VMware Cloud Community
AutoBot
Contributor

REST API & vShield Firewall Rules

Hi, I've been directed here from VMware support, so I am hoping one of you clever guys is able to shed some light on this.

I'm using the REST API to try and configure firewalls in vShield. My colleague and I have had success in using the API for Groups and Applications; however, firewalls are proving to be a problem. We can obtain the firewall rules using GET, but for POST vShield returns a '412 Precondition Failed' error.

According to the excerpt from the documentation below:

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Change Firewall Configuration

To configure vShield App firewall rules,

1 Query the firewall rules for the context you want to configure. The context can be a datacenter, cluster, or port-group.

2 Extract the XML from the response body in step 1 and make the desired changes to it.

3 Extract the value of the generation number from the Etag header of the response in Step 1, and add it as the if-match header in the POST call.

For example, the generation number in the GET response for the firewall configuration of a datacenter is 1312802020950 (from Example 6-4). You must now specify the following header in the Request Body of a POST command for changing the datacenter firewall configuration:

If-Match: "1312802020950"

4 Pass the modified XML from step 2 as the Request Body in a POST call.

IMPORTANT You must specify the complete configuration for a context in the POST call.

----------------------------------------------------------------------------------------------------------------------------------------------------------------

We are supposed to add an If-Match header and specify the value of the generation number that was obtained from the GET command.

I’ve followed step by step the instructions from this blog post:

http://blogs.vmware.com/vcloud/tag/vshield-api

One discrepancy I noticed in the post is that the If-Match values in the screenshots are different from the generation number. Could this be an error in the screenshots, i.e. were they a quick cut-and-paste job to get the general info across? I bring this up because the documentation says it has to be the same, but then why are they different in the blog post? Could it be that the number is somehow calculated using some hidden formula? OK, that's a bit of an extreme guess, but I am stuck and pretty sure I'm either doing something wrong or something is configured differently on our vShield server from the norm.

I'm assuming here that the 412 Precondition Failed is down to the If-Match header, but this could be a red herring. Has anyone else here encountered this before? Any help is greatly appreciated.

Thank you for taking the time to read this.

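The GET / ETag / If-Match / POST cycle from the quoted documentation, as an added example that is not part of the original post and not VMware's code. It runs against a small in-process mock of the vShield Manager endpoint so it works offline, and it shows where a 412 comes from: the server compares the If-Match header against its current generation number and rejects anything else. The URL path, the context id `datacenter-2` and the XML element names are assumptions for illustration, not values taken from the post or from the vShield API reference.

```python
"""Added example (not from the original post or from VMware): the vShield
App firewall workflow from the quoted docs, GET -> ETag -> If-Match -> POST,
exercised against an in-process mock so it runs offline.

Assumptions: the path /api/2.0/app/firewall/<contextId>/config, the context
id datacenter-2 and the XML element names are illustrative only."""
import http.server
import threading
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

CONTEXT_PATH = "/api/2.0/app/firewall/datacenter-2/config"  # assumed path

# Constructed sample configuration; element names are an assumption.
SAMPLE_CONFIG = b"""<VshieldAppConfiguration>
  <firewallConfiguration>
    <firewallRule><name>allow-http</name><action>allow</action></firewallRule>
  </firewallConfiguration>
</VshieldAppConfiguration>"""


class MockVshield(http.server.BaseHTTPRequestHandler):
    """Stand-in for vShield Manager: serves the config with an ETag carrying
    the generation number and answers 412 to a POST whose If-Match differs."""
    generation = 1312802020950  # starting value taken from the doc excerpt
    config = SAMPLE_CONFIG

    def _reply(self, status, body=b"", etag=None):
        self.send_response(status)
        if etag is not None:
            self.send_header("ETag", etag)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        cls = type(self)
        self._reply(200, cls.config, etag='"%d"' % cls.generation)

    def do_POST(self):
        cls = type(self)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Optimistic concurrency: the caller must echo the current generation.
        if self.headers.get("If-Match") != '"%d"' % cls.generation:
            self._reply(412)
            return
        cls.config = body      # the whole configuration is replaced, per the docs
        cls.generation += 1    # every accepted change bumps the generation
        self._reply(200)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_server():
    """Start the mock on a free loopback port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockVshield)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch_firewall(base_url):
    """Steps 1 and 3: GET the configuration and keep the ETag exactly as sent."""
    with urllib.request.urlopen(base_url + CONTEXT_PATH) as resp:
        return resp.read(), resp.headers["ETag"]


def add_rule(config_xml, name, action):
    """Step 2: edit the XML from the GET while keeping the complete document."""
    root = ET.fromstring(config_xml)
    rule = ET.SubElement(root.find("firewallConfiguration"), "firewallRule")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action
    return ET.tostring(root)


def push_firewall(base_url, config_xml, etag):
    """Step 4: POST the full configuration with If-Match set to the ETag.
    Returns the HTTP status: 200 on success, 412 when the generation differs."""
    req = urllib.request.Request(base_url + CONTEXT_PATH, data=config_xml, method="POST")
    req.add_header("Content-Type", "application/xml")
    req.add_header("If-Match", etag)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def update_firewall(base_url, name, action):
    """The full GET / modify / POST cycle in one call."""
    config_xml, etag = fetch_firewall(base_url)
    return push_firewall(base_url, add_rule(config_xml, name, action), etag)


if __name__ == "__main__":
    server, base = start_mock_server()
    _, etag = fetch_firewall(base)
    print("ETag from GET:", etag)
    print("POST with a hand-typed If-Match:", push_firewall(base, SAMPLE_CONFIG, '"1"'))
    print("POST echoing the ETag:", update_firewall(base, "allow-ssh", "allow"))
    print("POST re-using the old ETag:", push_firewall(base, SAMPLE_CONFIG, etag))
    server.shutdown()
```

Two things the mock makes visible that match the symptom in the post: the If-Match value has to be the ETag string from the GET that immediately precedes the POST, copied unchanged (quotes included), and every accepted change increments the generation, so an ETag captured earlier, or a change made in between from the UI or another client, produces a 412 on the next POST. When debugging the real server, the first check is to log the raw ETag header of the GET and the raw If-Match header of the POST from the same session and confirm they are byte-for-byte identical.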