Some embodiments provide a method for managing firewall protection in a datacenter that includes multiple host machines that each hosts a set of data compute nodes. The method maintains a firewall configuration for the host machines at a network manager of the data center. The firewall configuration includes multiple firewall rules to be enforced at the host machines. The method aggregates a first set of updates to the firewall configuration into a first aggregated update and associates the first aggregated update with a first version number. The method distributes a first host-level firewall configuration update to a first host machine based on the first aggregated update and associates the first host machine with the first version number. The method aggregates a second set of updates to the firewall configuration into a second aggregated update and associates the second aggregated update with a second version number.