vCloud

  • 1.  vShield Edge Rules & Clone

    Posted Jul 24, 2014 09:42 PM

    Hi

    We have a number of vShield edge devices; some are using global objects, some are tied to the edge devices themselves. Is there a way to export the rules from one edge device to another within the same vShield Manager or another vShield Manager?

    We have a number of edge devices that require the same rules and objects i.e. test / development environments.

    The extract below seems to indicate this can be done https://www.vmware.com/support/vshield/doc/faq_vshield_41.html

    Can vShield Edge firewall rules be exported to another vShield Edge? Yes, vShield Edge firewall rules can be replicated to another vShield Edge instance. All of the configuration information is stored by the vShield Manager, which would be used to backup and restore these configurations. REST APIs can also be used to save and restore configurations.

    I have also tried the API for vShield, but the IP sets and services seem to be tied to the global root or an edge device; if you export the rules from one to another, the IDs don't match up in the extracted firewall rule base!!

    Using vShield Manager 5.1

    Thanks



  • 2.  RE: vShield Edge Rules & Clone

    Posted Jul 29, 2014 02:02 PM

    Hello,

    Using vShield Manager I have been able to export the rules for my edges and reimport them using vShield Manager. Does this work? I have never tried with the API.

    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast



  • 3.  RE: vShield Edge Rules & Clone

    Posted Jul 29, 2014 05:52 PM

    Hi Edward

    How did you do this using the vShield Manager?

    Did you export the rules from i.e. EDGE-1 into EDGE-5 for example or did you import back into the same edge device number?

    Thanks



  • 4.  RE: vShield Edge Rules & Clone

    Posted Jul 29, 2014 06:11 PM

    Hello Packetmole,

    You know, it has been a while, but I am pretty sure it was back into the same Edge. Currently I keep a backup of all my edge rules using Settings & Reports -> Backups (tab). In general my rules are not complex, so I have not done much else with them. And what I thought was there in the UI seems to be gone now... I should have looked first on 5.5. The only way then is via the API, and Alan wrote a PowerShell set of tools for this. I think we need to parse the rules and use the API to add them back in one at a time instead of en masse.

    Looks like I have some scripting to work on....

    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast



  • 5.  RE: vShield Edge Rules & Clone

    Posted Jul 29, 2014 06:31 PM

    Hi Edward

    I agree the backup option lets you back up ALL of the edge device configs; however, you can't restore individual edge devices. So what's the point of this, we may ask?

    From what I understand, it's to restore the vShield Manager (should this go bang): you then deploy a new vShield Manager (OVA) and import the backup. Without this you can't recover/push policies to the edge devices, as the manager stores all the configuration files.

    I have been able to export the firewall rules using the API from one vShield Edge to another; however, you can only do this if you use global objects and services. The IP sets and application IDs are tied to a scope, i.e. the edge device, but the ID numbers are global across ALL edge devices on that manager.

    For example, if you create an IP set on edge-1, you get ipset-34567 allocated behind the scenes. If you create another on edge-5, you get ipset-34568 (but these also have a scope defined, and the import will fail, as the rules you are trying to import from edge-1 to edge-5 reference IP sets in edge-1).

    Global IDs never change, so you can import and export between edge devices on the same vShield Manager.



  • 6.  RE: vShield Edge Rules & Clone

    Posted Jul 29, 2014 06:43 PM

    Hello Packetmole,

    It looks like you can create ipsets on a scope. You just need the moref of the scope. So if an Edge is a scope you can create an ipset on that moref, then query it and reference it inside your rules.

    GET https://<vsm-ip>/api/2.0/services/ipset/<scope-moref>

    That is about the closest we will get it looks like. Another option is to create the ipset globally, query back the list, get the ID and update all the rules with the ID.


    Best regards,

    Edward Haletky
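
The scope problem described in posts 5 and 6 (scoped IP sets get a fresh objectId on each edge, so a rule export from edge-1 references IDs that do not exist on edge-5) and the workaround in post 6 (create the objects on the target scope or globally, query the list back, and rewrite the rules with the new IDs) can be carried out offline before anything is pushed to the manager. The script below is an added example and is not code from this thread, from Alan's PowerShell tools, or from VMware. It assumes the ipset listing returned by the manager carries `<objectId>` and `<name>` per `<ipset>` entry and that the rule export references grouping objects by their objectId in element text; the XML fragments embedded in it are constructed for illustration, not captured from a real vShield Manager, so check element names against your own export before relying on it.

```python
"""Remap scoped vShield object IDs when moving a firewall rule export between edges.

Assumptions (not taken from the thread): the ipset listing for a scope contains
<ipset><objectId>..</objectId><name>..</name><value>..</value></ipset> entries, and
the firewall rule export references objects by objectId in element text. All XML
below is constructed sample data for illustration.
"""
import re
import xml.etree.ElementTree as ET

# objectId shapes the thread mentions (ipset-NNN, application-NNN); applicationgroup is assumed.
OBJECT_ID_RE = re.compile(r"^(ipset|application|applicationgroup)-\d+$")

# Constructed: IP sets as queried back from the source edge's scope (edge-1).
SOURCE_IPSETS_XML = """<list>
  <ipset><objectId>ipset-34567</objectId><name>web-servers</name><value>10.1.1.10,10.1.1.11</value></ipset>
  <ipset><objectId>ipset-34570</objectId><name>db-servers</name><value>10.1.2.0/24</value></ipset>
</list>"""

# Constructed: the same IP sets re-created on the target edge's scope (edge-5).
# The manager allocated different IDs, so the name is the only stable link between them.
# db-servers has deliberately NOT been re-created yet, to show the failure path.
TARGET_IPSETS_XML = """<list>
  <ipset><objectId>ipset-34568</objectId><name>web-servers</name><value>10.1.1.10,10.1.1.11</value></ipset>
</list>"""

# Constructed: a rule export from the source edge that references the scoped ipset IDs
# and one service ID that is assumed to be a global object on this manager.
SOURCE_RULES_XML = """<firewallRules>
  <firewallRule>
    <name>allow-web</name>
    <source><groupingObjectId>ipset-34567</groupingObjectId></source>
    <application><applicationId>application-12</applicationId></application>
    <action>accept</action>
  </firewallRule>
  <firewallRule>
    <name>allow-db</name>
    <source><groupingObjectId>ipset-34567</groupingObjectId></source>
    <destination><groupingObjectId>ipset-34570</groupingObjectId></destination>
    <action>accept</action>
  </firewallRule>
</firewallRules>"""


def parse_ipsets(xml_text):
    """Return {name: objectId} for every <ipset> in a scope listing."""
    root = ET.fromstring(xml_text)
    return {e.findtext("name"): e.findtext("objectId") for e in root.iter("ipset")}


def build_id_map(source_ipsets, target_ipsets):
    """Map source objectIds to target objectIds by name.

    Names present on the source but absent on the target are returned separately so
    the operator can create them on the target scope before importing.
    """
    id_map, missing = {}, []
    for name, src_id in source_ipsets.items():
        dst_id = target_ipsets.get(name)
        if dst_id is None:
            missing.append(name)
        else:
            id_map[src_id] = dst_id
    return id_map, missing


def remap_rules(rules_xml, id_map, global_ids=frozenset()):
    """Rewrite object references in a rule export and collect any that cannot be resolved.

    global_ids: objectIds known to be global on this manager; per the thread they keep
    the same ID on every edge, so they are left untouched. Any other object reference
    that is not in id_map would make the import fail, so it is reported instead of
    being silently carried across.
    """
    root = ET.fromstring(rules_xml)
    unresolved = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not OBJECT_ID_RE.match(text):
            continue
        if text in id_map:
            elem.text = id_map[text]
        elif text not in global_ids:
            unresolved.append((elem.tag, text))
    return ET.tostring(root, encoding="unicode"), unresolved


def main():
    src = parse_ipsets(SOURCE_IPSETS_XML)
    dst = parse_ipsets(TARGET_IPSETS_XML)
    id_map, missing = build_id_map(src, dst)
    print("id map:", id_map)
    print("ipsets still to create on target scope:", missing)
    rewritten, unresolved = remap_rules(SOURCE_RULES_XML, id_map, global_ids={"application-12"})
    if unresolved:
        print("refusing to import; unresolved references:", unresolved)
    else:
        print(rewritten)


if __name__ == "__main__":
    main()
```

The check in `remap_rules` is the part worth keeping even if you script the rest in PowerShell: an export that still contains a source-scope objectId is rejected by the manager on import, and catching it before the POST is cheaper than untangling a half-applied rule base. With the constructed sample, `web-servers` is remapped from ipset-34567 to ipset-34568, `db-servers` is reported as missing on the target, and the second rule's destination reference is flagged as unresolved rather than being pushed.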