You can upgrade to NSX Firewall only from vShield App version 5.5. If you have a prior version of vShield App in your infrastructure, you must upgrade to version 5.5 before upgrading to version 6.0. For information on upgrading to version 5.5, see vShield Installation and Upgrade Guide version 5.5.

When vShield Manager 5.5 is upgraded to NSX Manager 6.0, vShield App 5.5 rules are migrated to NSX in the following way:


A new section is created for each namespace (datacenter and virtual wire) configured in vShield App version 5.5. Each section includes the corresponding firewall rules.


All rules in each section have the same value in the AppliedTo field - datacenter ID for datacenter namespace, virtual wire ID for virtual wire namespace, and port group ID for port group based namespace.


Containers created at different namespace levels are moved to the global level.


Section order is as below to ensure that firewall behavior after the upgrade remains the same:











Source ports have been moved from the rule level in 5.5 to services and applications in NSX 6.0. If your vShield App firewall rules included a source port, the following changes are made during the rules upgrade:

Generated applications are translated into raw service objects. Source port is included as part of service.

For user defined applications, new applications are created with source ports.

Application groups are expanded and for each application, a corresponding new application is created with source port.

After the upgrade, you must modify the rules to use their application sets.

These rules are displayed in the Firewall table, but you cannot edit them. To use NSX Firewall, you must follow the procedure below.


vShield Manager has been upgraded to NSX Manager.


Virtual wires have been upgraded to NSX Logical Switches. For non-VXLAN users, network virtualization components have been installed.


After you update all the clusters in your infrastructure while upgrading to NSX logical switches (or installing network virtualization components), a pop up message indicates that Firewall is ready to be upgraded. upgrade


Click Upgrade.

After the upgrade is complete, the Firewall column displays Enabled.


Inspect each upgraded section and rule to ensure it works as intended.

Once you upgrade firewall to NSX, you should move the grouping objects used by firewall rules to global scope. To do this, use NSX APIs to create new grouping objects with the same members and then update the relevant firewall rules with the new IDs.