apply the traffic redirection
policies unless you understand how rules work on the NSX Manager
as well as on the VM-Series firewall and Panorama. The default policy
on the VM-Series firewall is set to
which means that all traffic redirected to the VM-Series firewall
will be dropped. To create policies on Panorama and push them to
the VM-Series firewall, see Apply
Policies to the VM-Series Firewall.
Create security policy rules in
the associated device group. For each security rule set the Rule
Type to Intrazone, select one zone in the associated template, and
select the dynamic address groups as the source and destination.
A qualifying security policy rule in Panorama allows a corresponding
steering rule to be created on NSX Manager when you generate steering
rules and commit in Panorama.
Create security policy.
In Panorama, select
Verify that you are configuring the dynamic address
groups in a device group associated with an NSX service definition.
and enter a
your security policy rule.
Set the Rule Type to
with PAN-OS 6.1 or later)
In the Source tab, set the source zone to the zone
from the template associated with the service definition. Then select
a dynamic address group (NSX security group) you created previously
as the Source Address. Do not add any static address groups, IP
ranges, or netmasks as a Source Address.
In the Destination tab, Panorama does not allow you
to set a destination zone because you set the rule type to intrazone.
Then select a dynamic address group (NSX security group) you created
previously as the Destination Address. Do not add any static address
groups, IP ranges, or netmasks as a Destination Address.
Repeat steps 1 through 7 for each steering rule you
Generate steering rules.
Panorama generates a steering rule for each qualifying
security policy rule.
Auto-Generate Steering Rules
Panorama populates the list of steering rules based
on qualifying security policy rules in the device group attached
to the service definition.
) Modify the NSX Traffic Direction
and add NSX Services to a Steering Rule.
By default, the NSX Traffic Direction is set to
no NSX Services are selected. When no NSX Services are specified,
any type of traffic is redirected to the VM-Series firewall.
Select the auto-generated steering
to be modified.
To change the traffic direction, select the direction from
NSX Traffic Direction
under NSX Services and choose
a service from the
this step to add additional services.
If you deleted any steering rules, click
before committing your changes.
Verify that the corresponding traffic steering rules
were created on the NSX Manager.
Partner Security Services
Confirm that the traffic steering rules you created
on Panorama are listed.
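
The conditions above for a qualifying security policy rule (Rule Type Intrazone, one zone from the template, only dynamic address groups as source and destination) can be checked before generating steering rules. The following is an added example, not Palo Alto Networks code; the rule dictionaries, zone name and group names are constructed and hypothetical, not a Panorama export format, and any address entry that is not a known dynamic address group is treated as non-qualifying.

```python
import ipaddress

def is_literal_address(value):
    """True for an IP address, netmask/CIDR or IP range; False for an object name."""
    try:
        for part in value.split("-", 1):
            ipaddress.ip_network(part.strip(), strict=False)
        return True
    except ValueError:
        return False

def steering_problems(rule, template_zones, dynamic_groups):
    """Return the reasons a rule does not qualify; an empty list means it qualifies."""
    problems = []
    if rule.get("rule_type") != "intrazone":
        problems.append("rule type is not intrazone")
    zones = rule.get("source_zones", [])
    if len(zones) != 1 or zones[0] not in template_zones:
        problems.append("source zone must be exactly one zone from the template")
    for side in ("source", "destination"):
        members = rule.get(side, [])
        if not members:
            problems.append(f"{side}: no dynamic address group selected")
        for member in members:
            if is_literal_address(member):
                problems.append(f"{side}: {member} is an IP, range or netmask")
            elif member not in dynamic_groups:
                problems.append(f"{side}: {member} is not a dynamic address group")
    return problems

# Constructed sample data (hypothetical names, assumed for this example).
TEMPLATE_ZONES = {"nsx-zone"}
DYNAMIC_GROUPS = {"web-sg", "db-sg"}
RULES = [
    {"name": "web-to-db", "rule_type": "intrazone", "source_zones": ["nsx-zone"],
     "source": ["web-sg"], "destination": ["db-sg"]},
    {"name": "web-to-legacy", "rule_type": "intrazone", "source_zones": ["nsx-zone"],
     "source": ["web-sg"], "destination": ["10.1.2.0/24", "legacy-static"]},
    {"name": "range-rule", "rule_type": "universal", "source_zones": ["nsx-zone"],
     "source": ["10.0.0.1-10.0.0.20"], "destination": ["db-sg"]},
]

def audit(rules=RULES):
    """Map each rule name to its list of problems."""
    return {r["name"]: steering_problems(r, TEMPLATE_ZONES, DYNAMIC_GROUPS) for r in rules}

if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "qualifies" if not problems else problems)
```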