Migrate Operations-Centric Configuration to Security-Centric Configuration
Complete the following procedure to migrate
your Operations-Centric configuration into Security-Centric formats.
This migration is not required. The VM-Series firewall for VMware
NSX-V supports both styles of configuration. However, using both styles
of configuration in the same deployment is not recommended.
- Update the match criteria format in your dynamic address groups.
  - Select Objects > Address Groups and click the link name for your first dynamic address group.
  - Delete the existing match criteria entry.
  - Enter the new match criteria in the following format: ‘_nsx_<dynamic-address-group-name>’
  - Click OK.
  - Repeat this process for each dynamic address group.
- Change the security policy rules used as NSX-V steering rules to intrazone.
  - Select Policies > Security > Pre Rules and click the link name for your first security policy rule.
  - On the General tab, change the Rule Type to intrazone.
  - Click OK.
  - Repeat this process for each security policy rule.
- Generate new steering rules.
  - Select Panorama > VMware > NSX-V > Steering Rules.
  - Click Auto-Generate Steering Rules.
  - Commit your changes. When you commit your changes, Panorama pushes updates to NSX-V Manager.
- Verify that NSX-V Manager created new security groups.
  - Log in to vCenter and select Networking & Security > Security Groups.
  - The new security groups (mapped to the updated dynamic address groups) should appear in the following format: <service-definition-name> - <dynamic-address-group-name>
- Verify that NSX-V Manager created new steering rules.
  - Select Networking & Security > Firewall > Configuration > Partner security services.
  - The new steering rules (mapped to the security policy rules you create on Panorama) are listed above the old steering rules.
- Add match criteria to the newly created security groups to ensure that your VMs are placed in the correct security group.
  There are two ways to complete this task: recreate the match criteria from the old security group in the new security group, or nest the old security group within the new security group.
  To recreate the match criteria from the old security group, complete the following procedure.
  - Select Network & Security > Service Composer > Security Groups.
  - Click on a new security group and select Edit Security Group.
  - Select Define dynamic membership and click the plus icon.
  - Add the same match criteria in the corresponding old security group.
  - Repeat this process for each new security group.
  - Delete the old security groups.
  To nest the old security group within the new security group, complete the following procedure. In this method, VMs in the old security group are added to the new security group. Additionally, any new VM that meets the criteria of the old security group is automatically added to the new security group.
  - Select Network & Security > Service Composer > Security Groups.
  - Click on a new security group and select Edit Security Group.
  - Select Select objects to include.
  - Select the Security Group Object Type.
  - Choose the corresponding old security group under Available Objects and move it to Selected Objects by clicking the right arrow icon.
  - Click Finish.
- Delete the old steering rules from vCenter.
  - Select Networking & Security > Firewall > Configuration > Partner security services.
  - Delete the old steering rules. Take care not to delete the Palo Alto Networks rules created by the Security-Centric workflow. These steering rule sections use the following naming convention: <service-definition-name> - <dynamic-address-group-name>
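The following Python check is an added example, not part of the original procedure and not Palo Alto Networks or VMware code. It supports the verification and deletion steps above by building the Security-Centric names from the two formats given on this page and sorting a list of observed security group or steering rule section names into present, missing, and outside-the-convention. The function names, the service definition name, and the group names are constructed for illustration; exporting the observed names from NSX-V is left to you.

```python
"""Check NSX-V object names against the Security-Centric naming convention."""


def match_criteria(dag_name):
    # Page format: '_nsx_<dynamic-address-group-name>' (straight quotes assumed).
    return f"'_nsx_{dag_name.strip()}'"


def security_centric_name(service_definition, dag_name):
    # Page format: <service-definition-name> - <dynamic-address-group-name>
    return f"{service_definition.strip()} - {dag_name.strip()}"


def audit(service_definition, dag_names, observed_names):
    """Compare observed names with the names the migration should create.

    present: expected and found (Security-Centric objects; do not delete)
    missing: expected but not found (auto-generation or commit did not land)
    review:  found but outside the convention (confirm before deleting)
    """
    expected = {security_centric_name(service_definition, d) for d in dag_names}
    observed = {n.strip() for n in observed_names if n.strip()}
    return {
        "present": sorted(expected & observed),
        "missing": sorted(expected - observed),
        "review": sorted(observed - expected),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    service_definition = "PAN-SD-1"
    dags = ["web-servers", "db-servers"]
    observed = ["PAN-SD-1 - web-servers", "old-web-sg", "old-db-sg"]

    for dag in dags:
        print(f"{dag}: match criteria {match_criteria(dag)}")
    for bucket, names in audit(service_definition, dags, observed).items():
        print(f"{bucket}: {names}")
```

Run the same audit against the steering rule section names before the final deletion step, since those sections follow the same naming convention.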