: Use the Pre Rulebase to Define NSX-T Steering Rules
Focus
Focus

Use the Pre Rulebase to Define NSX-T Steering Rules

Table of Contents
End-of-Life (EoL)

Use the Pre Rulebase to Define NSX-T Steering Rules

The following procedure describes how to create the security policy rules that will be used to generate NSX-T steering rules and how to create the security policy Panorama will push to the VM-Series firewaa for traffic inspection and enforcement.
Do not apply the traffic redirection policies unless you understand how rules work on the NSX-T Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped.
Create security policy rules in the associated device group. For each security rule set the Rule Type to Intrazone, select one zone in the associated template stack, and select the dynamic address groups as the source and destination. Creating a qualifying security policy in Panorama helps in the creation of a corresponding steering rule on NSX-T Manager upon steering rule generation and commit in Panorama.
  1. In Panorama, select PoliciesSecurityPre Rules.
  2. Click Add and enter a Name and Description for your security policy rule.
  3. Verify that you are configuring the security rules in a device group associated with an NSX-T service definition.
  4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
  5. In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a dynamic address group (NSX-T security group) you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
  6. In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Then select a dynamic address group (NSX-T security group) you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
  7. Click OK.
  8. Repeat steps 1 through 7 for each steering rule you require.
  9. Commit your changes.
  10. Apply Security Policies to the VM-Series Firewall on NSX-T (East-West).