You can create custom network and security objects to use in Distributed Firewall rules in the universal section.
Universal Security Groups (USGs) can have the following:
- Universal IP Sets
- Universal MAC Sets
- Universal Security Groups
- Universal Security Tags
- Dynamic criteria
Universal network and security objects are created, deleted, and updated only on the primary NSX Manager, but are readable on the secondary NSX Manager. Universal Synchronization Service synchronizes universal objects across vCenters immediately, as well as on demand using force synchronization.
Universal security groups are used in two types of deployments: multiple live cross-vCenter NSX environments, and cross-vCenter NSX active standby deployments, where one site is live at a given time and the rest are on standby. Only active standby deployments can have universal security groups with dynamic membership based on VM name static membership based on universal security tag. Once a universal security group is created it cannot be edited to be enabled or disabled for the active standby scenario functionality. Membership is defined by included objects only, you cannot use excluded objects.
Universal security groups cannot be created from Service Composer. Security groups created from Service Composer will be local to that NSX Manager.