In a Software Defined Datacenter (SDDC) environment, distributed network firewalls are replacing traditional firewalls in order to meet new requirements for granularity and scalability. Typically, a firewall controller is deployed on each hypervisor to protect the virtual machines (VMs) running on that hypervisor, and a centralized management component distributes firewall rules to all firewall controllers in the SDDC. Often, every firewall controller receives a large set of rules targeting the entire datacenter. The firewall controller then applies all of the rules to every protected VM on its hypervisor. FIG. 1 illustrates a distributed firewall scheme in a datacenter 100 in which the complete set of firewall rules is applied to every VM. In this scenario, the large rule set places a significant burden on the firewall engine, because every single network packet has to be inspected against the entire rule set. In addition, it also consumes a large amount of memory, because the rule set is replicated to every protected VM.
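The per-packet evaluation cost described above, as an added example that is not part of the original patent text: a minimal first-match packet filter that applies the whole datacenter rule set to one VM's traffic and counts how many rules are inspected before a decision, alongside a count of how many of those rules can ever match that VM. The rule set is constructed here (the 10.0.0.0/16 VM range, the 10.x.0.0/24 client subnets and the `Rule` layout are assumptions).

```python
import ipaddress
from dataclasses import dataclass
from itertools import islice
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # source range the rule matches
    dst: ipaddress.IPv4Network  # destination range the rule matches
    dport: Optional[int]        # destination port; None matches any port
    action: str                 # "allow" or "deny"

def build_datacenter_rules(n_vms=1000):
    """Constructed sample rule set for the whole datacenter (hypothetical):
    each protected VM in 10.0.0.0/16 gets one allow rule from one of four
    client subnets, followed by a single catch-all deny."""
    vms = list(islice(ipaddress.IPv4Network("10.0.0.0/16").hosts(), n_vms))
    rules = [
        Rule(ipaddress.IPv4Network(f"10.{1 + i % 4}.0.0/24"),
             ipaddress.IPv4Network(f"{vm}/32"), 443, "allow")
        for i, vm in enumerate(vms)
    ]
    rules.append(Rule(ANY, ANY, None, "deny"))
    return rules, vms

def matches(rule, src_ip, dst_ip, dport):
    return (src_ip in rule.src and dst_ip in rule.dst
            and (rule.dport is None or rule.dport == dport))

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation of one packet against the full rule set, as the
    per-VM firewall engine does. Returns (action, rules_inspected)."""
    for inspected, rule in enumerate(rules, 1):
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action, inspected
    return "deny", len(rules)  # implicit default when nothing matched

def relevant_rules(rules, vm_ip):
    """Rules that can match traffic to or from vm_ip; every other rule is
    replicated to that VM's engine and inspected without ever matching."""
    return [r for r in rules if vm_ip in r.src or vm_ip in r.dst]

if __name__ == "__main__":
    rules, vms = build_datacenter_rules()
    client = ipaddress.IPv4Address("10.4.0.7")   # inside 10.4.0.0/24
    action, n = evaluate(rules, client, vms[-1], 443)
    print(f"{action} after inspecting {n} of {len(rules)} rules")
    print(f"{len(relevant_rules(rules, vms[-1]))} rules can ever match {vms[-1]}")
```

With the last VM in the constructed set, the engine walks 1000 of 1001 rules before finding the allow, even though only two of those rules could ever apply to that VM.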