Generate Steering Policy

Steering policy is used by NSX-T to define the service chain to which traffic will be steered. You can create steering policy manually or you can auto generate steering policy.
When you auto generate steering policy, the Panorama plugin for VMware NSX-T creates a steering policy for each specified service manager and the associated service definitions. By default, TCP Strict is disabled and the Failure Policy is set to Allow. Auto-generated policy uses the auto_<service-def-name>_<zone-name>_steering_policy naming format.
When TCP Strict is enabled, the firewall enforces the requirement of the three-way handshake. If the firewall picks up traffic mid-session (for example, due to asymmetric traffic) and does not detect a three-way handshake, the session is dropped. See VMware NSX-T documentation for more information.
The Failure Policy defines what happens to traffic if the firewall goes down. If you select Allow, the traffic continues on to its destination (fail open). If you select Block, the traffic is dropped (fail closed).
Additionally, you have the option to select all your service managers instead of selecting specific service managers. Choosing All is not recommended if any of your service managers contain operations-centric service definitions. The plugin will create steering policy for each zone associated with the operations-centric service definitions and then push it to NSX-T Manager. If you do choose All, verify that the service manager you select when you auto generate steering policy includes only security-centric service definitions.
If you auto-generate steering policy, you must also auto-generate steering rules. If you manually create steering policy, you must also manually create steering rules.
Steering policy changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX shows the service definition as out-of-sync. Click the Out-of-Sync link to see the specific reason for the out-of-sync status. If a steering policy change is the cause, perform a configuration sync by clicking NSX-T Config-Sync.

Auto Generate Steering Policy

Use the following procedure to auto generate steering policy.
The following steps are for specifying service managers instead of selecting All.
  1. Select Panorama > VMware > NSX-T > Network Introspection > Policy.
  2. Click Auto Generate.
  3. For Service Managers, choose Select.
    If you select All instead of selecting specific service managers, the plugin will generate steering policy for each service definition associated with each service manager in your configuration. Additionally, make sure that your selected service manager includes security-centric service definitions.
  4. Click Add to select the service manager.
  5. Select a Service Manager from the drop-down.
  6. Click Add to select the service definitions.
  7. Select the service definition from the drop-down.
  8. Click OK and click OK again.
  9. Commit your changes to Panorama.

Manually Create Steering Policy

Use the following procedure to manually create steering policy.
  1. Select Panorama > VMware > NSX-T > Network Introspection > Policy.
  2. Click Add.
  3. Enter a descriptive Name for your steering policy.
    The steering policy name cannot include any spaces.
  4. Select a Service Definition from the drop-down.
  5. Select a Service Chain from the drop-down.
  6. (Optional) Enable TCP Strict. This option is disabled by default.
  7. Choose the Failure Policy: Allow or Block. Allow is the default.
  8. Click OK.
  9. Commit your changes to Panorama.
