Generate Steering Rules

Steering rules are defined in steering policy. A rule defines the source and destination of the traffic, introspection services, the NSX-T objects the rule is applied to, and the traffic redirection policy. You can create steering rules manually or generate steering rules automatically.
You must generate or create steering policy before generating or creating steering rules.
To auto generate a steering rule based on a security rules created on Panorama, the security rule must meet the following criteria:
  • Belongs to a parent or child device group registered with an NSX-T Service Manager.
  • Is an intrazone policy and includes only one zone.
  • Does not include a static address group, IP range, or netmask configured for the rule.
Auto-generated steering rules uses the
auto_<device-group-name>_<device-group-rule-name>
naming format.
By default, auto-generated steering rules are configured without an NSX services specified. Additionally, the NSX Traffic Direction is set to in-out, Logging is disabled, IP protocol is ipv4-ipv6, and the Action is set to redirect. After auto-generating rules, you can update the steering to change the default values.
Additionally, you have the option to select all your service managers instead of selecting specific service managers. Choosing
All
is not recommended.
If you auto-generate steering policy, you must also auto-generate steering rules. And if you manually create steering policy, you must also manually create steering rules.
Steering rules changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX show the service definition as out-of-sync. You should click on the
Out-of-Sync
link to see the specific reason for the out-of-sync status. If a steering rules change is the cause, perform a configuration sync by clicking
NSX-T Config-Sync
.

Auto Generate Steering Rules

Use the following procedure to auto generate steering rules.
When you auto generate a steering rule, where the rule is applied (NSX-T Distributed Firewall or Security Group) depends on the source and destination you specified when configuring the security rule. If you selected
Any
for the source or destination, NSX-T Manager applies the steering rule to the Distributed Firewall. If you select a dynamic address group for the source and destination, the steering is applied to the guest VMs in those security groups.
If you make any changes to device group configuration that is also part of steering rule configuration, such as source and destination address group that map to the Applied To setting in a steering rule, you must auto generate the steering rule again for the changes to take effect.
The following steps are for specifying service managers instead of selecting
All
.
  1. Select
    Panorama
    VMware
    NSX-T
    Network Introspection
    Rule
    .
  2. Click
    Auto Generate
    .
  3. Select the type of Security Rules from the drop-down—
    All
    ,
    Pre Rulebase
    only, or
    Post Rulebase
    only. The security rules are pulled from the service definitions specified in the following steps.
    If you regenerate steering rules, all current rules are deleted and new rules are created based on the selected rule base. If you originally created steering rules using the Pre Rulebase and then regenerate steering rules using the Post Rulebase, only the post-rulebase steering rules will remain.
  4. For
    Type
    , choose
    Select
    .
  5. Click
    Add
    to specify the
    Service Manager
    (s) and
    Service Definition
    (s).
  6. Select a
    Service Manager
    from the drop-down.
  7. Click
    Add
    to select the service definition(s).
  8. Click
    OK
    .
  9. Click
    OK
    to finish or
    Add
    to specify additional service managers and service definitions.
  10. (
    Optional
    ) Click on an auto-generated rule to modify the following default options.
    If you regenerate steering rules, any changes you made to a previously-generate steering rule will be overwritten.
    • Enable NSX-T
      Logging
      .
    • Click
      Add
      to specify
      NSX Services
      , such as Active Directory Server, HTTPS, DNS, etc.
    • Disable
      the rule. If you disable a steering rule but the corresponding security rule is enabled (
      Device Group
      Policies
      Security
      ), the steering rule will also be enabled.
    • Applied to
      allows you change where the steering rule is applied—
      DFW
      or
      Security Group
      .
  11. Clean up unwanted or incorrect steering rules.
    If, for example, your device group contains security rules in the same rulebase as your NSX-T steering rules, the plugin generates security rules based on those non-NSX-T security rules. Because those rules do not refer to an NSX-T dynamic address group, the source and destination for those rules will be set to Any Any in NSX-T Manager. This condition can impact how NSX-T Manager directs traffic. To avoid this, you must manually delete the incorrect steering rules.
    1. Select the incorrect steering rules.
    2. Click
      Delete
      .
    3. Click
      Yes
      to confirm the deletion.
  12. Commit
    your configuration to push it to NSX-T Manager.

Manually Create Steering Rules

Use the following procedure to manually create steering rules.
  1. Select
    Panorama
    VMware
    NSX-T
    Network Introspection
    Rule
    .
  2. Click
    Add
    .
  3. Enter a descriptive
    Name
    for the steering rule.
    The steering rule name cannot include any spaces.
  4. Select a
    Steering Policy
    from the drop-down.
  5. Select a
    Device Group
    from the drop-down.
  6. Select a
    Security Rule
    from the drop-down.
    The Security Rule drop-down displays rules from all security rules across all device groups of Service Definition. Ensure you select the appropriate security rule.
  7. Specify the
    Action
    Redirect
    or
    Do Not Redirect
    .
  8. (
    Optional
    ) Enable NSX-T
    Logging
    .
  9. Specify the
    IP Protocol
    ipv4-ipv6
    ,
    ipv4
    , or
    ipv6
    .
  10. Specify the
    NSX Traffic Direction
    in-out
    ,
    in
    , or
    out
    .
  11. (
    Optional
    ) Click Add to specify
    NSX Services
    , such as Active Directory Server, HTTPS, DNS, etc.
    The following ALG services are not supported: FTP, TFTP, ORACLE_TNS, SUN_RPC_TCP, SUN_RPC_UDP, MS_RPC_TCP, MS_RPC_UDP, NBNS_BROADCAST, NBDG_BROADCAST.
  12. Applied To
    DFW
    or
    Security Groups
    . You can select one or more security group. Security groups are created from dynamic address groups configured on Panorama. The security group names are formatted as follows
    <servicedefinition>_<dynamic-address-group>
    . If you select DFW, the steering rule is applied to all guest VMs, regardless of their security membership.
  13. (
    Optional
    ) Disable the rule.
  14. Click
    OK
    .
  15. Commit
    your configuration to push it to NSX-T Manager.

Recommended For You