After you have resolved all configuration issues, you can migrate the Distributed Firewall configuration. When the configuration is migrated, logical object configurations are realized in NSX-T environment, which replicate the NSX-T logical object configurations.

DFW exclusion lists are not migrated. You need to re-create them on NSX-T after migration.


Verify that you have completed the Resolve Configuration step.


  1. From the Migrate Configuration page, click Start.
  2. Verify that the Distributed Firewall configuration objects are displayed in your NSX-T environment.

    You can verify the migrated configurations either in the NSX-T NSX Manager interface or by running the NSX-T APIs.

    • During the Migrate Configuration step, Security Tags from NSX-V are not migrated to NSX-T. Therefore, the Security Tag-based migrated dynamic Groups and Groups with static memberships in NSX-T are empty after this step is finished. The reason is that in NSX-V, a Security Tag is an object, whereas in NSX-T, a tag is an attribute of a VM. The tags are applied to the workload VMs only after the workloads are migrated to NSX-T during the Migrate Hosts step.
    • When the logical configurations are migrated to NSX-T, the configuration changes are made in the NSX-T NSX Manager database, but it might take some time for the configurations to take effect.
  3. Click Continue to proceed.
    If needed, you can roll back the migrated DFW configuration.

    Rolling back does the following:

    • Remove the migrated configuration from NSX-T.
    • Roll back all the resolved issues in the previous step.

    Any NSX-T objects that you manually created after the DFW migration are at risk of being lost during the rollback.