Create Steering Rules on Panorama
Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.
Create security policy rules in the associated device group. For each security rule, set the Rule Type to Intrazone, select one zone in the associated template stack, and select the dynamic address groups as the source and destination. A qualifying security policy in Panorama helps create the corresponding steering rule on NSX Manager when steering rules are generated and committed in Panorama.
- Create security policy.
  - In Panorama, select Policies > Security > Pre Rules.
  - Verify that you are configuring the dynamic address groups in a device group associated with an NSX service definition.
  - Click Add and enter a Name and Description for your security policy rule.
  - Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
  - In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a dynamic address group (NSX security group) you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
  - In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Select a dynamic address group (NSX security group) you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
  - Click OK.
  - Repeat steps 1 through 7 for each steering rule you require.
  - Commit your changes.
- Generate steering rules. Panorama generates a steering rule for each qualifying security policy rule.
  - Select Panorama > VMware NSX > Steering Rules.
  - Select Auto-Generate Steering Rules. Panorama will populate the list of steering rules based on qualified security policy rules in the device group attached in the service definition.
- (Optional) Modify the NSX Traffic Direction and add NSX Services to a Steering Rule. By default, the NSX Traffic Direction is set to inout and no NSX Services are selected. When no NSX Services are specified, any type of traffic is redirected to the VM-Series firewall.
  - Select the auto-generated steering rule to be modified.
  - To change the traffic direction, select the direction from the NSX Traffic Direction drop-down.
  - Click Add under NSX Services and choose a service from the Services drop-down. Repeat this step to add additional services.
  - Click OK.
  - Commit your changes.
- Verify that the corresponding traffic steering rules were created on the NSX Manager.
  - Select Network and Security > Firewall > Configuration > Partner Security Services.
  - Confirm that the traffic steering rules you created on Panorama are listed.
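The qualification criteria from the first step (intrazone rule type, one zone, only dynamic address groups as source and destination) can be checked before you auto-generate steering rules. The following is an added example, not Palo Alto Networks code: the XML layout and element names are assumptions modelled on a PAN-OS style configuration export, and the sample device group, zone, and group names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified device-group fragment. Element names are
# assumptions modelled on a PAN-OS style XML export, not taken from the page.
SAMPLE = """
<device-group name="nsx-dg">
  <address-group>
    <entry name="web-sg"><dynamic><filter>'web-tag'</filter></dynamic></entry>
    <entry name="db-sg"><dynamic><filter>'db-tag'</filter></dynamic></entry>
    <entry name="legacy"><static><member>host-1</member></static></entry>
  </address-group>
  <pre-rulebase><security><rules>
    <entry name="web-to-db"><rule-type>intrazone</rule-type>
      <from><member>nsx-zone</member></from>
      <source><member>web-sg</member></source>
      <destination><member>db-sg</member></destination></entry>
    <entry name="mixed-src"><rule-type>intrazone</rule-type>
      <from><member>nsx-zone</member></from>
      <source><member>web-sg</member><member>10.0.0.0/24</member></source>
      <destination><member>legacy</member></destination></entry>
    <entry name="wrong-type"><rule-type>universal</rule-type>
      <from><member>nsx-zone</member><member>dmz</member></from>
      <source><member>web-sg</member></source>
      <destination><member>db-sg</member></destination></entry>
  </rules></security></pre-rulebase>
</device-group>
"""

def members(entry, tag):
    """Return the <member> values listed under one field of a rule entry."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member")]

def audit_rules(xml_text):
    """Map each pre rule name to the reasons it would not qualify for steering."""
    root = ET.fromstring(xml_text)
    # Only groups defined with a <dynamic> filter count as dynamic address groups.
    dynamic = {g.get("name") for g in root.findall("address-group/entry")
               if g.find("dynamic") is not None}
    report = {}
    for rule in root.findall("pre-rulebase/security/rules/entry"):
        problems = []
        if (rule.findtext("rule-type") or "").strip() != "intrazone":
            problems.append("rule type is not intrazone")
        if len(members(rule, "from")) != 1:
            problems.append("source must name exactly one zone")
        for field in ("source", "destination"):
            bad = [m for m in members(rule, field) if m not in dynamic]
            if bad or not members(rule, field):
                problems.append(f"{field} is not limited to dynamic address groups: {bad}")
        report[rule.get("name")] = problems
    return report
```

Calling `audit_rules(SAMPLE)` returns an empty list for `web-to-db` and the disqualifying reasons for the other two rules, which are the ones that would not produce a steering rule.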