1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall on VMware NSX
    5. Set Up the VM-Series Firewall on VMware NSX-V
    6. Migrate Operations-Centric Configuration to Security-Centric Configuration

    Migrate Operations-Centric Configuration to Security-Centric Configuration

    Complete the following procedure to migrate your Operations Centric configuration into Security Centric formats. This migration is not required. The VM-Series firewall for VMware NSX-V supports both styles of configuration. However, using both styles of configuration in the same deployment is not recommended.
    2. Update the match criteria format in your dynamic address groups.
      1. Select
        Objects
        Address Groups
         and click the link name for your first dynamic address group.
      2. Delete the existing match criteria entry.
      3. Enter the new match criteria in the following format:
        ‘_nsx_
        <dynamic-address-group-name>
        nsx_plugin_DAG.png
      4. Click
        OK
        .
      5. Repeat this process for each dynamic address group.
    3. Change security policy used as NSX-V steering rules to intrazone.
      1. Select
        Policies
        Security
        Pre Rules
         and click the link name for your first security policy rule.
      2. On the General tab, change the
        Rule Type
         to intrazone.
        nsx_plugin_policy_rule_intrazone.png
      3. Click
        OK
        .
      4. Repeat this process for each security policy rule.
    4. Generate new steering rules.
      1. Select
        Panorama
        VMware
        NSX-V
        Steering Rules
        .
      2. Click
        Auto-Generate Steering Rules
        .
        nsx_plugin_auto_generate_steering_rules.png
    5. Commit
       your changes.
      When you commit your changes, Panorama pushes updates to NSX-V Manager.
      1. Verify that NSX-V Manager created new security groups.
        1. Login to vCenter and select
          Networking & Security
          Security Groups
          .
        2. The new security groups (mapped to the updated dynamic address groups) should appear in the following format:
          <service-definition-name> - <dynamic-address-group-name>
        nsx_migration_security_groups.png
      2. Verify that NSX-V Manager created new steering rules.
        1. Select
          Networking & Security
          Firewall
          Configuration
          Partner security services
          .
        2. The new steering rules (mapped to the security policy rules you create on Panorama) are listed above the old steering rules.
        nsx_migration_security_rules.png
    6. Add match criteria to the newly created security groups to ensure that your VMs are placed in the correct security group.
      There two ways to complete this task—recreate the match criteria from the old security group in the new security group or nest the old security group within the new security group.
      To recreate the match criteria from the old security group, complete the following procedure.
      1. Select
        Network & Security
        Service Composer
        Security Groups
        .
      2. Click on a new security group and select
        Edit Security Group
        .
      3. Select
        Define dynamic membership
         and click the plus icon.
      4. Add the same match criteria in the corresponding old security group.
      5. Repeat this process for each new security group.
      6. Delete the old security groups.
        nsx_migration_copy_match_criteria.png
      To nest the old security group within the new security group, complete the following procedure. In this method, VMs in the old security group are added to the new security group. Additionally, any new VM that meets the criteria of the old security group is automatically added to the new security group.
      1. Select
        Network & Security
        Service Composer
        Security Groups
        .
      2. Click on a new security group and select
        Edit Security Group
        .
      3. Select
        Select objects to include
        .
      4. Select the
        Security Group
         Object Type.
      5. Choose the corresponding old security group under Available Objects and move it to Selected Objects by clicking the right arrow icon.
      6. Click
        Finish
        .
      nsx_migration_nest_SG.png
    7. Delete the old steering rules from vCenter.
      1. Select
        Networking & Security
        Firewall
        Configuration
        Partner security services
        .
      2. Delete the old steering rules. Take care not to delete the Palo Alto Networks rules created by the Security-Centric workflow. These steering rule sections use the following naming convention.
        <service-definition-name> - <dynamic-address-group-name>
        nsx_migration_steering_rules.png

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo