: Migrate from VM-Series on NSX-T Operation to Security Centric Deployment
Focus
Focus

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Table of Contents
End-of-Life (EoL)

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Use the following procedure to migrate your operations-centric NSX-T deployment to a security-centric NSX-T deployment.
  1. Log in to Panorama.
  2. Modify the match criteria of your dynamic address groups to follow the format required for a security-centric deployment.
    1. Select ObjectsAddress Groups.
    2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX-T service definition.
    3. Click on the name of a previously created NSX-T dynamic address group.
    4. Edit the match criteria.
      For the dynamic address group to become a security group in NSX-T Manager, the match criteria string must be enclosed in single quotes with the prefix _nsxt_ followed by the exact name of the Address Group. For example, ‘_nsxt_PAN_APP_NSX’.
    5. Repeat this process for each security group you require.
  3. Set the security rules to be as NSX-T steering rules to intrazone.
    1. In Panorama, select PoliciesSecurityPre Rules.
    2. Verify that you are configuring the security rules in a device group associated with an NSX-T service definition.
    3. Click Add and enter a Name and Description for your security policy rule.
    4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
    5. In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a dynamic address group you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
    6. In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Then select a dynamic address group you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
    7. Click OK.
    8. Repeat steps 1 through 7 for each steering rule you require.
    9. Commit your changes.
  4. Auto generate new steering policy.
    The following steps are for specifying service managers instead of selecting All.
    1. Select PanoramaVMwareNSX-TNetwork IntrospectionPolicy.
    2. Click Auto Generate.
    3. For Service Managers, choose Select.
      If you select All instead of selecting specific service managers, the plugin will generate steering policy for each service definition associated with each service manager in your configuration.
    4. Click Add to select the service manager.
    5. Select a Service Manager from the drop-down.
    6. Click Add to select the service definitions.
    7. Select the service definition from the drop-down.
    8. Click OK and click OK again.
    9. Commit your changes.
  5. Auto generate new steering rules.
    If you auto-generate steering policy, you must also auto-generate steering rules. And if you manually create steering policy, you must also manually create steering rules.
    The following steps are for specifying service managers instead of selecting All.
    1. Select PanoramaVMwareNSX-TNetwork IntrospectionRule.
    2. Click Auto Generate.
    3. Select the type of Security Rules from the drop-down—All, Pre Rulebase only, or Post Rulebase only. The security rules are pulled from the service definitions specified in the following steps.
    4. For Type, choose Select.
    5. Click Add to specify the Service Manager(s) and Service Definition(s).
    6. Select a Service Manager from the drop-down.
    7. Click Add to select the service definition(s).
    8. Click OK.
    9. Click OK to finish or Add to specify additional service managers and service definitions.
    10. (Optional) Click on an auto-generated rule to modify the default options.
  6. Create Dynamic Address Group Membership Criteria.
  7. Commit your changes to Panorama.
  8. Delete the operations-centric steering rules from NSX-T Manager.
    1. Log in to NSX-T Manager.
    2. Select SecurityNetwork Introspection (E-W)Rules.
    3. Select each operations-centric steering rules.
    4. Click Delete.
  9. Delete the operations-centric service chain from NSX-T Manager.
    1. Log in to NSX-T Manager.
    2. Select SecurityNetwork Introspection SettingsService Chains.
    3. Click the vertical ellipses.
    4. Click Delete.