Migrate Operations-Centric Configuration to Security-Centric Configuration
End-of-Life (EoL)


Complete the following procedure to migrate your Operations-Centric configuration to the Security-Centric format. This migration is not required. The VM-Series firewall for VMware NSX-V supports both styles of configuration. However, using both styles of configuration in the same deployment is not recommended.
  1. Upgrade Panorama.
  2. Update the match criteria format in your dynamic address groups.
    1. Select Objects > Address Groups and click the link name for your first dynamic address group.
    2. Delete the existing match criteria entry.
    3. Enter the new match criteria in the following format:
      '_nsx_<dynamic-address-group-name>'
    4. Click OK.
    5. Repeat this process for each dynamic address group.
  3. Change the security policy rules used as NSX-V steering rules to intrazone.
    1. Select Policies > Security > Pre Rules and click the link name for your first security policy rule.
    2. On the General tab, change the Rule Type to intrazone.
    3. Click OK.
    4. Repeat this process for each security policy rule.
  4. Generate new steering rules.
    1. Select Panorama > VMware > NSX-V > Steering Rules.
    2. Click Auto-Generate Steering Rules.
  5. Commit your changes.
    When you commit your changes, Panorama pushes updates to NSX-V Manager.
    1. Verify that NSX-V Manager created new security groups.
      1. Log in to vCenter and select Networking & Security > Security Groups.
      2. The new security groups (mapped to the updated dynamic address groups) should appear in the following format:
        <service-definition-name> - <dynamic-address-group-name>
    2. Verify that NSX-V Manager created new steering rules.
      1. Select Networking & Security > Firewall > Configuration > Partner security services.
      2. The new steering rules (mapped to the security policy rules you create on Panorama) are listed above the old steering rules.
  6. Add match criteria to the newly created security groups to ensure that your VMs are placed in the correct security group.
    There are two ways to complete this task: recreate the match criteria from the old security group in the new security group, or nest the old security group within the new security group.
    To recreate the match criteria from the old security group, complete the following procedure.
    1. Select Network & Security > Service Composer > Security Groups.
    2. Click on a new security group and select Edit Security Group.
    3. Select Define dynamic membership and click the plus icon.
    4. Add the same match criteria used in the corresponding old security group.
    5. Repeat this process for each new security group.
    6. Delete the old security groups.
    To nest the old security group within the new security group, complete the following procedure. In this method, VMs in the old security group are added to the new security group. Additionally, any new VM that meets the criteria of the old security group is automatically added to the new security group.
    1. Select Network & Security > Service Composer > Security Groups.
    2. Click on a new security group and select Edit Security Group.
    3. Select Select objects to include.
    4. Select the Security Group Object Type.
    5. Choose the corresponding old security group under Available Objects and move it to Selected Objects by clicking the right arrow icon.
    6. Click Finish.
  7. Delete the old steering rules from vCenter.
    1. Select Networking & Security > Firewall > Configuration > Partner security services.
    2. Delete the old steering rules. Take care not to delete the Palo Alto Networks rules created by the Security-Centric workflow. These steering rule sections use the following naming convention:
      <service-definition-name> - <dynamic-address-group-name>
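
A pre-deletion check for steps 5 and 7, added here as an example and not taken from Palo Alto Networks or VMware tooling: it compares names copied from vCenter against the `<service-definition-name> - <dynamic-address-group-name>` convention so that Security-Centric sections are never queued for deletion. The function names, report keys and all sample names are assumptions constructed for illustration.

```python
def expected_name(service_definition, dag_name):
    # Convention from steps 5 and 7:
    # <service-definition-name> - <dynamic-address-group-name>
    return f"{service_definition} - {dag_name}"


def _norm(name):
    # Collapse whitespace and case so near-misses are flagged, not deleted.
    return " ".join(name.split()).casefold()


def check_migration(pairs, security_groups, rule_sections):
    """pairs: (service definition, dynamic address group) tuples from Panorama.
    security_groups / rule_sections: names copied from vCenter."""
    # Build the expected names rather than splitting on " - ":
    # a service definition name may itself contain " - ".
    expected = {expected_name(s, d) for s, d in pairs}
    expected_norm = {_norm(n) for n in expected}
    report = {
        # Step 5: groups NSX-V Manager should have created but did not.
        "missing_groups": sorted(expected - set(security_groups)),
        "keep": [],    # Security-Centric sections: do not delete
        "review": [],  # differ only by case/whitespace: check by hand
        "old": [],     # do not follow the convention: step 7 candidates
    }
    for section in rule_sections:
        if section in expected:
            report["keep"].append(section)
        elif _norm(section) in expected_norm:
            report["review"].append(section)
        else:
            report["old"].append(section)
    return report


# Constructed sample data (hypothetical names, not from a real deployment).
SAMPLE_PAIRS = [("SD - East", "web-servers"), ("SD - East", "db-servers")]
SAMPLE_GROUPS = ["SD - East - web-servers", "legacy-web"]
SAMPLE_SECTIONS = [
    "SD - East - web-servers",
    "sd - east -  db-servers",
    "legacy-web-redirect",
]

if __name__ == "__main__":
    for key, value in check_migration(
        SAMPLE_PAIRS, SAMPLE_GROUPS, SAMPLE_SECTIONS
    ).items():
        print(f"{key}: {value}")
```

Only the sections reported under `old` are candidates for step 7, and an empty `missing_groups` list corresponds to a successful step 5 verification.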