NSX-T Data Center REST API

Update an Existing Section with Rules (Removed in 9.0)

Modifies an existing firewall section along with its relative position
among other firewall sections with rules. When invoked on a large number
of rules, this API is supported only at low rates of invocation (not more
than 2 times per minute). The typical latency of this API with about 1024
rules is about 15 seconds in a cluster setup. This API should not be
invoked with large payloads at automation speeds.

Instead, to move a section above or below another section, use:
POST /api/v1/firewall/sections/<section-id>?action=revise

To modify rules, use:
PUT /api/v1/firewall/sections/<section-id>/rules/<rule-id>

Simultaneous update (modify) operations on same section are not allowed to
prevent overwriting stale contents to firewall section. If a concurrent
update is performed, HTTP response code 409 will be returned to the client
operating on stale data. That client should retrieve the firewall section
again and re-apply its update.
Deprecated:
Use the following Policy API -
POST /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise

Request:

Method:

POST

URI Path(s):

/api/v1/firewall/sections/{section-id}?action=revise_with_rules

Request Headers:

n/a

Query Parameters:

FirewallInsertParameters+

Name	Description	Type	Notes
id	Identifier of the anchor rule or section. This is a required field in case operation like 'insert_before' and 'insert_after'.	string	Maximum length: 64
operation	Operation	string	Enum: insert_top, insert_bottom, insert_after, insert_before Default: "insert_top"

Request Body:

FirewallSectionRuleList+

FirewallSectionRuleList (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
applied_tos	AppliedTo List List of objects where the rules in this section will be enforced. This will take precedence over rule level appliedTo.	array of ResourceReference	Maximum items: 128
autoplumbed	Tells if a section is auto-plumbed or not This flag indicates whether it is an auto-plumbed section that is associated to a LogicalRouter. Auto-plumbed sections are system owned and cannot be updated via the API.	boolean	Readonly Default: "False"
category	Section category Category from policy framework.	string	Readonly
comments	Section lock/unlock comments Comments for section lock/unlock.	string	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforced_on	Firewall Section Enforcement type This attribute represents enforcement point of firewall section. For example, firewall section enforced on logical port with attachment type bridge endpoint will have 'BRIDGEENDPOINT' value, firewall section enforced on logical router will have 'LOGICALROUTER' value and rest have 'VIF' value.	string	Readonly
firewall_schedule	Firewall Schedule Reference Reference of the firewall schedule during which this section will be valid.	ResourceReference
id	Unique identifier of this resource	string	Sortable
is_default	Default section flag It is a boolean flag which reflects whether a distributed service section is default section or not. Each Layer 3 and Layer 2 section will have at least and at most one default section.	boolean	Readonly
lock_modified_by	Lock modified by user ID of the user who last modified the lock for the section.	string	Readonly
lock_modified_time	Section locked/unlocked time Section locked/unlocked time in epoch milliseconds.	EpochMsTimestamp	Readonly
locked	Section Locked Section is locked/unlocked.	boolean	Readonly Default: "False"
priority	Section priority Priority of current section with respect to other sections. In case the field is empty, the list section api should be used to get section priority.	integer	Readonly
resource_type	Must be set to the value FirewallSectionRuleList	string
rule_count	Rule count Number of rules in this section.	integer	Readonly
rules	List of the firewall rules List of firewall rules in the section. Only homogenous rules are supported.	array of FirewallRule	Required Maximum items: 1000
section_type	Section Type Type of the rules which a section can contain. Only homogeneous sections are supported.	string	Required Enum: LAYER2, LAYER3, L3REDIRECT, IDS
stateful	Stateful nature of the distributed service rules in the section. Stateful or Stateless nature of distributed service section is enforced on all rules inside the section. Layer3 sections can be stateful or stateless. Layer2 sections can only be stateless.	boolean	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tcp_strict	TCP Strict If TCP strict is enabled on a section and a packet matches rule in it, the following check will be performed. If the packet does not belong to an existing session, the kernel will check to see if the SYN flag of the packet is set. If it is not, then it will drop the packet.	boolean	Default: "False"

Example Request:

POST https://<nsx-mgr>/api/v1/firewall/sections/2111d18f-27ba-4f19-a51d-2173c3972410?action=revise_with_rules&operation=insert_after&id=79b29ea5-051a-4ab2-af85-fb6520a9f881 { "section_type":"LAYER3", "id": "2111d18f-27ba-4f19-a51d-2173c3972410", "display_name":"another Layer3 Section with Rules", "stateful":true, "rules":[ { "display_name":"layer3rule1", "action":"ALLOW", "direction":"IN_OUT", "sources": [ { "target_display_name": "192.168.100.5", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.5" } ], "destinations": [ { "target_display_name": "192.168.100.6", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.6" } ] } ] } example_response: | { "resource_type": "FirewallSectionRuleList", "id": "2111d18f-27ba-4f19-a51d-2173c3972410", "display_name": "another Layer3 Section with Rules", "section_type": "LAYER3", "is_default": false, "stateful": true, "rule_count": 1, "rules": [ { "id": "7168", "display_name": "layer3rule1", "destinations_excluded": false, "sources": [ { "target_display_name": "192.168.100.5", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.5" } ], "destinations": [ { "target_display_name": "192.168.100.5", "is_valid": true, "target_type": "IPv4Address", "target_id": "192.168.100.5" } ], "ip_protocol": "IPV4_IPV6", "logged": false, "action": "ALLOW", "sources_excluded": false, "disabled": false, "direction": "IN_OUT", "_revision": 1 } ], "locked": true, "comments": "Locked the section", "lock_modified_by": "admin", "lock_modified_time": "1446245476600", "_last_modified_user": "admin", "_last_modified_time": 1446245476635, "_revision": 1 }

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

FirewallSectionRuleList+

FirewallSectionRuleList (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
applied_tos	AppliedTo List List of objects where the rules in this section will be enforced. This will take precedence over rule level appliedTo.	array of ResourceReference	Maximum items: 128
autoplumbed	Tells if a section is auto-plumbed or not This flag indicates whether it is an auto-plumbed section that is associated to a LogicalRouter. Auto-plumbed sections are system owned and cannot be updated via the API.	boolean	Readonly Default: "False"
category	Section category Category from policy framework.	string	Readonly
comments	Section lock/unlock comments Comments for section lock/unlock.	string	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforced_on	Firewall Section Enforcement type This attribute represents enforcement point of firewall section. For example, firewall section enforced on logical port with attachment type bridge endpoint will have 'BRIDGEENDPOINT' value, firewall section enforced on logical router will have 'LOGICALROUTER' value and rest have 'VIF' value.	string	Readonly
firewall_schedule	Firewall Schedule Reference Reference of the firewall schedule during which this section will be valid.	ResourceReference
id	Unique identifier of this resource	string	Sortable
is_default	Default section flag It is a boolean flag which reflects whether a distributed service section is default section or not. Each Layer 3 and Layer 2 section will have at least and at most one default section.	boolean	Readonly
lock_modified_by	Lock modified by user ID of the user who last modified the lock for the section.	string	Readonly
lock_modified_time	Section locked/unlocked time Section locked/unlocked time in epoch milliseconds.	EpochMsTimestamp	Readonly
locked	Section Locked Section is locked/unlocked.	boolean	Readonly Default: "False"
priority	Section priority Priority of current section with respect to other sections. In case the field is empty, the list section api should be used to get section priority.	integer	Readonly
resource_type	Must be set to the value FirewallSectionRuleList	string
rule_count	Rule count Number of rules in this section.	integer	Readonly
rules	List of the firewall rules List of firewall rules in the section. Only homogenous rules are supported.	array of FirewallRule	Required Maximum items: 1000
section_type	Section Type Type of the rules which a section can contain. Only homogeneous sections are supported.	string	Required Enum: LAYER2, LAYER3, L3REDIRECT, IDS
stateful	Stateful nature of the distributed service rules in the section. Stateful or Stateless nature of distributed service section is enforced on all rules inside the section. Layer3 sections can be stateful or stateless. Layer2 sections can only be stateless.	boolean	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tcp_strict	TCP Strict If TCP strict is enabled on a section and a packet matches rule in it, the following check will be performed. If the packet does not belong to an existing session, the kernel will check to see if the SYN flag of the packet is set. If it is not, then it will drop the packet.	boolean	Default: "False"

NSX-T Data Center REST API

Update an Existing Section with Rules (Removed in 9.0)

Request:

FirewallInsertParameters (schema)

FirewallSectionRuleList (schema)

Example Request:

Successful Response:

FirewallSectionRuleList (schema)

Required Permissions:

Feature:

Additional Errors: