This is a quick write-up based on a question I received from one of the readers.
In this post I show an example API call payload that creates a Distributed Firewall Security Policy (aka Section) containing several firewall rules (two in this example).
Note: Detailed information on the API calls used here is available in the NSX-T API guide.
Overview
The API call in this example will create the following:
- Security Policy called “Test_API_Policy”
- Two firewall rules:
- “Test_API_Rule1” – to allow ICMP from ANY to 1.1.1.1
- “Test_API_Rule2” – to allow ICMP from ANY to 1.2.3.4
The Code
The method to use is PATCH, as in most cases with the Policy API. PATCH on /infra is a create-or-update operation, so re-running the same payload updates the objects in place rather than creating duplicates.
PATCH https://{{NSX_MANAGER}}/policy/api/v1/infra
And here is the example payload. The hierarchy is Infra -> ChildDomain -> ChildSecurityPolicy, and the rules sit inside the SecurityPolicy's "rules" array. Note that "marked_for_delete" is a JSON boolean, not a string, and that "category" is set on the SecurityPolicy (not on the individual rules).
```json
{
  "resource_type": "Infra",
  "children": [
    {
      "resource_type": "ChildDomain",
      "Domain": {
        "id": "default",
        "resource_type": "Domain",
        "children": [
          {
            "resource_type": "ChildSecurityPolicy",
            "marked_for_delete": false,
            "SecurityPolicy": {
              "id": "Test_API_Policy",
              "resource_type": "SecurityPolicy",
              "category": "Application",
              "rules": [
                {
                  "resource_type": "Rule",
                  "display_name": "Test_API_Rule1",
                  "sequence_number": 1,
                  "source_groups": [ "ANY" ],
                  "destination_groups": [ "1.1.1.1" ],
                  "services": [ "/infra/services/ICMP-ALL" ],
                  "action": "ALLOW"
                },
                {
                  "resource_type": "Rule",
                  "display_name": "Test_API_Rule2",
                  "sequence_number": 2,
                  "source_groups": [ "ANY" ],
                  "destination_groups": [ "1.2.3.4" ],
                  "services": [ "/infra/services/ICMP-ALL" ],
                  "action": "ALLOW"
                }
              ]
            }
          }
        ]
      }
    }
  ]
}
```
The expected HTTP status is 200. Anything else (for example 400 for a malformed payload or 403 for insufficient privileges) means nothing was created, so check the status before assuming the policy exists.
Additional Note:
If you want a Security Group as source or destination, just replace the IP or ANY with the API path of the Security Group. For example, if you have a Security Group named “WEB-VMs”, the path to it will be “/infra/domains/default/groups/WEB-VMs”. You can always click the ⠇ next to the Security Group name and select “Copy path to clipboard”.
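The same call built programmatically, as an added example (my own code, not the post's or VMware's). It generates the two-rule policy above, goes one step further by adding a third rule whose destination is a Group path as described in the note, validates the things the API would reject (an unknown DFW category, a duplicate sequence number), and sends the PATCH with certificate verification kept on. The manager hostname, credentials and CA bundle are read from environment variables; the "WEB-VMs" group is hypothetical.

```python
"""Build and (optionally) PATCH an NSX-T hierarchical Policy API payload.

Added example for this post, not code from the original article or from VMware.
Assumptions (constructed for the example): manager hostname, credentials and CA
bundle come from environment variables; the domain is NSX-T's built-in "default";
the Group "WEB-VMs" is hypothetical.
"""
import base64
import json
import os
import ssl
import urllib.request

DEFAULT_DOMAIN = "default"
ICMP_ALL = "/infra/services/ICMP-ALL"   # built-in NSX-T service used in the post
# The five DFW categories; the Policy API rejects anything else.
DFW_CATEGORIES = ("Ethernet", "Emergency", "Infrastructure", "Environment", "Application")
ACTIONS = ("ALLOW", "DROP", "REJECT")


def group_path(name, domain=DEFAULT_DOMAIN):
    """Policy path of a Group, i.e. what "Copy path to clipboard" gives you in the UI."""
    return f"/infra/domains/{domain}/groups/{name}"


def make_rule(name, sequence, destinations, sources=("ANY",),
              services=(ICMP_ALL,), action="ALLOW"):
    """One DFW Rule. Entries in sources/destinations may be "ANY", an IP/CIDR,
    or a Group path from group_path(). There is deliberately no "category" key:
    category is a SecurityPolicy attribute, not a Rule attribute."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    return {
        "resource_type": "Rule",
        "display_name": name,
        "sequence_number": sequence,
        "source_groups": list(sources),
        "destination_groups": list(destinations),
        "services": list(services),
        "action": action,
    }


def make_policy(policy_id, rules, category="Application", domain=DEFAULT_DOMAIN):
    """Wrap rules in the Infra -> ChildDomain -> ChildSecurityPolicy hierarchy."""
    if category not in DFW_CATEGORIES:
        raise ValueError(f"unknown DFW category {category!r}")
    seqs = [r["sequence_number"] for r in rules]
    if len(seqs) != len(set(seqs)):
        raise ValueError("sequence_number values must be unique within a policy")
    return {
        "resource_type": "Infra",
        "children": [{
            "resource_type": "ChildDomain",
            "Domain": {
                "id": domain,
                "resource_type": "Domain",
                "children": [{
                    "resource_type": "ChildSecurityPolicy",
                    "marked_for_delete": False,   # JSON boolean, not the string "false"
                    "SecurityPolicy": {
                        "id": policy_id,
                        "resource_type": "SecurityPolicy",
                        "category": category,
                        "rules": list(rules),
                    },
                }],
            },
        }],
    }


def example_payload():
    """The two-rule policy from the post plus a third rule targeting a Group path."""
    rules = [
        make_rule("Test_API_Rule1", 1, ["1.1.1.1"]),
        make_rule("Test_API_Rule2", 2, ["1.2.3.4"]),
        make_rule("Test_API_Rule3", 3, [group_path("WEB-VMs")]),  # hypothetical group
    ]
    return make_policy("Test_API_Policy", rules)


def patch_infra(manager, username, password, payload, cafile=None):
    """PATCH the payload to /policy/api/v1/infra; returns the HTTP status (200 on success).
    TLS verification stays on: pass the manager's CA bundle via cafile instead of disabling it."""
    url = f"https://{manager}/policy/api/v1/infra"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PATCH",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    payload = example_payload()
    print(json.dumps(payload, indent=2))
    if os.environ.get("NSX_MANAGER"):   # only talk to a manager when one is configured
        status = patch_infra(os.environ["NSX_MANAGER"], os.environ["NSX_USER"],
                             os.environ["NSX_PASSWORD"], payload,
                             cafile=os.environ.get("NSX_CA_BUNDLE"))
        print("HTTP", status)
```

Run it without NSX_MANAGER set to just print the payload; set NSX_MANAGER, NSX_USER, NSX_PASSWORD and (for a self-signed manager certificate) NSX_CA_BUNDLE to actually apply it. Because the payload is built from small functions, the structural rules the API enforces (category placement, unique sequence numbers, boolean marked_for_delete) are checked before anything reaches the manager.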
Posted by Aram Avetisyan, May 4, 2020.
Hey, thanks for this post!
I couldn’t find a way to make rules by IP using the NSX-T Manager UI, only by security groups. Are you sure that adding rules like this will work? How can you do this in the UI (version 2.5.1)?
image: https://i.paste.pics/322a1b4c01e9c8a16bb9c6bdb4b21af6.png
Hmmm, interesting… To be honest I don’t have any 2.5.1 to check on. It may be worth raising this question with VMware support.
What I can say for sure is that in version 3.0 the option to add IPs is available.
Here is a screenshot https://paste.pics/ef436753f564397047e2620fec11d91f
Thx. I’ll try that on 3.0 later.
Hi.. me again! Lol, thanks for this. So I have this script working exactly as expected in my sandbox… How would I specify a rule for the “Infrastructure” category? When I read through the DFW material it mentioned Infrastructure would contain rules like AD, DNS, etc. Would that category be a child of the resource_type: Rule?
I ran a GET on the DFW and saw “category”: “Infrastructure” in the return from a test rule I made, but could not get that to work with a PATCH method.
Here is a clip of my code:
```json
"resource_type": "Rule",
"category": "Infrastructure",
"display_name": "Test_API_Rule-ad-api",
"sequence_number": 2,
"source_groups": [
  "ANY"
```
Hello JH,
Category is an attribute of “SecurityPolicy” and not of the “Rule”, so you will have to add it there.
I updated the example I have in the article to show “category”: “Application”; feel free to change it to “category”: “Infrastructure” in your case.
Hope this helps.