>
    Strata Copilot
    Generate Steering Policy
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on VMware NSX-T
    4. Deploy the VM-Series Using the Security-Centric Workflow
    5. Generate Steering Policy
    Download PDF
    VM-Series

    Generate Steering Policy

    Table of Contents

    Generate Steering Policy

    Learn how to generate a steering policy.
    Where Can I Use This?What Do I Need?
    • VMware NSX
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series Plugin
    • Panorama plugin for NSX
    Steering policy is used by NSX-T to define the service chain to which traffic will be steered. You can create steering policy manually or you can auto generate steering policy.
    When you auto generate steering policy, the Panorama plugin for VMware NSX-T creates a steering policy for each specified service manager and the associated service definitions. By default, TCP strict is disabled and the Failure Policy is set to Allow. Auto-generated policy uses the auto_<service-def-name>_<zone-name>_steering_policy naming format.
    When TCP Strict is enabled, the firewall enforces the requirement of the three-way handshake. If the firewall picks up traffic mid-session (for example, due to asymmetric traffic) and does not detect a three-way handshake, the session is dropped. See VMware NSX-T documentation for more information.
    The Failure Policy defines what happens to traffic if the firewall goes down. If you select Allow, the traffic continues on to its destination. If you select Block, the traffic is dropped.
    Additionally, you have the option to select all your service managers instead of selecting specific service managers. Choosing All is not recommended if any of your service managers contain operations-centric service definitions. The plugin will create steering policy for each zone associated with the operation-centric service definitions and then push it to NSX-T Manager. If you do choose All, verify that the service manager you select when you auto generating steering policy includes only security-centric service definitions.
    If you auto-generate steering policy, you must also auto-generate steering rules. And you manually create steering policy, you must also manually create steering rules.
    Steering policy changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX show the service definition as out-of-sync. You should click on the Out-of-Sync link to see the specific reason for the out-of-sync status. If a steering policy change is the cause, perform a configuration sync by clicking NSX-T Config-Sync.

    Auto Generate Steering Policy

    Use the following procedure to auto generate steering policy.
    The following steps are for specifying service managers instead of selecting All.
    1. Select PanoramaVMwareNSX-TNetwork IntrospectionPolicy.
    2. Click Auto Generate.
    3. For Service Managers, choose Select.
      If you select All instead of selecting specific service managers, the plugin will generate steering policy for each service definition associated with each service manager in your configuration. Additionally, make sure that your selected service manager includes security-centric service definitions.
    4. Click Add to select the service manager.
    5. Select a Service Manager from the drop-down.
    6. Click Add to select the service definitions.
    7. Select the service definition from the drop-down.
    8. Click OK and click OK again.
    9. Commit your changes to Panorama.

    Manually Create Steering Policy

    Use the following procedure to manually create steering policy.
    1. Select PanoramaVMwareNSX-TNetwork IntrospectionPolicy.
    2. Click Add.
    3. Enter a descriptive Name for your steering policy.
      The steering policy name cannot include any spaces.
    4. Select a Service Definition from the drop-down.
    5. Select a Service Chain from the drop-down.
    6. ( Optional) Enable TCP Strict. This option is disabled by default.
    7. Choose the Failure PolicyAllow or Block. Allow is the default.
    8. Click OK.
    9. Commit your changes to Panorama.

    © 2026 Palo Alto Networks, Inc. All rights reserved.