NSX-T Data Center Global Manager REST API

Associated URIs:

API Description	API Path
List distributed firewall security policies List all distributed firewall (DFW) security policies for a domain.	GET /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies
Delete a distributed firewall security policy Delete a distributed firewall (DFW) security policy along with all its rules.	DELETE /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}
Read a distributed firewall security policy Read a distributed firewall (DFW) security policy for a domain.	GET /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}
Patch a distributed firewall security policy Create or partially update a distributed firewall (DFW) security policy for a domain. If a security policy for the given security-policy-id is not present, the object will get created and if it is present it will be updated. This is a full replace. Performance Note: If you want to edit several rules in a security policy use this API. It will perform better than several individual rule APIs. Just pass all the rules which you wish to edit as embedded rules to it.	PATCH /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}
Revise the positioning of a distributed firewall security policy This is used to set a precedence of a distributed firewall (DFW) security policy w.r.t others.	POST /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}?action=revise
Create or update a distributed firewall security policy Create or update a distributed firewall (DFW) security policy for a domain. This is a full replace. All the rules are replaced. Performance Note: If you want to edit several rules in a security policy, use this API. It will perform better than several individual rule APIs. Just pass all the rules which you wish to edit as embedded rules to it.	PUT /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}
List distributed firewall rules in a security policy Returns a paginated list of all distributed firewall rules within a specific security policy.	GET /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules
Delete a distributed firewall rule Delete a distributed firewall (DFW) rule from a security policy.	DELETE /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules/{rule-id}
Read a distributed firewall rule by ID Returns the configuration of a specific distributed firewall rule within a security policy.	GET /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules/{rule-id}
Patch a distributed firewall rule Create or partially update a distributed firewall (DFW) rule within a security policy. If a rule with the given rule-id does not exist it will be created; otherwise only the specified fields will be updated. Performance Note: If you want to edit several rules in a security policy, prefer below mentioned API for optimal performance. Pass all the rules which you wish to edit as embedded rules to it. Use this API - PATCH (or PUT) /infra/domains/<domain-id>/security-policies/<security-policy-id>	PATCH /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules/{rule-id}
Revise the positioning of a distributed firewall rule This is used to re-order a distributed firewall (DFW) rule within a security policy. NOTE: Default rule sequence numbers cannot be modified.	POST /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules/{rule-id}?action=revise
Create or update a distributed firewall rule Create or update a distributed firewall (DFW) rule within a security policy. If a rule with the given rule-id does not exist it will be created; otherwise it will be replaced in full. Performance Note: If you wish to edit several rules in a security policy, prefer below mentioned API for optimal performance. Pass all the rules which you wish to edit as embedded rules to it. Use this API - PATCH (or PUT) /infra/domains/<domain-id>/security-policies/<security-policy-id>	PUT /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules/{rule-id}
Get distributed firewall rule statistics Get statistics of a distributed firewall (DFW) rule. - no enforcement point path specified: Stats will be evaluated on each enforcement point. - {enforcement_point_path}: Stats are evaluated only on the given enforcement point.	GET /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/rules/{rule-id}/statistics
Get security policy statistics Get statistics of a security policy. - no enforcement point path specified: Stats will be evaluated on each enforcement point. - {enforcement_point_path}: Stats are evaluated only on the given enforcement point.	GET /global-manager/api/v1/global-infra/domains/{domain-id}/security-policies/{security-policy-id}/statistics
List all policy configuration drafts Returns a paginated list of all DFW drafts.	GET /global-manager/api/v1/global-infra/drafts
Delete a manual draft Delete a manual draft.	DELETE /global-manager/api/v1/global-infra/drafts/{draft-id}
Read a policy configuration draft by ID Returns the configuration of a specific NSX policy draft identified by the draft ID. Drafts allow administrators to stage and review configuration changes before publishing them to the live environment.	GET /global-manager/api/v1/global-infra/drafts/{draft-id}
Patch a manual draft Create a new manual draft if the specified draft id does not correspond to an existing draft. Update the manual draft otherwise. Auto draft can not be updated.	PATCH /global-manager/api/v1/global-infra/drafts/{draft-id}
Publish a policy draft and apply its changes Publishes a draft by applying its staged configuration changes onto the live environment. If there are additional changes on top of draft configuration, pass it as a request body, in form of Infra object. Otherwise, if there are no additional changes, then pass empty Infra object as a request body.	POST /global-manager/api/v1/global-infra/drafts/{draft-id}?action=publish
Create or update a manual draft Create a new manual draft if the specified draft id does not correspond to an existing draft. Update the manual draft otherwise. Auto draft can not be updated.	PUT /global-manager/api/v1/global-infra/drafts/{draft-id}
Get an aggregated configuration for the draft Get an aggregated configuration that will get applied onto current configuration during publish of this draft. The response is a hierarchical payload containing the aggregated configuration differences from the latest auto draft till the specified draft.	GET /global-manager/api/v1/global-infra/drafts/{draft-id}/aggregated
Get paginated aggregated configuration for the draft Get a paginated aggregated configuration of a given draft. This aggregated configuration is the differnece between the current published firewall configuration and a firewall configuration stored in a given draft. For an initial API call, if request_id is present in a response, then this is a paginated aggregated configuration of a given draft, containing all the security policies from the aggregated configuration. Using this request_id, more granular aggregated configuration, at security policy level, can be fetched from subsequent API calls. Absence of request_id suggests that whole aggregated configuration has been returned as a response to initial API call, as the size of aggregated configuration is not big enough to need pagination.	GET /global-manager/api/v1/global-infra/drafts/{draft-id}/aggregated_with_pagination
Get a preview of a configuration after publish of a draft Get a preview of a configuration which will be present after publish of a specified draft. The response essentially is a hierarchical payload containing the configuration, which will be in active after a specified draft gets published onto current configuration.	GET /global-manager/api/v1/global-infra/drafts/{draft-id}/complete
Get PolicyFirewallSchedulers Get all PolicyFirewallSchedulers	GET /global-manager/api/v1/global-infra/firewall-schedulers
Delete Policy Firewall Scheduler Deletes the specified PolicyFirewallScheduler. If scheduler is consumed in a security policy, it won't get deleted.	DELETE /global-manager/api/v1/global-infra/firewall-schedulers/{firewall-scheduler-id}
Get PolicyFirewallScheduler Get a PolicyFirewallScheduler by id	GET /global-manager/api/v1/global-infra/firewall-schedulers/{firewall-scheduler-id}
Create or Update PolicyFirewallScheduler Creates/Updates a PolicyFirewallScheduler, which can be set at security policy. Note that at least one property out of "days", "start_date", "time_interval", "end_date" is required if "recurring" field is true. Also "start_time" and "end_time" should not be present. And if "recurring" field is false then "start_date" and "end_date" is mandatory, "start_time" and "end_time" is optional. Also the fields "days" and "time_interval" should not be present.	PATCH /global-manager/api/v1/global-infra/firewall-schedulers/{firewall-scheduler-id}
Create or Update PolicyFirewallScheduler Updates a PolicyFirewallScheduler, which can be set at security policy. Note that at least one property out of "days", "start_date", "time_interval", "end_date" is required if "recurring" field is true. Also "start_time" and "end_time" should not be present. And if "recurring" field is false then "start_date" and "end_date" is mandatory, "start_time" and "end_time" is optional. Also the fields "days" and "time_interval" should not be present.	PUT /global-manager/api/v1/global-infra/firewall-schedulers/{firewall-scheduler-id}
Import K8s network policies to DFW Security Policies This is used to import a set of K8s network policies into DFW security policies	POST /global-manager/api/v1/global-infra/import-k8s-np-to-dfw
Get the information of export task Get the information of the latest export task.	GET /global-manager/api/v1/global-infra/settings/firewall/export
Download exported file Download the exported file generated from the last export task. The request should have proper headers set to download the file. Please add the below two headers, if it is not already present Accept application/json, text/plain, / Accept-Encoding gzip, deflate, br	GET /global-manager/api/v1/global-infra/settings/firewall/export?action=download
Cancel a running export task This operation cancels an export task. Task needs to be in running state.	POST /global-manager/api/v1/global-infra/settings/firewall/export?action=cancel
Invoke export task Invoke export task. There can be only one export task run at any point of time. Hence invocation of another export task will be discarded, when there exist an already running export task. Exported configuration will be in a CSV format. This CSV file will be zipped into a ZIP file, that can be downloaded after the completion of export task.	POST /global-manager/api/v1/global-infra/settings/firewall/export
Get the information of import task Get the information of the latest import task.	GET /global-manager/api/v1/global-infra/settings/firewall/import
Invoke import task Invoke import task. There can be only one import task run at any point of time. Hence invocation of another import task will be discarded, when there exist an already running import task.	POST /global-manager/api/v1/global-infra/settings/firewall/import
Cancel a running import task This operation cancels an import task. Task needs to be in running state.	POST /global-manager/api/v1/global-infra/settings/firewall/import?action=cancel
Get dfw firewall configuration Get the current dfw firewall configurations.	GET /global-manager/api/v1/global-infra/settings/firewall/security
Update dfw firewall configuration Update dfw firewall related configurations. Turning off distributed services ("enable_firewall": false) will turn off Distributed Firewall, Identity Firewall, Distributed Intrusion Detection and Prevention Service, Distributed Load Balancer.	PATCH /global-manager/api/v1/global-infra/settings/firewall/security
Update dfw firewall configuration Update dfw firewall related configurations. Turning off distributed services ("enable_firewall": false) will turn off Distributed Firewall, Identity Firewall, Distributed Intrusion Detection and Prevention Service, Distributed Load Balancer.	PUT /global-manager/api/v1/global-infra/settings/firewall/security
Get the list of distributed firewall dependent services Get the list of distributed firewall dependent services	GET /global-manager/api/v1/global-infra/settings/firewall/security/dependent-services
Read the distributed firewall exclude list Read the exclude list for the distributed firewall (DFW). Members in this list are excluded from DFW enforcement.	GET /global-manager/api/v1/global-infra/settings/firewall/security/exclude-list
Read the distributed firewall exclude list including system and user excluded members Read the distributed firewall (DFW) exclude list including both system-owned and user-defined excluded members.	GET /global-manager/api/v1/global-infra/settings/firewall/security/exclude-list?system_owned=true
Patch exclusion list for security policy Patch exclusion list for security policy.	PATCH /global-manager/api/v1/global-infra/settings/firewall/security/exclude-list
Filter the firewall exclude list Filter the firewall exclude list by the given object, to check whether the object is a member of this exclude list.	POST /global-manager/api/v1/global-infra/settings/firewall/security/exclude-list?action=filter
Create or update exclusion list for security policy Update the exclusion list for security policy	PUT /global-manager/api/v1/global-infra/settings/firewall/security/exclude-list
Reset firewall rule statistics Sets firewall rule statistics counter to zero. This operation is supported for given category, for example: DFW i.e. for all layer3 firewall (transport nodes only) rules or EDGE i.e. for all layer3 edge firewall (edge nodes only) rules. - no enforcement point path specified: On global manager, it is mandatory to give an enforcement point path. On local manager, reset of stats will be executed for each enforcement point. - {enforcement_point_path}: Reset of stats will be executed only for the given enforcement point.	POST /global-manager/api/v1/global-infra/settings/firewall/stats?action=reset

Additional Links

Distributed Firewall

Rules

Settings

Distributed Firewall Settings

Drafts

Exclusion List

Firewall Scheduler

Statistics

Task

NSX-T Data Center Global Manager REST API

Associated URIs:

List distributed firewall security policies

Delete a distributed firewall security policy

Read a distributed firewall security policy

Patch a distributed firewall security policy

Revise the positioning of a distributed firewall security policy

Create or update a distributed firewall security policy

List distributed firewall rules in a security policy

Delete a distributed firewall rule

Read a distributed firewall rule by ID

Patch a distributed firewall rule

Revise the positioning of a distributed firewall rule

Create or update a distributed firewall rule

Get distributed firewall rule statistics

Get security policy statistics

List all policy configuration drafts

Delete a manual draft

Read a policy configuration draft by ID

Patch a manual draft

Publish a policy draft and apply its changes

Create or update a manual draft

Get an aggregated configuration for the draft

Get paginated aggregated configuration for the draft

Get a preview of a configuration after publish of a draft

Get PolicyFirewallSchedulers

Delete Policy Firewall Scheduler

Get PolicyFirewallScheduler

Create or Update PolicyFirewallScheduler

Create or Update PolicyFirewallScheduler

Import K8s network policies to DFW Security Policies

Get the information of export task

Download exported file

Cancel a running export task

Invoke export task

Get the information of import task

Invoke import task

Cancel a running import task

Get dfw firewall configuration

Update dfw firewall configuration

Update dfw firewall configuration

Get the list of distributed firewall dependent services

Read the distributed firewall exclude list

Read the distributed firewall exclude list including system and user excluded members

Patch exclusion list for security policy

Filter the firewall exclude list

Create or update exclusion list for security policy

Reset firewall rule statistics