Chapter 9: NSX Security, the Money Maker
Within NSX, there are two kinds of firewalls available. The Edge Firewall is centralized. Its primary function is to filter North-South traffic in and out of the NSX environment. In many ways, it behaves like a traditional firewall. The real game changer, though, is the NSX Distributed Firewall (DFW), which is the main focus of this chapter. Instead of sending all traffic to be inspected through a centralized point, the firewall rules are distributed to all hosts and applied to the vNICs of the individual VMs. As we will see, applying security this close to the VM not only improves performance but also allows for much tighter security through microsegmentation.