If you plan to migrate Identity Firewall (IDFW), some preparations are required.

Before the migration, make sure that the following requirements are met:
  • The Active Directory (AD) domains registered in NSX-V are registered in NSX.
  • The LDAP servers registered in NSX-V are registered in NSX.
  • The event log servers registered in NSX-V are registered in NSX.
  • A successful full sync for each newly registered AD domain is completed in NSX.
  • The IDFW environment in NSX-V is supported by NSX. For more information, see the topic Identity Firewall Supported Configurations in the NSX Administration Guide.
Note the following:
  • During the migration, do not allow new users to log in.
  • Some IDFW rules in NSX-V are not supported in NSX. Those rules cannot be migrated to NSX. You must skip or change them to continue the migration.
  • For IP-based IDFW connections, users must log in again after the migration for IDFW to work. If you want IDFW connections for these users to be maintained during the migration, you must manually create shadow firewall rules for these users.
  • For SID-based IDFW connections, users do not need to log in again for IDFW to work.
  • In NSX, IDFW can be configured on a global level and on a cluster level. Because NSX-V does not support IDFW on a cluster level, after the migration, IDFW will be enabled for all clusters in NSX.
  • You must manually undeploy Guest Introspection (GI) in NSX-V after the migration if GI is not undeployed by other migration operations.

Creating and deleting a shadow firewall rule

To create a shadow firewall rule, after the configuration is imported, do the following in NSX:
  1. Create an IP set for the directory group.
  2. Add the IP set to the same NSGroup that the directory group belongs to.
  3. Find the IP addresses of the VMs that users are logged in to.
  4. Add the IP addresses to the IP set.
After the VMs are migrated and the users are logged out of the VMs, do the following:
  1. Remove the IP addresses from the IP set.
  2. After all the IP addresses are removed from the IP set, remove the IP set from the NSGroup and delete the IP set.
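
The following sketch is an added example, not part of the NSX documentation or product. It shows the bookkeeping behind the two procedures above: which VM IP addresses belong in each directory group's shadow IP set, and when an IP set is empty and can be removed from the NSGroup and deleted. The session records, group names, and function names are constructed for illustration, and it makes no NSX API calls.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (user, directory group, IP of the VM the user is logged in to).
SESSIONS = [
    ("alice", "CN=Finance,DC=example,DC=test", "10.20.1.15"),
    ("bob", "CN=Finance,DC=example,DC=test", "10.20.1.16"),
    ("carol", "CN=Engineering,DC=example,DC=test", "10.20.2.40"),
    ("dave", "CN=Finance,DC=example,DC=test", "10.20.1.15"),  # same VM as alice
]


def build_shadow_ip_sets(sessions):
    """Creation steps 3-4: collect, per directory group, the VM IPs to add to its IP set."""
    ip_sets = defaultdict(set)
    for _user, group, ip in sessions:
        # ip_address() raises ValueError on malformed input, so a typo never
        # reaches the IP set.
        ip_sets[group].add(str(ipaddress.ip_address(ip)))
    return dict(ip_sets)


def apply_logouts(ip_sets, sessions, logged_out_users):
    """Cleanup steps 1-2: remove an IP only when no user of that group is still
    logged in on it. Returns (remaining IP sets, groups whose IP set is now
    empty and can be removed from the NSGroup and deleted)."""
    still_active = defaultdict(set)
    for user, group, ip in sessions:
        if user not in logged_out_users:
            still_active[group].add(str(ipaddress.ip_address(ip)))
    # An IP set matches on address alone, so an IP left behind keeps matching
    # the group's rules no matter who logs in to that VM next.
    remaining = {g: ips & still_active[g] for g, ips in ip_sets.items()}
    deletable = sorted(g for g, ips in remaining.items() if not ips)
    return remaining, deletable


if __name__ == "__main__":
    sets = build_shadow_ip_sets(SESSIONS)
    remaining, deletable = apply_logouts(sets, SESSIONS, {"alice", "carol"})
    print(remaining)
    print(deletable)
```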