Add rules to redirect an east-west traffic for network introspection.

Rules are defined in a policy. Policy as a concept is similar to the concept of sections in firewalls. When you add a policy, select the service chain to redirect the traffic for introspection by service profiles of the service chain.

A rule definition consists of source and destination of the traffic, introspection service, the NSX-T Data Center object to apply the rule to, and traffic redirection policy. After you publish the rule, NSX Manager triggers the rule when a matching traffic pattern is found. The rule begins to introspect the traffic. For example, when NSX Manager classifies a traffic flow that must be introspected, it forwards the traffic to the regular distributed firewall and then to the specified service chain in the policy. The service profiles defined in the service chain introspect the traffic for network services the partner offers. If a service profile finishes introspection without detecting any security issues in the traffic, the traffic is forwarded to the next service profile in the service chain. At the end of the service chain, the traffic is forwarded to the destination target.

All notifications are sent to the partner Service Manager and NSX-T Data Center.

Note: By default, a rule exists even when east-west service is not configured. This default rule is not applied and is inactive. You need to create and apply the first rule after deploying east-west serviec on NSX-T Data Center.


A service chain is available to redirect the traffic for a network introspection.


  1. With admin privileges, log in to NSX Manager.
  2. Verify the NSX Manager is in Policy mode.
  3. Select Security > E-W Network Introspection > Add Policy.

    A policy section is similar to a firewall section where you define rules that determine how traffics flows.

  4. Select a service chain.
  5. To add a policy, click Publish.
  6. Click the Three-dot menu vertical ellipsis on a section and click Add Rule.
  7. In the Sources column, click the edit icon, and select the source of the rule. See Add a Group for more information.
    IPv4 and multicast addresses are supported.
  8. Click Save.
  9. In the Destinations column, click the edit icon, and select the destination of the rule. If not defined, the destination matches any. See Add a Group for more information.
    IPv4 and multicast addresses are supported.
    Note: IPv6 is not supported. Do not set the traffic type to IPv6.
  10. By default, the Applied to column is set to DFW, and the rule is applied to all workloads. You can also apply the rule or policy to selected groups. Applied to defines the scope of enforcement per rule, and is used mainly for optimization or resources on ESXi and KVM hosts. It helps in defining a targeted policy for specific zones and tenants, without interfering with other policy defined for other tenants and zones.

    Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied-to text box.

  11. In the Action text box, select Redirect to redirect traffic along the service chain or Do Not Redirect not to apply network introspection on the traffic.
  12. Click Publish.
  13. To revert a published rule, select a rule and click Revert.
  14. To add a policy, click + Add Policy.
  15. To clone a policy or a rule, select the policy or rule and click Clone.
  16. To enable a rule, enable the Enable/Disable icon or select the rule and from the menu click Enable > Enable Rule.
  17. After enabling or disabling a rule, click Publish to enforce the rule.


Traffic going to the source is redirected to the service chain for network introspection. After service profiles in the chain introspect the traffic, it is delivered to the destination.

During deployment, it is possible that the VM group membership for a particular policy changes. NSX-T Data Center notifies the partner Service Manager about these updates.