Czernobog's Posts

I need to do a password reset on a few NSX-T Edge Appliances. The Appliances were upgraded in the past from older 2.x versions. I've used the standard reset procedure from the documentation: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html Resetting the Passwords of an Appliance This does not seems to work correctly. I'Ve reset both the root and admin account passwords. I've logged in using admin and activated ssh. Then I've logged in again using admin and reset the password expiry for all acounts. Logging in with root via ssh, using the newly set password, fails! I redid the procedure for the root password only, after the reboot I still cannot log in with root using ssh, however I can using the VMRC (console). While logged in via console, I did a passwd & sync, but this did not allow me to log in with ssh. Note: what prompted me to do the change was, that in the upgrade process to 3.0 a few applainces had their /var/log folder run full. After resetting the root pw and logging in with root via console, I've cleared most of the folder and rebooted the appliance. This did not help with the login issue. edit: Solved! My dumb ass forgot to allow root to ssh login in the sshd config. I forgot this was not set in some of the older applainces.

Hello, does anyone know, when or if NSX-V will be made compatible to vSphere 7.x? I plan an upgrade to my environment, am not able to switch to NSX-T 3.0 right now, but would still like to upgrade vSphere.

I want to monitor firewall rule rejects (blocked communication) using log insight. I've set up remote logging on my nsx manager using: set logging-server [ip] proto udp level info also tried it with set logging-server [ip] proto udp level info facility syslog messageid FIREWALL,FIREWALL-PKTLOG I've also set up a firewall rule to reject some traffic and enabled logging. The remote logging seems to work in some way, because when I filter for the nsx-manager hostname in interactive analytics, I can read some events about configuration changes etc., but none are relevant to the network packets sent or rejected. But when selecting one of the NSX-T filters describing the firewall behavior, like for example vmw_nsxt_firewall_action, no events are displayed. Also the NSX Distributed Firewall Dashboards display no events. What else could be done to import the relevant logs into Log Insight from the NSX-T Manager? edit: nevermind, it seems to work, although the events need >15 minutes to be passed on to log insight, which is another problem now edit2: nevermind again, problem still persists - it seems that some events reach log insight and some don't :smileyplain: eidt3: same syslog is configured on the esxi hosts, nsx-t manager and vrli instance are placed in same subnet, so communication inbetween should not be an issue

Hello, I am looking for an afficient way to request a list of firewall sections AND rules, similar to what can be done in NSX-V with GET /api/4.0/firewall/globalroot-0/config So far, by testig out different calls provided here: NSX-T Manager API Guide I assume I would have to iterate through all of the sections and list member rules for each. This seems terribly inefficient if you need to request the whole firewall configuration. Some background: In my environemnt, users who deploy VMs using vRA are able to list and create new firewall rules & sections in NSX-V. These services are based on vRO workflows. At the moment I poll the whole NSX-V DFW configuration in regular intervals and place it in a vRO Resource Element. When a user wants to list or modify a rule, the value of the Resource Element is queried (amongst other things), which is much faster (which is important for the user interaction) then running an API call for each section and rule which affects the users' vms. Edit 26.06.2018: I have built a workaround for myself in the meantime, you can check it out yourself. It works with vRO 7.4 and NTX-T 2.2, but of course I cannot guarantee it will work in your environment. Just fill in the attribute values and the rest operations in the nested workflows, the rest operations are named like the one in the swagger stack.

I have the exact same issue as posted here: https://communities.vmware.com/thread/517614 but since the thread is 2 years old I've decided to create a new post. The DLR is configured to relay DHCP request to an Edge. The relay is configured as per documentation: the Relay Server is the Edge IP, Relay Agent is the Internal Interface of the DLR. The NSX DFW as well as the Edge and DLR firewalls are configred to pass all communication. When a VM is placed on the logical switch and powered on, the Edge recieves a discover and replies with an offer, however this does not reach the VM: Is this configuration valid or do I have to use an external (Windows or other) DHCP server? AFAIK the issue was adressed in NSX 6.2. Message was edited by: Czernobog, corrected NSX version to 6.3.3

Hello, I need help with modifying a firewall rule in NSX, using the API. I do not know how to format the request body, to get past an error 500 (response: <?xml version="1.0" encoding="UTF-8"?><error><details> : input contained no data</details><errorCode>100</errorCode></error>) I've used information provided in the NSX 6.2 API documentation, there are however some discrepancies therein. I use the following path: Extract the DFW Section ETag with GET https:// NSX-Manager-IP-Address /api/4.0/firewall/globalroot-0/config/layer3sections/1335 Construct the request body, like this for example for allowing communication from IP 10.1.2.3 to vSphere VM VM1-test on port 3389. I have queried the rule using the API beforehand. The new thing I want to add to the rule is a comment "TESTComment": <rule id="1415" disabled="false" logged="false">   <name>RULE_EDIT_TEST</name>   <action>allow</action>   <notes>TESTComment</notes>   <appliedToList>     <appliedTo>       <value>10.1.2.3</value>       <type>Ipv4Address</type>       <isValid>true</isValid>     </appliedTo>     <appliedTo>       <name>VM1-test</name>       <value>vm-9636</value>       <type>VirtualMachine</type>       <isValid>true</isValid>     </appliedTo>   </appliedToList>   <sectionId>1335</sectionId>   <direction>inout</direction>   <packetType>any</packetType>   <sources>     <source>       <value>10.1.2.3</value>       <type>Ipv4Address</type>       <isValid>true</isValid>     </source>   </sources>   <destinations>     <destination>       <name>VM1-test</name>       <value>vm-9636</value>       <type>VirtualMachine</type>       <isValid>true</isValid>     </destination>   </destinations>   <services>     <service>       <isValid>true</isValid>       <destinationPort>3389</destinationPort>       <protocol>6</protocol>       <protocolName>TCP</protocolName>     </service>   </services> </rule> Use PUT https://NSX-Manager-IP-Address/api/4.0/firewall/globalroot-0/config/layer3sections/1335/rules/1415 to edit the rule Following headers are used: Content-Type: application/xml, Authorization: Basic (Base64 string), If-Match: Etag value from 1. Each time the above is executed, I get the response error 500. I use a REST Client and have also wrapped all of the above up into a vRO workflow. I've tried changing the scope to: <appliedTo> <name>DISTRIBUTED_FIREWALL</name> <value>DISTRIBUTED_FIREWALL</value> <type>DISTRIBUTED_FIREWALL</type> <isValid>true</isValid> </appliedTo> since I use the same scope when creating new sections. There are also some discrepancies in the documentation, section "Modify Firewall Rule": "Not all fields are required while sending the request. Refer to the optional field in the schema definition of various objects. All the optional fields are safe to be ignored while sending the rules configuration to server." followed by a simple request body example. Further down in the "Distributed Firewall Examples" it is said that "<appliedTo>, <source> and <destination> sections require the following fields block: <name>, <value>, <type> and <isValid>." The header Content-Type has the value text/xml (I assume this is wrong?) Is there something missing in the request body? EDIT 30.11: I've deconstructed my vRO workflow and rebuilt a simple version of it. You can try it yourself, just set the values for hostResource and restOperation in the nested workflows. The "GET NSX DFW Section and Rule" workflow needs a GET request, the "Edit DFW Rule PUT request" needs the PUT request. I've made following changes to the above listed values: - Content-Type of the PUT request is text/xml, not application/xml - I've added the attribute  excluded="false" to the <sources> and <destinations> nodes in the request body - set the scope to DISTRIBUTED_FIREWALL This works when executed in vRO, I still the same error as described in the beginning of the post when executing the request in my REST client (fiddler). Maybe the fault lies in a misconfiguration of the client, I don't know, since I cannot use FF with RESTClient or Postman in the environment.

Hi, I'm trying to find a list of all services and issigned ports, since the descriptions are missing from the web GUI. When creating new DFW rules, you can assign serivces, besides the common TCP\UDP ports. It is difficult to use them, because, besides the obivous ones like HTTP or HTTPS, descriptions are missing, so I do not know which network ports are assigned to a service. I know I can query all services with https://[IP]/api/2.0/services/applicationgroup/scope/globalroot-0 and after that query each service with https://[IP]/api/2.0/services/applicationgroup/[applicationGroupId] and https://[IP]/api/2.0/services/application/[applicationId] But this is a really cumbersome way to get the information I need. I just simple want a Network port to Service name assignment, so I have a simple overview of what I can set in the NSX Plugin GUI.

I have tagged existing firewall rules with tags, which correspond to the security group names where the vm's the rules are applied to reside. The NSX Appliance is part of a vRA environment, where users can provision VMs themselves and where some NSX DFW rules are applied by default and some can be set by the users themselves. I now want to give my users the ability to get a list of firewall rules that are applied on VM's owned by them or their business groups. In the NSX DFW you can only apply one tag to each rule, but in my case I would have to apply more than one tag. I try to solve this by combining tags into one string and separating them with commas, for example: "DevGroup1,BusinessGroup2,ClientDepartment3" etc. Now if I wanted to filter out rules applied to "ClientDepartment3" I would have to use a wildcard in my URL, which would look like this: https://NSXFQDN/api/4.0/firewall/globalroot-0/config?ruleType=LAYER3&tag=*ClientDepartment3* This does not work and returns an empty response. I've tried different wildcard symbols and also applying a "&wildcard=true" to the URL. I don't exactly know how the server handles wildcards and if it is even possible to apply those in an URL. The API 6.2 documentation does not mention wildcards. Is there a way to get a filter like that to work? Maybe with a regex instead of plain wildcard symbols?