>
    Strata Copilot
    Generate Steering Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on VMware NSX-T
    4. Deploy the VM-Series Using the Security-Centric Workflow
    5. Generate Steering Rules
    Download PDF
    VM-Series

    Generate Steering Rules

    Table of Contents

    Generate Steering Rules

    If you auto-generate steering policy, you must also auto-generate steering rules. And if you manually create steering policy, you must also manually create steering rules.
    Where Can I Use This?What Do I Need?
    • VMware NSX
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series Plugin
    • Panorama plugin for NSX
    Steering rules are defined in steering policy. A rule defines the source and destination of the traffic, introspection services, the NSX-T objects the rule is applied to, and the traffic redirection policy. You can create steering rules manually or generate steering rules automatically.
    You must generate or create steering policy before generating or creating steering rules.
    To auto generate a steering rule based on a security rules created on Panorama, the security rule must meet the following criteria:
    • Belongs to a parent or child device group registered with an NSX-T Service Manager.
    • Is an intrazone policy and includes only one zone.
    • Does not include a static address group, IP range, or netmask configured for the rule.
    Auto-generated steering rules uses the auto_<device-group-name>_<device-group-rule-name> naming format.
    By default, auto-generated steering rules are configured without an NSX services specified. Additionally, the NSX Traffic Direction is set to in-out, Logging is disabled, IP protocol is ipv4-ipv6, and the Action is set to redirect. After auto-generating rules, you can update the steering to change the default values.
    Additionally, you have the option to select all your service managers instead of selecting specific service managers. Choosing All is not recommended.
    If you auto-generate steering policy, you must also auto-generate steering rules. And if you manually create steering policy, you must also manually create steering rules.
    Steering rules changes should be made only on Panorama; do not make changes on NSX-T Manager. If you make changes on NSX-T Manager, the Panorama plugin for VMware NSX show the service definition as out-of-sync. You should click on the Out-of-Sync link to see the specific reason for the out-of-sync status. If a steering rules change is the cause, perform a configuration sync by clicking NSX-T Config-Sync.

    Auto Generate Steering Rules

    Use the following procedure to auto generate steering rules.
    When you auto generate a steering rule, where the rule is applied (NSX-T Distributed Firewall or Security Group) depends on the source and destination you specified when configuring the security rule. If you selected Any for the source or destination, NSX-T Manager applies the steering rule to the Distributed Firewall. If you select a dynamic address group for the source and destination, the steering is applied to the guest VMs in those security groups.
    If you make any changes to device group configuration that is also part of steering rule configuration, such as source and destination address group that map to the Applied To setting in a steering rule, you must auto generate the steering rule again for the changes to take effect.
    The following steps are for specifying service managers instead of selecting All.
    1. Select PanoramaVMwareNSX-TNetwork IntrospectionRule.
    2. Click Auto Generate.
    3. Select the type of Security Rules from the drop-down—All, Pre Rulebase only, or Post Rulebase only. The security rules are pulled from the service definitions specified in the following steps.
      If you regenerate steering rules, all current rules are deleted and new rules are created based on the selected rule base. If you originally created steering rules using the Pre Rulebase and then regenerate steering rules using the Post Rulebase, only the post-rulebase steering rules will remain.
    4. For Type, choose Select.
    5. Click Add to specify the Service Manager(s) and Service Definition(s).
    6. Select a Service Manager from the drop-down.
    7. Click Add to select the service definition(s).
    8. Click OK.
    9. Click OK to finish or Add to specify additional service managers and service definitions.
    10. (Optional) Click on an auto-generated rule to modify the following default options.
      If you regenerate steering rules, any changes you made to a previously-generate steering rule will be overwritten.
      • Enable NSX-T Logging.
      • Click Add to specify NSX Services, such as Active Directory Server, HTTPS, DNS, etc.
      • Disable the rule. If you disable a steering rule but the corresponding security rule is enabled (Device GroupPoliciesSecurity), the steering rule will also be enabled.
      • Applied to allows you change where the steering rule is applied—DFW or Security Group.
    11. Clean up unwanted or incorrect steering rules.
      If, for example, your device group contains security rules in the same rulebase as your NSX-T steering rules, the plugin generates security rules based on those non-NSX-T security rules. Because those rules do not refer to an NSX-T dynamic address group, the source and destination for those rules will be set to Any Any in NSX-T Manager. This condition can impact how NSX-T Manager directs traffic. To avoid this, you must manually delete the incorrect steering rules.
      1. Select the incorrect steering rules.
      2. Click Delete.
      3. Click Yes to confirm the deletion.
    12. Commit your configuration to push it to NSX-T Manager.

    Manually Create Steering Rules

    Use the following procedure to manually create steering rules.
    1. Select PanoramaVMwareNSX-TNetwork IntrospectionRule.
    2. Click Add.
    3. Enter a descriptive Name for the steering rule.
      The steering rule name cannot include any spaces.
    4. Select a Steering Policy from the drop-down.
    5. Select a Device Group from the drop-down.
    6. Select a Security Rule from the drop-down.
      The Security Rule drop-down displays rules from all security rules across all device groups of Service Definition. Ensure you select the appropriate security rule.
    7. Specify the ActionRedirect or Do Not Redirect.
    8. (Optional) Enable NSX-T Logging.
    9. Specify the IP Protocolipv4-ipv6, ipv4, or ipv6.
    10. Specify the NSX Traffic Directionin-out, in, or out.
    11. (Optional) Click Add to specify NSX Services, such as Active Directory Server, HTTPS, DNS, etc.
      The following ALG services are not supported: FTP, TFTP, ORACLE_TNS, SUN_RPC_TCP, SUN_RPC_UDP, MS_RPC_TCP, MS_RPC_UDP, NBNS_BROADCAST, NBDG_BROADCAST.
    12. Applied ToDFW or Security Groups. You can select one or more security group. Security groups are created from dynamic address groups configured on Panorama. The security group names are formatted as follows <servicedefinition>_<dynamic-address-group>. If you select DFW, the steering rule is applied to all guest VMs, regardless of their security membership.
    13. (Optional) Disable the rule.
    14. Click OK.
    15. Commit your configuration to push it to NSX-T Manager.

    © 2026 Palo Alto Networks, Inc. All rights reserved.