ravik3677
Contributor

REST API Call to check if an object exists in DFW policy

Hi All!!

I am trying to do some automation using the Policy API and wanted to know how to check if an object is used in the policy anywhere. If it is not used, I would like to delete it. I am stuck at the point where I cannot see the REST API call I can issue to see where the object is used. I am basically trying to simulate the "where used" feature in the NSX GUI. Would appreciate it if anyone can assist.

 

Thanks


0 Kudos
4 Replies
p0wertje
Hot Shot

Hi,

 

Did a check on the query NSX does. It does a POST to /policy/api/v1/search/aggregate

With a quite long body (JSON). (Replace the "/infra/domains/default/groups/Group-Test-Seg2" with the path to your group.)

It will return a lot of related stuff (if any)

{"primary":{"resource_type":"Group","filters":[{"field_names":"path","value":"\"/infra/domains/default/groups/Group-Test-Seg2\""}]},
"related":[
{"resource_type":"Rule","join_condition":"source_groups:path","alias":"SrcDfwRules"},
{"resource_type":"SecurityPolicy OR GatewayPolicy","join_condition":"path:$0.parent_path","alias":"SrcDfwSections"},
{"resource_type":"Rule","join_condition":"destination_groups:path","alias":"DestDfwRules"},
{"resource_type":"SecurityPolicy OR GatewayPolicy","join_condition":"path:$2.parent_path","alias":"DestDfwSections"},
{"resource_type":"PortMirroringInstance","join_condition":"parent_path:path","alias":"srcPortMirror"},
{"resource_type":"PortMirroringInstance","join_condition":"destination_group:path","alias":"destPortMirror"},
{"resource_type":"PortMirroringProfile","join_condition":"destination_group:path","alias":"destPortMirrorProfile"},
{"resource_type":"GroupMonitoringProfileBindingMap","join_condition":"parent_path:path","alias":"groupMonitoringProfileBindingMap"},
{"resource_type":"PortMirroringProfile","join_condition":"path:$7.port_mirroring_profile_path","alias":"srcPortMirrorProfile"},
{"resource_type":"IPFIXL2Profile","join_condition":"path:$7.ipfix_l2_profile_path","alias":"AppliedToIPFIXL2Profile"},
{"resource_type":"Rule","join_condition":"scope:path","alias":"DfwRuleAppliedTo"},
{"resource_type":"SecurityPolicy","join_condition":"path:$10.parent_path","alias":"DfwAppliedToSections"},
{"resource_type":"Group","join_condition":"expression.paths:path","alias":"ParentGroups"},
{"resource_type":"SecurityPolicy","join_condition":"scope:path","alias":"SecurityPolicyAppliedToSection"},
{"resource_type":"PolicyExcludeList","join_condition":"members:path","alias":"ExclusionList"},
{"resource_type":"IdsRule","join_condition":"source_groups:path","alias":"SrcIdsRules"},
{"resource_type":"IdsRule","join_condition":"destination_groups:path","alias":"DestIdsRules"},
{"resource_type":"IdsSecurityPolicy","join_condition":"path:$15.parent_path","alias":"SrcIdsSections"},
{"resource_type":"IdsSecurityPolicy","join_condition":"path:$16.parent_path","alias":"DestIdsSections"},
{"resource_type":"RedirectionRule","join_condition":"source_groups:path","alias":"SrcRedirectionRules"},
{"resource_type":"RedirectionPolicy","join_condition":"path:$19.parent_path","alias":"SrcRedirectionSections"},
{"resource_type":"RedirectionRule","join_condition":"destination_groups:path","alias":"DestRedirectionRules"},
{"resource_type":"RedirectionPolicy","join_condition":"path:$21.parent_path","alias":"DestRedirectionSections"},
{"resource_type":"EndpointRule","join_condition":"groups:path","alias":"EndpointRules"},
{"resource_type":"EndpointPolicy","join_condition":"path:$23.parent_path","alias":"EndpointSections"},
{"resource_type":"PolicyLbPoolAccess","join_condition":"parent_path:path","alias":"poolaccess"},
{"resource_type":"PolicyLbRule","join_condition":"parent_path:$25.path","alias":"lbrules"},
{"resource_type":"TcpPolicyLbVirtualServer OR UdpPolicyLbVirtualServer OR HttpPolicyLbVirtualServer OR HttpsPolicyLbVirtualServer OR CustomPolicyLbVirtualServer","join_condition":"path:$20.lb_virtual_server","alias":"lbservers"},
{"resource_type":"RedirectionCommunicationEntry","join_condition":"source_groups:path","alias":"srcSICommEntries"},
{"resource_type":"RedirectionCommunicationMap","join_condition":"path:$28.parent_path","alias":"srcSICommMap"},
{"resource_type":"PolicyServiceInstance","join_condition":"path:$29.service_instance_path","alias":"srcServiInstances"},
{"resource_type":"RedirectionCommunicationEntry","join_condition":"destination_groups:path","alias":"destSICommEntries"},
{"resource_type":"RedirectionCommunicationMap","join_condition":"path:$31.parent_path","alias":"destSICommMap"},
{"resource_type":"PolicyServiceInstance","join_condition":"path:$32.service_instance_path","alias":"destServiInstances"},
{"resource_type":"ForwardingRule","join_condition":"source_groups:path","alias":"SrcForwardingRules"},
{"resource_type":"ForwardingPolicy","join_condition":"path:$34.parent_path","alias":"SrcForwardingSections"},
{"resource_type":"ForwardingRule","join_condition":"destination_groups:path","alias":"DestForwardingRules"},
{"resource_type":"ForwardingPolicy","join_condition":"path:$36.parent_path","alias":"DestForwardingSections"},
{"resource_type":"IPFIXDFWProfile","join_condition":"path:$7.ipfix_dfw_profile_path","alias":"AppliedToIPFIXDFWProfile"},
{"resource_type":"LBPool","join_condition":"member_group.group_path:path","alias":"LBPool"},
{"resource_type":"RedirectionRule","join_condition":"scope:path","alias":"RedirectionRuleAppliedTo"},
{"resource_type":"RedirectionPolicy","join_condition":"path:$40.parent_path","alias":"RedirectionAppliedToSections"},
{"resource_type":"PolicyFirewallFloodProtectionProfileBindingMap","join_condition":"parent_path:path","alias":"PolicyFirewallFloodProtectionProfileBindingMap"},
{"resource_type":"DistributedFloodProtectionProfile","join_condition":"path:$42.profile_path","alias":"DistributedFloodProtectionProfile"},
{"resource_type":"DnsSecurityProfileBindingMap","join_condition":"parent_path:path","alias":"DnsSecurityProfileBindingMap"},
{"resource_type":"DnsSecurityProfile","join_condition":"path:$44.profile_path","alias":"DnsSecurityProfile"},
{"resource_type":"PolicyFirewallSessionTimerProfileBindingMap","join_condition":"parent_path:path","alias":"PolicyFirewallSessionTimerProfileBindingMap"},
{"resource_type":"PolicyFirewallSessionTimerProfile","join_condition":"path:$46.firewall_session_timer_profile_path","alias":"PolicyFirewallSessionTimerProfile"}
]}
Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved
0 Kudos
p0wertje
Hot Shot

Seems like NSX is doing a POST to: /policy/api/v1/search/aggregate

 

The body it uses: (change the path to the group you want to search. In my case it is Group-Test-Seg2)

 

{"primary":{"resource_type":"Group","filters":[{"field_names":"path","value":"\"/infra/domains/default/groups/Group-Test-Seg2\""}]},
"related":[
{"resource_type":"Rule","join_condition":"source_groups:path","alias":"SrcDfwRules"},
{"resource_type":"SecurityPolicy OR GatewayPolicy","join_condition":"path:$0.parent_path","alias":"SrcDfwSections"},
{"resource_type":"Rule","join_condition":"destination_groups:path","alias":"DestDfwRules"},
{"resource_type":"SecurityPolicy OR GatewayPolicy","join_condition":"path:$2.parent_path","alias":"DestDfwSections"},
{"resource_type":"PortMirroringInstance","join_condition":"parent_path:path","alias":"srcPortMirror"},
{"resource_type":"PortMirroringInstance","join_condition":"destination_group:path","alias":"destPortMirror"},
{"resource_type":"PortMirroringProfile","join_condition":"destination_group:path","alias":"destPortMirrorProfile"},
{"resource_type":"GroupMonitoringProfileBindingMap","join_condition":"parent_path:path","alias":"groupMonitoringProfileBindingMap"},
{"resource_type":"PortMirroringProfile","join_condition":"path:$7.port_mirroring_profile_path","alias":"srcPortMirrorProfile"},
{"resource_type":"IPFIXL2Profile","join_condition":"path:$7.ipfix_l2_profile_path","alias":"AppliedToIPFIXL2Profile"},
{"resource_type":"Rule","join_condition":"scope:path","alias":"DfwRuleAppliedTo"},
{"resource_type":"SecurityPolicy","join_condition":"path:$10.parent_path","alias":"DfwAppliedToSections"},
{"resource_type":"Group","join_condition":"expression.paths:path","alias":"ParentGroups"},
{"resource_type":"SecurityPolicy","join_condition":"scope:path","alias":"SecurityPolicyAppliedToSection"},
{"resource_type":"PolicyExcludeList","join_condition":"members:path","alias":"ExclusionList"},
{"resource_type":"IdsRule","join_condition":"source_groups:path","alias":"SrcIdsRules"},
{"resource_type":"IdsRule","join_condition":"destination_groups:path","alias":"DestIdsRules"},
{"resource_type":"IdsSecurityPolicy","join_condition":"path:$15.parent_path","alias":"SrcIdsSections"},
{"resource_type":"IdsSecurityPolicy","join_condition":"path:$16.parent_path","alias":"DestIdsSections"},
{"resource_type":"RedirectionRule","join_condition":"source_groups:path","alias":"SrcRedirectionRules"},
{"resource_type":"RedirectionPolicy","join_condition":"path:$19.parent_path","alias":"SrcRedirectionSections"},
{"resource_type":"RedirectionRule","join_condition":"destination_groups:path","alias":"DestRedirectionRules"},
{"resource_type":"RedirectionPolicy","join_condition":"path:$21.parent_path","alias":"DestRedirectionSections"},
{"resource_type":"EndpointRule","join_condition":"groups:path","alias":"EndpointRules"},
{"resource_type":"EndpointPolicy","join_condition":"path:$23.parent_path","alias":"EndpointSections"},
{"resource_type":"PolicyLbPoolAccess","join_condition":"parent_path:path","alias":"poolaccess"},
{"resource_type":"PolicyLbRule","join_condition":"parent_path:$25.path","alias":"lbrules"},
{"resource_type":"TcpPolicyLbVirtualServer OR UdpPolicyLbVirtualServer OR HttpPolicyLbVirtualServer OR HttpsPolicyLbVirtualServer OR CustomPolicyLbVirtualServer","join_condition":"path:$20.lb_virtual_server","alias":"lbservers"},
{"resource_type":"RedirectionCommunicationEntry","join_condition":"source_groups:path","alias":"srcSICommEntries"},
{"resource_type":"RedirectionCommunicationMap","join_condition":"path:$28.parent_path","alias":"srcSICommMap"},
{"resource_type":"PolicyServiceInstance","join_condition":"path:$29.service_instance_path","alias":"srcServiInstances"},
{"resource_type":"RedirectionCommunicationEntry","join_condition":"destination_groups:path","alias":"destSICommEntries"},
{"resource_type":"RedirectionCommunicationMap","join_condition":"path:$31.parent_path","alias":"destSICommMap"},
{"resource_type":"PolicyServiceInstance","join_condition":"path:$32.service_instance_path","alias":"destServiInstances"},
{"resource_type":"ForwardingRule","join_condition":"source_groups:path","alias":"SrcForwardingRules"},
{"resource_type":"ForwardingPolicy","join_condition":"path:$34.parent_path","alias":"SrcForwardingSections"},
{"resource_type":"ForwardingRule","join_condition":"destination_groups:path","alias":"DestForwardingRules"},
{"resource_type":"ForwardingPolicy","join_condition":"path:$36.parent_path","alias":"DestForwardingSections"},
{"resource_type":"IPFIXDFWProfile","join_condition":"path:$7.ipfix_dfw_profile_path","alias":"AppliedToIPFIXDFWProfile"},
{"resource_type":"LBPool","join_condition":"member_group.group_path:path","alias":"LBPool"},
{"resource_type":"RedirectionRule","join_condition":"scope:path","alias":"RedirectionRuleAppliedTo"},
{"resource_type":"RedirectionPolicy","join_condition":"path:$40.parent_path","alias":"RedirectionAppliedToSections"},
{"resource_type":"PolicyFirewallFloodProtectionProfileBindingMap","join_condition":"parent_path:path","alias":"PolicyFirewallFloodProtectionProfileBindingMap"},
{"resource_type":"DistributedFloodProtectionProfile","join_condition":"path:$42.profile_path","alias":"DistributedFloodProtectionProfile"},
{"resource_type":"DnsSecurityProfileBindingMap","join_condition":"parent_path:path","alias":"DnsSecurityProfileBindingMap"},
{"resource_type":"DnsSecurityProfile","join_condition":"path:$44.profile_path","alias":"DnsSecurityProfile"},
{"resource_type":"PolicyFirewallSessionTimerProfileBindingMap","join_condition":"parent_path:path","alias":"PolicyFirewallSessionTimerProfileBindingMap"},
{"resource_type":"PolicyFirewallSessionTimerProfile","join_condition":"path:$46.firewall_session_timer_profile_path","alias":"PolicyFirewallSessionTimerProfile"}
]}
Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
0 Kudos
ravik3677
Contributor

Hi Hot shot

Thanks for the response... It is helping me some but not entirely yet. If I may ask, how did you find out about the POST URL it is making along with the body parameters? I ask as I could not find this documented in the API guide.

Also, the call did not work for me by the group name; I had to get the ID.

So /infra/domains/default/groups/Group-Test-Seg2\ did not work... I had to pass /infra/domains/default/groups/67027f72-246c-4682-b506-06809763732a\

 

Let me know

Thanks again

0 Kudos
p0wertje
Hot Shot

Hi,

When you use "Web developer" in your browser you can see the requests.

 


Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
0 Kudos
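
Added example (not part of the original posts, and not VMware's code): a Python sketch of the "where used" check discussed in this thread, building the body for /policy/api/v1/search/aggregate and deciding from the response whether a group is referenced, refusing to call it unused when the group itself was not matched. The function names are hypothetical, and the response layout (results[].primary.path and results[].related[] with "alias" and "results") is an assumption; compare it with what the browser developer tools show for your NSX version.

```python
# Subset of the "related" joins from the body posted above. Use the full list
# before acting on the result; a join that is left out cannot report a reference.
RELATED = [
    {"resource_type": "Rule", "join_condition": "source_groups:path", "alias": "SrcDfwRules"},
    {"resource_type": "Rule", "join_condition": "destination_groups:path", "alias": "DestDfwRules"},
    {"resource_type": "Rule", "join_condition": "scope:path", "alias": "DfwRuleAppliedTo"},
    {"resource_type": "Group", "join_condition": "expression.paths:path", "alias": "ParentGroups"},
    {"resource_type": "PolicyExcludeList", "join_condition": "members:path", "alias": "ExclusionList"},
]

def build_body(group_path):
    """Body for POST /policy/api/v1/search/aggregate (hypothetical helper name)."""
    if not group_path.startswith("/infra/") or '"' in group_path or "\\" in group_path:
        raise ValueError("pass the bare policy path, without quotes or backslashes")
    # The filter value is the path wrapped in literal double quotes, as in the post.
    flt = {"field_names": "path", "value": '"' + group_path + '"'}
    return {"primary": {"resource_type": "Group", "filters": [flt]}, "related": RELATED}

def where_used(response, group_path):
    """Return {alias: [referencing paths]}; raise if the group itself was not matched."""
    hits = [r for r in response.get("results", [])
            if r.get("primary", {}).get("path") == group_path]
    if len(hits) != 1:
        raise LookupError("group not matched; result is unknown, not 'unused'")
    used = {}
    for rel in hits[0].get("related", []):
        paths = [obj.get("path", "?") for obj in rel.get("results", [])]
        if paths:
            used[rel.get("alias", "?")] = paths
    return used

def safe_to_delete(response, group_path):
    """True only if the group was found and every join came back empty (fails closed)."""
    try:
        return not where_used(response, group_path)
    except LookupError:
        return False

# Constructed sample data: response shape is assumed, not captured from a manager.
GROUP = "/infra/domains/default/groups/67027f72-246c-4682-b506-06809763732a"
RULE = "/infra/domains/default/security-policies/policy-1/rules/rule-1"
USED = {"results": [{"primary": {"path": GROUP}, "related": [
    {"alias": "SrcDfwRules", "results": [{"path": RULE}]},
    {"alias": "DestDfwRules", "results": []}]}]}
UNUSED = {"results": [{"primary": {"path": GROUP}, "related": [
    {"alias": "SrcDfwRules", "results": []}]}]}

if __name__ == "__main__":
    print(where_used(USED, GROUP), safe_to_delete(USED, GROUP), safe_to_delete(UNUSED, GROUP))
```

The path passed in must be the group's own "path" value, which uses the group ID rather than the display name, as noted in the follow-up post above.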