In order for the VM-Series firewall to secure the traffic, you must complete the following tasks:
Set Up Security Groups on the NSX Manager
A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. Creating security groups makes it easier to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.
Set up Security Groups on the NSX Manager
Select Networking and Security > Service Composer > Security Groups, and add a New Security Group.
Add a Name and Description. This name will display in the match criteria list when defining dynamic address groups on Panorama.
Select the guests that constitute the security group. You can either add members dynamically or statically. You can Define Dynamic Membership by matching on Security tags (recommended), or statically Select the Objects to Include. In the following screenshot, the guests that belong to the security group are selected using the Objects Type: Virtual Machine option.
Review the details and click OK to create the security group.
Redirect Traffic to the VM-Series Firewall
Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.
Define NSX Firewall Rules to Redirect Traffic to the VM-Series Firewall
Select Networking and Security > Service Composer > Security Policies and click Create Security Policy ( ).
Add a rule Name.
Add a network introspection service. Select Network Introspection Services and click the green plus icon. Name the network introspection service and add a Description. Select Redirect to Service under Action. Select your service definition under Service Name. Select your service profile under Profile. Select a Source and a Destination. By default, traffic source is set to Policy’s Security Groups. This option dynamically includes all security groups where this policy is applied. Alternatively, you can choose to have traffic from any source redirected to the firewall or specify certain security groups. However, vSphere requires that Source or Destination (or both) be set Policy’s Security Group. If you select Any or specific security groups for Destination, then Source must be set to Policy’s Security Group. (Optional) Select specific network services to be redirected to the firewall. If you choose any service or services, all other traffic will not be redirected to the firewall. Click OK. Repeat steps 1 through 6 to add additional network introspection services. Click Finish to save your configuration.
Apply redirection policy to security groups. Highlight a security policy by clicking it. Select Networking and Security > Service Composer > Security Policies and click Apply Security Policy ( ). Apply the redirection rules by checking all appropriate zones. Click OK.

Related Documentation