Impact of Identity Firewall (IDFW) Enable/Disable on existing connections in NSX-T
search cancel

Impact of Identity Firewall (IDFW) Enable/Disable on existing connections in NSX-T

book

Article ID: 325103

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

This article provides insight on the impact of Identify Firewall (IDFW) Enable/Disable.

Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Resolution

In IDFW disable state, user identity information is not available and IDFW rules will not be enforced. The connections established during this time period will skip the IDFW rule evaluation and will be matched against other NON-IDFW rules in the rule set. At a later time when IDFW is enabled, the existing connections will continue to skip IDFW evaluations. Only the new connections will be evaluated against the IDFW rules.

In IDFW enabled state, user identity information is available and IDFW rules will be enforced. The connections established during this time period will be evaluated against IDFW rules for a match. At a later time when the IDFW is disabled, the existing connections will continue to be evaluated against the IDFW rules. Only the new connections will not be evaluated against the IDFW rules.

In conclusion IDFW enable/disable will not change the behavior for existing connections. Only the new connections will be affected by this change.