VMware Cloud Community
JonnyL831
Contributor

Error configuring/adding firewall rules using vShield (REST) API

Hello all:

I'd appreciate any and all information anyone could provide about the following:

Using the REST API I can get the current rules. However, when I attempt to add a new rule I'm getting the error:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Errors><Error><code>100030</code><description>Precondition failed.Please update the current configuration.</description></Error></Errors>

Here's the curl command line:

curl -X POST -v -H "Content-Type: application/xml" -k -u "admin:<pwd>"  "https://192.168.8.100/api/2.0/app/firewall/datacenter-2/config" -T myNewRule.xml

And here's the contents of myNewRule.xml:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<VshieldAppConfiguration>
    <firewallConfiguration contextId="datacenter-2" provisioned="true">
        <layer3FirewallRule disabled="false" precedence="high" id="1024">
            <action>allow</action>
            <logged>false</logged>
            <notes></notes>
            <source>
                <address exclude="false">
                    <containerId>securitygroup-195</containerId>
                </address>
            </source>
            <destination>
                <address exclude="false">
                    <containerId>securitygroup-196</containerId>
                </address>
                <application>
                    <portInfo>9999</portInfo>
                    <protocol>6</protocol>
                    <protocolName>TCP</protocolName>
                </application>
            </destination>
        </layer3FirewallRule>
        <layer3FirewallRule disabled="false" precedence="high" id="1023">
            <action>allow</action>
            <logged>false</logged>
            <notes>Kids need to pray</notes>
            <source>
                <address exclude="false">
                    <containerId>securitygroup-195</containerId>
                </address>
            </source>
            <destination>
                <address exclude="false">
                    <containerId>securitygroup-196</containerId>
                </address>
                <application>
                    <portInfo>4444</portInfo>
                    <protocol>17</protocol>
                    <protocolName>UDP</protocolName>
                </application>
            </destination>
        </layer3FirewallRule>
        <layer3FirewallRule disabled="false" precedence="default" id="1008">
            <action>allow</action>
            <logged>false</logged>
            <notes></notes>
            <source />
            <destination />
        </layer3FirewallRule>
        <layer2FirewallRule disabled="false" precedence="default" id="1009">
            <action>allow</action>
            <logged>false</logged>
            <notes></notes>
            <destination />
        </layer2FirewallRule>
    </firewallConfiguration>
</VshieldAppConfiguration>
5 Replies
xarcity
Contributor

Hello there,

Were you able to resolve this issue?

I am getting the same error.

Thanks

xarcity
Contributor

I found out why this was erroring out but am getting a new error now

"Unmatched rules found in the configurations"

Akhan98
Contributor

Change Firewall Configuration


To configure vShield App firewall rules,
1 Query the firewall rules for the context you want to configure. The context can be a datacenter, cluster, or port-group.
2 Extract the XML from the response body in step 1 and make the desired changes to it.
3 Extract the value of the generation number from the Etag header of the response in Step 1, and add it as the If-Match header in the POST call.
For example, the generation number in the GET response for the firewall configuration of a datacenter is
1312802020950 . You must now specify the following header in the Request Body of a
POST command for changing the datacenter firewall configuration:
If-Match: "1312802020950"
4 Pass the modified XML from step 2 as the Request Body in a POST call.
IMPORTANT You must specify the complete configuration for a context in the POST call.

We need to put If-Match in the request header to resolve the error below.

Precondition failed.Please update the current configuration.

Akhan98
Contributor

For "Unmatched rules found in the configurations", we need to get the fresh configuration from a GET request each time before pushing (POST) any configuration.

e.g. in the tag <layer3FirewallRule disabled="false" precedence="none" id="1029"> we have an id attribute that gets changed on every post, so here we just take the latest config and add/modify the configuration as per need.

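The four documented steps and the refresh-before-POST advice from the two replies above, worked through end to end as an added Python example (not code from this thread or from VMware): GET the configuration, keep the ETag generation number, add a layer3FirewallRule to the complete XML, POST it back with If-Match, and on a precondition failure refetch rather than reuse the stale document. Assumptions not stated on the page: that error 100030 arrives as HTTP 412, that a rule posted without an id attribute gets one allocated by vShield Manager (the thread only says ids change on every POST), and that the rule ordering in the GET response (high before default, layer2 last) should be preserved. SAMPLE_CONFIG is a constructed document in the shape of the XML quoted above, so the XML handling can be exercised offline; push_rule() needs a live manager.

```python
"""Add a vShield App firewall rule: GET config + ETag, modify the complete XML,
POST with If-Match, refetch on precondition failure. Example code for this thread."""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

PROTOCOL_NUMBERS = {"TCP": 6, "UDP": 17}

# Constructed sample modelled on the GET response quoted in the thread (not a real capture).
SAMPLE_CONFIG = """<VshieldAppConfiguration>
  <firewallConfiguration contextId="datacenter-2" provisioned="true">
    <layer3FirewallRule disabled="false" precedence="high" id="1023">
      <action>allow</action><logged>false</logged><notes />
      <source><address exclude="false"><containerId>securitygroup-195</containerId></address></source>
      <destination><address exclude="false"><containerId>securitygroup-196</containerId></address>
        <application><portInfo>4444</portInfo><protocol>17</protocol><protocolName>UDP</protocolName></application>
      </destination>
    </layer3FirewallRule>
    <layer3FirewallRule disabled="false" precedence="default" id="1008">
      <action>allow</action><logged>false</logged><notes /><source /><destination />
    </layer3FirewallRule>
    <layer2FirewallRule disabled="false" precedence="default" id="1009">
      <action>allow</action><logged>false</logged><notes /><destination />
    </layer2FirewallRule>
  </firewallConfiguration>
</VshieldAppConfiguration>"""


def parse_generation(etag_header):
    """Return the bare generation number from an ETag value such as "1312802020950"."""
    value = etag_header.strip()
    if value.startswith("W/"):  # weak-validator prefix, tolerated defensively
        value = value[2:]
    return value.strip('"')


def list_layer3_rules(config_xml):
    """(precedence, protocolName, portInfo) for every layer3 rule, in document order."""
    rows = []
    for rule in ET.fromstring(config_xml).iter("layer3FirewallRule"):
        app = rule.find("destination/application")
        rows.append((rule.get("precedence"),
                     app.findtext("protocolName") if app is not None else None,
                     app.findtext("portInfo") if app is not None else None))
    return rows


def add_layer3_rule(config_xml, source_group, dest_group, port, protocol,
                    action="allow", notes="", precedence="high"):
    """Return the complete configuration with one new layer3FirewallRule added.
    No id attribute is set on the new rule: assumed here that the manager allocates it."""
    protocol = protocol.upper()
    if protocol not in PROTOCOL_NUMBERS:
        raise ValueError("protocol must be TCP or UDP")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    root = ET.fromstring(config_xml)
    fw = root.find("firewallConfiguration")
    if fw is None:
        raise ValueError("response body has no <firewallConfiguration>")

    rule = ET.Element("layer3FirewallRule", {"disabled": "false", "precedence": precedence})
    ET.SubElement(rule, "action").text = action
    ET.SubElement(rule, "logged").text = "false"
    ET.SubElement(rule, "notes").text = notes
    src_addr = ET.SubElement(ET.SubElement(rule, "source"), "address", {"exclude": "false"})
    ET.SubElement(src_addr, "containerId").text = source_group
    dst = ET.SubElement(rule, "destination")
    dst_addr = ET.SubElement(dst, "address", {"exclude": "false"})
    ET.SubElement(dst_addr, "containerId").text = dest_group
    app = ET.SubElement(dst, "application")
    ET.SubElement(app, "portInfo").text = str(port)
    ET.SubElement(app, "protocol").text = str(PROTOCOL_NUMBERS[protocol])
    ET.SubElement(app, "protocolName").text = protocol

    # Preserve the order the GET returned (high, then default, layer2 last):
    # place the new rule after the last existing rule of its precedence.
    children = list(fw)
    l3 = [i for i, c in enumerate(children) if c.tag == "layer3FirewallRule"]
    same = [i for i in l3 if children[i].get("precedence") == precedence]
    if same:
        at = same[-1] + 1
    elif precedence == "high" and l3:
        at = l3[0]
    else:
        at = (l3[-1] + 1) if l3 else 0
    fw.insert(at, rule)
    return ET.tostring(root, encoding="unicode")


def push_rule(base_url, context_id, user, password, rule, verify_tls=True, retries=1):
    """GET config and ETag, add the rule, POST with If-Match; refetch and retry on 412.
    verify_tls=False reproduces curl -k: lab use only, otherwise trust the manager's CA."""
    url = f"{base_url}/api/2.0/app/firewall/{context_id}/config"
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    for attempt in range(retries + 1):
        req = urllib.request.Request(url, headers={"Authorization": auth})
        with urllib.request.urlopen(req, context=ctx) as resp:
            etag, current = resp.headers.get("ETag"), resp.read()
        if etag is None:
            raise RuntimeError("GET response has no ETag header; cannot build If-Match")
        body = add_layer3_rule(current, **rule).encode("utf-8")
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Authorization": auth, "Content-Type": "application/xml",
            "If-Match": f'"{parse_generation(etag)}"'})  # quoted, as the GET returned it
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            # Assumed: error 100030 "Precondition failed" arrives as HTTP 412, meaning the
            # generation moved since our GET. Stale rule ids would also trip "Unmatched
            # rules found", so loop back and refetch instead of resending the old document.
            if err.code == 412 and attempt < retries:
                continue
            raise
```

Usage against a manager would be `push_rule("https://192.168.8.100", "datacenter-2", "admin", pwd, {"source_group": "securitygroup-195", "dest_group": "securitygroup-196", "port": 9999, "protocol": "tcp"})`; the whole configuration goes in the POST body every time, as the documentation quoted above requires, and the If-Match value must be the ETag from the GET that produced that exact body.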
Craigie123
Contributor

Thanks this sorted out my issue 😉
