The NSX Manager provides a web-based user interface where you can manage your NSX environment. It also hosts the API server that processes API calls.
The NSX Manager interface provides two modes for configuring resources:
- Policy mode
- Manager mode
Accessing Policy Mode and Manager Mode
If present, you can use the Policy and Manager buttons to switch between the Policy and Manager modes. Switching modes controls which menus items are available to you.
- By default, if your environment contains only objects created through Policy mode, your user interface is in Policy mode and you do not see the Policy and Manager buttons.
- By default, if your environment contains any objects created through Manager mode, you see the Policy and Manager buttons in the top-right corner.
These defaults can be changed by modifying the user interface settings. See Configure the User Interface Settings for more information.
The same System tab is used in the Policy and Manager interfaces. If you modify Edge nodes, Edge clusters, or transport zones, it can take up to 5 minutes for those changes to be visible in Policy mode. You can synchronize immediately using POST /policy/api/v1/infra/sites/default/enforcement-points/default?action=reload.
When to Use Policy Mode or Manager Mode
Be consistent about which mode you use. There are a few reasons to use one mode over the other.
- If you are deploying a new NSX environment, using Policy mode to create and manage your environment is the best choice in most situations.
- Some features are not available in Policy mode. If you need these features, use Manager mode for all configurations.
- If you plan to use NSX Federation, use Policy mode to create all objects. Global Manager supports only Policy mode.
- If you are upgrading from an earlier version of NSX and your configurations were created using the Advanced Networking & Security tab, use Manager mode.
The menu items and configurations that were found under the Advanced Networking & Security tab are available in NSX 3.0 in Manager mode.
Similarly, if you need to use Manager mode, use it to create all objects. Do not use Policy mode to create objects.
Policy Mode | Manager Mode |
---|---|
Most new deployments should use Policy mode. NSX Federation supports only Policy mode. If you want to use NSX Federation, or might use it in future, use Policy mode. |
Deployments which were created using the advanced interface, for example, upgrades from versions before Policy mode was available. |
NSX Cloud deployments | Deployments which integrate with other plugins. For example, NSX Container Plug-in, Openstack, and other cloud management platforms. |
Networking features available in Policy mode only:
|
|
Security features available in Policy mode only:
|
Security features available in Manager mode only:
|
Names for Objects Created in Policy Mode and Manager Mode
The objects you create have different names depending on which interface was used to create them.
Objects Created Using Policy Mode | Objects Created Using Manager Mode |
---|---|
Segment | Logical switch |
Tier-1 gateway | Tier-1 logical router |
Tier-0 gateway | Tier-0 logical router |
Group | NSGroup, IP Sets, MAC Sets |
Security Policy | Firewall section |
Gateway firewall | Edge firewall |
Policy and Manager APIs
- The Policy API contains URIs that begin with
/policy/api
. - The Manager API contains URIs that begin with
/api
.
For more information about using the Policy API, see the NSX Policy API: Getting Started Guide.
Security
- NSX Manager has a built-in user account called admin, which has access rights to all resources, but does not have rights to the operating system to install software. NSX upgrade files are the only files allowed for installation.
- NSX Manager supports session timeout and automatic user logout. NSX Manager does not support session lock. Initiating a session lock can be a function of the workstation operating system being used to access NSX Manager. Upon session termination or user logout, users are redirected to the login page.
- Authentication mechanisms implemented on NSX follow security best practices and are resistant to replay attacks. The secure practices are deployed systematically. For example, sessions IDs and tokens on NSX Manager for each session are unique and expire after the user logs out or after a period of inactivity. Also, every session has a time record and the session communications are encrypted to prevent session hijacking.
- The command get service http displays a list of values including session timeout.
- To change the session timeout value, run the following commands:
set service http session-timeout <timeout-value-in-seconds> restart service ui-service