>
    Strata Copilot
    Use the Pre Rulebase to Define NSX-T Steering Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on VMware NSX-T
    4. Deploy the VM-Series Using the Security-Centric Workflow
    5. Create Security Policies
    6. Use the Pre Rulebase to Define NSX-T Steering Rules
    Download PDF
    VM-Series

    Use the Pre Rulebase to Define NSX-T Steering Rules

    Table of Contents

    Use the Pre Rulebase to Define NSX-T Steering Rules

    This section describes the use of pre rulebase.
    Where Can I Use This?What Do I Need?
    • VMware NSX
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series plugin
    • Panorama plugin for NSX
    The following procedure describes how to create the security policy rules that will be used to generate NSX-T steering rules and how to create the security policy Panorama will push to the VM-Series firewaa for traffic inspection and enforcement.
    Don’t apply the traffic redirection policies unless you understand how the rules work on the NSX-T Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped.
    Create security policy rules in the associated device group. For each security rule set the Rule Type to Intrazone, select one zone in the associated template stack, and select the Dynamic Address Groups as the source and destination. Creating a qualifying security policy in Panorama helps in the creation of a corresponding steering rule on NSX-T Manager upon steering rule generation and commit in Panorama.
    1. In Panorama, select PoliciesSecurityPre Rules.
    2. Click Add and enter a Name and Description for your security policy rule.
    3. Verify that you're configuring the security rules in a device group associated with an NSX-T service definition.
    4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
    5. In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a Dynamic Address Group (NSX-T security group) you created previously as the Source Address. Don’t add any static address groups, IP ranges, or netmasks as a Source Address.
    6. In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Then select a Dynamic Address Group (NSX-T security group) you created previously as the Destination Address. Don’t add any static address groups, IP ranges, or netmasks as a Destination Address.
    7. Click OK.
    8. Repeat steps 1 through 7 for each steering rule you require.
    9. Commit your changes.
    10. Apply Security Policies to the VM-Series Firewall on NSX-T (East-West).

    © 2026 Palo Alto Networks, Inc. All rights reserved.