NSX

Disabling the NSX-T DFW

Background:

It is possible to disable the NSX-T Distributed Firewall (DFW) using a REST API Client or using cURL (Client URL) via the command line. This article reviews both methods.

Get the current DFW Status with Postman:

Let’s begin with a REST API Client, in this case it’s Postman for Google Chrome. Start by setting up the two required Headers:

  • Authorization Type: Basic, with Username admin
  • Content-Type: application/json

It’s important to note that as of NSX-T 2.4 there is a Policy API, and a Management Plane API. Disabling DFW is not currently available in the Policy API, so the operation needs to be performed via the Management Plane API. This is expected to change on an upcoming NSX-T release.

Here is the Management Plane API call to get the current DFW status:

     GET https://<nsx-mgr>/api/v1/firewall/status/

In my NSX-T 2.4.1 lab, this is:

     GET https://nsxtmgr.core.hypervizor.com/api/v1/firewall/status/

This GET results in the following body, with Status OK.

Notice that there are two resulting firewall contexts, one for logical routers and one for transport nodes:

Disable NSX-T DFW
{
     "results": [
         {
             "context": "logical_routers",
             "global_status": "ENABLED",
             "resource_type": "FirewallStatus",
             "id": "61f64780-7f87-4d71-8118-65663749eeab",
             "display_name": "61f64780-7f87-4d71-8118-65663749eeab",
             "_create_user": "system",
             "_create_time": 1561055768641,
             "_last_modified_user": "admin",
             "_last_modified_time": 1563848504462,
             "_system_owned": false,
             "_protection": "NOT_PROTECTED",
             "_revision": 2
         },
 {
             "context": "transport_nodes",
             "global_status": "ENABLED",
             "resource_type": "FirewallStatus",
             "id": "f66b2d97-9b52-4174-8182-d74133b62c14",
             "display_name": "f66b2d97-9b52-4174-8182-d74133b62c14",
             "_create_user": "system",
             "_create_time": 1561055768637,
             "_last_modified_user": "admin",
             "_last_modified_time": 1563839907901,
             "_system_owned": false,
             "_protection": "NOT_PROTECTED",
             "_revision": 16
         }
     ],
     "result_count": 2
 }

Note that these properties will be required for the disable operation:

  • context
  • global_status
  • id
  • _revision

The _revision property describes the current revision of the resource. To prevent clients from overwriting each other’s changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.

Disable DFW on Transport Nodes with Postman:

Here is the Management Plane API call to change the current DFW status. In this example the goal is to change the transport nodes DFW status:

PUT https://nsxtmgr.core.hypervizor.com/api/v1/firewall/status/transport_nodes
Disable NSX-T DFW

From the PUT, the global_status has been successfully changed to DISABLED, and _revision has been incremented to reflect the new configuration:

Disable NSX-T DFW

The result is that the Distributed Firewall is disabled. All rules, including those containing groups with identity entities (e.g. AD groups), will not be enforced. This can be seen in the NSX-T Web UI:

Get the current DFW Status with cURL:

In preparation for disabling the NSX-T Distributed Firewall, begin by using cURL to get the current DFW state. From the work we did with Postman, we expect it to be currently disabled:

nsxtmgr01> st en
 Password:

 NOTICE TO USERS
 WARNING! Changes made to NSX Data Center while logged in as the root user
 can cause system failure and potentially impact your network. Please be
 advised that changes made to the system as the root user must only be made
 under the guidance of VMware.

 root@nsxtmgr01:~# curl -k -H "Content-Type: application/json" -H "Authorization: Basic YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ==" -X GET https://nsxtmgr.core.hypervizor.com/api/v1/firewall/status/transport_nodes
 {
   "context" : "transport_nodes",
   "global_status" : "DISABLED", <---- as expected global_status is currently DISABLED
   "resource_type" : "FirewallStatus",
   "id" : "f66b2d97-9b52-4174-8182-d74133b62c14",
   "display_name" : "f66b2d97-9b52-4174-8182-d74133b62c14",
   "_create_user" : "system",
   "_create_time" : 1561055768637,
   "_last_modified_user" : "admin",
   "_last_modified_time" : 1563974356388,
   "_system_owned" : false,
   "_protection" : "NOT_PROTECTED",
   "_revision" : 17
 }

Enable DFW on Transport Nodes with cURL:

Now let’s use cURL, from the NSX-T Manager CLI, to roll back DFW to an enabled state:

root@nsxtmgr01:~# curl -k -H "Content-Type: application/json" -H "Authorization: Basic YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ==" -X PUT -d '{ "context" : "transport_nodes",  "global_status" : "ENABLED", "resource_type" : "FirewallStatus",  "id" : "f66b2d97-9b52-4174-8182-d74133b62c14",  "_revision" : 17} ' https://nsxtmgr.core.hypervizor.com/api/v1/firewall/status/transport_nodes
 {
   "context" : "transport_nodes",
   "global_status" : "ENABLED", <---- it worked, global_status is ENABLED
   "resource_type" : "FirewallStatus",
   "id" : "f66b2d97-9b52-4174-8182-d74133b62c14",
   "display_name" : "f66b2d97-9b52-4174-8182-d74133b62c14",
   "_create_user" : "system",
   "_create_time" : 1561055768637,
   "_last_modified_user" : "admin",
   "_last_modified_time" : 1563976523446,
   "_system_owned" : false,
   "_protection" : "NOT_PROTECTED",
   "_revision" : 18
 }

The result is that the Distributed Firewall has been re-enabled:

Example of using an incorrect revision number when using cURL:

If you specify _revision in a PUT to a value other than current, the requested change will not be made, and the attempt will result in an error:

 root@nsxtmgr01:~# curl -k -H "Content-Type: application/json" -H "Authorization: Basic YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ==" -X PUT -d '{ "context" : "transport_nodes",  "global_status" : "ISABLED", "resource_type" : "FirewallStatus",  "id" : "f66b2d97-9b52-4174-8182-d74133b62c14",  "_revision" :14} ' https://nsxtmgr.core.hypervizor.com/api/v1/firewall/status/transport_nodes
 {
   "httpStatus" : "PRECONDITION_FAILED",
   "error_code" : 604,
   "module_name" : "common-services",
   "error_message" : "The object FirewallStatusConfiguration/f66b2d97-9b52-4174-8182-d74133b62c14 used in this operation has different version 14 than the current system version. Fetch the latest copy of the object and retry operation."
 }

I hope this article serves as a good Postman and cURL refresher, as well as a introduction into using the NSX-T API. Find the API Documentation here.

Begin typing your search term above and press enter to search. Press ESC to cancel.