
vCD | How to select ESP as Protocol in firewall rule of ESG

Overview
How to connect
How to extract edge firewall rules config
How to update edge firewall rules config

Overview

This post shares the process for changing the protocol of an existing NSX-v Edge firewall rule (not the DFW). On vCD's Edge Services Gateway page the only protocols offered are TCP, UDP, ICMP and Any. See the image below.
My customer needed another protocol here, ESP. It was clear from the GUI that this cannot be set there, so I changed it successfully through API queries.

How to connect

Before updating this firewall rule field, we need to know how to connect to vCloud Director from an API tool. You can use Postman, Insomnia or ARC (Advanced REST Client) to connect to vCD. You might need to disable the SSL certificate check before executing any API call. The snippet below is from the Postman API tool.

Once the SSL check is disabled:
1. Set Authorization to Basic Auth. See the image below.

2. Set the header below
Accept application/*;version=32.0

Set the version according to your vCD version.

3. Now create an API query for https://vcloud_ip_or_fqdn/api/sessions and select POST as the query type. It will look like
POST https://vcloud_ip_or_fqdn/api/sessions
This query obtains the authorization and access tokens. Once you have entered the URL and selected POST as the query type, hit the "Send" button to run the query.
After the run you will get "200 OK" along with the authorization and access token headers. See the images below.


Use the above two headers as shown in the images below.

Now you are ready to perform any operation in vCD using this API tool.
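The same login flow, as an added example in Python rather than Postman (this is not code from the original post): it performs the POST to /api/sessions with Basic Auth and the versioned Accept header, then keeps the two token headers for later calls. The header names x-vcloud-authorization and X-VMWARE-VCLOUD-ACCESS-TOKEN / X-VMWARE-VCLOUD-TOKEN-TYPE, and the user@org form of the Basic Auth username, are my assumptions about what the post's screenshots show; vcloud_ip_or_fqdn and the credentials are placeholders.

```python
"""Added example (not from the original post): log in to vCloud Director
with POST /api/sessions and collect the headers needed for later calls.

Assumptions not stated in the post: the token header names
x-vcloud-authorization and X-VMWARE-VCLOUD-ACCESS-TOKEN / X-VMWARE-VCLOUD-TOKEN-TYPE,
and the user@org Basic Auth username form. vcloud_ip_or_fqdn is a placeholder.
"""
import base64
import ssl
import urllib.request


def basic_auth_header(user: str, org: str, password: str) -> str:
    """Basic Auth value for vCD: the username is written as user@org."""
    raw = f"{user}@{org}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def session_headers_from_response(response_headers, api_version: str) -> dict:
    """Pick the token headers out of the /api/sessions response and build the
    header set that every later request carries (the post's 'use the above
    two headers' step). Header names are compared case-insensitively."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    if "x-vcloud-authorization" not in lower:
        raise KeyError("no x-vcloud-authorization header: login did not succeed")
    headers = {
        "Accept": f"application/*;version={api_version}",
        "x-vcloud-authorization": lower["x-vcloud-authorization"],
    }
    token = lower.get("x-vmware-vcloud-access-token")
    if token:
        token_type = lower.get("x-vmware-vcloud-token-type", "Bearer")
        headers["Authorization"] = f"{token_type} {token}"
    return headers


def login(base_url: str, user: str, org: str, password: str,
          api_version: str = "32.0", verify_tls: bool = True) -> dict:
    """POST {base_url}/api/sessions and return the headers for later calls.
    verify_tls=False is the equivalent of Postman's disabled SSL check; for a
    self-signed vCD certificate, ssl.create_default_context(cafile=...) keeps
    verification on instead."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"{base_url}/api/sessions", data=b"", method="POST",
        headers={"Accept": f"application/*;version={api_version}",
                 "Authorization": basic_auth_header(user, org, password)})
    with urllib.request.urlopen(req, context=ctx) as resp:
        if resp.status != 200:
            raise RuntimeError(f"login failed: HTTP {resp.status}")
        return session_headers_from_response(resp.headers, api_version)


if __name__ == "__main__":
    # Placeholder host and credentials; fill in your own before running.
    hdrs = login("https://vcloud_ip_or_fqdn", "administrator", "System", "CHANGE_ME")
    print(sorted(hdrs))
```

The returned dictionary is what Postman holds in its header tab after the login call; pass it unchanged to every GET and PUT that follows.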

How to extract edge firewall rules config


Use the API query below to extract your Org details

1. GET https://vcloud_ip_or_fqdn/api/org

Copy the output and paste it into Notepad++. Search for the target OrgVDC name where your edge resides. Then create another query and run it

2. GET https://vcloud_ip_or_fqdn/api/vdc/a038859f-bf22-4d64-b6dc-e1cb8fdf2fbc

You will see similar output in your own Notepad++ data. Copy the vdc href from your Notepad++ file (not from here), paste it into Postman and hit Send.

This gives you another output, for the OrgVDC. Search it for the edge name. You will find a line like the one below. Copy that line and run it as another query
https://iaas-sin.aticloud.aero/network/vdc/a038859f-bf22-4d64-b6dc-e1cb8fdf2fbc/edges
Now create an API call like

3. GET https://vcloud_ip_or_fqdn/network/vdc/a038859f-bf22-4d64-b6dc-e1cb8fdf2fbc/edges

It returns output like below, a single line.

https://vcloud_ip_or_fqdn/network/edges/1343b683-bdca-4b80-9e19-8d668f98d8bc

Now create a query to fetch the edge firewall service. It will look like

4. GET https://vcloud_ip_or_fqdn/network/edges/1343b683-bdca-4b80-9e19-8d668f98d8bc/firewall/config

It returns the complete firewall configuration of this edge.

How to update edge firewall rules config

It is a simple process. Copy the output of step 4 into a text editor like Notepad++ and search for entries like the ones below
<application>
  <service>
    <protocol>tcp</protocol>
    <port>any</port>
    <sourcePort>any</sourcePort>

Here the protocol needs to change from tcp to esp. Change the field to esp in Notepad++ itself. It will look like below
<application>
  <service>
    <protocol>esp</protocol>
    <port>any</port>
    <sourcePort>any</sourcePort>
Now copy the entire output from Notepad++ (the full document, not just these five lines) and paste it into Postman. Where? See below


Once done, create the query below

PUT https://vcloud_ip_or_fqdn/network/edges/1343b683-bdca-4b80-9e19-8d668f98d8bc/firewall/config

and hit the Send button. That's it. To cross-check, either look in the GUI or follow "How to extract edge firewall rules config" again.
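The edit-and-verify step done programmatically, as an added example (not the post's own code): it changes the protocol of exactly one named rule in the XML returned by step 4, leaves every other rule alone, and lists each rule's protocol so the result can be cross-checked before and after the PUT. A text-editor "replace all" on tcp would hit every TCP rule on the edge, which is the mistake this avoids. The element names firewallRules, firewallRule and name around the application/service/protocol block the post shows are my assumption about the NSX-v edge firewall schema, as is Content-Type application/xml for the PUT; the sample config is constructed, not captured from a real vCD, and the edge href is a placeholder.

```python
"""Added example (not the post's own code): change the protocol of ONE named
edge firewall rule to esp by editing the XML from GET .../firewall/config,
then list every rule's protocol so the change can be cross-checked.

Assumptions not stated in the post: the <firewallRules>/<firewallRule>/<name>
elements around the <application>/<service>/<protocol> block the post shows,
and Content-Type application/xml for the PUT. The sample below is constructed.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed, trimmed-down reply to GET /network/edges/<edge-id>/firewall/config.
SAMPLE_FIREWALL_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<firewall>
  <enabled>true</enabled>
  <firewallRules>
    <firewallRule>
      <id>131073</id>
      <name>allow-ipsec-data</name>
      <action>accept</action>
      <application>
        <service>
          <protocol>tcp</protocol>
          <port>any</port>
          <sourcePort>any</sourcePort>
        </service>
      </application>
    </firewallRule>
    <firewallRule>
      <id>131074</id>
      <name>allow-web</name>
      <action>accept</action>
      <application>
        <service>
          <protocol>tcp</protocol>
          <port>443</port>
          <sourcePort>any</sourcePort>
        </service>
      </application>
    </firewallRule>
  </firewallRules>
</firewall>
"""


def list_rule_protocols(config_xml: str) -> dict:
    """Map each rule name to the protocols of its services. Run it on the GET
    output before editing and again after the PUT to confirm the change."""
    root = ET.fromstring(config_xml)
    result = {}
    for rule in root.iter("firewallRule"):
        result[rule.findtext("name")] = [p.text for p in rule.iter("protocol")]
    return result


def set_rule_protocol(config_xml: str, rule_name: str, protocol: str = "esp") -> str:
    """Return the config with the protocol of exactly one rule replaced.
    Matching on the rule name keeps the change scoped; an ambiguous or missing
    name is refused rather than guessed. The port elements are left as they
    are, matching what the post shows (<port>any</port>) for esp."""
    if not protocol or not protocol.islower():
        raise ValueError("protocol must be a lowercase name such as esp")
    root = ET.fromstring(config_xml)
    matches = [r for r in root.iter("firewallRule") if r.findtext("name") == rule_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one rule named {rule_name!r}, found {len(matches)}")
    for proto in matches[0].iter("protocol"):
        proto.text = protocol
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def put_firewall_config(edge_href: str, config_xml: str, session_headers: dict,
                        verify_tls: bool = True) -> int:
    """PUT the edited document back to <edge href>/firewall/config and return
    the HTTP status. session_headers is the header set obtained at login;
    verify_tls=False mirrors Postman's disabled SSL check."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = dict(session_headers, **{"Content-Type": "application/xml"})
    req = urllib.request.Request(f"{edge_href}/firewall/config",
                                 data=config_xml.encode("utf-8"),
                                 method="PUT", headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    updated = set_rule_protocol(SAMPLE_FIREWALL_CONFIG, "allow-ipsec-data", "esp")
    print(list_rule_protocols(SAMPLE_FIREWALL_CONFIG))  # before: both rules tcp
    print(list_rule_protocols(updated))                 # after: only allow-ipsec-data is esp
    # Real run (placeholder href; needs the headers from the login step):
    # put_firewall_config("https://vcloud_ip_or_fqdn/network/edges/<edge-id>", updated, hdrs)
```

Running list_rule_protocols on a fresh GET after the PUT is the API equivalent of the post's cross-check in the GUI; if the edge rejected the document, the PUT raises an HTTPError instead of returning 200.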

1 comment:

  1. Typically I never comment on online journals, yet your article is so persuasive that I could not stop myself from saying something about it. You're doing admirably, keep it up. firewall services