dFW Mover

Feature Description


dFW Mover provides the capability to copy rules and their associated objects, when possible, to another NSX data source of the same type (NSX-v to NSX-v, or NSX-T to NSX-T). For rules that reference objects such as IP Sets, a copy of the IP Set is created at the destination and automatically associated with the new rule(s). This action can be performed on individually selected rules or on entire sections.

Minimum Release: 2.5 
Application: NSX-v, NSX-T 
License: Enterprise 
Privilege level: Security Engineer or higher

Setup


No setup required. A minimum of two data sources of the same type is required.


Supported Objects


dFW Mover supports the most common object types found in dFW rules. Other objects, such as vNIC IDs, are not supported because they are locally significant to a single NSX Manager and have no equivalent on the destination. Below is a list of supported objects.

Sections: Matched by Name

  • If a section with the same name exists on the target manager, that section is replaced with the copied rules (rule names are preserved), so any rules already in it are overwritten
  • Otherwise, a new section is created at the top of the dFW section list

Objects referenced in the rule: Matched by Name

  • If an object with the same name as the source object exists on the destination, Mover uses the existing destination object.
    Supported objects include:
    • IP Sets
    • Virtual Machines
    • Security Groups
    • Logical Switches
    • Services
    • Service Groups
    • Edge Service Gateways
  • Otherwise, the user has the option to create the dependent object on the target. Only the following object types can be created:
    • IP Sets
    • Services
    • Service Groups
    • Security Groups

Copy a Rule


To copy one or more rules, navigate to Operations > Distributed Firewall, select the desired rules and choose Copy Selected Rules To… from the section menu. This opens a new window in which you select the destination NSX data source; dFW Mover then analyzes how the objects referenced by the rule(s) will be copied.

In this example, a single rule is selected from the NSX Manager named NSX 6.4 -MAT. This rule has two source criteria: a raw IP address and a local IP Set named IPSet1 that contains two entries.

Upon launch, the first step is to select the destination NSX data source(s). Once a selection is made, dFW Mover performs a compatibility check to validate that the destination supports the object types used by the rule. Secondly, an inventory search is performed to determine whether the dependent objects already exist on the destination. In this example IPSet1 does not yet exist on NSX 6.4 – MAT 36, so it is flagged and the user must acknowledge it by selecting Create missing objects at destination.

If an object with the same name exists on the destination NSX Manager, it is referenced. Otherwise, if the option is selected, a new object is created. Note that matching is by name only: the members of a same-named object on the destination are not compared with the source, so verify that a referenced object (for example an IP Set) contains the expected entries before copying, or the copied rule will not enforce the same policy as the original.

Once the acknowledgement is made, the window will update with the intended actions.

To complete the task, select the Copy button and the rule and corresponding objects (if necessary) will be created or referenced.

The active data source is switched to NSX 6.4 – MAT 36 for verification. The Section, rule criteria and IP Set were all created.

Rollback is supported in release 3.3 or higher. Only the most recent copy action is stored in the user profile. As a result, each user can roll back their most recent copy between NSX Managers; performing another copy replaces the stored rollback point.

Rollback is available immediately within the dFW Mover window, or it can be run at a later time using the global menu within Operations > dFW.
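The object-resolution rules above (reference a same-name object, create it if the type allows, otherwise block; locally significant objects are unsupported) and the copy/rollback workflow can be made concrete with a small planner. The following is an added example written for this page, not ReSTNSX code and not an NSX API client; it assumes an in-memory inventory layout (dicts keyed by object type and name), constructed sample objects (IPSet1, SvcGroup-Web, web-01, vnic-7), and an assumed rollback behaviour in which only objects the copy created are deleted while pre-existing referenced objects are left untouched. The name-match drift note is an added check that the page's workflow does not perform.

```python
"""Added example, not part of ReSTNSX or dFW Mover: plan a rule copy between
two NSX inventories using the documented name-matching behaviour.

Assumptions (not from the page): inventories are dicts of
{object_type: {name: contents}}; a rule lists the objects it references as
(type, name) tuples; rollback deletes only what the copy created.
"""
from dataclasses import dataclass

# Types Mover reuses when a same-name object exists on the destination.
MATCHABLE = {"IPSet", "VirtualMachine", "SecurityGroup", "LogicalSwitch",
             "Service", "ServiceGroup", "EdgeServiceGateway"}
# Subset of MATCHABLE that Mover can also create on the destination.
CREATABLE = {"IPSet", "Service", "ServiceGroup", "SecurityGroup"}


@dataclass(frozen=True)
class Action:
    obj_type: str
    name: str
    action: str          # REFERENCE, CREATE, BLOCKED or UNSUPPORTED
    note: str = ""


def plan_copy(rule, source_inv, dest_inv, create_missing=False):
    """Return one Action per object the rule references."""
    actions = []
    for obj_type, name in rule["references"]:
        if obj_type not in MATCHABLE:
            # Locally significant objects (e.g. vNIC IDs) cannot be copied.
            actions.append(Action(obj_type, name, "UNSUPPORTED",
                                  "locally significant, cannot be copied"))
            continue
        dest_obj = dest_inv.get(obj_type, {}).get(name)
        if dest_obj is not None:
            # Matched by name only. Added check: flag content drift so the
            # operator can confirm the reused object is equivalent.
            src_obj = source_inv.get(obj_type, {}).get(name)
            note = "" if src_obj == dest_obj else "name matches but contents differ"
            actions.append(Action(obj_type, name, "REFERENCE", note))
        elif obj_type in CREATABLE:
            if create_missing:
                actions.append(Action(obj_type, name, "CREATE"))
            else:
                actions.append(Action(obj_type, name, "BLOCKED",
                                      "missing; acknowledge 'Create missing objects at destination'"))
        else:
            actions.append(Action(obj_type, name, "BLOCKED",
                                  "missing and this type cannot be created by Mover"))
    return actions


def can_copy(actions):
    """The copy may proceed only when every object is referenced or created."""
    return all(a.action in ("REFERENCE", "CREATE") for a in actions)


def rollback_plan(rule, actions):
    """Assumed rollback: delete the copied rule and the objects the copy
    created; referenced objects existed before and must not be deleted."""
    deletes = [("DELETE", a.obj_type, a.name) for a in actions if a.action == "CREATE"]
    return [("DELETE", "Rule", rule["name"])] + deletes


# Constructed sample data: IPSet1 exists only on the source, SvcGroup-Web exists
# on both (with different members), web-01 and vnic-7 are not on the destination.
SOURCE = {
    "IPSet": {"IPSet1": frozenset({"10.0.1.10", "10.0.1.11"})},
    "ServiceGroup": {"SvcGroup-Web": frozenset({"HTTP", "HTTPS"})},
    "VirtualMachine": {"web-01": "vm-101"},
}
DEST = {
    "IPSet": {},
    "ServiceGroup": {"SvcGroup-Web": frozenset({"HTTP", "HTTPS", "SSH"})},
    "VirtualMachine": {},
}
RULE = {
    "name": "Allow-Web",
    "references": [("IPSet", "IPSet1"), ("ServiceGroup", "SvcGroup-Web"),
                   ("VirtualMachine", "web-01"), ("vNIC", "vnic-7")],
}
SIMPLE_RULE = {"name": "Allow-IPSet1", "references": [("IPSet", "IPSet1")]}

if __name__ == "__main__":
    acts = plan_copy(RULE, SOURCE, DEST, create_missing=True)
    for a in acts:
        print(f"{a.action:12} {a.obj_type}/{a.name}  {a.note}")
    print("copy allowed:", can_copy(acts))
    simple = plan_copy(SIMPLE_RULE, SOURCE, DEST, create_missing=True)
    print("simple rule allowed:", can_copy(simple), "rollback:", rollback_plan(SIMPLE_RULE, simple))
```

Running it shows the full rule blocked twice (the missing VM cannot be created and the vNIC is unsupported) even after acknowledging object creation, while the IP-Set-only rule is copyable and its rollback deletes the rule and the created IPSet1 but not the pre-existing SvcGroup-Web.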

Copy a Section


The process to copy one or more sections is similar to copying rules except the global dFW Mover copy command is used once the desired section(s) are selected.

Group Copy


ReSTNSX supports grouping like data sources together for one to many operations. Within the scope of dFW Mover, groups allow users to copy rules or sections to multiple destinations at once.

Data source grouping is performed by the System Administrator or by a user with the Enterprise Administrator role.

When groups are enabled, each group appears as an additional destination in the dFW Mover destination drop-down. Once a group is selected, the process for copying objects is the same as copying to a single destination, applied to every data source in the group.
