: Migrate Operations-Centric Configuration to Security-Centric Configuration
Focus
Focus

Migrate Operations-Centric Configuration to Security-Centric Configuration

Table of Contents

Migrate Operations-Centric Configuration to Security-Centric Configuration

Complete the following procedure to migrate your Operations Centric configuration into Security Centric formats. This migration is not required. The VM-Series firewall for VMware NSX-V supports both styles of configuration. However, using both styles of configuration in the same deployment is not recommended.
  1. Update the match criteria format in your dynamic address groups.
    1. Select
      Objects
      Address Groups
      and click the link name for your first dynamic address group.
    2. Delete the existing match criteria entry.
    3. Enter the new match criteria in the following format:
      ‘_nsx_
      <dynamic-address-group-name>
    4. Click
      OK
      .
    5. Repeat this process for each dynamic address group.
  2. Change security policy used as NSX-V steering rules to intrazone.
    1. Select
      Policies
      Security
      Pre Rules
      and click the link name for your first security policy rule.
    2. On the General tab, change the
      Rule Type
      to intrazone.
    3. Click
      OK
      .
    4. Repeat this process for each security policy rule.
  3. Generate new steering rules.
    1. Select
      Panorama
      VMware
      NSX-V
      Steering Rules
      .
    2. Click
      Auto-Generate Steering Rules
      .
  4. Commit
    your changes.
    When you commit your changes, Panorama pushes updates to NSX-V Manager.
    1. Verify that NSX-V Manager created new security groups.
      1. Login to vCenter and select
        Networking & Security
        Security Groups
        .
      2. The new security groups (mapped to the updated dynamic address groups) should appear in the following format:
        <service-definition-name> - <dynamic-address-group-name>
    2. Verify that NSX-V Manager created new steering rules.
      1. Select
        Networking & Security
        Firewall
        Configuration
        Partner security services
        .
      2. The new steering rules (mapped to the security policy rules you create on Panorama) are listed above the old steering rules.
  5. Add match criteria to the newly created security groups to ensure that your VMs are placed in the correct security group.
    There two ways to complete this task—recreate the match criteria from the old security group in the new security group or nest the old security group within the new security group.
    To recreate the match criteria from the old security group, complete the following procedure.
    1. Select
      Network & Security
      Service Composer
      Security Groups
      .
    2. Click on a new security group and select
      Edit Security Group
      .
    3. Select
      Define dynamic membership
      and click the plus icon.
    4. Add the same match criteria in the corresponding old security group.
    5. Repeat this process for each new security group.
    6. Delete the old security groups.
    To nest the old security group within the new security group, complete the following procedure. In this method, VMs in the old security group are added to the new security group. Additionally, any new VM that meets the criteria of the old security group is automatically added to the new security group.
    1. Select
      Network & Security
      Service Composer
      Security Groups
      .
    2. Click on a new security group and select
      Edit Security Group
      .
    3. Select
      Select objects to include
      .
    4. Select the
      Security Group
      Object Type.
    5. Choose the corresponding old security group under Available Objects and move it to Selected Objects by clicking the right arrow icon.
    6. Click
      Finish
      .
  6. Delete the old steering rules from vCenter.
    1. Select
      Networking & Security
      Firewall
      Configuration
      Partner security services
      .
    2. Delete the old steering rules. Take care not to delete the Palo Alto Networks rules created by the Security-Centric workflow. These steering rule sections use the following naming convention.
      <service-definition-name> - <dynamic-address-group-name>

Recommended For You