The NSX Manager provides a web-based user interface where you can manage your NSX-T environment. It also hosts the API server that processes API calls.

The NSX Manager interface provides two modes for configuring resources:

  • Policy mode
  • Manager mode

Accessing Policy Mode and Manager Mode

If present, you can use the Policy and Manager buttons to switch between the Policy and Manager modes. Switching modes controls which menus items are available to you.



  • By default, if your environment contains only objects created through Policy mode, your user interface is in Policy mode and you do not see the Policy and Manager buttons.
  • By default, if your environment contains any objects created through Manager mode, you see the Policy and Manager buttons in the top-right corner.

These defaults can be changed by modifying the user interface settings. See Configure User Interface Settings for more information.

The same System tab is used in the Policy and Manager interfaces. If you modify Edge nodes, Edge clusters, or transport zones, it can take up to 5 minutes for those changes to be visible in Policy mode. You can synchronize immediately using POST /policy/api/v1/infra/sites/default/enforcement-points/default?action=reload.

When to Use Policy Mode or Manager Mode

Be consistent about which mode you use. There are a few reasons to use one mode over the other.

  • If you are deploying a new NSX-T Data Center environment, using Policy mode to create and manage your environment is the best choice in most situations.
    • Some features are not available in Policy mode. If you need these features, use Manager mode for all configurations.
  • If you plan to use NSX-T Federation, use Policy mode to create all objects. Global Manager supports only Policy mode.
  • If you are upgrading from an earlier version of NSX-T Data Center and your configurations were created using the Advanced Networking & Security tab, use Manager mode.

    The menu items and configurations that were found under the Advanced Networking & Security tab are available in NSX-T Data Center 3.0 in Manager mode.

Important: If you decide to use Policy mode, use it to create all objects. Do not use Manager mode to create objects.

Similarly, if you need to use Manager mode, use it to create all objects. Do not use Policy mode to create objects.

Table 1. When to Use Policy Mode or Manager Mode
Policy Mode Manager Mode
Most new deployments should use Policy mode.

NSX-T Federation supports only Policy mode. If you want to use NSX-T Federation, or might use it in future, use Policy mode.

Deployments which were created using the advanced interface, for example, upgrades from versions before Policy mode was available.
NSX Cloud deployments Deployments which integrate with other plugins. For example, NSX Container Plug-in, Openstack, and other cloud management platforms.
Networking features available in Policy mode only:
  • DNS Services and DNS Zones
  • VPN
  • Forwarding policies for NSX Cloud
Networking features available in Manager mode only:
  • Forwarding up timer
Security features available in Policy mode only:
  • Endpoint Protection
  • Network Introspection (East-West Service Insertion)
  • Context Profiles
    • L7 applications
    • FQDN
  • New Distributed Firewall and Gateway Firewall Layout
    • Categories
    • Auto service rules
    • Drafts
Security features available in Manager mode only:
  • Bridge Firewall

Names for Objects Created in Policy Mode and Manager Mode

The objects you create have different names depending on which interface was used to create them.

Table 2. Object Names
Objects Created Using Policy Mode Objects Created Using Manager Mode
Segment Logical switch
Tier-1 gateway Tier-1 logical router
Tier-0 gateway Tier-0 logical router
Group NSGroup, IP Sets, MAC Sets
Security Policy Firewall section
Gateway firewall Edge firewall

Policy and Manager APIs

The NSX Manager provides two APIs: Policy and Manager.
  • The Policy API contains URIs that begin with /policy/api.
  • The Manager API contains URIs that begin with /api.

For more information about using the Policy API, see the NSX-T Policy API Getting Started Guide.

Security

NSX Manager has the following security features:
  • NSX Manager has a built-in user account called admin, which has access rights to all resources, but does not have rights to the operating system to install software. NSX-T upgrade files are the only files allowed for installation. You can change the username and role permissions for admin, but you cannot delete admin.
  • NSX Manager supports session timeout and automatic user logout. NSX Manager does not support session lock. Initiating a session lock can be a function of the workstation operating system being used to access NSX Manager. Upon session termination or user logout, users are redirected to the login page.
  • Authentication mechanisms implemented on NSX-T follow security best practices and are resistant to replay attacks. The secure practices are deployed systematically. For example, sessions IDs and tokens on NSX Manager for each session are unique and expire after the user logs out or after a period of inactivity. Also, every session has a time record and the session communications are encrypted to prevent session hijacking.
You can view and change the session timeout value with the following CLI commands:
  • The command get service http displays a list of values including session timeout.
  • To change the session timeout value, run the following commands:
    set service http session-timeout <timeout-value-in-seconds>
    restart service ui-service