Migrate the Distributed Firewall Configuration

After you have resolved all configuration issues, you can migrate the Distributed Firewall configuration. When the configuration is migrated, logical object configurations are realized in NSX environment, which replicate the NSX-V logical object configurations.

In the Prepare Infrastructure step, temporary IP sets will be added to NSX-V if the NSX-V security groups are used in a distributed firewall rule. This is required to maintain security while the VMs are migrated from NSX-V to NSX. After the migration, during the finalize infrastructure phase, the temporary IP sets will be deleted.

You can skip the Prepare Infrastructure step. However, doing so may compromise security until the finalize infrastructure phase is complete.

Prerequisites

Verify that you have completed the Resolve Configuration step.

Procedure

From the Migrate Configuration page, click Start.
Verify that the Distributed Firewall configuration objects are displayed in your NSX environment.
You can verify the migrated configurations either in the NSX NSX Manager interface or by running the NSX APIs.
Note:
- During the Migrate Configuration step, Security Tags from NSX-V are not migrated to NSX. Therefore, the Security Tag-based migrated dynamic Groups in NSX are empty. The reason is that in NSX-V, a Security Tag is an object, whereas in NSX, a tag is an attribute of a VM. The tags are applied to the workload VMs only after you migrate the workloads to NSX and run the vmgroup API endpoint with a post_migrate action. For more information, see step 2 in Migrate Workload VMs (Complex Case).
  If the migrated NSX Groups have static memberships, these Groups also are empty after this step is finished. The reason is that the static members are not available in NSX Groups until the workload VMs are migrated.
  If only IP-based DFW rules are used in the NSX-V environment, you do not have to run the vmgroup API endpoint with pre_migrate and post_migrate action.
- When the logical configurations are migrated to NSX, the configuration changes are made in the NSX NSX Manager database, but it might take some time for the configurations to take effect.
Click Continue to proceed.
If needed, you can roll back the migrated DFW configuration.
Rolling back does the following:
- Remove the migrated configuration from NSX.
- Roll back all the resolved issues in the previous step.
Any NSX objects that you manually created after the DFW migration are at risk of being lost during the rollback.
In the Prepare Infrastructure step, click Start to prepare the infrastructure.
If the status is Failed, the details of the failure are displayed. Click Rollback to resolve the issues.

Results

After the prepare infrastructure step is completed, the next steps are:

Switch the Default Gateway to NSX
Depending on your environment, perform the step Migrate Workload VMs (Simple Case) or the following two steps.
Create VM Groups for Workload Migration
Migrate Workload VMs (Complex Case)