Sarathvmw
Contributor

Creating a firewall rule on NSX manager from VRO

Hi All,

Created a workflow using the existing workflow "Create Firewall Layer 3 Section" and entered the values for all the inputs. But it's failing to execute with the following error.

|  'output': name=firewallSection type=NSX:FirewallSection value=null

|  'no inputs'

--workflow: 'Create Firewall Layer 3 Section' (ccaf987f-fd4b-458f-8118-71bfe8692128)

  |  'input': name=connection type=NSX:Connection value=dunes://service.dunes.ch/CustomSDKObject?id='3869bbfb-bf38-42fe-80cd-514fc481bdd2'&dunesName='NSX:Connection'

  |  'input': name=sectionName type=string value=SecurityPolicy-Global :: NSX Service Composer - Firewall

  |  'input': name=listRules type=Array/CompositeType(ruleName:string,enabled:boolean,action:string,direction:string,packetType:string,logging:boolean,appliedToList:Array/string,isSourcesExcluded:boolean,sourcesList:Array/string,isDestinationsExcluded:boolean,destinationsList:Array/string,services:Array/string,serviceGroups:Array/string):NSXFirewallSectionRulesWithSAndSG value=#{#CompositeType(ruleName:string,enabled:boolean,action:string,direction:string,packetType:string,logging:boolean,appliedToList:Array/string,isSourcesExcluded:boolean,sourcesList:Array/string,isDestinationsExcluded:boolean,destinationsList:Array/string,services:Array/string,serviceGroups:Array/string):NSXFirewallSectionRulesWithSAndSG##[#packetType#=#string#icmp#+#appliedToList#=#Array##{#string#any#}##+#destinationsList#=#Array##{#string#any#}##+#isSourcesExcluded#=#boolean#false#+#serviceGroups#=#Any#Any#__NULL__#+#sourcesList#=#Array##{#string#any#}##+#isDestinationsExcluded#=#boolean#false#+#services#=#Any#Any#__NULL__#+#enabled#=#boolean#false#+#ruleName#=#string#TestRule#+#action#=#string#Allow#+#logging#=#boolean#false#+#direction#=#string#Any#]##}#

  |  'input': name=operation type=string value=insert_after

  |  'input': name=anchorId type=string value=

  |  'input': name=autoSaveDraft type=string value=true

  |  'output': name=firewallSection type=NSX:FirewallSection value=null

  |  'no attributes'

*** End of execution stack.

A lot of variables are unknown and I could not find any documentation. Please help. I am listing some of them below.

  1. Connection: Gave NSX connection information
  2. sectionToGet = Ignored it
  3. sectionName = Input name of the firewall group.
  4. operation = insert_after
  5. autoSaveDraft = true
  6. anchorId = not sure what should be the value

Also, while creating a firewall rule, the following inputs need to be given, and I can't find any documentation on how to input these values. Please help.

  1. ruleName = TestRule
  2. action = Allow
  3. direction = Any (not sure of all the available values)
  4. packetType = icmp
  5. appliedToList = any
  6. isSourcesExcluded = no
  7. sourcesList = any
  8. isDestinationsExcluded = no
  9. destinationsList = any
  10. services = I didn’t provide any value
  11. serviceGroups = I didn’t provide any value

Thanks,

Sarath

0 Kudos
2 Replies
iiliev
VMware Employee

Hi,

The NSX plug-in is not implemented/supported by the vRO team, and I'm not sure whether the NSX guys are visiting the vRO forums regularly, so you may want to post the same question on the NSX community forum as well, which is available at https://communities.vmware.com/community/vmtn/nsx

0 Kudos
crenaudtam
VMware Employee

Hi,

Not sure if you were able to figure out what is the expected value of the anchor id, but in case you're still wondering.

The anchor id should be equal to the ID of the Firewall Section that matches where you wish to add the new section (before or after).

For example, if you wish to add a section before the default section - layer 3, you would add the id (in my case) 1003.

These Firewall Section IDs can be found via:

  • the vRO NSX plugin inventory (see attachment)
  • REST API
    • https://[NSX Manager FQDN]/api/4.0/firewall/globalroot-0/config/layer3sections?name=L3 - Default Section
      • "section" id="1003"
  • Also available if you hit the information button in the firewall section (see attachment)

Thanks!

0 Kudos
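
The REST lookup described in the reply above, as an added example that is not part of the original thread or of the NSX plug-in: it percent-encodes the section name, reads the section id from the XML response, and refuses an empty or ambiguous match before the value is used as anchorId. Assumptions: the response wraps `section` elements as in the constructed sample, the NSX Manager accepts HTTP Basic authentication, and the `NSX_MANAGER`, `NSX_USER` and `NSX_PASSWORD` environment variable names are hypothetical.

```python
import base64
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_PATH = "/api/4.0/firewall/globalroot-0/config/layer3sections"  # path from the reply


def section_url(manager_fqdn, section_name):
    """Build the lookup URL; the name contains spaces and must be percent-encoded."""
    query = urllib.parse.urlencode({"name": section_name}, quote_via=urllib.parse.quote)
    return f"https://{manager_fqdn}{API_PATH}?{query}"


def section_ids(xml_text, section_name):
    """Return the ids of all <section> elements whose name matches exactly."""
    root = ET.fromstring(xml_text)
    return [s.get("id") for s in root.iter("section") if s.get("name") == section_name]


def anchor_id(xml_text, section_name):
    """Return exactly one id to use as anchorId; fail on zero or several matches."""
    ids = section_ids(xml_text, section_name)
    if len(ids) != 1:
        raise LookupError(f"expected one section named {section_name!r}, found {len(ids)}")
    return ids[0]


def fetch_sections(manager_fqdn, section_name, user, password):
    """GET the section list over HTTPS with default certificate verification."""
    req = urllib.request.Request(section_url(manager_fqdn, section_name))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # assumed auth scheme
    req.add_header("Accept", "application/xml")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response; only the section id value comes from the reply.
SAMPLE = """<sections>
  <section id="1003" name="L3 - Default Section" type="LAYER3"/>
</sections>"""

if __name__ == "__main__":
    host = os.environ.get("NSX_MANAGER")  # hypothetical variable names
    xml_text = SAMPLE if not host else fetch_sections(
        host, "L3 - Default Section", os.environ["NSX_USER"], os.environ["NSX_PASSWORD"])
    print("anchorId =", anchor_id(xml_text, "L3 - Default Section"))
```

Without `NSX_MANAGER` set, the script parses the embedded sample instead of contacting a server.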