Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Use the following procedure to migrate your operations-centric NSX-T deployment to a security-centric NSX-T deployment.
  1. Log in to Panorama.
  2. Modify the match criteria of your dynamic address groups to follow the format required for a security-centric deployment.
    1. Select Objects > Address Groups.
    2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX-T service definition.
    3. Click on the name of a previously created NSX-T dynamic address group.
    4. Edit the match criteria.
      For the dynamic address group to become a security group in NSX-T Manager, the match criteria string must be enclosed in single quotes with the prefix _nsxt_ followed by the exact name of the Address Group. For example, '_nsxt_PAN_APP_NSX'.
    5. Repeat this process for each security group you require.
  3. Set the security rules to be used as NSX-T steering rules to intrazone.
    1. In Panorama, select Policies > Security > Pre Rules.
    2. Verify that you are configuring the security rules in a device group associated with an NSX-T service definition.
    3. Click Add and enter a Name and Description for your security policy rule.
    4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
    5. In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a dynamic address group you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
    6. In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Then select a dynamic address group you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
    7. Click OK.
    8. Repeat steps 1 through 7 for each steering rule you require.
    9. Commit your changes.
  4. Auto generate new steering policy.
    The following steps are for specifying service managers instead of selecting All.
    1. Select Panorama > VMware > NSX-T > Network Introspection > Policy.
    2. Click Auto Generate.
    3. For Service Managers, choose Select.
      If you select All instead of selecting specific service managers, the plugin will generate steering policy for each service definition associated with each service manager in your configuration.
    4. Click Add to select the service manager.
    5. Select a Service Manager from the drop-down.
    6. Click Add to select the service definitions.
    7. Select the service definition from the drop-down.
    8. Click OK and click OK again.
    9. Commit your changes.
  5. Auto generate new steering rules.
    If you auto-generate steering policy, you must also auto-generate steering rules. And if you manually create steering policy, you must also manually create steering rules.
    The following steps are for specifying service managers instead of selecting All.
    1. Select Panorama > VMware > NSX-T > Network Introspection > Rule.
    2. Click Auto Generate.
    3. Select the type of Security Rules from the drop-down: All, Pre Rulebase only, or Post Rulebase only. The security rules are pulled from the service definitions specified in the following steps.
    4. For Type, choose Select.
    5. Click Add to specify the Service Manager(s) and Service Definition(s).
    6. Select a Service Manager from the drop-down.
    7. Click Add to select the service definition(s).
    8. Click OK.
    9. Click OK to finish or Add to specify additional service managers and service definitions.
    10. (Optional) Click on an auto-generated rule to modify the default options.
  6. Commit your changes to Panorama.
  7. Delete the operations-centric steering rules from NSX-T Manager.
    1. Log in to NSX-T Manager.
    2. Select Security > Network Introspection (E-W) > Rules.
    3. Select each operations-centric steering rule.
    4. Click Delete.
  8. Delete the operations-centric service chain from NSX-T Manager.
    1. Log in to NSX-T Manager.
    2. Select Security > Network Introspection Settings > Service Chains.
    3. Click the vertical ellipses.
    4. Click Delete.
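
A pre-migration check for steps 2 and 3, as an added example that is not part of the original documentation or of any Palo Alto Networks tooling: it flags steering rules whose type is not intrazone or whose source or destination is anything other than a dynamic address group with '_nsxt_<name>' match criteria. The dictionary layout and every object name other than PAN_APP_NSX are constructed for illustration and are not Panorama's export format.

```python
# Constructed sample data; the dict layout is an assumption for this example,
# not Panorama's export format.
ADDRESS_GROUPS = {
    "PAN_APP_NSX": {"type": "dynamic", "match": "'_nsxt_PAN_APP_NSX'"},
    "PAN_DB_NSX": {"type": "dynamic", "match": "'PAN_DB_NSX'"},  # not yet migrated
    "LEGACY_SERVERS": {"type": "static", "match": None},
}
RULES = [
    {"name": "app-to-app", "rule_type": "intrazone",
     "source": ["PAN_APP_NSX"], "destination": ["PAN_APP_NSX"]},
    {"name": "app-to-db", "rule_type": "universal",
     "source": ["PAN_APP_NSX"], "destination": ["PAN_DB_NSX", "10.1.0.0/16"]},
    {"name": "legacy", "rule_type": "intrazone",
     "source": ["LEGACY_SERVERS"], "destination": ["PAN_APP_NSX"]},
]

def group_problem(name, groups):
    """Return why `name` cannot be used in a steering rule, or None if it can."""
    group = groups.get(name)
    if group is None:
        return f"{name}: not an address group (IP range, netmask or unknown object)"
    if group["type"] != "dynamic":
        return f"{name}: static address group"
    # Step 2: single quotes, the _nsxt_ prefix, then the exact group name.
    expected = f"'_nsxt_{name}'"
    if group["match"] != expected:
        return f"{name}: match criteria {group['match']!r}, expected {expected!r}"
    return None

def audit(rules, groups):
    """Map each non-compliant rule name to the list of problems found."""
    findings = {}
    for rule in rules:
        problems = []
        if rule["rule_type"] != "intrazone":  # step 3, substep 4
            problems.append(f"rule type is {rule['rule_type']}, expected intrazone")
        for field in ("source", "destination"):  # step 3, substeps 5 and 6
            for member in rule[field]:
                issue = group_problem(member, groups)
                if issue:
                    problems.append(f"{field} {issue}")
        if problems:
            findings[rule["name"]] = problems
    return findings

if __name__ == "__main__":
    for rule_name, problems in audit(RULES, ADDRESS_GROUPS).items():
        for problem in problems:
            print(f"{rule_name}: {problem}")
```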
