NSX-T Data Center includes two types of firewalls:

- Distributed Firewall (for east-west traffic)
- Gateway Firewall (for north-south traffic)

Fig. 1 (credit: vmware.com)

The distributed firewall is a hypervisor kernel-embedded stateful firewall:

- It resides in the kernel of the hypervisor, outside the guest OS of the VM.
- It controls the I/O path to and from the vNIC.

The gateway firewall is used for north-south traffic between the NSX-T gateways and the physical network:

- It is also called a perimeter firewall and protects traffic to and from the physical environment.
- It applies to Tier-0 and Tier-1 gateway uplinks and service interfaces.
- It supports both Tier-0 and Tier-1 gateways. If it is applied to a Tier-0 or Tier-1 gateway, the HA status of that gateway should be active-standby.
- It is a centralized stateful service enforced on the NSX Edge node.

Let's discuss both of the above firewall types in detail:

Distributed Firewall

DFW(Distributed