We have an existing vSphere 6.7U3 / NSX-T 3.1.3 environment (3 node cluster). This environment contains around 500 VMs and this is a whitelisted deployment and all VMs are using overlay backed segments with DFW rules.
We have recently built a new VCF 4.4 environment that uses NSX-T 18.104.22.168.4 (3 node cluster) and we are planning on implementing the same security posture and use the DFW and Gateway firewalls extensively.
The vSphere 6.7U3 / NSX-T 3.1.3 environment is being decommissioned and VMs will be migrated over to the new VCF 4.4 environment using HCX.
The challenge here is that we need to migrate 500VMS along with approximately 2800 DFW rules over to the new platform. We are also using security groups and custom services that also need to be recreated in the new platform. Of course having to recreate these DFW rules will be a very laborious task and is error prone.
We upgraded from 3.0.3 to 3.1.3 in order to be able to export the Firewall configuration, as described in this document: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-FCE6567E-1174-49CC-90F1-...
There is VERY little information out there around how to port rule configurations between manager instances. We thought. The thinking here was that we could use the FW rule export feature and then upload the bundle into the new NSX instance. But this does not seem to work. After performing the import, it shows the objects as deleted.
It also appears that there is no way to export / import the security groups either.
I am sure that there must be a way to do this, but again this dosnt seem to be documented anywhere. I am not exactly sure if this export method show above was meant to be used for this.
Any help would be greatly appreciated!
This is expected behaviour of UI as groups needs to be manually created at destination site. You can use scripts or API calls to export daw rules along with services and groups and then import them on destination side.
There are couple of helper scripts for DFW backup and restore which you can give a try.
Use file - nsx-dfw-backup-n-restore.py
Or, there is another blog by Luca to export dfw rules without exporting System Owned entries, which you can refer as well and using Patch API you can import exported rules.
Blog - https://lucacamarda.wordpress.com/2020/08/20/exporting-the-nsx-t-dfw-configuration-via-the-policy-ap...
Script Location - https://github.com/lcamarda/blog/blob/master/nsxt_export_dfw.py
Please note, these are community scripts and as with any script, should be well tested before running in production to avoid any unforeseen issues.
Hope this helps.
Thanks for the information here. I actually read that blog and was able to get the DFW rules out using the commands in the blog. But now when I try to PATCH the rules over to the new NSX instance I get the error: ""Error in hierarchical API, cause: request payload size exceeds the permitted limit, max 2,000 objects are allowed per request."
The .json file is quite large and I have tried cutting it down but it appears that there are issues when you try to reduce the object count by deleting objects. Thanks!
Yes, maximum object you can do via API call is limited to 2000. Dirty solution in case of count is exceeding 2000, then you can break the objects in two separate files and patch them separately, but you need to ensure that overall json structure remains valid.