What is NSX Distributed Firewall?
Complete East-West Security for Zero Trust
Ransomware and lateral movement of threats make east-west the new battleground. NSX Distributed Firewall offers a software-delivered, distributed architecture and advanced threat prevention. It enables zero-trust security that’s easy to deploy and automates policy while reducing overall costs.
Hyperscale Throughput
Get complete coverage with up to 20Tbps firewalling per SDDC.
Secure Workload Access
Secure workload access on your journey to zero trust.
Up to 73% savings in OpEx
Lower OpEx, with no network changes and automated policies.
Benefits of NSX Distributed Firewall
No Network Changes
Radically simplify firewall deployment and operations by replacing physical hardware, eliminating changes to the network, and avoiding traffic hair-pinning.
Eliminate Blind Spots
Get visibility and workload context to identify and block threats at every hop, while remaining isolated from the attack surface.
Security as Code
An API-driven, object-based policy model delivers policy recommendations, automates policy mobility and ensures new workloads automatically receive appropriate security policies.
Zero Trust with Better Security
Operationalize Zero Trust architecture in your infrastructure across multi-cloud with a modern software-based approach that’s easy to operationalize and scale.
Use Cases
Simplify Network Segmentation
Gain visibility into traffic and easily create network segmentation by defining segments entirely in software—no need to change your network or hairpin traffic by deploying discrete appliances.
Implement Zero Trust Within the Cloud
Easily and automatically create, enforce, and manage granular micro-segmentation policies. Intrinsic understanding of application topology helps generate policy recommendations.
Enable Ubiquitous Virtual Patching
Take advantage of NSX Advanced Threat Prevention at every host to monitor all your traffic flows, identify malicious traffic on a per hop basis, and then apply virtual patching to ensure unpatched servers inside the data center cannot be exploited.
Block Advanced Threats
Prevent communication with malicious IP addresses outside your network. Leverage multiple detection engines with distributed IDS/IPS, NTA, and sandboxing to block advanced threats from moving laterally across your network—even across encrypted traffic. Get NSX Advanced Threat Prevention that correlates events across all detection engines to identify intrusions.
The internal firewall and micro-segmentation capabilities of NSX Data Center enabled us to rapidly deliver on our CIO’s zero-trust initiative.
- Mark Fournier, Director of IT Infrastructure, United States Senate Federal Credit Union
The inherent security on the NSX platform allows our developers and security experts to work together from the get-go, weaving cybersecurity into the very DNA of the network.
- Scott Tivendale, Capability Lead, Cenitex
NSX has simplified the ability for us to segment those servers off into their own environment... without having to make vast hardware purchases and additional firewalls and technologies.
- Ben Moore, Lead Systems Engineer, Preferred Mutual
Related Resources
Internal Firewalls for Dummies
Organizations can no longer rely on edge firewalls alone. Learn how internal firewalls provide better security for today’s complex data centers.
NSX Distributed Firewall Datasheet
NSX Distributed Firewall protects all east-west traffic with security intrinsic to the infrastructure, radically simplifying the security deployment model.
The Best Way to Protect East-West Traffic
Bolted-on security solutions can’t deliver the scalability, flexibility and cost effectiveness needed by today. Understand why intrinsic security is key.
Related Products
Expand your data center security capabilities with detection and response, threat prevention and more.
NSX Advanced Threat Prevention
Complete network traffic inspection
NSX Intelligence
Distributed analytics engine for topology visualization & policy recommendations
NSX Gateway Firewall
A Layer 7 firewall to protect physical servers and zone/cloud edge
Frequently Asked Questions
NSX Distributed Firewall is a software-defined Layer 7 firewall enabled at each workload to segment east-west traffic and block lateral movement of threats. Its advanced threat prevention includes distributed IDS/IPS, network sandbox, network traffic analysis, and network detection and response.
How does NSX Distributed Firewall work?
NSX Distributed Firewall uses a software-based approach to deliver security that's built into the hypervisor and delivered at each workload. This enables it to enforce access controls and inspect every flow for threats without traffic hair-pinning. It includes a stateful L7 firewall, an intrusion detection/prevention system (IDS/IPS), network sandbox, and behavior-based network traffic analysis and network detection & response.
What are the key capabilities of NSX Distributed Firewall?
Key differentiators of NSX Distributed Firewall include:
- Distributed architecture
- Superior workload context
- No network taps NTA
- Elastic throughput
- Operationally simple
For full capabilities, see the datasheet.
What are the use cases for NSX Distributed Firewall?
Use cases for NSX Distributed Firewall include:
- Network Segmentation
- Zero Trust in the Cloud
- Virtual Patching for all Workloads
- Stop lateral movement of threats
What are the benefits of NSX Distributed Firewall?
Benefits of NSX Distributed Firewall include:
- Better Security
- No network changes
- Eliminate blind spots
- Security as code
- Operational simplicity
Why VMware for Internal Firewall?
Stop the spread of lateral threats inside the network with no network changes.