After you successfully add a Local Manager location to the Global Manager, you can import all network and security Local Manager configurations to the Global Manager.
- Context Profiles
- DHCP
- DNS
- Firewall Security Policies
- Gateway Profiles
- Groups
- NAT
- Security Profiles
- Services
- T0 Gateway
- T1 Gateway
- Time-based firewall (import/onboard now supported)
Local Manager Configurations Not Supported for Importing into Global Manager
The following features are not supported with NSX Federation. Import of configurations into the Global Manager is blocked if you have any of these configurations in your Local Manager. You must remove unsupported configurations to proceed with importing. After your supported Local Manager configurations are successfully imported into Global Manager, you can add the configurations for any of the unsupported features back into your Local Manager.
- DHCP dynamic binding
- Distributed IDS
- Distributed security for vCenter VDS Port Group only (Global Manager does not see the vCenter VDS port groups to assign them in security groups. However, Global Manager can use dynamic membership in groups based on vCenter VDS port groups tags added by Local Managers.)
- Endpoint protection
- Forwarding policies
- Guest introspection
- Identity firewall
- IDS/IPS
- L2 Bridge
- Load balancer
- Malware prevention
- Metadata proxy
- Multicast
- Network detection and response
- Network introspection
- Routing protocols (OSPF)
- Routing VPN and EVPN
- Service insertion
- T0 VRF
- TLS inspection
- URL filtering
Importing Configurations if you have a Load Balancer service on the Local Manager
- The load balancer service must be in one-arm mode on a standalone tier-1 gateway.
- The standalone tier-1 gateway that the one-arm load balancer is attached to:
- must have only the load balancer service and no other services
- must not have any downlink segments
- must not share Gateway Firewall rules with any other tier-0 or tier-1 gateways.
- Groups used in load balancer service must not be used in any firewall rules. If you have groups common to both load balancer and firewall rules, you must either remove the group from the firewall rule or create an identical group to use with the load balancer.
Configurations Created by a Principal Identity User in Local Manager
If you have configurations in the Local Manager that are created by the Principal Identity user and the same Principal Identity user is not present in the Global Manager, import is blocked.
- The system displays a list of Principal Identity usernames that are being used on the Local Manager to create configurations. Create each of these Principal Identity users in the Global Manager before proceeding to import.
- If you do not want to create Principal Identity usernames in Global Manager, remove all configurations in the Local Manager that are created using the Principal Identity username. You can then proceed with importing other configurations from the Local Manager.
Prerequisites
- The Local Manager appliance must register with the Global Manager.
- The Local Manager appliance must have a backup that you can restore in case the importing procedure fails.
- You must remove configurations for unsupported features from your Local Manager appliance. The NSX UI provides guidance on how to resolve any importing conflicts.
Procedure
- Log in to the Global Manager and navigate to .
- A system message appears for each location that has been successfully added into the Global Manager and has objects that can be imported.
- Click Import Now from the system message. You can also import objects by clicking from the location tile.
- You see a list of objects that can be imported into the Global Manager.
- If there are naming conflicts, you can provide a prefix or suffix for configurations. The total length of the object name, including the prefix and suffix, must not exceed 256 characters.
The prefix or suffix gets applied to the following objects being imported:
- Tier-0 gateway
- Tier-1 gateway
- Segments
- DNS zones
- DHCP profiles
- Switching profiles: IPv6, VNI Pool, Gateway QoS, BFD, IPFIX
- Security profiles: IPFIX, Flood-Protection, DNS Security, Session Timer, Context Profiles
- L4-L7 services (all services listed under ).
- For other conflicts, follow the guidance provided in the UI.
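The following pre-import check is an added example, not VMware code and not part of the original procedure. It goes beyond the naming-conflict step and also covers the Principal Identity and load balancer group conditions described earlier. The dictionary layout, object names and the "paris-" prefix are constructed for illustration, and the script does not call the NSX API.

```python
"""Pre-import checks over constructed inventory data (hypothetical layout, not NSX API output)."""

MAX_NAME_LEN = 256  # limit stated in the procedure, prefix and suffix included


def preflight(local, global_, prefix="", suffix=""):
    """Return (check, object, detail) findings that would block or break an import."""
    findings = []

    # Principal Identity users that created Local Manager objects must exist on the Global Manager.
    for user in sorted(set(local["pi_creators"]) - set(global_["pi_users"])):
        findings.append(("missing-principal-identity", user,
                         "create on Global Manager or remove its configurations"))

    # Groups used by the load balancer service must not be used in any firewall rule.
    fw_groups = {g for rule in local["firewall_rules"] for g in rule["groups"]}
    for group in sorted(set(local["lb_groups"]) & fw_groups):
        findings.append(("lb-group-in-firewall-rule", group,
                         "remove from the rule or create an identical group"))

    # A prefix or suffix can fix one conflict and still exceed the length limit
    # or collide with another Global Manager name, so re-check both after renaming.
    existing = set(global_["names"])
    for name in local["names"]:
        renamed = f"{prefix}{name}{suffix}"
        if len(renamed) > MAX_NAME_LEN:
            findings.append(("name-too-long", name, f"{len(renamed)} > {MAX_NAME_LEN}"))
        elif renamed in existing:
            findings.append(("name-conflict", name, f"'{renamed}' already exists"))
    return findings


# Constructed sample inventory.
LOCAL = {
    "names": ["T1-Web", "DNS-Zone-Corp", "x" * 252],
    "pi_creators": ["pi-automation", "pi-backup"],
    "lb_groups": ["LB-Pool-Web", "Web-Servers"],
    "firewall_rules": [{"name": "allow-web", "groups": ["Web-Servers", "Any-Client"]}],
}
GLOBAL = {"names": ["T1-Web", "paris-DNS-Zone-Corp"], "pi_users": ["pi-automation"]}

if __name__ == "__main__":
    for check, obj, detail in preflight(LOCAL, GLOBAL, prefix="paris-"):
        print(f"{check}: {obj[:40]} ({detail})")
```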