Sample Exchange


Python Script to import Distributed Firewall Rules recommended by vRNI to NSX-T on-prem or VMC on AWS SDDC 

Apr 14, 2020 08:20 PM

vRealize Network Insight Guide to importing recommended DFW rules to NSX-T or VMC SDDC using Python Script.

4/27/21 - NOTE: Updated to handle paginated results for services and security groups. Updated to populate security groups with IP memberships.

 

Pre-requisites:

  • Python 3.7 or above
  • requests, json, argparse, sys, glob, os, xml.dom, xml.etree.ElementTree, getpass python libraries installed (only requests is third-party; the others ship with Python)
  • Connectivity to the internet from where script will be executed
  • Connectivity to VMC SDDC over HTTPS (443)
  • Connectivity to NSX-T Manager or VIP over HTTPS (443)

 

Follow steps below:

Step: Download script by clicking Download button on this page

IF VMC:

Step: Copy VMC Refresh token

Login to https://console.cloud.vmware.com/

Click My Account -> API Tokens tab -> Generate Token or Regenerate an existing token

Token must have NSX Cloud Admin service role under VMC on AWS service.

Copy token

 

Step: Collect SDDC ID and VMC Organizational ID

Login to https://console.cloud.vmware.com/

Select VMware Cloud on AWS under My Services -> Click desired SDDC -> Click Support

Copy Org ID  and SDDC ID

 

IF NSX-T:

Step: Copy NSX-T Manager or VIP URL ( https://manager.fqdn/ )

Note: Must use the full URL including https:// and the trailing /

 

 

Step: Export application rules

  • Log into vRNI
  • Search for "Plan security of application NAME" (replacing NAME with the application name you would like to secure)
  • Select the three dots at the top right of the security donut diagram -> click Export to XML
  • Unzip the .zip file
  • Take note of the directory or folder location of the NSX data center folder you will be importing rules for as well as the "exported-members.csv" file location. 

 

Step:

  • Run script vRNI_DFW_Rule_to_VMC_or_NSXT_Import.py
    • Use --help for details on available arguments ( [--help] [--orgid ORGID] [--rulefolder RULEFOLDER] [--sddcid SDDCID] [--refreshtoken REFRESHTOKEN] [--verbose] [--appname APPNAME] [--enablerules] [--nsxtusesr] [--nsxturl] )

 

 

***NOTE*** To populate security groups with IP memberships (vRNI Version 6.2 and up only) select 'yes' when prompted. Each time the script is run and this option is selected, the security groups in question will be overwritten with the IPs in the file you select. If populating security groups with this script, firewall rules will apply to 'DFW' instead of security groups, because groups consisting only of IP addresses, MAC addresses, or Active Directory groups cannot be used in the "Applied to" field.
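The following is an added example, not the Sample Exchange script itself. It illustrates the two mechanics the 4/27/21 note and the IP-membership note above refer to: walking an NSX-T Policy API list result page by page via its `cursor` field (requested again as `?cursor=<value>`), and building a Group body whose membership is a plain list of IP addresses. The HTTP call is passed in as a callable so the logic runs offline against a constructed two-page response; with `requests` you would pass `lambda path, params: session.get(base_url + path, params=params).json()`.

```python
import ipaddress
from typing import Callable, Dict, List

# NSX-T list endpoints return {"results": [...], "cursor": "..."} while more
# pages remain; the next page is fetched by repeating the call with ?cursor=.
def list_all(get: Callable[[str, Dict[str, str]], dict], path: str) -> List[dict]:
    items: List[dict] = []
    params: Dict[str, str] = {}
    seen = set()
    while True:
        body = get(path, params)
        items.extend(body.get("results", []))
        cursor = body.get("cursor")
        if not cursor:
            return items
        if cursor in seen:  # guard against a response that never advances
            raise RuntimeError("pagination cursor repeated: %s" % cursor)
        seen.add(cursor)
        params = {"cursor": cursor}

def ip_group_body(display_name: str, ips: List[str]) -> dict:
    """Policy API Group whose only expression is a list of IPs / CIDRs,
    as used when populating groups from exported-members.csv (assumed
    one IP or CIDR per entry). Malformed entries raise instead of being
    sent to the manager, and duplicates are collapsed."""
    valid = []
    for raw in ips:
        raw = raw.strip()
        if not raw:
            continue
        ipaddress.ip_network(raw, strict=False)  # ValueError if malformed
        valid.append(raw)
    return {
        "display_name": display_name,
        "expression": [{"resource_type": "IPAddressExpression",
                        "ip_addresses": sorted(set(valid))}],
    }

# Constructed two-page response used to exercise list_all offline.
FAKE_PAGES = {
    None: {"results": [{"id": "svc-a"}, {"id": "svc-b"}], "cursor": "p2"},
    "p2": {"results": [{"id": "svc-c"}]},
}

def fake_get(path: str, params: Dict[str, str]) -> dict:
    return FAKE_PAGES[params.get("cursor")]

if __name__ == "__main__":
    print([s["id"] for s in list_all(fake_get, "/policy/api/v1/infra/services")])
    print(ip_group_body("app-web", ["10.0.1.10", "10.0.2.0/24", "10.0.1.10"]))
```

Because the script overwrites group membership on every run, validating and de-duplicating the IP list before the PATCH is the cheapest place to catch a bad CSV row.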

 

Contributors: 

Trey Tyler <Ttyler@vmware.com>

Kevin Forbes <Kforbes@vmware.com>

 



Attachment(s)
py file
snippet.py   27 KB   1 version
Uploaded - Apr 09, 2024
