Practical NSX: Identity Based Firewall

NSX Identity Based Firewall (IDFW) lets NSX Manager connect to Active Directory and read the Security event log of the domain controller to learn which user logged on, and from where. The identity firewall needs at least one source of logon information: the Guest Introspection framework (the thin agent inside the guest reports logons) or Active Directory event log scraping. You can use either one or both in your environment.

When a user logs on, the VM they logged on from is dynamically added to a security group based on the user's AD group membership, and the firewall rules that reference that group apply to it. This is what lets us control access by user identity rather than by IP address alone.

For those of you who would like to follow along, please use the Hands-on Lab: HOL-1903-02-NET

Connect NSX Manager to AD

Networking & Security > NSX Home > Users and Domains

Enter your LDAP details: the domain, the domain controller to bind to, and the credentials used to bind.

Configure access to the Security event logs. The account you supply here must be able to read the domain controller's Security log, since that is what event log scraping reads; if it cannot, logons will only be learned through Guest Introspection.

Configure NSX Guest Introspection

Networking & Security > Installation and Upgrades > Service Deployments

Click Add > Guest Introspection

Select cluster to install.

Select the network and storage.

Click finish to deploy.

Wait for the install to complete, then verify that the installation status for the cluster shows as successful.

Create Security Groups and Firewall Rules

We are going to start by creating an IP set that contains all the lab virtual machine infrastructure, then we will create a security group based on it.

Networking and Security > Groups and Tags > IP SETS > Click on ADD

Let’s now create a security group.

Networking and Security > Service Composer > Security Groups > Click on ADD

Click Select object to include > Object type: IP Sets > select Internal > Finish

We now need to create a firewall rule.

Networking and Security > Firewall > Add Section Above

Name the section then click Add

Add a rule.

Name the rule: Network Admin Access. As a source, create a new security group based on the AD group AppConfiguration.

Name the group: Network Administrators

Select Define dynamic membership > Select Entity belongs to directory group > Choose AppConfiguration.

Click Finish then Save.

Our firewall rule now looks like this.

Let’s change the destination to the internal security group we created earlier.

With the destination changed, the rule looks like this.

Let's now create an identity based firewall rule for the HR group.

As the destination, select the HR web VM and allow only HTTP and HTTPS to it.

The changes that we have made to the firewall need to be published.

One last thing to do from a firewall perspective is to allow communication between the workloads that are members of the Internal security group and change the default firewall rule to deny. Before flipping the default rule to deny, make sure NSX Manager, vCenter and anything else you manage the lab from are either covered by an allow rule or on the DFW exclusion list, otherwise publishing will cut you off. Remember to publish the changes.
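The same objects can be created through the NSX Manager REST API, which is what you want once the lab clicks turn into a repeatable, reviewable build. The following is an added example, not code from the original post or from VMware: it builds the XML payloads for the Internal IP set, a static security group, the identity-based security group and the DFW rules described above, and sends them with HTTP basic auth. The manager hostname, credentials, subnets, section id and every objectId (directorygroup-*, securitygroup-*, vm-*) are placeholders, and the endpoint paths and element names are the author's recollection of the NSX-V 6.x API, so confirm them against your manager's API documentation before relying on them.

```python
"""Build the NSX-V objects from this post as REST payloads instead of clicks.

Added example, not code from the original post or from VMware. Hostname,
credentials, subnets and every objectId (directorygroup-*, securitygroup-*,
vm-*, section ids) are placeholders; the endpoint paths and XML element
names follow the NSX-V 6.x API as the author recalls it.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "nsxmgr.corp.local"   # placeholder
SCOPE = "globalroot-0"              # scope for global grouping objects


def ipset_xml(name, cidrs):
    """Payload for POST /api/2.0/services/ipset/{SCOPE}.
    NSX takes the members as one comma-separated string."""
    root = ET.Element("ipset")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "value").text = ",".join(cidrs)
    return ET.tostring(root, encoding="unicode")


def static_securitygroup_xml(name, member_object_ids):
    """Group with a static include list, e.g. the Internal IP set.
    Payload for POST /api/2.0/services/securitygroup/bulk/{SCOPE}."""
    root = ET.Element("securitygroup")
    ET.SubElement(root, "name").text = name
    for oid in member_object_ids:
        ET.SubElement(ET.SubElement(root, "member"), "objectId").text = oid
    return ET.tostring(root, encoding="unicode")


def identity_securitygroup_xml(name, directory_group_object_id):
    """Group whose membership is 'Entity belongs to directory group'.
    The value is the objectId NSX assigned to the AD group after the
    domain sync, not the AD group name. Same endpoint as above."""
    root = ET.Element("securitygroup")
    ET.SubElement(root, "name").text = name
    dyn = ET.SubElement(ET.SubElement(root, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dyn, "operator").text = "OR"
    crit = ET.SubElement(dyn, "dynamicCriteria")
    ET.SubElement(crit, "operator").text = "OR"
    ET.SubElement(crit, "key").text = "ENTITY"
    ET.SubElement(crit, "criteria").text = "belongs_to"
    ET.SubElement(crit, "value").text = directory_group_object_id
    return ET.tostring(root, encoding="unicode")


def dfw_rule_xml(name, src, dst, tcp_ports=None, action="allow"):
    """Layer-3 rule for POST /api/4.0/firewall/{SCOPE}/config/layer3sections/{id}/rules.
    src and dst are (type, objectId) pairs such as ("SecurityGroup", "securitygroup-12")
    or ("VirtualMachine", "vm-45"). No tcp_ports means any service."""
    root = ET.Element("rule", disabled="false", logged="true")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "action").text = action
    for tag, child, (otype, oid) in (("sources", "source", src), ("destinations", "destination", dst)):
        holder = ET.SubElement(root, tag, excluded="false")
        entry = ET.SubElement(holder, child)
        ET.SubElement(entry, "type").text = otype
        ET.SubElement(entry, "value").text = oid
    if tcp_ports:
        services = ET.SubElement(root, "services")
        for port in tcp_ports:
            svc = ET.SubElement(services, "service")
            ET.SubElement(svc, "protocol").text = "6"   # IP protocol number for TCP
            ET.SubElement(svc, "destinationPort").text = str(port)
    return ET.tostring(root, encoding="unicode")


def xml_text(xml, path):
    """Small helper to read one value back out of a payload (used for checks)."""
    return ET.fromstring(xml).findtext(path)


def nsx_request(method, path, user, password, body=None, etag=None):
    """Send a request to NSX Manager with HTTP basic auth.
    Returns (status, ETag header or None, response body)."""
    req = urllib.request.Request(f"https://{NSX_MANAGER}{path}",
                                 data=body.encode() if body else None, method=method)
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if etag:
        req.add_header("If-Match", etag)   # DFW section writes are locked on the section's ETag
    with urllib.request.urlopen(req) as resp:   # TLS verification stays on: trust your lab CA
        return resp.status, resp.headers.get("ETag"), resp.read().decode()


if __name__ == "__main__":
    # Sequence for the post's HR rule, with placeholder ids throughout.
    user, password = "admin", "CHANGE-ME"
    nsx_request("POST", f"/api/2.0/services/ipset/{SCOPE}", user, password,
                ipset_xml("Internal", ["172.16.30.0/24", "172.16.40.0/24"]))
    nsx_request("POST", f"/api/2.0/services/securitygroup/bulk/{SCOPE}", user, password,
                identity_securitygroup_xml("HR", "directorygroup-2"))
    # Fetch the section first: its ETag must accompany the rule POST.
    _, etag, _ = nsx_request("GET", f"/api/4.0/firewall/{SCOPE}/config/layer3sections/1007", user, password)
    nsx_request("POST", f"/api/4.0/firewall/{SCOPE}/config/layer3sections/1007/rules", user, password,
                dfw_rule_xml("HR Access", ("SecurityGroup", "securitygroup-13"), ("VirtualMachine", "vm-45"), [80, 443]),
                etag=etag)
```

Rules posted this way land unpublished in the section just like UI edits do, and a stale If-Match is rejected, which is the API's way of stopping two people from overwriting each other's section.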


The HR group should be able to access the application hosted on the HR web server.

The HR user is able to access the HR database.

The HR user is unable to access the finance app.

The network administrator should have access to everything in our infrastructure.

The network admin is able to access the finance app and the external database.
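To make the access checks above concrete, here is an added example (not code from the original post or from VMware) that models the policy offline. It parses constructed Windows Security log lines of the kind the event log scraper reads (event 4624 for a successful logon, 4634 for the logoff), derives the static and identity-based security group membership from them, and evaluates the four rules in the order the post creates them. All accounts, addresses and AD group memberships are constructed. The desktops users log on from are deliberately left out of the Internal IP set: that is what makes the HR user's attempt on the finance app fall through to the default deny, while the HR web tier still reaches its database over the Internal-to-Internal rule. In the real system NSX attaches the logon to the VM and puts the VM in the dynamic group; here the source address stands in for that VM.

```python
"""Offline model of the identity-based policy built in this post.

Added example, not from the original post or VMware. The logon events,
accounts, addresses and group memberships are constructed so the checks
at the end of the post can be replayed without a lab. In the real system
NSX maps the logon to the VM (via Guest Introspection or the scraped
event) and the dynamic group holds the VM; here a source address stands
in for that VM.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed Security log lines: 4624 is a successful logon and carries
# the account and the address it came from, 4634 is the matching logoff.
SAMPLE_EVENTS = """\
4624 TargetUserName=hr.user TargetDomainName=CORP IpAddress=172.16.10.21
4624 TargetUserName=net.admin TargetDomainName=CORP IpAddress=172.16.10.22
4624 TargetUserName=svc-backup TargetDomainName=CORP IpAddress=172.16.20.5
4634 TargetUserName=svc-backup TargetDomainName=CORP
"""

# AD group -> members (constructed; stands in for the directory sync).
AD_GROUPS = {"AppConfiguration": {"net.admin"}, "HR": {"hr.user"}}

# Lab addressing (constructed). The Internal IP set covers the server
# networks; the desktops users log on from (172.16.10.0/24) are not in it.
INTERNAL_IPSET = [ip_network("172.16.30.0/24"), ip_network("172.16.40.0/24"),
                  ip_network("172.16.50.0/24")]
HR_DESKTOP = ip_address("172.16.10.21")
ADMIN_DESKTOP = ip_address("172.16.10.22")
BACKUP_HOST = ip_address("172.16.20.5")
HR_WEB = ip_address("172.16.30.10")
HR_DB = ip_address("172.16.30.11")
FINANCE_APP = ip_address("172.16.40.10")
EXT_DB = ip_address("172.16.50.20")   # the "external" database VM, still a lab workload

EVENT_RE = re.compile(r"^(?P<id>\d+)\s+(?P<kv>.*)$")


def parse_logons(text):
    """Return {source address: account} for accounts still logged on."""
    sessions = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        user = fields.get("TargetUserName")
        if m.group("id") == "4624" and "IpAddress" in fields:
            sessions[ip_address(fields["IpAddress"])] = user
        elif m.group("id") == "4634":   # logoff: drop that account's sessions
            sessions = {ip: u for ip, u in sessions.items() if u != user}
    return sessions


def groups_for(sessions, addr):
    """Security groups an address belongs to: static ones from the IP set,
    dynamic ones from the AD groups of whoever is logged on there."""
    groups = set()
    if any(addr in net for net in INTERNAL_IPSET):
        groups.add("Internal")
    if addr == HR_WEB:
        groups.add("HR Web")   # the destination object of the HR rule
    user = sessions.get(addr)
    if user in AD_GROUPS["AppConfiguration"]:
        groups.add("Network Administrators")
    if user in AD_GROUPS["HR"]:
        groups.add("HR")
    return groups


# The rule base from the post, top to bottom: (name, source group,
# destination group, allowed TCP ports or None for any, action).
RULES = [
    ("Network Admin Access", "Network Administrators", "Internal", None, "allow"),
    ("HR Access", "HR", "HR Web", {80, 443}, "allow"),
    ("Internal to Internal", "Internal", "Internal", None, "allow"),
    ("Default Rule", "any", "any", None, "deny"),
]


def evaluate(sessions, src, dst, port):
    """First-match evaluation of RULES for a flow; returns (rule name, action)."""
    src_groups, dst_groups = groups_for(sessions, src), groups_for(sessions, dst)
    for name, s, d, ports, action in RULES:
        if (s == "any" or s in src_groups) and (d == "any" or d in dst_groups) \
                and (ports is None or port in ports):
            return name, action
    raise AssertionError("rule base has no default rule")


if __name__ == "__main__":
    sessions = parse_logons(SAMPLE_EVENTS)
    for src, dst, port in [(HR_DESKTOP, HR_WEB, 443), (HR_DESKTOP, FINANCE_APP, 443),
                           (ADMIN_DESKTOP, FINANCE_APP, 443), (BACKUP_HOST, HR_WEB, 443)]:
        print(sessions.get(src, "<no user>"), src, "->", dst, port, evaluate(sessions, src, dst, port))
```

The svc-backup line is the edge case worth keeping in mind: once the logoff is processed the address has no identity, so it only gets whatever the static groups give it, which here is nothing and therefore the default deny.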

I hope you found this helpful. Please share.
