After the generated NSX Intelligence recommendation reaches the Ready to Publish status, you can review the recommendation, modify it if necessary, and decide whether to publish it.


Generate a new recommendation. See Generate a New NSX Intelligence Recommendation.


  1. From your browser, log in with enterprise administrator privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Click Plan & Troubleshoot > Recommendations.
  3. To help narrow down the list of recommendations being displayed, click Filter by Name, Path or more on the top right of the screen, and specify the filter criteria to be used.
  4. If you decide not to use the recommendation, click the three-dot menu icon and select Delete.
  5. To view the summary for a recommendation, click the arrowhead next to the recommendation's name to expand the row.
    You see the number of rules generated and the number of groups affected.
  6. Review and manage the details of the recommendation.
    1. Click the recommendation's name.
      The Recommendations wizard is displayed, similar to the following image.

    2. In the Recommended FW Rules tab, review the firewall rule details. To modify any of the details, click the value in the appropriate column and select the edit (pencil) icon.
    3. To define how the packets are to be handled, select Allow, Drop, or Reject in the Action column.
    4. Toggle the button on the right-side to enable or disable the rule. By default the rule that was generated is set to be enabled when published, as shown in the image in the previous step.
    5. Click Recommended Groups.
    6. Click the link in the Members column to review the details about the VMs and IPs that were set for the group recommendation.
    7. Click the menu icon (three-dots) next to the group's name and select Edit to modify the group recommendation.
    8. Click Recommended Services and review the details.
    9. Click the menu icon (three-dots) next to the service's name and select Edit to modify the name or description. Before you delete a service, make sure that there are no rules using the service.
    10. Click Next.
  7. In the Place rules in FW context pane, you can change the order in which the rule recommendation is to be applied with the existing firewall rules. Drag the highlighted section, or click the three-dot menu icon and select Move Above selected section or Move Below selected section.
  8. Click Publish.
  9. In the Publish Recommendations dialog box, click Yes.
  10. In the Enforcement Summary page, verify that the security policies have been published successfully and click Close.
    The Status column for the recommendation is changed to Published in the table of Recommendations.


Once the security policy recommendations have been published successfully, they are in read-only mode in the Plan & Troubleshoot > Recommendations tab. To view and manage the published rule recommendations, go to Security > Distributed Firewall.
Important: After you have published the rule recommendations, the visualization continues to display the affected flows between the VMs as orange-hued arrows (Unprotected Flows) until new flows are generated between the affected VMs. The visualization only reports traffic flows based on the time when they occurred on the host and does not reflect the rule set published after those traffic flows occurred. After the rule set is published and new traffic flows are generated, the new flows are displayed as green-hued arrows (Allowed Flows).