VMware Networking Community
Czernobog
Expert
Expert

NSX 6.2.4 REST API - need help with modifying firewall rule

Hello,

I need help with modifying a firewall rule in NSX, using the API. I do not know how to format the request body, to get past an error 500 (response: <?xml version="1.0" encoding="UTF-8"?><error><details> : input contained no data</details><errorCode>100</errorCode></error>)

I've used information provided in the NSX 6.2 API documentation, there are however some discrepancies therein.

I use the following path:

  1. Extract the DFW Section ETag with GET https:// NSX-Manager-IP-Address /api/4.0/firewall/globalroot-0/config/layer3sections/1335
  2. Construct the request body, like this for example for allowing communication from IP 10.1.2.3 to vSphere VM VM1-test on port 3389. I have queried the rule using the API beforehand. The new thing I want to add to the rule is a comment "TESTComment":
    1. <rule id="1415" disabled="false" logged="false">

        <name>RULE_EDIT_TEST</name>

        <action>allow</action>

        <notes>TESTComment</notes>

        <appliedToList>

          <appliedTo>

            <value>10.1.2.3</value>

            <type>Ipv4Address</type>

            <isValid>true</isValid>

          </appliedTo>

          <appliedTo>

            <name>VM1-test</name>

            <value>vm-9636</value>

            <type>VirtualMachine</type>

            <isValid>true</isValid>

          </appliedTo>

        </appliedToList>

        <sectionId>1335</sectionId>

        <direction>inout</direction>

        <packetType>any</packetType>

        <sources>

          <source>

            <value>10.1.2.3</value>

            <type>Ipv4Address</type>

            <isValid>true</isValid>

          </source>

        </sources>

        <destinations>

          <destination>

            <name>VM1-test</name>

            <value>vm-9636</value>

            <type>VirtualMachine</type>

            <isValid>true</isValid>

          </destination>

        </destinations>

        <services>

          <service>

            <isValid>true</isValid>

            <destinationPort>3389</destinationPort>

            <protocol>6</protocol>

            <protocolName>TCP</protocolName>

          </service>

        </services>

      </rule>

  3. Use PUT https://NSX-Manager-IP-Address/api/4.0/firewall/globalroot-0/config/layer3sections/1335/rules/1415 to edit the rule
  4. Following headers are used: Content-Type: application/xml, Authorization: Basic (Base64 string), If-Match: Etag value from 1.

Each time the above is executed, I get the response error 500. I use a REST Client and have also wrapped all of the above up into a vRO workflow.

I've tried changing the scope to:

<appliedTo>
<name>DISTRIBUTED_FIREWALL</name>
<value>DISTRIBUTED_FIREWALL</value>
<type>DISTRIBUTED_FIREWALL</type>
<isValid>true</isValid>
</appliedTo>

since I use the same scope when creating new sections.

There are also some discrepancies in the documentation, section "Modify Firewall Rule":

  • "Not all fields are required while sending the request. Refer to the optional field in the schema definition of various objects. All the optional fields are safe to be ignored while sending the rules configuration to server." followed by a simple request body example. Further down in the "Distributed Firewall Examples" it is said that "<appliedTo>, <source> and <destination> sections require the following fields block: <name>, <value>, <type> and <isValid>."
  • The header Content-Type has the value text/xml (I assume this is wrong?)

Is there something missing in the request body?

EDIT 30.11:

I've deconstructed my vRO workflow and rebuilt a simple version of it. You can try it yourself, just set the values for hostResource and restOperation in the nested workflows. The "GET NSX DFW Section and Rule" workflow needs a GET request, the "Edit DFW Rule PUT request" needs the PUT request.

I've made following changes to the above listed values:

- Content-Type of the PUT request is text/xml, not application/xml

- I've added the attribute  excluded="false" to the <sources> and <destinations> nodes in the request body

- set the scope to DISTRIBUTED_FIREWALL

This works when executed in vRO, I still the same error as described in the beginning of the post when executing the request in my REST client (fiddler). Maybe the fault lies in a misconfiguration of the client, I don't know, since I cannot use FF with RESTClient or Postman in the environment.

Reply
0 Kudos
0 Replies