2 Replies Latest reply on Dec 10, 2015 6:10 PM by larsonm

    ISSUE: Cannot create a (distributed) firewall rule with the REST API

    i1wan Novice
    vExpert

      Hi,

       

      After my issues with the EDGE firewall I now have an issue with adding firewall rules using the REST API for the distributed firewall.

       

      I am following page 272 of the NSX REST API Guide.

       

      I have created a section and this section-id is "1011".

      I retrieved the id using the REST API call to query all current rules and sections.

       

      To add the rule I am using this syntax and POST link (the original post had a doubled slash, firewall//globalroot-0, in the URL):

      POST -- https://<nsx-manager-ip>/api/4.0/firewall/globalroot-0/config/layer3sections/1011/rules

      <?xml version="1.0" encoding="UTF-8"?>
      <rule disabled="false" logged="false">
        <!-- disabled takes true/false; "enabled" (as originally posted) is not a valid value -->
        <name>AddRuleTest</name>
        <action>allow</action>
        <notes />
        <appliedToList>
          <appliedTo>
            <value>datacenter-26</value>
            <type>Datacenter</type>
          </appliedTo>
        </appliedToList>
        <sectionId>1011</sectionId>
        <sources excluded="true">
          <source>
            <value>datacenter-26</value>
            <type>Datacenter</type>
          </source>
        </sources>
        <!-- the original post carried <services><service><value></value></service></services>;
             an empty <value/> is not a valid service reference, so the element is left out here,
             which matches any service -->
      </rule>

      What am I doing wrong here?

        • 1. Re: ISSUE: Cannot create a (distributed) firewall rule with the REST API
          DaleCoghlan Enthusiast
          VMware Employees

          The documentation is not 100% clear for what you are trying to achieve.

           

          The whole firewall config (all rules and all sections) has an ETag; however, each section also has its own ETag.

           

          By grabbing the ETag for all rules and sections when you are trying to add the rule, you are also specifying the particular sectionId, and as the ETag you have specified doesn't match the section ETag, it will fail (more than likely with a "412 Precondition Failed" message).

           

          As you are trying to add a firewall rule to a firewall section, when you grab the ETag, rather than grab the ETag for ALL rules and sections, you actually need to query the specific firewall section you wish to add a rule to and grab the ETag from that particular section.

           

          So to grab the ETag for section 1011, you need to run the following:

          GET https://<nsx-manager-ip>/api/4.0/firewall/globalroot-0/config/layer3sections/1011


          The NSX_62_API guide will be updated in a future release to make this clearer.


          Dale

          • 2. Re: ISSUE: Cannot create a (distributed) firewall rule with the REST API
            larsonm Expert
            vExpert

            Adding to Dale's comment - Pages 303 & 30 of the NSX 6.2 API guide detail this process.

             

            1.  Get the firewall config to list the section IDs (this will also link a section ID to a section name)

            GET https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config

             

            2.  Get the section in question

            GET https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config/layer3sections/1123

             

            3.  ETag will be returned (item 5 below)

            (screenshot: ETAG.JPG)

             

            4.  Add the If-Match header with the Etag

            (screenshot: If-Match.JPG)

             

            5.  POST https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config/layer3sections/1123/rules

             

            with the correct syntax in the body (example below)

             

            <rule disabled="false" logged="false">
              <name>Allow vRealize/RC Traffic</name>
              <action>allow</action>
              <appliedToList>
                <appliedTo>
                  <name>DISTRIBUTED_FIREWALL</name>
                  <value>DISTRIBUTED_FIREWALL</value>
                  <type>DISTRIBUTED_FIREWALL</type>
                  <isValid>true</isValid>
                </appliedTo>
              </appliedToList>
              <sectionId>1123</sectionId>
              <sources excluded="false">
                <source>
                  <name>vROps-RC</name>
                  <value>ipset-6</value>
                  <type>IPSet</type>
                  <isValid>true</isValid>
                </source>
              </sources>
              <destinations excluded="false">
                <destination>
                  <name>vRealize</name>
                  <value>ipset-5</value>
                  <type>IPSet</type>
                  <isValid>true</isValid>
                </destination>
              </destinations>
              <services>
                <service>
                  <name>vRealize Operations - RC</name>
                  <value>application-383</value>
                  <type>Application</type>
                  <isValid>true</isValid>
                </service>
              </services>
              <direction>inout</direction>
              <packetType>any</packetType>
            </rule>

             

             

             

            ***Note - application-383, ipset-5, and ipset-6 are all custom values and may not apply to your environment.
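The flow the two replies describe (fetch the section's own ETag, send it back in an If-Match header, then POST the rule), as an added example that is not part of this thread. NSX Manager is replaced by a constructed in-memory stand-in (FakeNsx) so the script runs offline; the URL paths, the per-section ETag and the 412 on a mismatched ETag follow the posts above, and the ETag strings and rule id are made up.

```python
import xml.etree.ElementTree as ET

BASE = "/api/4.0/firewall/globalroot-0/config"

class FakeNsx:
    """Constructed stand-in for NSX Manager (not the real API). The whole config and
    each section carry different ETags; a POST to /rules needs the section's ETag."""
    def __init__(self):
        self.etags = {"config": '"global-v1"', "1011": '"sec-1011-v1"'}  # made-up values

    def request(self, method, path, headers=None, body=None):
        headers = headers or {}
        if method == "GET" and path == BASE:
            return 200, {"ETag": self.etags["config"]}, b"<firewallConfiguration/>"
        if method == "GET" and "/layer3sections/" in path:
            sec = path.rsplit("/", 1)[1]
            return 200, {"ETag": self.etags[sec]}, b"<section/>"
        if method == "POST" and path.endswith("/rules"):
            sec = path.split("/layer3sections/")[1].split("/")[0]
            if headers.get("If-Match") != self.etags[sec]:
                return 412, {}, b"Precondition Failed"   # the failure Dale describes
            ET.fromstring(body)                          # reject malformed rule XML
            self.etags[sec] = f'"sec-{sec}-v2"'          # a write changes the section ETag
            return 201, {"ETag": self.etags[sec]}, b'<rule id="1001"/>'
        return 404, {}, b""

def build_rule(name, section_id, applied_to, src_value, src_type):
    """Build a minimal layer-3 rule body like the one posted in the question."""
    rule = ET.Element("rule", disabled="false", logged="false")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = "allow"
    at = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    ET.SubElement(at, "value").text = applied_to
    ET.SubElement(at, "type").text = "Datacenter"
    ET.SubElement(rule, "sectionId").text = str(section_id)
    src = ET.SubElement(ET.SubElement(rule, "sources", excluded="false"), "source")
    ET.SubElement(src, "value").text = src_value
    ET.SubElement(src, "type").text = src_type
    return ET.tostring(rule, encoding="utf-8", xml_declaration=True)

def add_rule(nsx, section_id, rule_xml, etag_from="section"):
    """GET an ETag, then POST the rule with it in If-Match. etag_from="section" is the
    correct flow; etag_from="config" reproduces the mistake made in the question."""
    path = f"{BASE}/layer3sections/{section_id}" if etag_from == "section" else BASE
    status, hdrs, _ = nsx.request("GET", path)
    if status != 200:
        return status, {}
    headers = {"If-Match": hdrs["ETag"], "Content-Type": "application/xml"}
    status, hdrs, _ = nsx.request("POST", f"{BASE}/layer3sections/{section_id}/rules", headers, rule_xml)
    return status, hdrs
```

Against a real NSX Manager the `request` method would be replaced by an authenticated HTTPS call; the ETag handling stays the same.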