You can upgrade to Distributed Firewall only from vShield App version 5.5. If you have a prior version of vShield App in your infrastructure, you must upgrade to version 5.5 before upgrading to version 6.2.x. For information on upgrading to version 5.5, see vShield Installation and Upgrade Guide version 5.5.

About this task

The duration of the following procedure depends on the number of rules in your environment. When you migrate from vShield App to NSX distributed firewall (enhanced mode), the rules are migrated and pushed. This causes a traffic disruption. This work should be completed during a maintenance window.

Prerequisites

  • vShield Manager has been upgraded to NSX Manager.

  • Virtual wires have been upgraded to NSX Logical Switches. For non-VXLAN users, network virtualization components have been installed.

  • If you want to migrate vShield App 5.5 rules to Distributed Firewall, do not delete the vShield App appliances before upgrading to Distributed Firewall.

Procedure

  1. After you prepare all clusters in your environment for network virtualization components, a message indicates that Firewall is ready to be upgraded.

  2. Click Upgrade.

    vShield App 5.5 rules are migrated to NSX in the following way:

    1. A new section is created in the central firewall table for each namespace (datacenter and virtual wire) configured in vShield App version 5.5. Each section includes the corresponding firewall rules.

    2. All rules in each section have the same value in the AppliedTo field - datacenter ID for datacenter namespace, virtual wire ID for virtual wire namespace, and port group ID for port group based namespace.

    3. Containers created at different namespace levels are moved to the global level.

    4. Section order is as below to ensure that firewall behavior after the upgrade remains the same:

      Section_Namespace_Portgroup-1

      ..................

      Section_Namespace_Portgroup-N

      Section_Namespace_VirtualWire-1

      ..................

      Section_Namespace_VirtualWire-N

      Section_Namespace_Datacenter_1

      ..................

      Section_Namespace_Datacenter_N

      Default_Section_DefaultRule

    After the upgrade is complete, the Firewall column displays Enabled.

  3. Click on Home > Hosts and Clusters and navigate to the hosts that have vShield App service virtual machines running. Shut down the legacy vShield App service virtual machines.
  4. Navigate to Networking & Security > Firewall and nspect each upgraded section and rule and test that it works as intended.
  5. Navigate to the Installation > Service Deployments tab and ensure that all alarms are resolved and that the legacy vShield App service status displays Succeeded.
  6. If the rules are working correctly, from the Service Deployments tab, select vShield App and click Delete Service Deployment () to delete the legacy vShield App service virtual machines.

What to do next

Upgrade vShield Edge to NSX Edge