Use the Pre Rulebase to Define NSX-T Steering Rules
The following procedure describes how to create
the security policy rules that will be used to generate NSX-T steering
rules and how to create the security policy Panorama will push to
the VM-Series firewall for traffic inspection and enforcement.
the traffic redirection policies unless you understand how rules
work on the NSX-T Manager as well as on the VM-Series firewall and
Panorama. The default policy on the VM-Series firewall is set to deny
all traffic, which means that all traffic redirected to the
VM-Series firewall will be dropped.
Create security policy rules in
the associated device group. For each security rule set the Rule
Type to Intrazone, select one zone in the associated template stack,
and select the dynamic address groups as the source and destination.
Creating a qualifying security policy in Panorama helps in the creation
of a corresponding steering rule on NSX-T Manager upon steering
rule generation and commit in Panorama.
In Panorama, select
and enter a
your security policy rule.
Verify that you are configuring the security rules in
a device group associated with an NSX-T service definition.
Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
In the Source tab, set the source zone to the zone from
the template stack associated with the service definition. Then
select a dynamic address group (NSX-T security group) you created
previously as the Source Address. Do not add any static address
groups, IP ranges, or netmasks as a Source Address.
In the Destination tab, Panorama does not allow you to
set a destination zone because you set the rule type to intrazone.
Then select a dynamic address group (NSX-T security group) you created
previously as the Destination Address. Do not add any static address groups,
IP ranges, or netmasks as a Destination Address.
Repeat steps 1 through 7 for each steering rule you require.
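The constraints above (rule type intrazone, a single source zone from the template stack, and only dynamic address groups as source and destination) are what make a pre-rule eligible for steering-rule generation. The following script is an added example, not part of this documentation or of any Palo Alto Networks tool: it lints a Panorama device-group configuration export for exactly those constraints so a misconfigured rule can be caught before commit. The XML fragment, the device-group name nsxt-dg, the zone names and the address-group names are all constructed for the example; the element layout (device-group > address-group, pre-rulebase > security > rules > entry with from/source/destination members) follows the PAN-OS configuration schema, and a missing rule-type element is treated as the PAN-OS default, universal.

```python
"""Lint Panorama pre-rulebase security rules for NSX-T steering eligibility.

Checks per rule:
  * rule-type is intrazone
  * exactly one source zone in <from>
  * every <source> and <destination> member is a dynamic address group
    (static groups, IP ranges, netmasks and 'any' are rejected)
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration fragment; not a real Panorama export.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="nsxt-dg">
      <address-group>
        <entry name="web-sg"><dynamic><filter>'web'</filter></dynamic></entry>
        <entry name="db-sg"><dynamic><filter>'db'</filter></dynamic></entry>
        <entry name="static-servers"><static><member>10.1.1.1</member></static></entry>
      </address-group>
      <pre-rulebase><security><rules>
        <entry name="web-to-db">
          <rule-type>intrazone</rule-type>
          <from><member>nsxt-zone</member></from>
          <source><member>web-sg</member></source>
          <destination><member>db-sg</member></destination>
          <action>allow</action>
        </entry>
        <entry name="bad-universal">
          <rule-type>universal</rule-type>
          <from><member>nsxt-zone</member></from>
          <to><member>nsxt-zone</member></to>
          <source><member>web-sg</member></source>
          <destination><member>db-sg</member></destination>
          <action>allow</action>
        </entry>
        <entry name="bad-static-and-cidr">
          <rule-type>intrazone</rule-type>
          <from><member>nsxt-zone</member><member>other-zone</member></from>
          <source><member>static-servers</member></source>
          <destination><member>10.2.0.0/24</member></destination>
          <action>allow</action>
        </entry>
      </rules></security></pre-rulebase>
    </entry></device-group>
  </entry></devices>
</config>"""


def dynamic_group_names(device_group):
    """Return the names of address groups in the device group that are dynamic."""
    return {
        e.get("name")
        for e in device_group.findall("address-group/entry")
        if e.find("dynamic") is not None
    }


def members(entry, tag):
    """Collect the <member> values under the given child element of a rule."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]


def check_rule(rule, dynamic_groups):
    """Return a list of problems that make this rule ineligible for steering."""
    problems = []
    # PAN-OS treats an absent rule-type as 'universal' (assumption documented above).
    rule_type = rule.findtext("rule-type", default="universal")
    if rule_type != "intrazone":
        problems.append(f"rule-type is '{rule_type}', expected intrazone")
    from_zones = members(rule, "from")
    if len(from_zones) != 1:
        problems.append(f"expected exactly one source zone, found {from_zones}")
    for side in ("source", "destination"):
        for member in members(rule, side):
            if member not in dynamic_groups:
                problems.append(f"{side} '{member}' is not a dynamic address group")
    return problems


def lint_config(xml_text, device_group_name):
    """Map each pre-rulebase security rule name to its list of problems."""
    root = ET.fromstring(xml_text)
    dg = root.find(f"devices/entry/device-group/entry[@name='{device_group_name}']")
    if dg is None:
        raise ValueError(f"device group {device_group_name!r} not found")
    dynamic_groups = dynamic_group_names(dg)
    return {
        rule.get("name"): check_rule(rule, dynamic_groups)
        for rule in dg.findall("pre-rulebase/security/rules/entry")
    }


if __name__ == "__main__":
    for name, problems in lint_config(SAMPLE_CONFIG, "nsxt-dg").items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

To use it against a real deployment, replace SAMPLE_CONFIG with the text of a Panorama configuration export and pass the device group that is associated with the NSX-T service definition; any rule that reports problems will not produce a usable steering rule on the NSX-T Manager.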