Create Steering Rules on Panorama

Do not apply the traffic redirection policies unless you understand how rules work on the NSX-V Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.
Create security policy rules in the associated device group. For each security rule, set the Rule Type to Intrazone, select one zone in the associated template stack, and select the dynamic address groups as the source and destination. When you generate steering rules and commit in Panorama, each qualifying security policy rule results in a corresponding steering rule on the NSX-V Manager.
  1. Create security policy.
    1. In Panorama, select Policies > Security > Pre Rules.
    2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX-V service definition.
    3. Click Add and enter a Name and Description for your security policy rule.
    4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
    5. In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a dynamic address group (NSX-V security group) you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
    6. In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Then select a dynamic address group (NSX-V security group) you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
    7. Click OK.
    8. Repeat steps 1 through 7 for each steering rule you require.
    9. Commit your changes.
  2. Generate steering rules.
    Panorama generates a steering rule for each qualifying security policy rule.
    1. Select Panorama > VMware NSX-V > Steering Rules.
    2. Select Auto-Generate Steering Rules.
      Panorama will populate the list of steering rules based on qualified security policy rules in the device group attached in the service definition.
    3. (Optional) Modify the NSX-V Traffic Direction and add NSX-V Services to a Steering Rule.
      By default, the NSX-V Traffic Direction is set to inout and no NSX-V Services are selected. When no NSX-V Services are specified, any type of traffic is redirected to the VM-Series firewall.
      1. Select the auto-generated steering rule to be modified.
      2. To change the traffic direction, select the direction from the NSX-V Traffic Direction drop-down.
      3. Click Add under NSX-V Services and choose a service from the Services drop-down. Repeat this step to add additional services.
      4. Click OK.
    4. If you deleted any steering rules, click Auto-Generate Steering Rules before committing your changes.
    5. Commit your changes.
  3. Verify that the corresponding traffic steering rules were created on the NSX-V Manager.
    1. Select Network and Security > Firewall > Configuration > Partner Security Services.
    2. Confirm that the traffic steering rules you created on Panorama are listed.
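
A pre-commit check for the qualifying conditions in step 1 (intrazone rule type, one zone, only dynamic address groups as source and destination), added here as an example that is not part of the original documentation or of Palo Alto Networks tooling. It assumes a device-group configuration exported as XML; the sample is constructed, and the element names and the `members` and `audit` helpers are assumptions to verify against your own export.

```python
import xml.etree.ElementTree as ET
# Constructed sample; element names follow the PAN-OS config XML layout (assumption).
SAMPLE = """<device-group><entry name="nsx-dg">
  <address-group>
    <entry name="web-sg"><dynamic><filter>'web-tag'</filter></dynamic></entry>
    <entry name="app-sg"><dynamic><filter>'app-tag'</filter></dynamic></entry>
    <entry name="legacy"><static><member>host-1</member></static></entry>
  </address-group>
  <pre-rulebase><security><rules>
    <entry name="web-to-app"><rule-type>intrazone</rule-type>
      <from><member>nsx-zone</member></from>
      <source><member>web-sg</member></source>
      <destination><member>app-sg</member></destination></entry>
    <entry name="static-src"><rule-type>intrazone</rule-type>
      <from><member>nsx-zone</member></from>
      <source><member>legacy</member></source>
      <destination><member>app-sg</member></destination></entry>
    <entry name="universal"><from><member>nsx-zone</member></from>
      <source><member>web-sg</member></source>
      <destination><member>any</member></destination></entry>
  </rules></security></pre-rulebase>
</entry></device-group>"""

def members(rule, tag):
    return [m.text for m in rule.findall(f"{tag}/member")]

def audit(xml_text):
    """Map each pre-rule name to the reasons it does not qualify (empty = OK)."""
    dg = ET.fromstring(xml_text).find("entry")
    dynamic = {g.get("name") for g in dg.findall("address-group/entry")
               if g.find("dynamic") is not None}
    report = {}
    for rule in dg.findall("pre-rulebase/security/rules/entry"):
        problems = []
        if rule.findtext("rule-type") != "intrazone":
            problems.append("rule type is not intrazone")
        zones = members(rule, "from")
        if len(zones) != 1 or zones == ["any"]:
            problems.append("select exactly one zone")
        for side in ("source", "destination"):
            addrs = members(rule, side)
            if not addrs or any(a not in dynamic for a in addrs):
                problems.append(f"{side} must be dynamic address groups only")
        report[rule.get("name")] = problems
    return report

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "->", problems or "qualifies")
```

Rules reported with an empty list meet the conditions in step 1; any other rule should be corrected before you select Auto-Generate Steering Rules.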
