VMware Networking Community
i1wan
Enthusiast

ISSUE: Can not create an (distributed) Firewall rule with the REST API

Hi,

After my issues with the EDGE firewall I now have an issue with adding firewall rules using the REST API for the distributed firewall.

I am following page 272 of the NSX REST API Guide.

I have created a section and this section-id is "1011".

I retrieved the id using the REST API call to query all current rules and sections.

To add the rule I am using this syntax and POST link:

POST -- https://<nsx-manager-ip>/api/4.0/firewall//globalroot-0/config/layer3sections/1011/rules

<?xml version="1.0" encoding="UTF-8"?>
<rule disabled="enabled" logged="false">
  <name>AddRuleTest</name>
  <action>allow</action>
  <notes />
  <appliedToList>
    <appliedTo>
      <value>datacenter-26</value>
      <type>Datacenter</type>
    </appliedTo>
  </appliedToList>
  <sectionId>1011</sectionId>
  <sources excluded="true">
    <source>
      <value>datacenter-26</value>
      <type>Datacenter</type>
    </source>
  </sources>
  <services>
    <service>
      <value></value>
    </service>
  </services>
</rule>

What am I doing wrong here?

2 Replies
DaleCoghlan
VMware Employee

The documentation is not 100% clear for what you are trying to achieve.

The whole firewall config (all rules and all sections) has an ETag; however, each section also has its own ETag.

By grabbing the ETag for all rules and sections when you are trying to add the rule, you are also specifying the particular sectionId, and as the ETag you have specified doesn't match the section ETag, it will fail (more than likely with a "412 Precondition Failed" message).

As you are trying to add a firewall rule to a firewall section, when you grab the ETag, rather than grabbing the ETag for ALL rules and sections, you actually need to query the specific firewall section you wish to add a rule to and grab the ETag from that particular section.

So to grab the ETag for section 1011, you need to run the following:

GET https://<nsx-manager-ip>/api/4.0/firewall/globalroot-0/config/layer3sections/1011


The NSX_62_API guide will be updated in a future release to make this clearer.


Dale

larsonm
VMware Employee

Adding to Dale's comment - Pages 303 & 30 of the NSX 6.2 API guide detail this process.

1.  Get the firewall config to list the section IDs (this will also link a section ID to a section name)

GET https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config

2.  Get the section in question

GET https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config/layer3sections/1123

3.  ETag will be returned (item 5 below)

[screenshot: ETAG.JPG]

4.  Add the If-Match header with the ETag

[screenshot: If-Match.JPG]

5.  POST https://<NSX MGR IP>/api/4.0/firewall/globalroot-0/config/layer3sections/1123/rules

with the correct syntax in the body (example below)

<rule disabled="false" logged="false">
  <name>Allow vRealize/RC Traffic</name>
  <action>allow</action>
  <appliedToList>
    <appliedTo>
      <name>DISTRIBUTED_FIREWALL</name>
      <value>DISTRIBUTED_FIREWALL</value>
      <type>DISTRIBUTED_FIREWALL</type>
      <isValid>true</isValid>
    </appliedTo>
  </appliedToList>
  <sectionId>1123</sectionId>
  <sources excluded="false">
    <source>
      <name>vROps-RC</name>
      <value>ipset-6</value>
      <type>IPSet</type>
      <isValid>true</isValid>
    </source>
  </sources>
  <destinations excluded="false">
    <destination>
      <name>vRealize</name>
      <value>ipset-5</value>
      <type>IPSet</type>
      <isValid>true</isValid>
    </destination>
  </destinations>
  <services>
    <service>
      <name>vRealize Operations - RC</name>
      <value>application-383</value>
      <type>Application</type>
      <isValid>true</isValid>
    </service>
  </services>
  <direction>inout</direction>
  <packetType>any</packetType>
</rule>

***Note - application-383, ipset-5, and ipset-6 are all custom values and may not apply to your environment.

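The ETag / If-Match handshake that both replies describe, as an added example that is not code from the thread or from VMware. It drives the five steps (GET the config, GET the section, take its ETag, send it back in If-Match, POST the rule) against a small constructed stand-in for NSX Manager so that it runs offline, and it also reproduces the failure mode from the question: posting with the whole-config ETag instead of the section's ETag gets a 412 Precondition Failed, while the section ETag gets a 201. Section 1123, ipset-5, ipset-6 and application-383 are taken from the reply above and are assumptions; against a real manager you would point `base` at `https://<nsx-manager-ip>`, add the manager's HTTP basic-auth credentials, and take the section ID from the config listing. The rule body uses `disabled="false"`, the boolean form the reply shows.

```python
import threading, urllib.error, urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

SECTION_ID = "1123"   # assumed, as in the reply above; list yours with GET .../config
FW = "/api/4.0/firewall/globalroot-0/config"


def build_rule_xml(section_id, name, src_ipset, dst_ipset, application):
    """<rule> body in the shape of the reply's example (object IDs are assumed)."""
    rule = ET.Element("rule", disabled="false", logged="false")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = "allow"
    applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    for tag in ("name", "value", "type"):
        ET.SubElement(applied, tag).text = "DISTRIBUTED_FIREWALL"
    ET.SubElement(rule, "sectionId").text = section_id
    for lst, item, obj in (("sources", "source", src_ipset),
                           ("destinations", "destination", dst_ipset)):
        node = ET.SubElement(ET.SubElement(rule, lst, excluded="false"), item)
        ET.SubElement(node, "value").text = obj
        ET.SubElement(node, "type").text = "IPSet"
    svc = ET.SubElement(ET.SubElement(rule, "services"), "service")
    ET.SubElement(svc, "value").text = application
    ET.SubElement(svc, "type").text = "Application"
    ET.SubElement(rule, "direction").text = "inout"
    ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(rule, encoding="unicode")


def _request(method, url, headers=None, body=None):
    """Return (status, ETag); urllib raises on 4xx, so unwrap the error."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get("ETag")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("ETag")


def add_rule(base, section_id, rule_xml, etag_from="section"):
    """Steps 2-5: read the ETag, then POST the rule with it in If-Match.
    etag_from="config" reproduces the question's mistake (whole-config ETag)."""
    section_url = f"{base}{FW}/layer3sections/{section_id}"
    status, etag = _request("GET", base + FW if etag_from == "config" else section_url)
    if status != 200 or not etag:
        raise RuntimeError(f"ETag lookup failed with HTTP {status}")
    return _request("POST", section_url + "/rules",
                    headers={"Content-Type": "application/xml", "If-Match": etag},
                    body=rule_xml.encode())


class _FakeNsxManager(BaseHTTPRequestHandler):
    """Constructed stand-in: whole-config and per-section ETags differ, and a
    POST whose If-Match is not the section's current ETag is refused with 412."""
    config_etag = "1449000000001"
    section_etags = {SECTION_ID: "1449000000002"}

    def log_message(self, *args):   # keep request logging quiet
        pass

    def _reply(self, code, etag=None, body=b""):
        self.send_response(code)
        if etag:
            self.send_header("ETag", etag)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == FW:
            return self._reply(200, self.config_etag, b"<firewallConfiguration/>")
        sec = self.path.rpartition("/layer3sections/")[2]
        if sec in self.section_etags:
            return self._reply(200, self.section_etags[sec], b"<section/>")
        self._reply(404)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sec = self.path.rpartition("/layer3sections/")[2].split("/")[0]
        if sec not in self.section_etags or not self.path.endswith("/rules"):
            return self._reply(404)
        if self.headers.get("If-Match") != self.section_etags[sec]:
            return self._reply(412)   # Precondition Failed: wrong or stale ETag
        ET.fromstring(body)           # body must at least be well-formed XML
        self.section_etags[sec] = str(int(self.section_etags[sec]) + 1)
        self._reply(201, self.section_etags[sec])


def demo():
    """Returns (status using the whole-config ETag, status using the section ETag)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeNsxManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    rule = build_rule_xml(SECTION_ID, "Allow vRealize/RC Traffic",
                          "ipset-6", "ipset-5", "application-383")
    try:
        wrong = add_rule(base, SECTION_ID, rule, etag_from="config")
        right = add_rule(base, SECTION_ID, rule)
    finally:
        server.shutdown()
        server.server_close()
    return wrong[0], right[0]
```

Calling `demo()` returns `(412, 201)`: the first POST carries the config-level ETag and is refused, the second carries the section's ETag and is accepted, after which the section's ETag changes, so a further rule needs a fresh GET of the section before its POST. The stand-in only models the ETag check; a real NSX Manager also validates the rule body and the object IDs in it.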