After you have resolved all configuration issues, you can migrate the Distributed Firewall configuration. When the configuration is migrated, logical object configurations are realized in NSX-T Data Center environment, which replicate the NSX Data Center for vSphere logical object configurations.

As of NSX-T 3.1.1, the migration coordinator does not modify the NSX-V environment. It is assumed that NSX-V dynamic membership is maintained as long as the VM is in the same vCenter. If you plan to move the VM to another vCenter and maintain security, you must manually create IPsets in NSX-V reflecting the dynamic mappings before moving the VM. You can get the mapping information in NSX-V with the following API call:

GET /api/2.0/services/securitygroup/<objectId>/translation/ipaddresses


Verify that you have completed the Resolve Configuration step.


  1. From the Migrate Configuration page, click Start.
  2. Verify that the Distributed Firewall configuration objects are displayed in your NSX-T environment.

    You can verify the migrated configurations either in the NSX-T NSX Manager interface or by running the NSX-T APIs.

    • During the Migrate Configuration step, Security Tags from NSX-v are not migrated to NSX-T. Therefore, the Security Tag-based migrated dynamic Groups in NSX-T are empty. The reason is that in NSX-v, a Security Tag is an object, whereas in NSX-T, a tag is an attribute of a VM. The tags are applied to the workload VMs only after you migrate the workloads to NSX-T and run the vmgroup API endpoint with a post_migrate action. For more information, see step 2 in Migrate Workload VMs Using vSphere vMotion.

      If the migrated NSX-T Groups have static memberships, these Groups also are empty after this step is finished. The reason is that the static members are not available in NSX-T Groups until the workload VMs are migrated.

      If only IP-based DFW rules are used in the NSX-v environment, you do not have to run the vmgroup API endpoint with pre_migrate and post_migrate action.

    • When the logical configurations are migrated to NSX-T, the configuration changes are made in the NSX-T NSX Manager database, but it might take some time for the configurations to take effect.
  3. Click Continue to proceed.
    If needed, you can roll back the migrated DFW configuration. Roll back of DFW configuration is not supported in NSX-T 3.1. It is supported starting in NSX-T 3.1.1.

    Rolling back does the following:

    • Remove the migrated configuration from NSX-T.
    • Roll back all the resolved issues in the previous step.

    Any NSX-T objects that you manually created after the DFW migration are at risk of being lost during the rollback.