Within the VMware vDefend Network Detection and Response (NDR) UI and alerting systems, the term "hosts" is used from a cybersecurity perspective, not an infrastructure perspective. It refers directly to the network endpoints or virtual machines—specifically, your Workloads —that are participating in the analyzed traffic. It does not refer to the underlying physical hypervisors (like vSphere ESXi hosts or VCF nodes) that run the compute layer. NDR monitors these workload "hosts" to correlate suspicious activities into broader threat campaigns.

The VMware vDefend Gateway Firewall provides stateful perimeter firewalling capabilities for the software-defined data center. Architecturally, it is supported and can be instantiated on both Tier-0 (T0) and Tier-1 (T1) Edge nodes.

On a Tier-0 Gateway: The firewall acts as the primary North-South boundary, inspecting and securing traffic entering and leaving the entire physical data center.

On a Tier-1 Gateway: The firewall acts as an inter-tenant or inter-zone boundary, providing advanced security (like Gateway Identity Firewall or Gateway IDS/IPS) closer to the workloads before traffic ever reaches the main T0 edge.

=========================

VMware vDefend natively supports Time-Based Firewall Policies (also known as Time Schedules). This feature allows administrators to define specific recurring schedules (e.g., "Monday to Friday, 8:00 AM to 5:00 PM" or a specific weekend backup window).

Once the schedule is created in the system, it can be attached directly to a Distributed Firewall policy section or individual rule. During the active window, the rule is enforced; outside the window, the rule automatically disables itself. This eliminates the need to write custom API scripts (Option C) or manually toggle rules during maintenance windows.

=========================

When integrating container orchestration (like Kubernetes) with VMware vDefend, a Container Network Interface (CNI) plugin (such as Antrea) is utilized. The fundamental, non-optional requirement of a CNI is providing basic pod network connectivity (Option B). However, advanced features like East-West service load balancing (kube-proxy replacement), enforcing Kubernetes NetworkPolicies (security), and handling IP Address Management (IPAM) are considered optional or configurable functionalities depending on the specific CNI implementation and how the cluster is architected to integrate with vDefend.

To understand Network Detection and Response (NDR), you must understand the hierarchy of security telemetry: Events , Incidents , and Campaigns .

An Event is a single anomaly or triggered detector (e.g., an IDS signature matching, or NTA noticing an unusual DNS query).

An Incident is a formalized alert presented to the security analyst in the NDR dashboard, indicating an actual threat that requires investigation.

While the primary power of vDefend NDR is its Artificial Intelligence engine—which correlates multiple seemingly low-level events (like a port scan followed by a suspicious file download and lateral movement) into a single, high-confidence Incident—an Incident does not strictly require multiple events.

If a single, highly critical event occurs—such as the Malware Prevention engine definitively detonating and confirming a severe piece of zero-day ransomware—the NDR engine will immediately escalate that single event into a full-blown Incident . Therefore, an incident may consist of just one highly critical event, or dozens of lower-level events correlated together over time.

=========================

Within the vDefend Network Detection and Response (NDR) dashboard, every threat event is assigned an Impact Score (a numerical value typically ranging from 0 to 100) to help security operations teams prioritize their incident response.

This Impact Score is a calculated composite metric derived from two distinct factors:

Severity (Option D): This represents the potential theoretical damage the attack could cause to the environment if successful (e.g., a critical remote code execution vs. a low-level port scan).

Confidence (Option A): This represents how certain the AI/NTA engine is that this event is a true positive attack and not just benign, anomalous background noise.

"Campaign" and "Detector" are metadata tags used to group and identify the alert, but they are not the mathematical values used to calculate the Impact Score.

=========================

To answer this, you must separate Gateway features (perimeter) from Distributed features (hypervisor).

Guest Introspection (Option C) is an API framework that uses VMware Tools to look inside the Guest Operating System of a Virtual Machine (used for Identity Firewall user logons or agentless Anti-Virus). Because it interacts directly with the local VM OS, it is strictly a Distributed/Hypervisor-level feature .

The Gateway Firewall sits far away on the Edge Node (Option A). It does not have Guest Introspection capabilities because it cannot directly talk to the OS of a VM. Instead, it relies on network-level features like Layer 7 App-ID (Option B) and TLS Decryption (Option D) to secure North-South traffic.

=========================