VMware Cloud Community
xarcity
Contributor

Unable to add App Firewall Rules using vShield REST APIs

Hello All,

I am getting the following error

"<Errors><Error><code>100039</code><description>Unmatched rules found in the configuration.</description></Error></Errors>"

when using the vShield App APIs:

POST     https://<vsm-ip>/api/2.0/app/firewall/dvportgroup-55/config

XML payload:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VshieldAppConfiguration>
    <firewallConfiguration contextId="dvportgroup-55">
        <layer3FirewallRule disabled="false" precedence="none" id="1021">
            <action>allow</action>
            <logged>false</logged>
            <source>
                <address>
                    <ipAddress>172.30.68.212</ipAddress>
                </address>
                <portInfo>222</portInfo>
            </source>
            <destination>
                <address>
                    <ipAddress>172.30.68.166</ipAddress>
                </address>
                <application>
                    <portInfo>333</portInfo>
                    <protocol>6</protocol>
                </application>
            </destination>
        </layer3FirewallRule>
    </firewallConfiguration>
</VshieldAppConfiguration>

Has anyone seen this before or any idea as to why this could be happening?

Also, for setting the firewall rules we need to provide the "id" attribute. How do we know what id to use for creating a new firewall rule? I am using id="1021" as I can see that is the last one created after querying the API, but when calling this through automation, what will be the process to set a valid id?

Thanks,

xar

Accepted Solution
admin
Immortal

The id needs to be present; for a new rule the id should be "0", while for others it should be kept as is. I believe that's the reason for this error. Replacing 1021 with 0 should resolve it. http://blogs.vmware.com/security/2011/11/using-the-vshield-api.html should also be helpful for getting started with the vShield App Firewall REST APIs.

--Kaushal

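To show how the accepted answer plays out in automation, here is an added example (not code from the original post, from VMware, or from the linked blog). It takes the configuration returned by a GET on the same /api/2.0/app/firewall/&lt;contextId&gt;/config URL, appends a new layer3FirewallRule with id="0", refuses to send any rule whose id is neither "0" nor one the server already returned, and only then POSTs the whole document back. The element names and attributes follow the payload in the question; the EXISTING_CONFIG response, the vsm.example.internal host and the credentials are constructed placeholders, not data from a real vShield Manager.

```python
"""Append a new vShield App firewall rule (id="0") to an existing configuration
and POST it to /api/2.0/app/firewall/<contextId>/config.  Added example; the
XML shape is taken from the question, the sample GET response is constructed."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed stand-in for what GET .../app/firewall/dvportgroup-55/config
# returns: the one rule (id 1021) that the question already created.
EXISTING_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VshieldAppConfiguration>
    <firewallConfiguration contextId="dvportgroup-55">
        <layer3FirewallRule disabled="false" precedence="none" id="1021">
            <action>allow</action>
            <logged>false</logged>
            <source><address><ipAddress>172.30.68.212</ipAddress></address></source>
            <destination>
                <address><ipAddress>172.30.68.166</ipAddress></address>
                <application><portInfo>333</portInfo><protocol>6</protocol></application>
            </destination>
        </layer3FirewallRule>
    </firewallConfiguration>
</VshieldAppConfiguration>
"""

NEW_RULE_ID = "0"  # per the accepted answer: a rule to be created carries id 0


def make_layer3_rule(src_ip, dst_ip, dst_port, protocol=6, action="allow"):
    """Build a layer3FirewallRule element shaped like the one in the question.
    The id is always "0" so vShield Manager allocates the real id itself."""
    rule = ET.Element("layer3FirewallRule",
                      {"disabled": "false", "precedence": "none", "id": NEW_RULE_ID})
    ET.SubElement(rule, "action").text = action
    ET.SubElement(rule, "logged").text = "false"
    src = ET.SubElement(rule, "source")
    ET.SubElement(ET.SubElement(src, "address"), "ipAddress").text = src_ip
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(ET.SubElement(dst, "address"), "ipAddress").text = dst_ip
    app = ET.SubElement(dst, "application")
    ET.SubElement(app, "portInfo").text = str(dst_port)
    ET.SubElement(app, "protocol").text = str(protocol)
    return rule


def merge_rules(existing_xml, new_rules):
    """Append new rules to the configuration fetched from the API.
    Returns (serialized XML to POST, list of rule ids in document order)."""
    root = ET.fromstring(existing_xml)
    fw = root.find("firewallConfiguration")
    if fw is None:
        raise ValueError("no firewallConfiguration element in server response")
    # Ids the server already knows; anything else must be "0" (new rule).
    known = {r.get("id") for r in fw.findall("layer3FirewallRule")}
    for rule in new_rules:
        fw.append(rule)
    ids = [r.get("id") for r in fw.findall("layer3FirewallRule")]
    # A made-up id (e.g. "last id + 1") is exactly what the question sent;
    # reject it locally instead of letting the server answer 100039.
    bad = [i for i in ids if i != NEW_RULE_ID and i not in known]
    if bad:
        raise ValueError(f"rule ids unknown to the server: {bad}")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body, ids


def post_config(vsm_host, context_id, xml_body, user, password):
    """POST the merged configuration back.  Hostname and credentials are
    placeholders; urllib verifies the server certificate by default, so
    install the vShield Manager CA locally rather than disabling checks."""
    url = f"https://{vsm_host}/api/2.0/app/firewall/{context_id}/config"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=xml_body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/xml")
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    new_rule = make_layer3_rule("172.30.68.212", "172.30.68.166", 333)
    payload, rule_ids = merge_rules(EXISTING_CONFIG, [new_rule])
    print("rule ids to be sent:", rule_ids)  # existing 1021 kept, new rule is 0
    # post_config("vsm.example.internal", "dvportgroup-55", payload, "admin", "...")
```

In practice the flow is GET the current configuration, merge, POST the whole document: the POST replaces the configuration for that contextId, so leaving an existing rule out of the payload deletes it, and changing an existing rule's id to anything the server did not hand out is what the local check above is meant to catch before the request goes out.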
kruskakli
Contributor

Compared to the examples in that blog, you now get this kind of error when trying to create a new firewall rule:

  "Support for Port-Protocol has been deprecated. Please use Application instead of Port : 80 and Protocol: 6"

So I noticed that in the 5.1 API documentation they now talk about an "applicationsetId".

I wonder: what is that? And where can I find that data?

Cheers, Toby
