state match is not found, the packets are processed through the rules until a match is found.

For TCP packets, a state is set only for packets with the SYN flag. However, rules that do not specify a protocol (service ANY) can match TCP packets with any combination of flags.

For UDP packets, 5-tuple details are extracted from the packet. When a state does not exist in the state table, a new state is created using the extracted 5-tuple details. Subsequently received packets are matched against the state that was just created.

For ICMP packets, ICMP type, code, and packet direction are used to create a state.
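The following toy model walks through the processing sequence above (state lookup first, then the rule table on a miss) and the per-protocol state rules for TCP, UDP and ICMP. It is an added illustration, not NSX code or the firewall's actual implementation. It assumes this reading of the text: a rule with a specific TCP service matches only session-opening SYNs (mid-stream packets are expected to hit state), while a service ANY rule matches any flag combination; state is installed only for allowed flows; TCP/UDP state is keyed on a direction-independent 5-tuple so return traffic hits the same state; ICMP state is keyed on type, code and the ordered src/dst pair. The rule set and addresses are constructed for the example.

```python
"""Toy model of stateful L3 packet processing: state table first, rules on a miss."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "drop"
    proto: Optional[str] = None      # None models "service ANY"
    dport: Optional[int] = None
    dst: Optional[str] = None        # hypothetical VM-name object

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.proto is None:
            return True              # service ANY: any protocol, any TCP flag combination
        if self.proto != pkt.proto:
            return False
        if pkt.proto == "tcp" and "SYN" not in pkt.flags:
            return False             # assumption: a TCP service rule only opens sessions
        return self.dport is None or pkt.dport == self.dport


def state_key(pkt: Packet) -> Tuple:
    """Key used for the state table lookup."""
    if pkt.proto == "icmp":
        # ICMP state: type, code and direction (ordered src -> dst)
        return ("icmp", pkt.src, pkt.dst, pkt.icmp_type, pkt.icmp_code)
    # TCP/UDP: 5-tuple, endpoints ordered so both directions share one state
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def creates_state(pkt: Packet) -> bool:
    if pkt.proto == "tcp":
        return "SYN" in pkt.flags    # TCP: only SYN packets install state
    return True                      # UDP and ICMP: the first packet seen installs state


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default_action: str = "drop"):
        self.rules = rules
        self.default_action = default_action
        self.state: Dict[Tuple, str] = {}
        self.events: List[str] = []

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, how): how is "state", "rule" or "default"."""
        key = state_key(pkt)
        # 1. Every packet, SYNs included, is checked against the state table first.
        if key in self.state:
            if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
                # A bare SYN for a session that already exists is retransmitted or bogus.
                self.events.append(f"SYN for existing session {key}")
            # 2. State hit: handled by the existing state, rules are not consulted.
            return self.state[key], "state"
        # 3. State miss: walk the rule table until the first match.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and creates_state(pkt):   # assumption: state for allowed flows only
                    self.state[key] = rule.action
                return rule.action, "rule"
        return self.default_action, "default"


def demo() -> dict:
    """Constructed traffic against a constructed rule set; returns each verdict."""
    fw = StatefulFirewall([
        Rule("allow", proto="tcp", dport=443, dst="web-01"),
        Rule("allow", proto="udp", dport=53, dst="dns-01"),
        Rule("allow", proto="icmp", dst="web-01"),
        Rule("allow", dst="legacy-01"),                      # service ANY
    ])
    SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
    client, web, dns, legacy = "10.0.0.5", "web-01", "dns-01", "legacy-01"
    r = {}
    r["syn"] = fw.process(Packet(client, web, "tcp", 40000, 443, SYN))          # rule match, state installed
    r["ack"] = fw.process(Packet(client, web, "tcp", 40000, 443, ACK))          # state hit
    r["reply"] = fw.process(Packet(web, client, "tcp", 443, 40000, ACK))        # reverse direction hits same state
    r["resyn"] = fw.process(Packet(client, web, "tcp", 40000, 443, SYN))        # retransmitted SYN: state hit, event logged
    r["stray_ack"] = fw.process(Packet(client, web, "tcp", 40001, 443, ACK))    # no state, TCP rule needs SYN: default drop
    r["any_ack"] = fw.process(Packet(client, legacy, "tcp", 40002, 22, ACK))    # service ANY matches any flags
    r["any_ack_again"] = fw.process(Packet(client, legacy, "tcp", 40002, 22, ACK))  # still via rule: no state without SYN
    r["dns"] = fw.process(Packet(client, dns, "udp", 50000, 53))                # UDP: first packet installs state
    r["dns_reply"] = fw.process(Packet(dns, client, "udp", 53, 50000))          # reply hits the UDP state
    r["ping"] = fw.process(Packet(client, web, "icmp", icmp_type=8))            # ICMP: type/code/direction state
    r["ping_again"] = fw.process(Packet(client, web, "icmp", icmp_type=8))      # state hit
    r["events"] = list(fw.events)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The two cases worth attention are `stray_ack` and `any_ack`: a mid-stream TCP packet with no state is dropped when only a TCP service rule could cover it, but a service ANY rule lets it through, and because it carries no SYN, no state is ever installed for that flow, so every such packet is evaluated against the rule table again.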

If you have a third-party vendor firewall solution deployed in your environment, see Redirecting Traffic to a Vendor Solution through Logical Firewall in the NSX Administration Guide.

Running open-vm-tools (the open-source VMware Tools) on guest or workload virtual machines has not been validated with the Trust Groups firewall.