
By: Michael Haines (Senior Cloud Security Architect)

In my last blog, I introduced a hypothetical situation involving a Network and Security System Administrator at the company "Example Systems" in order to best describe how to get started with the vShield API. Their company intends to use the vShield REST API to rapidly provision security and turn CodeNebulous' Tier-1 Application into a business offering for multiple organizations. The Network and Security System Administrator has already learned some basic principles about REST and the vShield API and is now ready to use automation tools with vShield App for scalability through the REST APIs.

The Network and Security System Administrator Begins to Work with the vShield App REST Firewall API

The Network and Security System Administrator is now ready to start configuring the vShield App Firewall rules. They have a choice to make with regard to the level at which the Firewall rules are configured. The Network and Security System Administrator can choose either:

  1. Datacenter
  2. Cluster
  3. Portgroup or Network

With vShield App there are two default rules (one Layer 3 and one Layer 2), which are configured at the datacenter level. There are none at the cluster level and none at the portgroup level.

Before the Network and Security System Administrator can start to use the vShield App REST Firewall API they must:

1. Get the vShield App state for a datacenter. This will provide them with the status of vShield App.

2. Provide the correct vShield authorization.

  • All vShield REST requests require authorization, which by default (in the product documentation) uses the following Basic authorization header: Basic YWRtaW46ZGVmYXVsdA==

Here YWRtaW46ZGVmYXVsdA== is the Base64 encoding of the vShield Manager default login credentials, admin:default.
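As an added illustration (not code from the original post or from VMware), the following Python builds the Basic authorization header from vShield Manager credentials, decodes a header back to its credentials, and flags a script that is still carrying the documented default admin:default header. The host name and request path are placeholders, since the real request URIs are shown only in the screenshots.

```python
import base64
import urllib.request

# Default header quoted in the product documentation (decodes to admin:default).
DEFAULT_VSM_HEADER = "Basic YWRtaW46ZGVmYXVsdA=="


def basic_auth_header(username: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value from a username and password.

    Basic auth is Base64 encoding only, not encryption: anyone who sees the
    header can recover the credentials, which is why it must only travel
    over HTTPS to the vShield Manager.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic authorization header value."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    # Usernames cannot contain ':', so split on the first colon only;
    # a password containing ':' is therefore preserved intact.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def uses_default_credentials(header: str) -> bool:
    """True if a script still authenticates with the documented default login."""
    return decode_basic_auth(header) == ("admin", "default")


def build_request(vsm_host: str, path: str, header: str) -> urllib.request.Request:
    """Prepare an authenticated GET to the vShield Manager (not sent here).

    'path' is a placeholder; take the actual URI from the vShield API reference.
    """
    request = urllib.request.Request(f"https://{vsm_host}{path}")
    request.add_header("Authorization", header)
    return request


if __name__ == "__main__":
    header = basic_auth_header("admin", "default")
    print(header, "-> default credentials:", uses_default_credentials(header))
```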

How the Network and Security System Administrator Determines the Datacenter Context Identifier

[Screenshot: Mhaines2_1]

Before the Network and Security System Administrator can submit any requests to the vShield App Firewall there is a key piece of information that they are required to supply. But how are they going to obtain this information? The first task is for the Network and Security System Administrator to log in to the Virtual Center, as in this example (1).

Providing the Virtual Center Credentials

[Screenshot: Mhaines2_2]

Once the Network and Security System Administrator has completed the above step they are asked for the Virtual Center 'username' and 'password'. But what are the username and password? The username can be obtained from the vShield Manager as in the following example: the Network and Security System Administrator goes to Settings and Reports (1), and the administrator's user name is shown as denoted by (2).

The Network and Security System Administrator now Logs In

[Screenshot: Mhaines2_3]

Once the Network and Security System Administrator has successfully logged in they will see the ManagedObjectReference:ServiceInstance. 

Traversing the ManagedObjectReferenceServiceInstance

[Screenshot: Mhaines2_4]

The Network and Security System Administrator has successfully logged in and is now presented with the following. They now select the 'content' URI as shown by (1).

Traversing the Data Object Type ServiceContent

[Screenshot: Mhaines2_5]

After selecting the content property the Network and Security System Administrator is presented with the ServiceInstance properties. Here the Network and Security System Administrator is looking for the rootFolder, as in the example above (1); on the rightmost side they should see something like group-d1 (Datacenters) (2). The Network and Security System Administrator selects group-d1 (Datacenters).

Getting the Datacenter ID

[Screenshot: Mhaines2_6]

After the Network and Security System Administrator selects the group-d1 (Datacenters) they can see the ManagedObjectReference group-d1. The important piece of information they require is shown in the ManagedObjectReference:ManagedEntity[] as shown in the example above (1). 

The vShield Manager View of the Datacenter

[Screenshot: Mhaines2_7]

The Network and Security System Administrator can also see the reference to CORP within the vShield Manager, as shown here (1).

Getting the State of vShield App (Basic)

[Screenshot: Mhaines2_8]

To get the state of vShield App, run the following command: vShield-App-State.bat

[Screenshot: Mhaines2_9]

Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.

Additionally, there is no REST call for a firewall "state" as such. As soon as vShield App is installed on any of the ESX hosts, it configures allow rules on the datacenter and publishes them to the appliance, so the default state is firewall on with everything allowed. What the status call actually tells you is whether the rules have been successfully published to the appliance.

Getting the State of vShield App (Advanced)

[Screenshot: Mhaines2_10]

In this example, the Network and Security System Administrator wants to get the basic state of vShield App. To do this they issue the following request as in the above example (1).

[Screenshot: Mhaines2_11]

Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.

Getting the Status of vShield App (Advanced)

[Screenshot: Mhaines2_12]

In this example, the Network and Security System Administrator wants to get the status of vShield App. To do this they issue the following request as in the above example (1).

[Screenshot: Mhaines2_13]

Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks. 

Getting the Complete vShield App Firewall Configuration (Basic)

[Screenshot: Mhaines2_14]

To get the complete vShield App firewall configuration, run the following command: vShield-App-Current-Configuration.bat

[Screenshot: Mhaines2_15]

Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.

Getting the Complete vShield App Firewall Configuration (Advanced)

[Screenshot: Mhaines2_16]

In this example, the Network and Security System Administrator wants to get the complete vShield App Firewall configuration for the context datacenter-2. To do this they issue the following request, as in the above example (1).

[Screenshot: Mhaines2_17]

Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.

Special thanks to Kaushal Bansal, Sr MTS at VMware for all his help and support. In my next blog, I will introduce the Network and Security System Administrator to the RESTClient Firefox Extension.  Make sure you catch the next installment in this series by following @vCloud and @VMwareSP on Twitter.