The Segmented Nerd

Features

vDefend

Distributed Firewall

Micro-segmentation, east-west policy enforcement, and identity-aware control — built into the hypervisor kernel.

vDefend · v9.0

Distributed Firewall

Stateful L2–L7 firewall enforced at the vNIC in the ESXi kernel — no traffic hairpin to a centralized appliance. Policy distributes to every host, so enforcement follows the workload. Supports VMs, containers, and physical workloads via bare-metal agents.

vDefend · v9.0

Gateway Firewall

Stateful L4–L7 policy enforced at NSX Tier-0 and Tier-1 gateways, controlling north-south traffic at the edge of logical segments. Supports URL filtering, FQDN-based rules, TLS inspection, and Geo-Fencing by country or region.

vDefend · v9.0

Geo-Fencing at Gateway Firewall

Gateway Firewall rules can match source or destination by country or region using GeoIP data, blocking inbound or outbound traffic from specific geographies without manually maintaining IP block lists. Added to the Gateway Firewall in vDefend 9.0.

vDefend

Identity Firewall (IDFW)

Active Directory-integrated policy enforcement that lets DFW rules reference AD users and groups rather than IP addresses. Enables user-identity-aware micro-segmentation for Windows workloads without per-host agents — useful for VDI environments and privileged access control.

vDefend

Micro-Segmentation

Zero-trust east-west segmentation using DFW rules scoped to workload tags, security groups, or VM attributes rather than IP addresses. Policy remains accurate as workloads move or scale — no firewall rule rewrite required when a VM vMotions or a new instance spins up.

vDefend

TLS Inspection

Decrypts east-west TLS sessions inline at the DFW layer for ATP inspection, without routing traffic to a separate proxy appliance. Uses a dedicated CA and certificate pinning to preserve trust chains. Relevant wherever encrypted lateral movement is part of the threat model.

vDefend · v9.0

Distributed Firewall for VPCs

Extends the vDefend Distributed Firewall to Virtual Private Clouds within VCF/NSX, applying the same workload-level enforcement model to VPC-based deployments. Introduced in vDefend 9.0 as part of broader VPC networking support in NSX.

Security Services Platform

SSP

Detection, threat prevention, and network analytics services that run on the Security Services Platform.

SSP · v5.1.2

License Hub

Centralized license management for vDefend and Avi Load Balancer across up to 120 NSX Manager instances. Replaces per-instance 25-character key entry with digitally signed subscription files, supports connected and disconnected (air-gapped) modes, and provides unified usage reporting across vDefend and Avi endpoints. Required for vDefend with VCF 9.1.

SSP · v5.0

Intelligent Assist

GenAI-powered assistant (delivered as a Chrome extension) that explains security events in plain English, correlates campaigns across multiple alerts, and surfaces remediation recommendations — reducing the time from alert to analyst action on NDR and ATP findings.

SSP · v5.x

Network Detection & Response (NDR)

Multi-context correlation engine that aggregates signals from DFW flow data, IDS/IPS events, and NTA anomalies to reach verdicts on network activity — lateral movement, beaconing, and east-west attack campaigns — without requiring a tap, mirror, or external sensor.

SSP · v5.x

Network Traffic Analysis (NTA)

ML-based behavioral analysis that builds per-workload baselines and flags deviations — unusual protocols, unexpected peer relationships, volume spikes. Feeds into NDR verdicts and improves the signal-to-noise ratio for east-west anomaly detection.

SSP · v5.x

Security Intelligence

Policy recommendation engine that visualizes observed traffic flows, detects anomalies, and classifies workloads to accelerate micro-segmentation planning. Maps findings to MITRE ATT&CK and surfaces candidate DFW rules based on real flow data rather than guesswork.

SSP · v9.0

IDS/IPS — Intrusion Detection & Prevention

Signature and behavior-based inspection of east-west traffic using a Suricata-powered engine. Signature profiles, exclusions, and event thresholds can be managed centrally across all federated sites via NSX Global Manager — a capability added in vDefend 9.0.

SSP · v9.0

VM-Aware Malware Prevention

Guest introspection service that uses ML and memory analysis to detect fileless attacks (PowerShell, VBScript, JScript) by matching in-memory code injection patterns. Runs out-of-band from the guest OS, so malware cannot tamper with the sensor.

Application Delivery

Avi

Load balancing, WAF, GSLB, and application delivery services for modern multi-cloud environments.

Avi · v30.2

L4/L7 Load Balancing

Virtual server–based load balancing with full Layer 4 (TCP/UDP) and Layer 7 (HTTP/HTTPS) support. Per-pool health monitors with active and passive checks. Persistence via source IP, cookies, or TLS session ID. Service Engines provision automatically to match declared capacity.

Avi · v32.1.1

MCP Load Balancing

Load balancing for Model Context Protocol traffic with session persistence and OAuth 2.0 authorization. Keeps AI agent sessions pinned to the correct backend across requests — essential for stateful MCP server deployments where context must be maintained between tool calls.

Avi · v32.1.1

VCF 9.1 Native Integration

Deep integration with VMware Cloud Foundation 9.1 — centralized deployment and lifecycle management via VCF Operations, automatic discovery of vCenter and NSX Manager, self-service load balancing provisioning through VCF Automation, organization-based resource governance with quotas and tenant isolation, and automatic AKO deployment on vSphere Kubernetes Service clusters.

Avi

Avi Kubernetes Operator (AKO)

Kubernetes controller that maps Ingress resources and Services of type LoadBalancer directly to Avi virtual services. Policy is declared as Kubernetes objects (AviInfraSetting, HTTPRule, HostRule). Supports OpenShift Routes. No sidecar required — the SE handles data-plane traffic outside the cluster.

Avi · v30.2

Application Analytics Engine

Per-transaction telemetry with no sampling — response time, server errors, client geography, WAF events — searchable in the Avi UI or streamed to Elasticsearch, Splunk, or syslog. The application health score is a composite of performance, security events, and anomaly signals.

Avi · v30.2

Bot Management

Stateful HTTP session tracking with behavioral analysis to identify and classify automated traffic — scrapers, scanners, credential stuffing bots. CSRF protection is built in. Policy can allow, rate-limit, challenge, or block by bot classification without a separate appliance.

Avi

DataScript

Lua-inspired scripting engine embedded in the Service Engine data path. Used to implement custom load balancing logic, rewrite URLs, inject or strip headers, or enforce access controls that the UI doesn't expose. Executes on every connection or request with no external call — no latency penalty.

Avi · v30.2

Global Server Load Balancing (GSLB)

DNS-based active-active and active-standby load balancing across multiple datacenters or clouds. Health-aware — removes sites from DNS rotation on pool failure. Supports GeoIP-based routing, site persistence, and canary deployments with configurable traffic weights per site.

Avi · v30.2

Predictive Autoscaling

ML-based Service Engine scaling that learns traffic patterns and capacity thresholds — CPU, memory, PPS, connection table — and scales proactively before exhaustion. Scales down during off-peak periods. Works across VMware, AWS, Azure, and GCP Service Engine deployments.

Avi · v30.2

SSL/TLS Offload

Full SSL/TLS termination at the Service Engine with hardware-accelerated crypto. Manages the full certificate lifecycle including ACME/Let's Encrypt integration. Re-encrypts to backends or passes cleartext — configurable per virtual service. Supports TLS 1.3, OCSP stapling, and SNI-based routing.

Avi · v30.2

Web Application Firewall (WAF)

OWASP CRS-based WAF integrated directly into the Avi Service Engine data path — no separate appliance. Supports detection and blocking modes, custom rules, per-URI overrides, JSON/XML payload inspection, and a learning mode that builds an application profile from production traffic before enforcing.