VMware VSHIELD APP 1.0 - API Programming Manual


vShield API Programming Guide
vShield Manager 4.1
vShield App 1.0
vShield Edge 1.0
vShield Endpoint 1.0
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000434-00


Summary of Contents for VMware VSHIELD APP 1.0 - API

  • Page 2 VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
  • Page 3: Table Of Contents

    Contents
      About This Book (p. 7)
      Overview of VMware vShield (p. 9)
      vShield Components (p. 9)
      vShield Manager (p. 9)
      vShield App (p. 9)
      vShield Edge (p. 10)
      vShield Endpoint (p. 10)
      Ports Required for vShield (p. 10)
      An Introduction to REST API for vShield Users (p. 10)
      How REST Works (p. 10)
      Using REST (p. 10)
      vShield API Conventions (p. 11)
      RESTful Workflow Patterns (p. 12)
      For More Information About REST (p. 13)
      vShield Manager Management (p. 15)
      Synchronize the vShield Manager with vCenter Server and DNS (p. 15)
      Retrieving Tech Support Logs (p. 16)
      Get the vShield Manager Technical Support Log File Path (p. 16)
      Get the vShield Edge Technical Support Log File Path (p. 16)
      ESX Host Preparation for vShield App, Endpoint, and Isolation (p. 17)
      Install the Licenses for vShield Edge, vShield App, and vShield Endpoint (p. 17) ...
  • Page 4

      Delete a Tunnel for a VPN Site (p. 43)
      Delete a Remote Site (p. 43)
      Get the Current VPN Configuration on a vShield Edge (p. 43)
      Get Timestamps of Last 10 VPN Configurations (p. 44)
      Get a VPN Configuration by Timestamp (p. 44)
      Revert to a VPN Configuration by Timestamp (p. 44)
      Delete the VPN Configuration on a vShield Edge (p. 44)
      Load Balancer (p. 45)
      Get the Status of Load Balancer Service on a vShield Edge (p. 45)
      Start or Stop the Load Balancer Service on a vShield Edge (p. 46)
      Add a Listener for Load Balancing Service (p. 46)
      Get the Current Load Balancer Configuration on a vShield Edge (p. 47)
      Get the Configuration of a Specific Load Balancing Server (p. 47)
      Get Timestamps of Last 10 Load Balancer Configurations (p. 47)
      Get a Load Balancer Configuration by Timestamp (p. 48)
      Revert to a Load Balancer Configuration by Timestamp (p. 48)
      Delete the Load Balancer Configuration on a vShield Edge (p. 48)
      Managing the MTU Threshold for a vShield Edge (p. 48)
      View Traffic Statistics (p. 49)
    VMware, Inc.
  • Page 5

      Uninstall vShield Endpoint from the vShield Manager (p. 66)
      Error Schema (p. 66)
      Appendix: REST API Schemas (p. 67)
      vShield Manager Schemas (p. 67)
      vShield Manager to vCenter Server Synchronization Schema (p. 67)
      DNS Service Schema (p. 68)
      Virtual Machine Information Schema (p. 68)
      Security Groups Schema (p. 69)
      ESX Host Preparation and Uninstallation Schema (p. 70)
      vShield App Schemas (p. 71)
      vShield App Configuration Schema (p. 71)
      vShield App Firewall Schema (p. 72)
      Port Group Isolation Management Schema (p. 73)
      Port Group Isolation Statistics Schema (p. 74)
      vShield Edge Schemas (p. 74)
      Base vShield Edge Configuration Schema (p. 74)
      vShield Edge Installation Schema (p. 74)
      vShield Edge Global Configuration Schema (p. 75)
      vShield Edge CLI Login Credentials Schema (p. 76)
  • Page 6

      (p. 77)
      NAT Schema (p. 79)
      DHCP Schema (p. 81)
      VPN Schema (p. 83)
      Load Balancer Schema (p. 86)
      MTU Threshold Schema (p. 87)
      Traffic Stats Schema (p. 87)
      Syslog Schema (p. 88)
      Error Message Schema (p. 89)
      Index (p. 91)
  • Page 7: About This Book

    About This Book

    This manual, the vShield API Programming Guide, describes how to install, configure, monitor, and maintain the VMware® vShield™ system by using REST API requests. The information includes step-by-step configuration instructions and examples.

    Intended Audience

    This manual is intended for anyone who wants to use the REST API to install or use vShield in a VMware vCenter™ environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with vShield.

    VMware Technical Publications Glossary

    VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

    Document Feedback

    VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

    vShield Documentation

    The following documents comprise the vShield documentation set:
    - vShield Administration Guide
    - vShield Quick Start Guide
    - vShield API Programming Guide, this guide

    Technical Support and Education Resources

    The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
  • Page 8

    Support Offerings

    To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

    VMware Professional Services

    VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
  • Page 9: Overview Of Vmware Vshield

    Overview of VMware vShield

    VMware® vShield™ is a suite of network edge and application-aware firewalls built for VMware vCenter™ Server integration. vShield inspects client-server communications and inter-virtual-machine communication to provide detailed traffic analytics and application-aware firewall protection. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.

    This guide assumes you have administrator access to the entire vShield system. If you are unable to access a screen or perform a particular task, consult your vShield administrator.

    This chapter includes the following topics:
    - “vShield Components” on page 9
    - “Ports Required for vShield” on page 10
    - “An Introduction to REST API for vShield Users” on page 10

    vShield Components

    vShield includes components and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a command line interface (CLI), and the REST API. To run vShield, you need one vShield Manager virtual machine and at least one vShield Zones, vShield App, or vShield Edge virtual machine.

    vShield Manager

    The vShield Manager is the centralized management component of vShield and is installed from OVA as a virtual machine by using the vSphere Client. Using the vShield Manager user interface or vSphere Client plug-in, administrators can install, configure, and maintain vShield components. The vShield Manager virtual machine can run on a different ESX host from your vShield App and vShield Edge virtual machines. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel. For more about using the vShield Manager user interface, see the vShield Administration Guide.

    vShield App

    A vShield App monitors all traffic into and out of an ESX host, and between virtual machines on the host. ...
  • Page 10: Vshield Edge

    vShield Endpoint

    vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.

    Ports Required for vShield

    The vShield Manager requires ports 80/TCP and 443/TCP for REST API requests.

    An Introduction to REST API for vShield Users

    REST, an acronym for Representational State Transfer, is a term that has been widely employed to describe an architectural style characteristic of programs that rely on the inherent properties of hypermedia to create and modify the state of an object that is accessible at a URL.

    How REST Works

    Once a URL of such an object is known to a client, the client can use an HTTP GET request to discover the properties of the object. These properties are typically communicated in a structured document with an HTTP Content-Type of XML or JSON that provides a representation of the state of the object. In a RESTful workflow, documents (representations of object state) are passed back and forth (transferred) between a client and a service with the explicit assumption that neither party need know anything about an entity other than what is presented in a single request or response. The URLs at which these documents are available are often “sticky,” in that they persist beyond the lifetime of the request or response that includes them. The other content of the documents is nominally valid until the expiration date noted in the HTTP Expires header.

    Using REST

    The REST API uses HTTP requests (which are often executed by a script or other higher-level language) as a way of making what are essentially idempotent remote procedure calls that create, modify, or delete the objects defined by the API. This REST API (and others) is defined by a collection of XML documents that represent the objects on which the API operates. The operations themselves (HTTP requests) are generic to all HTTP clients.
  • Page 11: Vshield Api Conventions

    To write a RESTful client, you need to understand only the HTTP protocol and the semantics of standard HTML markup. To use the vShield API effectively in such a client, you need to know three things:
    - the set of objects that the API supports, and what they represent (What is a vDC? How does it relate to an Org?)
    - how the API represents these objects (What does the XML schema for the vShield Edge firewall rule set look like? What do the individual elements and attributes represent?)
    - how the client refers to an object on which it wants to operate

    To answer these questions, you need to understand the vShield API resource schemas. These schemas define a number of XML types, many of which are extended by other types. The XML elements defined in these schemas, along with their attributes and composition rules (minimum and maximum number of elements or attributes, for example, or the prescribed hierarchy with which elements can be nested) represent the data structures of vShield objects. A client can “read” an object by making an HTTP GET request to the object’s resource URL. A client can “write” (create or modify) an object with an HTTP PUT or POST request that includes a new or changed XML body document for the object. And a client can usually delete an object with an HTTP DELETE request.

    In this document, we present example requests and responses, and also provide reference information on the XML schemas that define the request and response bodies.

    vShield API Conventions

    The vShield API adheres to the following conventions:
    - All vShield API requests must be sent through the vShield Manager. Every request must be sent to the vShield Manager over HTTPS.
    - All vShield REST requests require authorization. You can use the following basic authorization:

        Authorization: Basic YWRtaW46ZGVmYXVsdA==

      YWRtaW46ZGVmYXVsdA== represents the Base64 encoding of the vShield Manager default login credentials (admin:default).
  • Page 12: Restful Workflow Patterns

    RESTful Workflow Patterns

    All RESTful workflows fall into a pattern that includes only two fundamental operations:
    - Make an HTTP request (typically GET, PUT, POST, or DELETE). The target of this request is either a well-known URL (such as the vShield Manager) or a link obtained from the response to a previous request. (For example, a GET request to an Org URL returns links to vDC objects contained by the Org.)
    - Examine the response, which can be an XML document or an HTTP response code. If the response is an XML document, it may contain links or other information about the state of an object. If the response is an HTTP response code, it indicates whether the request succeeded or failed, and may be accompanied by a URL that points to a location from which additional information can be retrieved.

    These two operations can repeat, in this order, for as long as necessary.
  • Page 13: For More Information About Rest

    For More Information About REST

    For a comprehensive discussion of REST from both the client and server perspectives, see:
    - Richardson, Leonard, and Sam Ruby. RESTful Web Services. North Mankato: O'Reilly Media, Inc., 2007.

    There are also many sources of information about REST on the Web, including:
    - http://www.infoq.com/articles/rest-introduction
    - http://www.infoq.com/articles/subbu-allamaraju-rest
    - http://www.stucharlton.com/blog/archives/000141.html
  • Page 15: Vshield Manager Management

    Synchronization with vCenter requires the vCenter URL and login credentials.

    For the schema, see “vShield Manager to vCenter Server Synchronization Schema” on page 67. For the DNS schema, see “DNS Service Schema” on page 68.

    Example 2-1. Synchronizing the vShield Manager with vCenter Server and Identifying DNS Services
    Request:
      POST <vshield_manager-uri>/api/1.0/global/config

    You can also synchronize the vShield Manager with the vCenter Server without specifying DNS.

    Example 2-2. Synchronizing the vShield Manager with vCenter Server without DNS
    Request:
      POST <vshield_manager-uri>/api/1.0/global/vcInfo
  • Page 16: Retrieving Tech Support Logs

    Example 2-3. Getting the Tech Support Log File Path for a vShield Manager
    Request:
      GET <vshield_manager-uri>/api/1.0/global/techSupportLogs

    Get the vShield Edge Technical Support Log File Path

    You can download the diagnostic log from a vShield Edge. You can then send the diagnostic log to technical support for assistance in troubleshooting an issue.

    Example 2-4. Getting the Tech Support Log File Path for a vShield Edge
    Request:
      GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/techSupportLogs
  • Page 17: Esx Host Preparation For Vshield App, Endpoint, And Isolation

    Install the Licenses for vShield Edge, vShield App, and vShield Endpoint

    You must install licenses for vShield Edge, vShield App, and vShield Endpoint before installing these components. You can install these licenses by using the vSphere Client.
    1. From a vSphere Client host that is connected to a vCenter Server system, select Home > Licensing.
    2. For the report view, select Asset.
    3. Right-click a vShield asset and select Change license key.
    4. Select Assign a new license key and click Enter Key.
    5. Enter the license key, enter an optional label for the key, and click OK.
    6. Click OK.
    7. Repeat these steps for each vShield component for which you have a license.

    Install vShield App, vShield Endpoint, and Port Group Isolation Services on an ESX Host

    To shorten the time to deployment, you can install vShield App, vShield Endpoint, and Port Group Isolation services on an ESX host by using a single REST call. You can do this by including VszInstallParams, PortgroupIsolationInstallParams, and EpsecInstallParams in the POST body.
  • Page 18

      Host: 10.112.196.244
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Connection: keep-alive
      Content-Length: 489

      <VshieldConfiguration>
        <VszInstallParams>
          <DatastoreId>datastore-5035</DatastoreId>
          <ManagementPortSwitchId>network-4485</ManagementPortSwitchId>
          <MgmtInterface>
            <IpAddress>10.112.196.245</IpAddress>
            <NetworkMask>255.255.252.0</NetworkMask>
            <DefaultGw>10.112.199.253</DefaultGw>
          </MgmtInterface>
        </VszInstallParams>
        <PortgroupIsolationInstallParams>
          <DatastoreId>datastore-5035</DatastoreId>
        </PortgroupIsolationInstallParams>
        <EpsecInstallParams>true</EpsecInstallParams>
        <InstallAction>install</InstallAction>
      </VshieldConfiguration>

    ESX host preparation requires the following elements:
    - DatastoreId: vCenter MOID of the datastore on which the vShield App and Port Group Isolation service virtual machine files will be stored.
    - ManagementPortSwitchId: vCenter MOID of the port group that will host the management port of the vShield App.
    - MgmtInterface
      - IpAddress: IP address to be assigned to the management port of the vShield App. This IP address must be able to communicate with the vShield Manager.
      - NetworkMask: Subnet mask associated with the IP address assigned to the management interface of the vShield App.
      - DefaultGw: IP address of the default gateway.
  • Page 19: Get The Installation Status Of Vshield Services On An Esx Host

      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Connection: keep-alive
      Content-Length: 368

      <VshieldConfiguration>
        <VszInstallParams>
          <DatastoreId>datastore-5131</DatastoreId>
          <ManagementPortSwitchId>network-5134</ManagementPortSwitchId>
          <MgmtInterface>
            <IpAddress>10.112.196.245</IpAddress>
            <NetworkMask>255.255.252.0</NetworkMask>
            <DefaultGw>10.112.199.253</DefaultGw>
          </MgmtInterface>
        </VszInstallParams>
        <InstallAction>install</InstallAction>
      </VshieldConfiguration>

    Get the Installation Status of vShield Services on an ESX Host

    You can retrieve the installation or uninstallation status of vShield services on an ESX host to track progress as complete or not initiated. If neither of these operations is in progress, the response includes the list of installed services on the ESX host.

    Example 3-3. Getting vShield Service Installation Status on an ESX Host
    Request:
      GET <vshield_manager-uri>/api/1.0/vshield/<host-moid>
  • Page 20: Uninstalling Vshield Services From An Esx Host

    Example 3-4. Uninstalling All Three vShield Services from an ESX Host
    Request:
      DELETE <vshield_manager-uri>/api/1.0/vshield/<host-moid>

    To uninstall two services at the same time, separate the services to be uninstalled with hyphens.

    Example 3-5. Uninstalling More than One Service
    Request:
      DELETE <vshield_manager-uri>/api/1.0/vshield/<host-moid>/<hyphen-separated-service-names>

    Example: This request uninstalls a vShield App (zones) and Port Group Isolation (pgi). The vShield Endpoint service is shortened to epsec.
      DELETE /api/1.0/zones/vshield/<host-moid>/vsz-pgi

    You can uninstall a single service by specifying the service name.

    Example 3-6. Uninstall a vShield App Only
    Request:
      DELETE <vshield_manager-uri>/api/1.0/vshield/<host-moid>/vsz
  • Page 21: Vnetwork Preparation And Vshield Edge Installation

    ESX Host” on page 17.

    IMPORTANT All vShield REST requests require authorization. You can use the following basic authorization:

      Authorization: Basic YWRtaW46ZGVmYXVsdA==

    YWRtaW46ZGVmYXVsdA== represents the Base64 encoding of the vShield Manager default login credentials (admin:default).

    This chapter includes the following topics:
    - “Enabling Port Group Isolation” on page 21
    - “Installing a vShield Edge” on page 23

    Enabling Port Group Isolation

    Port Group Isolation creates a barrier between the virtual machines protected by a vShield Edge and the external network. When you enable Port Group Isolation and install a vShield Edge on a vDS port group, you isolate each secured vDS port group from the external network. When Port Group Isolation is enabled, traffic is not allowed access to the virtual machines in the secured port group unless NAT rules or VLAN tags are configured.

    Port Group Isolation is an optional feature that is not required for vShield Edge operation. Port Group Isolation is available for vDS-based vShield Edge installations only.

    To enable Port Group Isolation on a vDS
    1. Enable Port Group Isolation on each vDS.
    2. Install a vShield Edge on each vDS port group you plan to secure.
    3. Move the virtual machines to secured vDS port groups.
  • Page 22: Enable Port Group Isolation On A Vds

    Example 4-3. Disabling Port Group Isolation on a vDS
    Request:
      DELETE <vshield_manager-uri>/api/1.0/network/portgroupIsolation/dvs/<dvs-moid>

    Example:
      DELETE /api/1.0/portgroupIsolation/dvs/dvs-1069 HTTP/1.1
      Content-type: application/xml; charset=UTF-8
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Cache-Control: no-cache
      Pragma: no-cache
      Host: 10.112.196.244
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Connection: keep-alive
  • Page 23: Installing A Vshield Edge

          </ExternalInterface>
        </InstallParams>
      </VShieldEdgeConfig>

    Rules: The installation schema requires the following values:
    - operationMode: Enter routing as the value.
    - resourcePoolId: Enter the MOID of the resource pool.
    - hostId: Enter the MOID of the ESX host to which the vShield Edge is to be cloned.
    - dataStoreId: Enter the MOID of the datastore to which the vShield Edge is to be cloned.
    - InternalInterface: Enter the MOID for the internal port group.
    - ExternalInterface: Enter the MOID for the external port group.

    Example:
      POST /api/1.0/network/network-244/vshieldedge HTTP/1.1
      Content-Type: application/xml
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: localhost:9998
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Content-Length: 620
  • Page 24: Get The Install Parameters Of A Vshield Edge

      /api/1.0/network/network-244/vshieldedge HTTP/1.1
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: 10.112.196.169:9998

    Uninstall a vShield Edge

    CAUTION If you have enabled Port Group Isolation, you must migrate or power off the virtual machines on the ESX host from which you want to uninstall a vShield Edge. Uninstalling Port Group Isolation places the ESX host in maintenance mode. After uninstallation is complete, the ESX host reboots. If any of the virtual machines that are running on the target ESX host cannot be migrated to another ESX host, these virtual machines must be powered off or migrated manually before the uninstallation can continue. If the vShield Manager is on the same ESX host, the vShield Manager must be migrated prior to uninstalling Port Group Isolation.

    If you did not install and enable Port Group Isolation on an ESX host, you do not have to migrate virtual machines to uninstall a vShield Edge.

    Example 4-6. Uninstalling a vShield Edge
    Request:
      DELETE <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vshieldedge

    Example:
      DELETE /api/1.0/network/network-244/vshieldedge HTTP/1.1
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: localhost:9998
  • Page 25: Vshield Edge Management

      Authorization: Basic YWRtaW46ZGVmYXVsdA==

    YWRtaW46ZGVmYXVsdA== represents the Base64 encoding of the vShield Manager default login credentials (admin:default).

    This chapter includes the following topics:
    - “Force a vShield Edge to Synchronize with the vShield Manager” on page 26
    - “Manage CLI Credentials on a vShield Edge” on page 26
    - “Managing DHCP” on page 26
    - “Managing NAT” on page 29
    - “Configuring the vShield Edge Firewall” on page 35
    - “Configuring VPNs” on page 39
    - “Load Balancer” on page 45
    - “Managing the MTU Threshold for a vShield Edge” on page 48
    - “View Traffic Statistics” on page 49
    - “Debug vShield Edge Services Using Service Statistics” on page 49
    - “Managing the Connection to a Syslog Server” on page 50
  • Page 26: Force A Vshield Edge To Synchronize With The Vshield Manager

    Example 5-2. Managing CLI Credentials on a vShield Edge
    Request:
      PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/cli/credentials

    Example:
      PUT /api/1.0/network/network-244/cli/credentials HTTP/1.1
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: 10.112.196.213

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <VShieldEdgeConfig>
        <CLILoginCredentials>
          <username>newuser</username>
          <password>newpasswd</password>
        </CLILoginCredentials>
      </VShieldEdgeConfig>

    Managing DHCP

    vShield Edge provides DHCP service to bind assigned IP addresses to MAC addresses. All virtual machines protected by a vShield Edge can obtain IP addresses dynamically from the vShield Edge DHCP service. vShield Edge supports IP address pooling and one-to-one static IP address allocation based on the vCenter managed object ID (vmid) and interface ID (interfaceId) of the requesting client.

    vShield Edge DHCP service adheres to the following rules:
    - Listens on the vShield Edge internal interface (InternalInterface) for DHCP discovery.
    - Uses the IP address of the internal interface on the vShield Edge as the default gateway address for all clients, and the broadcast and subnetMask values of the internal interface for the container network.

    All DHCP settings configured by using REST requests appear under the vShield Edge > DHCP tab for the appropriate vShield Edge in the vShield Manager user interface and vSphere Client plug-in.

    For the DHCP schema, see “DHCP Schema” on page 81.
  • Page 27: Get The Dhcp Server Status

      PUT /api/1.0/network/network-244/dhcp/action/start HTTP/1.1
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: 10.112.196.213

    Post a DHCP Configuration

    You can add hosts and IP pools for DHCP service on a vShield Edge. The vShield Edge can allocate IP addresses to protected virtual machines from configured IP pools.

    The vShield Manager processes the posted XML file as a complete configuration for the specific vShield Edge. The current configuration is replaced with this new configuration.

    If you do not specify a value for the <leaseTime/> parameter, the default value of one day is used. A value of infinite is supported.

    Example 5-5. Adding IP Pool Ranges to a vShield Edge
    Request:
      POST <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/dhcp/config

    Rules:
    - DHCPConfigParams and its elements are optional.
    - leaseTime can be infinite or a number of seconds. If not specified, the default lease time is 1 day.
    - Logging is disabled by default. To enable logging, add a <log /> element within <DHCPConfig />.
  • Page 28: Get The Configuration For All Dhcp Hosts And Pools

    Get Timestamps of Last 10 DHCP Configurations

    You can get a list of the last 10 DHCP configurations by timestamp.

    Example 5-7. Getting Last 10 DHCP Configurations
    Request:
      GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/dhcp/snapshots

    Get a DHCP Configuration by Timestamp

    You can view the details of a past DHCP configuration by specifying the timestamp of the snapshot.

    Example 5-8. Getting a DHCP Configuration by Snapshot Timestamp
    Request:
      GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/dhcp/snapshot/<snapshot-timestamp>
  • Page 29: Revert To A Dhcp Configuration By Timestamp

    Network Address Translation) and DNAT (Destination Network Address Translation) rules.

    All SNAT and DNAT rules configured by using REST requests appear under the vShield Edge > NAT tab for the appropriate vShield Edge in the vShield Manager user interface and vSphere Client plug-in.

    For the NAT schema, see “NAT Schema” on page 79.

    Managing SNAT Rules

    The vShield Edge uses SNAT to map internal addresses to allocated public addresses. If you use Port Group Isolation, you must configure SNAT rules to allow traffic from the internal network to the external network.

    Get the SNAT Rule Set

    Example 5-11. Get the SNAT rule set on a vShield Edge
    Request:
      GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/snat/rules

    Example:
      GET /api/1.0/network/network-244/snat/rules HTTP/1.1
      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: localhost
  • Page 30: Post An Snat Rule Set

            </externalIpAddress>
            <internalIpAddress>
              <ipAddress>IpOrAny</ipAddress>
              <IpRange>
                <rangeStart>ip_address</rangeStart>
                <rangeEnd>ip_address</rangeEnd>
              </IpRange>
            </internalIpAddress>
          </NATRule>
        </NATConfig>
      </VShieldEdgeConfig>

    Rules:
    - You can add multiple SNAT rules by entering multiple <NATRule></NATRule> sections in the body.

        <VShieldEdgeConfig>
          <NATConfig>
            <NATRule>
              <internalIpAddress><ipAddress>172.17.1.11</ipAddress></internalIpAddress>
              <externalIpAddress><ipAddress>10.112.196.94</ipAddress></externalIpAddress>
            </NATRule>
            <NATRule>
              <internalIpAddress><ipAddress>172.17.1.12</ipAddress></internalIpAddress>
              <externalIpAddress><ipAddress>10.112.196.94</ipAddress></externalIpAddress>
            </NATRule>
          </NATConfig>
        </VShieldEdgeConfig>

    - Logging is disabled by default. To enable logging, add a <log /> element within <NATRule />.
    - The externalIpAddress and internalIpAddress parameters can be entered in either of these methods:

        <ipAddress>IpOrAny</ipAddress>

        <IpRange>
          <rangeStart>low_ip_address</rangeStart>
          <rangeEnd>high_ip_address</rangeEnd>
        </IpRange>
  • Page 31: Get Timestamps Of Last 10 Snat Rule Configurations For A Vshield Edge

    Get SNAT Configuration by Snapshot Timestamp

    Example 5-14. Get SNAT Configuration by Snapshot Timestamp
    Request:
      GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/snat/snapshot/<snapshot-timestamp>

    Revert to an SNAT Configuration by Snapshot Timestamp

    Example 5-15. Revert to an SNAT Configuration by Snapshot Timestamp
    Request:
      PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/snat/snapshot/<snapshot-timestamp>
  • Page 32: Delete All Snat Rules On A Vshield Edge

      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: localhost

    Post a DNAT Rule Set

    You can post a DNAT rule set for a vShield Edge. The vShield Manager processes the posted XML file as a complete rule set for the specific vShield Edge. The current rule set is replaced with this new set of rules.

    Example 5-18. Post a DNAT Rule Set on a vShield Edge
    Request:
      POST <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/dnat/rules

      <VShieldEdgeConfig>
        <NATConfig>
          <NATRule>
            <protocol>tcp|udp|icmp|any</protocol>
            <internalIpAddress>see_below</internalIpAddress>
            <internalPort>see_below</internalPort>
            <externalIpAddress>see_below</externalIpAddress>
            <externalPort>see_below</externalPort>
          </NATRule>
        </NATConfig>
      </VShieldEdgeConfig>
  • Page 33

      Authorization: Basic YWRtaW46ZGVmYXVsdA==
      Host: 10.112.196.213
      accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      content-length: 617

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <VShieldEdgeConfig>
        <NATConfig>
          <NATRule>
            <protocol>tcp</protocol>
            <internalIpAddress><ipAddress>172.16.1.11</ipAddress></internalIpAddress>
            <internalPort><port>any</port></internalPort>
            <externalIpAddress><ipAddress>10.112.196.217</ipAddress></externalIpAddress>
            <externalPort><port>any</port></externalPort>
          </NATRule>
          <NATRule>
            <protocol>icmp</protocol>
            <icmpType>any</icmpType>
            <internalIpAddress><ipAddress>172.16.1.11</ipAddress></internalIpAddress>
            <externalIpAddress><ipAddress>10.112.196.218</ipAddress></externalIpAddress>
          </NATRule>
        </NATConfig>
      </VShieldEdgeConfig>

    DNAT Rule with IP Range

      content-length: 453

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <VShieldEdgeConfig>
        <NATConfig>
          <NATRule>
            <protocol>tcp</protocol>
            <internalIpAddress>
              <IpRange>
                <rangeStart>172.17.1.10</rangeStart>
                <rangeEnd>172.17.1.15</rangeEnd>
              </IpRange>
            </internalIpAddress>
            <internalPort><port>any</port></internalPort>
            <externalIpAddress><ipAddress>10.112.196.219</ipAddress></externalIpAddress>
            <externalPort><port>any</port></externalPort>
          </NATRule>
        </NATConfig>
      </VShieldEdgeConfig>
  • Page 34: Get Timestamps Of Last 10 Dnat Rule Configurations For A Vshield Edge

    Get DNAT Configuration by Snapshot Timestamp
    Example 5-20. Get DNAT Configuration by Snapshot Timestamp
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/dnat/snapshot/<snapshot-timestamp>

    Revert to a DNAT Configuration by Snapshot Timestamp
    Example 5-21. Revert to a DNAT Configuration by Snapshot Timestamp
    Request:
    PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/dnat/snapshot/<snapshot-timestamp>
  • Page 35: Delete All Dnat Rules

    GET /api/1.0/network/network-244/firewall/rules HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: 10.112.196.213

    Post a Firewall Rule Set
    You add all firewall rules as a set for each vShield Edge. The vShield Manager processes the posted XML file as a complete rule set for the specified vShield Edge. The new rule set replaces the entire previous rule set.

    IMPORTANT You must include rules from the current rule set in the new rule set to maintain those rules. Any rules not included in the new rule set are deleted. Since you cannot delete the default rules, you must include the default rules in every rule set. You can change the action of any of the default rules.

    Example 5-24. Post the Firewall Rule Set on a vShield Edge
    Request:
    POST <vShield_Manager-uri>/api/1.0/network/<portgroup-moid>/firewall/rules
    <VShieldEdgeConfig>
      <FirewallConfig>
        <FirewallRule>
          <protocol>tcp|udp|icmp|any</protocol>
          <sourceIpAddress>see_below</sourceIpAddress>
          <sourcePort>see_below</sourcePort>
          <destinationIpAddress>see_below</destinationIpAddress>
  • Page 36
    <rangeEnd>high_port</rangeEnd>
    </PortRange>

    Example: Allow any firewall rule set
    POST /api/1.0/network/network-244/firewall/rules HTTP/1.1
    content-type: application/xml; charset=UTF-8
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: 10.112.196.213
    accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    content-length: 711
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <VShieldEdgeConfig>
      <FirewallConfig>
        <FirewallRule>
          <protocol>any</protocol>
          <sourceIpAddress><ipAddress>any</ipAddress></sourceIpAddress>
          <sourcePort><port>any</port></sourcePort>
          <destinationIpAddress><ipAddress>any</ipAddress></destinationIpAddress>
          <destinationPort><port>any</port></destinationPort>
          <direction>out</direction>
          <action>allow</action>
        </FirewallRule>
        <FirewallRule>
          <protocol>icmp</protocol>
          <icmpType>any</icmpType>
          <sourceIpAddress><ipAddress>any</ipAddress></sourceIpAddress>
          <destinationIpAddress><ipAddress>any</ipAddress></destinationIpAddress>
          <direction>out</direction>
          <action>allow</action>
        </FirewallRule>
      </FirewallConfig>
    </VShieldEdgeConfig>
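The DNAT rule set earlier and this firewall rule set are both whole-set replacements, so the practical risk is silently dropping every rule that is not re-sent. The following is an added example, not code from this guide or from VMware: it composes the replacement set from the current one, reports anything a hand-written candidate set would delete, and assembles the request with the guide's Basic auth header. The host, credentials and rule contents are constructed placeholders.

```python
"""Compose and check a vShield Edge firewall rule set before POSTing it.

Added example, not from this guide or VMware. Element names follow the
FirewallConfig examples in the guide; host, credentials and rules are
constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample of what GET .../firewall/rules returns today (same
# shape as the guide's "allow any" example).
CURRENT_RULE_SET = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VShieldEdgeConfig><FirewallConfig>
<FirewallRule><protocol>any</protocol><sourceIpAddress><ipAddress>any</ipAddress></sourceIpAddress><sourcePort><port>any</port></sourcePort><destinationIpAddress><ipAddress>any</ipAddress></destinationIpAddress><destinationPort><port>any</port></destinationPort><direction>out</direction><action>allow</action></FirewallRule>
<FirewallRule><protocol>icmp</protocol><icmpType>any</icmpType><sourceIpAddress><ipAddress>any</ipAddress></sourceIpAddress><destinationIpAddress><ipAddress>any</ipAddress></destinationIpAddress><direction>out</direction><action>allow</action></FirewallRule>
</FirewallConfig></VShieldEdgeConfig>"""

XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'


def parse_rules(xml_text):
    """Return the <FirewallRule> elements of a VShieldEdgeConfig document."""
    return ET.fromstring(xml_text).findall("./FirewallConfig/FirewallRule")


def canonical(rule):
    """Order-independent fingerprint of one rule: (leaf path, value) pairs."""
    leaves = []

    def walk(el, path):
        if len(el) == 0:
            leaves.append((path, (el.text or "").strip()))
        for child in el:
            walk(child, path + "/" + child.tag)

    for child in rule:
        walk(child, child.tag)
    return tuple(sorted(leaves))


def make_rule(protocol, src_ip, src_port, dst_ip, dst_port, direction, action):
    """Build one FirewallRule in the element order the guide's examples use."""
    rule = ET.Element("FirewallRule")
    ET.SubElement(rule, "protocol").text = protocol
    ET.SubElement(ET.SubElement(rule, "sourceIpAddress"), "ipAddress").text = src_ip
    ET.SubElement(ET.SubElement(rule, "sourcePort"), "port").text = src_port
    ET.SubElement(ET.SubElement(rule, "destinationIpAddress"), "ipAddress").text = dst_ip
    ET.SubElement(ET.SubElement(rule, "destinationPort"), "port").text = dst_port
    ET.SubElement(rule, "direction").text = direction
    ET.SubElement(rule, "action").text = action
    return rule


def build_rule_set(current_xml, new_rules):
    """Replacement set = every current rule, then the new ones. The Manager
    replaces the whole set, so anything left out here is deleted."""
    root = ET.Element("VShieldEdgeConfig")
    cfg = ET.SubElement(root, "FirewallConfig")
    for rule in parse_rules(current_xml):
        cfg.append(rule)
    for rule in new_rules:
        cfg.append(rule)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def missing_rules(current_xml, candidate_xml):
    """Rules present today that candidate_xml would silently remove. Run it on
    any hand-written set before POSTing; it must be empty unless the removal
    is intended (default rules can never be left out)."""
    candidate = {canonical(r) for r in parse_rules(candidate_xml)}
    return [canonical(r) for r in parse_rules(current_xml)
            if canonical(r) not in candidate]


def basic_auth_header(user, password):
    """Authorization header value. Basic auth is base64, not encryption: the
    guide's sample value decodes straight back to user:password, so the
    request must travel over TLS only."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def post_request(host, portgroup_moid, user, password, body):
    """Raw HTTP/1.1 request for POST .../firewall/rules, as in the guide."""
    payload = body.encode("utf-8")
    headers = [
        f"POST /api/1.0/network/{portgroup_moid}/firewall/rules HTTP/1.1",
        "content-type: application/xml; charset=UTF-8",
        f"Authorization: {basic_auth_header(user, password)}",
        f"Host: {host}",
        f"content-length: {len(payload)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + payload


if __name__ == "__main__":
    deny_ssh = make_rule("tcp", "any", "any", "172.16.1.11", "22", "in", "deny")
    new_set = build_rule_set(CURRENT_RULE_SET, [deny_ssh])
    assert not missing_rules(CURRENT_RULE_SET, new_set)
    print(post_request("10.112.196.213", "network-244", "admin", "CHANGE-ME", new_set).decode())
```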
  • Page 37: Get The Status Of The Default Policy For A Vshield Edge

    Example 5-26. Change the Action of the Default Firewall Policy on a vShield Edge
    Request:
    PUT <vShield_Manager-uri>/api/1.0/network/<portgroup-moid>/firewall/default/{allow|deny}
    Example:
    PUT /api/1.0/network/network-244/firewall/default/allow HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: 10.112.196.213

    Get Details of a Specific Firewall Rule
    You can view the details of a specific firewall rule applied on a vShield Edge.
    Example 5-27. Get a Firewall Rule
    Request:
    GET <vShield_Manager-uri>/api/1.0/network/<portgroup-moid>/firewall/rules/<rule-id>
  • Page 38: Get Timestamps Of Last 10 Firewall Rule Sets For A Vshield Edge

    Example 5-30. Revert to a DNAT Configuration by Snapshot Timestamp
    Request:
    PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/firewall/snapshot/<snapshot-timestamp>

    Delete All Firewall Rules on a vShield Edge
    If you delete all firewall rules on a vShield Edge agent, the agent enforces the default policy on all incoming and outgoing traffic sessions.
    Example 5-31. Delete All Firewall Rules on a vShield Edge
    Request:
    DELETE <vShield_Manager-uri>/api/1.0/network/<portgroup-moid>/firewall/rules
    Example:
    DELETE /api/1.0/network/network-244/firewall/rules HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: 10.112.196.213
  • Page 39: Configuring Vpns

    These subnets and the internal network behind a vShield Edge must have non-overlapping address ranges.
    You can deploy a vShield Edge agent behind a NAT device. In this deployment, the NAT device translates the vShield Edge agent's VPN address into a publicly accessible address facing the Internet; remote VPN routers use this public address to reach the vShield Edge.
    Remote VPN routers can be located behind a NAT device as well. You must provide both the VPN native address and the NAT public address to set up the tunnel.
    All VPN settings configured by using REST requests appear under the vShield Edge > VPN tab for the appropriate vShield Edge in the vShield Manager user interface and vSphere Client plug-in.
    For the VPN schema, see "VPN Schema" on page 83.

    Get the Status of VPN Service
    You can determine whether the VPN service on a vShield Edge is running or stopped by requesting the service status.
    Example 5-32. Getting the Status of VPN Service
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/service
    Example:
    GET /api/1.0/network/network-244/vpn/ipsec/service HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
  • Page 40: Start Or Stop The Vpn Service On A Vshield Edge

    VPN service requires encryption. You must specify the <encryptionAlgorithm /> element as either 3des or aes.
    The natedPublicIpAddress element under VPNServerConfig is optional.
    The siteName and tunnelName can contain only alphanumeric characters.
    Example:
    POST /api/1.0/network/network-244/vpn/ipsec/config HTTP/1.1
    Content-Type: application/xml
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Content-Length: 662
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <VShieldEdgeConfig>
      <VPNConfig>
        <IpsecVPNConfig>
          <SiteToSiteIpsec>
            <VPNServerConfig>
              <externalIpAddress>10.112.196.219</externalIpAddress>
            </VPNServerConfig>
            <VPNSite>
              <Configuration>
                <siteName>VSE1</siteName>
                <remoteEndPointexternalIpAddress>10.112.196.99</remoteEndPointexternalIpAddress>
                <sharedSecret>psk1</sharedSecret>
                <mtu>1500</mtu>
              </Configuration>
              <VPNTunnel>
                <Configuration>
                  <tunnelName>tunnelVSE</tunnelName>
                  <remoteSiteSubnet>172.15.1.0/24</remoteSiteSubnet>
                  <encryptionAlgorithm>3des</encryptionAlgorithm>
                </Configuration>
              </VPNTunnel>
            </VPNSite>
          </SiteToSiteIpsec>
        </IpsecVPNConfig>
      </VPNConfig>
    </VShieldEdgeConfig>
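An added example (not code from this guide or from VMware) that checks a SiteToSiteIpsec document against the constraints stated here (3des or aes only, alphanumeric siteName and tunnelName, optional natedPublicIpAddress) and the earlier requirement that remote site subnets must not overlap the internal network. The internal network CIDR passed by the caller and the second, deliberately broken document are constructed.

```python
"""Validate a vShield Edge site-to-site VPN document before POSTing it to
.../vpn/ipsec/config.

Added example, not from this guide or VMware. Element names follow the
guide's example request; the internal network CIDR and BAD_CONFIG are
constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

ALLOWED_ALGORITHMS = {"3des", "aes"}      # the only values the guide accepts
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")  # siteName / tunnelName: alphanumeric only

# The guide's own example body, reflowed.
GOOD_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VShieldEdgeConfig><VPNConfig><IpsecVPNConfig><SiteToSiteIpsec>
<VPNServerConfig><externalIpAddress>10.112.196.219</externalIpAddress></VPNServerConfig>
<VPNSite><Configuration><siteName>VSE1</siteName>
<remoteEndPointexternalIpAddress>10.112.196.99</remoteEndPointexternalIpAddress>
<sharedSecret>psk1</sharedSecret><mtu>1500</mtu></Configuration>
<VPNTunnel><Configuration><tunnelName>tunnelVSE</tunnelName>
<remoteSiteSubnet>172.15.1.0/24</remoteSiteSubnet>
<encryptionAlgorithm>3des</encryptionAlgorithm></Configuration></VPNTunnel>
</VPNSite></SiteToSiteIpsec></IpsecVPNConfig></VPNConfig></VShieldEdgeConfig>"""

# Constructed counter-example that breaks each stated rule exactly once.
BAD_CONFIG = (GOOD_CONFIG
              .replace("</VPNServerConfig>",
                       "<natedPublicIpAddress>not-an-ip</natedPublicIpAddress></VPNServerConfig>")
              .replace("tunnelVSE", "tunnel-1")
              .replace("3des", "des")
              .replace("172.15.1.0/24", "172.16.1.0/25"))


def _text(parent, tag):
    """Text of a direct child element, or None when it is absent."""
    child = parent.find(tag)
    return None if child is None or child.text is None else child.text.strip()


def validate_vpn_config(xml_text, internal_network):
    """Return the list of violations (empty when the document is acceptable).
    internal_network is the CIDR behind the Edge, supplied by the caller
    (constructed here; the guide does not carry it)."""
    internal = ipaddress.ip_network(internal_network, strict=False)
    problems = []
    s2s = ET.fromstring(xml_text).find("./VPNConfig/IpsecVPNConfig/SiteToSiteIpsec")
    if s2s is None:
        return ["no SiteToSiteIpsec section"]

    # natedPublicIpAddress is optional, but must be an address when present.
    server = s2s.find("VPNServerConfig")
    nated = _text(server, "natedPublicIpAddress") if server is not None else None
    if nated is not None:
        try:
            ipaddress.ip_address(nated)
        except ValueError:
            problems.append(f"natedPublicIpAddress {nated!r} is not an IP address")

    seen = []  # (tunnelName, network) pairs already accepted, for overlap checks
    for site in s2s.findall("VPNSite"):
        cfg = site.find("Configuration")
        site_name = _text(cfg, "siteName") if cfg is not None else None
        if not site_name or not NAME_RE.match(site_name):
            problems.append(f"siteName {site_name!r} must be alphanumeric")
        for tun in site.findall("VPNTunnel/Configuration"):
            name = _text(tun, "tunnelName")
            if not name or not NAME_RE.match(name):
                problems.append(f"tunnelName {name!r} must be alphanumeric")
            algo = _text(tun, "encryptionAlgorithm")
            if algo not in ALLOWED_ALGORITHMS:
                problems.append(f"tunnel {name!r}: encryptionAlgorithm must be 3des or aes, not {algo!r}")
            cidr = _text(tun, "remoteSiteSubnet")
            try:
                subnet = ipaddress.ip_network(cidr, strict=False)
            except (ValueError, TypeError):
                problems.append(f"tunnel {name!r}: remoteSiteSubnet {cidr!r} is not a CIDR")
                continue
            if subnet.overlaps(internal):
                problems.append(f"tunnel {name!r}: {subnet} overlaps the internal network {internal}")
            for other_name, other in seen:
                if subnet.overlaps(other):
                    problems.append(f"tunnel {name!r}: {subnet} overlaps {other} (tunnel {other_name!r})")
            seen.append((name, subnet))
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_vpn_config(doc, "172.16.1.0/24"))
```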
  • Page 41: Add A Remote Site

    Example 5-35. Adding a Remote VPN Site
    Request:
    POST <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/sites
    Example
    POST /api/1.0/network/network-244/vpn/ipsec/sites
    Content-Type: application/xml
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Content-Length: 576
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <VShieldEdgeConfig>
      <VPNConfig>
        <IpsecVPNConfig>
          <SiteToSiteIpsec>
            <VPNSite>
              <Configuration>
                <siteName>VSE2</siteName>
                <remoteEndPointexternalIpAddress>10.112.196.218</remoteEndPointexternalIpAddress>
                <sharedSecret>psk2</sharedSecret>
                <mtu>1500</mtu>
              </Configuration>
              <VPNTunnel>
                <Configuration>
                  <tunnelName>tunnelVSE1</tunnelName>
                  <remoteSiteSubnet>172.19.1.0/24</remoteSiteSubnet>
                  <encryptionAlgorithm>3des</encryptionAlgorithm>
                </Configuration>
              </VPNTunnel>
            </VPNSite>
          </SiteToSiteIpsec>
        </IpsecVPNConfig>
      </VPNConfig>
    </VShieldEdgeConfig>
  • Page 42: Add Tunnels For A Vpn Site

    GET /api/1.0/network/dvportgroup-1004/vpn/ipsec/detailedconfig HTTP/1.1
    Host: localhost:9998
    authorization: Basic YWRtaW46ZGVmYXVsdA==

    Get the Detailed Configuration for a VPN Site
    You can retrieve a detailed VPN configuration for a site that contains the VPN server configuration, site configuration, tunnel configuration, and the detailed configuration of all tunnels for the site.
    Example 5-38. Getting the Detailed Configuration for a VPN Site
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/<site-name>/detailedconfig
    Example:
    GET /api/1.0/network/resgroup-v107/vpn/ipsec/site01/detailedconfig HTTP/1.1
    Host: localhost:9998
    authorization: Basic YWRtaW46ZGVmYXVsdA==
  • Page 43: Get The Detailed Tunnel Configuration

    Example 5-41. Deleting a Remote VPN Site
    Request:
    DELETE <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/site/<site-name>

    Get the Current VPN Configuration on a vShield Edge
    You can retrieve the current VPN configuration on a vShield Edge to view settings such as tunnels and sites, as well as entity naming and addressing.
    Example 5-42. Getting the Current VPN Configuration
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/config
    Example:
    GET /api/1.0/network/network-244/vpn/ipsec/config HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
  • Page 44: Get Timestamps Of Last 10 Vpn Configurations

    Example 5-45. Reverting to a VPN Configuration by Timestamp
    Request:
    PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/vpn/snapshot/<snapshot-timestamp>

    Delete the VPN Configuration on a vShield Edge
    You can delete the current VPN configuration to clear VPN settings from the vShield Edge running configuration. The vShield Edge saves the deleted configuration by marking it with a timestamp.
    Example 5-46. Deleting the VPN Configuration on a vShield Edge
    Request:
    DELETE <vShield_Manager-uri>/api/1.0/network/<portgroup-moid>/vpn/ipsec/config
    Example:
    DELETE /api/1.0/network/network-244/vpn/ipsec/config HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
  • Page 45: Load Balancer

    For the load balancer schema, see "Load Balancer Schema" on page 86.

    Get the Status of Load Balancer Service on a vShield Edge
    Example 5-47. Getting the Status of Load Balancer Service on a vShield Edge
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/loadbalancer/service
    Example:
    GET /api/1.0/network/network-244/loadbalancer/service HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
  • Page 46: Start Or Stop The Load Balancer Service On A Vshield Edge

    Logging is disabled by default. To enable logging, add a <log /> element within <Listener />.
    The backendServers internalIPList element is a comma-separated IP list. Port 80 is used by default. You can specify custom IP:Port values in the internalIPList.
    Example: Basic load balancer configuration
    POST /api/1.0/network/network-244/loadbalancer HTTP/1.1
    Content-Type: application/xml
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Content-Length: 490
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <VShieldEdgeConfig>
      <LoadBalancerConfig>
        <Listener>
          <externalIPAddress>10.112.196.95</externalIPAddress>
          <BackEndServers>
            <internalIPList>172.17.1.11,172.17.1.12</internalIPList>
          </BackEndServers>
          <algorithm>ip-hash</algorithm>
        </Listener>
        <Listener>
          <externalIPAddress>10.112.196.96</externalIPAddress>
          <BackEndServers>
            <internalIPList>172.17.1.11,172.17.1.12</internalIPList>
          </BackEndServers>
        </Listener>
      </LoadBalancerConfig>
    </VShieldEdgeConfig>
  • Page 47: Get The Current Load Balancer Configuration On A Vshield Edge

    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/loadbalancer/<loadbalancer-id>
    Example:
    GET /api/1.0/network/network-244/loadbalancer/3 HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:80

    Get Timestamps of Last 10 Load Balancer Configurations
    You can retrieve a list of the last 10 load balancer configuration changes. You can use the returned timestamps to review the details of past configurations in a separate request.
    Example 5-52. Getting the Last 10 Load Balancer Configurations by Timestamp
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/loadbalancer/snapshots
  • Page 48: Get A Load Balancer Configuration By Timestamp

    Example 5-55. Deleting the Load Balancer Configuration on a vShield Edge
    Request:
    DELETE <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/loadbalancer
    Example:
    DELETE /api/1.0/network/network-244/loadbalancer HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost:9998

    Managing the MTU Threshold for a vShield Edge
    You can set a maximum transmission unit (MTU) threshold for traffic on the Internal and External interfaces of a vShield Edge.
    For the MTU threshold schema, see "MTU Threshold Schema" on page 87.
    Example 5-56. Configuring the MTU Threshold for a vShield Edge
    Request:
    PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/mtu
  • Page 49: View Traffic Statistics

    Example 5-58. Getting Traffic Statistics for a vShield Edge
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/trafficstats/all
    Example:
    GET /api/1.0/network/network-244/trafficstats/all HTTP/1.1
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: localhost

    Debug vShield Edge Services Using Service Statistics
    You can retrieve the path to the service statistics file of a vShield Edge and use the statistics to debug service issues.
    Example 5-59. Debugging a vShield Edge by Using Service Statistics
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/serviceStats
    Response:
    XML containing the path of the vShield Edge service statistics file, which can be downloaded over HTTP
  • Page 50: Managing The Connection To A Syslog Server

    Get the Current Syslog Server Configuration
    Example 5-61. Getting the Running Syslog Server Configuration
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/syslog/config

    Get Timestamps of Last 10 Syslog Server Configurations
    Example 5-62. Getting the Last 10 Syslog Server Configurations by Timestamp
    Request:
    GET <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/syslog/snapshots
  • Page 51: Get A Syslog Server Configuration By Timestamp

    Revert to a Syslog Server Configuration by Timestamp
    Example 5-64. Reverting to a Syslog Server Configuration by Timestamp
    Request:
    PUT <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/syslog/snapshot/<snapshot-timestamp>

    Delete the Current Syslog Server Configuration
    Example 5-65. Deleting a Syslog Server Configuration
    Request:
    DELETE <vshield_manager-uri>/api/1.0/network/<portgroup-moid>/syslog/config
  • Page 53: Vshield App Management

    "Configuring Syslog Service for a vShield App" on page 62

    Configuring Firewall Rules for a vCenter Container
    The primary function of a vShield App is to provide firewall protection on an ESX host by inspecting each session and returning details to the vShield Manager. Traffic details include sources, destinations, direction of sessions, applications, and ports being used. Traffic details can be used to create firewall allow or deny rules.
    In the vShield Manager user interface or vSphere Client plug-in, the App Firewall tab contains the firewall rules enforced by vShield App instances. You can manage App Firewall rules at the datacenter, cluster, and port group levels to provide a consistent set of rules across multiple vShield App instances under these containers. As membership in these containers can change dynamically, App Firewall maintains the state of existing sessions without requiring reconfiguration of firewall rules. In this way, App Firewall effectively has a continuous footprint on each ESX host under the managed containers.
    When creating App Firewall rules, you can create general rules based on incoming or outgoing traffic at the container level. For example, you can create a rule to deny any traffic from outside of a datacenter that targets a destination within the datacenter. You can create a rule to deny any incoming traffic that is not tagged with a VLAN ID.
    All firewall rules configured by using REST requests appear under the App Firewall tab for the appropriate container in the vShield Manager user interface and vSphere Client plug-in.
    For the complete firewall XML schema, see "vShield App Firewall Schema" on page 72.

    View All Firewall Rules for a Container
    You can view all of the firewall rules for a specific container (datacenter, cluster, or port group) and any child containers by identifying the managed object ID (container-moid) of the container. For example, if you request the rule set at the datacenter level, the response includes the rules for the clusters and port groups within that datacenter. It is good practice to view the current firewall rule set before posting new or updated rules.
  • Page 54: Post An App Firewall Rule Set For A Container

    655
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <vshieldZonesFirewallConfiguration>
      <ContainerAssociation>
        <Container id="vShield"><InstanceId>datacenter-7</InstanceId></Container>
        <Container id="ANY"><Name>ANY</Name></Container>
      </ContainerAssociation>
      <RuleSet>
        <Rule><ID>0</ID><Precedence>High</Precedence><Position>1</Position><Source ref="vShield" exclude="false"/><Destination ref="vShield" exclude="true"/><SourcePorts>ANY</SourcePorts><Application type="UNICAST">FTP</Application><DestinationPorts>21</DestinationPorts><Protocol>TCP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>58024</ID><Precedence>High</Precedence><Position>1</Position><Source ref="vShield" exclude="true"/><Destination ref="vShield" exclude="false"/><SourcePorts>ANY</SourcePorts><Application type="UNICAST">MS-DS</Application><DestinationPorts>445</DestinationPorts><Protocol>TCP</Protocol><Action>DENY</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1001</ID><Precedence>Default</Precedence><Position>1</Position><Source ref="ANY" exclude="false"/><Destination ref="ANY" exclude="false"/><SourcePorts>68</SourcePorts><Application type="UNICAST">DHCP-Server</Application><DestinationPorts>67</DestinationPorts><Protocol>UDP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1002</ID><Precedence>Default</Precedence><Position>2</Position><Source ref="ANY" exclude="false"/><Destination ref="ANY" exclude="false"/><SourcePorts>67</SourcePorts><Application type="UNICAST">DHCP-Client</Application><DestinationPorts>68</DestinationPorts><Protocol>UDP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1003</ID><Precedence>Default</Precedence><Position>3</Position><Source
  • Page 55
    ID><Precedence>High</Precedence><Position>1</Position><Source ref="vShield" exclude="true"/><Destination ref="No Vlan (0)" exclude="false"/><SourcePorts>ANY</SourcePorts><Application type="UNICAST">MS-RPC</Application><DestinationPorts>135</DestinationPorts><Protocol>TCP</Protocol><Action>DENY</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1001</ID><Precedence>Default</Precedence><Position>1</Position><Source ref="ANY" exclude="false"/><Destination ref="ANY" exclude="false"/><SourcePorts>68</SourcePorts><Application type="UNICAST">DHCP-Server</Application><DestinationPorts>67</DestinationPorts><Protocol>UDP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1002</ID><Precedence>Default</Precedence><Position>2</Position><Source ref="ANY" exclude="false"/><Destination ref="ANY" exclude="false"/><SourcePorts>67</SourcePorts><Application type="UNICAST">DHCP-Client</Application><DestinationPorts>68</DestinationPorts><Protocol>UDP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1003</ID><Precedence>Default</Precedence><Position>3</Position><Source ref="ANY" exclude="false"/><Destination ref="ANY" exclude="false"/><SourcePorts>ANY</SourcePorts><Application type="UNICAST">ANY</Application><DestinationPorts>ANY</DestinationPorts><Protocol>TCP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1004</ID><Precedence>Default</Precedence><Position>4</Position><Source ref="ANY" exclude="false"/><Destination ref="ANY" exclude="false"/><SourcePorts>ANY</SourcePorts><Application type="UNICAST">ANY</Application><DestinationPorts>ANY</DestinationPorts><Protocol>UDP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>1005</ID><Precedence>Default</Precedence><Position>1</Position><Source ref="ANY"
  • Page 56
    Example 6-5. Posting a Firewall Rule Set at the Port Group Level
    Example:
    POST /api/1.0/zones/portgroup-512/firewall/rules
    content-type: application/xml; charset=UTF-8
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
    Host: 192.168.102.134
    content-length: 655
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <vshieldZonesFirewallConfiguration>
      <ContainerAssociation>
        <Container id="zone-1"><InstanceId>udz-6</InstanceId></Container>
      </ContainerAssociation>
      <RuleSet>
        <Rule><ID>0</ID><Precedence>High</Precedence><Position>2</Position><Source ref="zone-1" exclude="true"/><Destination ref="zone-1" exclude="false"/><SourcePorts>ANY</SourcePorts><Application type="UNICAST">FTP</Application><DestinationPorts>21</DestinationPorts><Protocol>TCP</Protocol><Action>ALLOW</Action><Log>false</Log><Notes></Notes></Rule>
        <Rule><ID>58013</ID><Precedence>High</Precedence><Position>1</Position><Source ref="zone-1" exclude="true"/><Destination ref="zone-1"
  • Page 57: View A List Of Timestamps Identifying App Firewall Rule Set Changes

    Example:
    GET /api/1.0/zones/datacenter-4361/firewall/snapshot/1274872770000 HTTP/1.1
    Host: localhost
    Authorization: Basic YWRtaW46ZGVmYXVsdA==

    Revert to a Previous Firewall Rule Set
    You can revert to a previous firewall rule set by specifying the appropriate container and timestamp.
    Example 6-8. Revert to a Previous Firewall Rule Set
    Request:
    PUT <vshield_manager-uri>/api/1.0/zones/<container-moid>/firewall/snapshot/<timestamp>
    Example:
    PUT /api/1.0/zones/datacenter-4361/firewall/snapshot/1274872770000 HTTP/1.1
    Host: localhost
    Authorization: Basic YWRtaW46ZGVmYXVsdA==
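The snapshot endpoints above make a simple drift check possible: compare the rule set a container enforces now with the snapshot you last reviewed, and escalate any change that opens traffic before deciding whether to revert. The following is an added example, not code from this guide or from VMware; both rule-set documents are constructed in the vshieldZonesFirewallConfiguration shape shown in the earlier examples and stand in for the GET .../firewall/rules and GET .../firewall/snapshot/<timestamp> responses.

```python
"""Diff a vShield App firewall rule set against a saved snapshot of it.

Added example, not from this guide or VMware. Both documents below are
constructed samples in the vshieldZonesFirewallConfiguration shape the
guide's examples use.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop a namespace prefix ({http://www.vmware.com}Rule -> Rule) so the
    parser accepts both the un-namespaced examples and a namespaced response."""
    return tag.rsplit("}", 1)[-1]


# Template for one <Rule> in the guide's element order (used only to build
# the constructed samples; rules are parsed back from XML below).
RULE = ('<Rule><ID>{id}</ID><Precedence>{prec}</Precedence><Position>{pos}</Position>'
        '<Source ref="{src}" exclude="{sx}"/><Destination ref="{dst}" exclude="{dx}"/>'
        '<SourcePorts>{sp}</SourcePorts><Application type="UNICAST">{app}</Application>'
        '<DestinationPorts>{dp}</DestinationPorts><Protocol>{proto}</Protocol>'
        '<Action>{action}</Action><Log>{log}</Log><Notes></Notes></Rule>')


def rule_set_xml(rules):
    """Wrap rule dicts in a datacenter-level rule set document (constructed)."""
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<vshieldZonesFirewallConfiguration><ContainerAssociation>'
            '<Container id="vShield"><InstanceId>datacenter-7</InstanceId></Container>'
            '</ContainerAssociation><RuleSet>' + "".join(RULE.format(**r) for r in rules)
            + '</RuleSet></vshieldZonesFirewallConfiguration>')


FTP_ALLOW = dict(id="0", prec="High", pos="1", src="vShield", sx="false", dst="vShield",
                 dx="true", sp="ANY", app="FTP", dp="21", proto="TCP", action="ALLOW", log="false")
SMB_DENY = dict(id="58024", prec="High", pos="1", src="vShield", sx="true", dst="vShield",
                dx="false", sp="ANY", app="MS-DS", dp="445", proto="TCP", action="DENY", log="false")
DHCP_ALLOW = dict(id="1001", prec="Default", pos="1", src="ANY", sx="false", dst="ANY",
                  dx="false", sp="68", app="DHCP-Server", dp="67", proto="UDP", action="ALLOW", log="false")
RPC_DENY = dict(id="2000", prec="High", pos="2", src="ANY", sx="false", dst="vShield",
                dx="false", sp="ANY", app="MS-RPC", dp="135", proto="TCP", action="DENY", log="true")

SNAPSHOT_XML = rule_set_xml([FTP_ALLOW, SMB_DENY, DHCP_ALLOW])        # last reviewed state
CURRENT_XML = rule_set_xml([dict(FTP_ALLOW, log="true"),              # logging switched on
                            dict(SMB_DENY, action="ALLOW"),           # DENY flipped to ALLOW
                            RPC_DENY])                                # new rule; DHCP rule gone


def parse_rule_set(xml_text):
    """Map rule ID -> {field: value}; Source/Destination keep (ref, exclude)."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter():
        if _local(rule.tag) != "Rule":
            continue
        fields = {}
        for el in rule:
            name = _local(el.tag)
            if name in ("Source", "Destination"):
                fields[name] = (el.get("ref"), el.get("exclude"))
            else:
                fields[name] = (el.text or "").strip()
        rules[fields["ID"]] = fields
    return rules


def diff_rule_sets(baseline, current):
    """(added_ids, removed_ids, changed) with changed: ID -> {field: (old, new)}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rid in set(baseline) & set(current):
        delta = {f: (baseline[rid].get(f), current[rid].get(f))
                 for f in set(baseline[rid]) | set(current[rid])
                 if baseline[rid].get(f) != current[rid].get(f)}
        if delta:
            changed[rid] = delta
    return added, removed, changed


def weakening_changes(baseline, current):
    """Changes that let more traffic through: a DENY rule removed, or a DENY
    flipped to ALLOW. These are the findings worth escalating (or reverting
    via PUT .../firewall/snapshot/<timestamp>)."""
    _, removed, changed = diff_rule_sets(baseline, current)
    findings = []
    for rid in removed:
        if baseline[rid].get("Action") == "DENY":
            findings.append(f"rule {rid} ({baseline[rid].get('Application')} DENY) removed")
    for rid, delta in changed.items():
        if delta.get("Action") == ("DENY", "ALLOW"):
            findings.append(f"rule {rid} ({current[rid].get('Application')}) changed DENY -> ALLOW")
    return findings


if __name__ == "__main__":
    base, cur = parse_rule_set(SNAPSHOT_XML), parse_rule_set(CURRENT_XML)
    print(diff_rule_sets(base, cur))
    print(weakening_changes(base, cur))
```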
  • Page 58: Delete All Firewall Rules Under A Container

    For the security groups schema, see "Security Groups Schema" on page 69.

    Add a Security Group
    Example 6-10. Adding a Security Group
    Request:
    POST <vshield_manager-uri>/api/1.0/global/securityGroups/<base-node-moid>/groups
    Example: Adding a single security group
    POST /api/1.0/global/securityGroups/datacenter-7/groups/ HTTP/1.1
    authorization: Basic YWRtaW46ZGVmYXVsdA==
    host: 10.112.196.127
    Content-Type: application/xml
    Content-Length: 474
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <VsmGlobalConfig>
      <SecurityGroups>
        <SecurityGroup>
          <SecurityGroupBaseNode>datacenter-7</SecurityGroupBaseNode>
          <SecurityGroupName>Zone-3</SecurityGroupName>
          <SecurityGroupNodeList>
            <Node><Id>502888cf-e08c-61dc-4523-a87e234d821a.000</Id></Node>
            <Node><Id>502a183c-715e-5e37-f413-aea57de1e884.000</Id></Node>
          </SecurityGroupNodeList>
        </SecurityGroup>
      </SecurityGroups>
    </VsmGlobalConfig>
  • Page 59: Add A Virtual Machine To A Security Group

    You can add a virtual machine to a Security Group by specifying the node in which the Security Group resides. You use the vNIC identifier to identify the virtual machine. To get the <NIC-ID> parameter, see "Get the Properties from a Virtual Machine" on page 60.
    Example 6-12. Adding a Virtual Machine to a Security Group
    Request:
    POST <vshield_manager-uri>/api/1.0/global/securityGroups/<base-node-moid>/nodes/<nic-id>
    Example:
    POST /api/1.0/global/securityGroups/dvportgroup-343/nodes/502a7702-8936-be93-ec75-1f0d00abefdb.000 HTTP/1.1
    authorization: Basic YWRtaW46ZGVmYXVsdA==
    host: 10.112.196.127
    Content-Type: application/xml
    Content-Length: 207
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <VsmGlobalConfig>
      <SecurityGroups>
        <SecurityGroupIdList>
          <SecurityGroupId>udz-1</SecurityGroupId>
        </SecurityGroupIdList>
      </SecurityGroups>
    </VsmGlobalConfig>
  • Page 60: Get The List Of All Security Groups Under A Base Node

    Example 6-15. Getting the IP Addresses of Virtual Machines in a Security Group
    Request:
    GET <vshield_manager-uri>/api/1.0/global/securityGroups/<base-node-moid>/groups/<securityGroupId>/ipList

    Get the Properties from a Virtual Machine
    You can get the properties of a virtual machine so that you can use the NIC-ID to add the virtual machine to a Security Group. See "Add a Virtual Machine to a Security Group" on page 59. See "Virtual Machine Information Schema" on page 68.
    Example 6-16. Getting the Properties of a Virtual Machine
    Request:
    GET <vshield_manager-uri>/api/1.0/global/vmInfo/<vm-moid>
    Example:
    GET /api/1.0/global/vmInfo/vm-570 HTTP/1.1
    authorization: Basic YWRtaW46ZGVmYXVsdA==
    host: 10.112.196.127
  • Page 61: Delete A Virtual Machine From A Security Group

    DELETE /api/1.0/global/securityGroups/datacenter-2/groups/secgroup-1 HTTP/1.1
    authorization: Basic YWRtaW46ZGVmYXVsdA==
    host: 10.112.196.127

    Delete All Security Groups under a Base Node
    You can delete all security groups under a base node. Firewall rules related to deleted security groups are also deleted.
    Example 6-19. Deleting All Security Groups under a Base Node
    Request:
    DELETE <vshield_manager-uri>/api/1.0/global/securityGroups/<base-node-moid>/groups
    Example:
    DELETE /api/1.0/global/securityGroups/datacenter-2/groups/ HTTP/1.1
    authorization: Basic YWRtaW46ZGVmYXVsdA==
    host: 10.112.196.127
  • Page 62: Configuring Syslog Service For A Vshield App

    POST <vshield_manager-uri>/api/1.0/zones/syslogServers

    This request deletes the syslog server configuration across all vShield App instances connected to the vShield Manager.
    Example 6-22. Delete the Syslog Server Configuration across All vShield App Instances
    Request:
    DELETE <vshield_manager-uri>/api/1.0/zones/syslogServers

    This request deletes a single syslog server by IP address across all vShield App instances connected to the vShield Manager.
    Example 6-23. Delete a Single Syslog Server by IP Address from All vShield App Instances
    Request:
    DELETE <vshield_manager-uri>/api/1.0/zones/syslogServers/<ip_of_syslogServer>
  • Page 63: Vshield Endpoint Management

    Register an SVM with the vShield Endpoint Service on an ESX Host
    You can register and unregister a third-party antivirus security virtual machine (SVM) with vShield Endpoint. In the POST request, vmId is the 0-based index of the vNIC that the SVM uses to communicate with the vShield Endpoint service. The vShield Manager connects the vNIC to the correct port group to enable communication between the SVM and the vShield Endpoint service.
    To register SVMs on multiple ESX hosts in a single REST call, include multiple <SvmRegister /> sections in the request body.
    Example 7-1. Registering an SVM with vShield Endpoint Service
    Request:
    POST <vshieldmanager-uri>/api/1.0/endpointsecurity/svm
    <VShieldEndpointSecurity>
      <SvmRegister>
        <vmId>vmid_of_svm_vm</vmId>
        <ipAddress>ipaddress_of_svm_vnic</ipAddress>
        <port>port_for_communication</port>
        <vendorId>partner_identification_string</vendorId>
      </SvmRegister>
    </VShieldEndpointSecurity>
    Where:
    • vmId is the SVM managed object ID in vCenter.
    • ipAddress is the IP address of the SVM's vNIC that is connected to the vmkernel port group.
    • port is the port on which the SVM listens for connections from the EPSec vmkernel module.
    • vendorId is the string that is used as an identifier of the partner who owns the SVM.
  • Page 64: Retrieve Svm-Specific Network Information

    HTTP 400 Bad Request: Internal error codes. Refer to the Error Schema for more details.
    40002=Acquiring data from VC failed for <>
    40007=SVM with moid: <> not registered
    40015=vmId is malformatted or of incorrect length : <>
  • Page 65: Retrieve Vshield Endpoint Service Status On An Esx Host

    HTTP 405 Method Not Allowed: If the vmId is missing from the URI.
    HTTP 400 Bad Request: Internal error codes. Refer to the Error Schema for more details.
    40002=Acquiring data from VC failed for <>
    40007=SVM with moid: <> not registered
    40015=vmId is malformatted or of incorrect length : <>
  • Page 66: Uninstall Vshield Endpoint From The Vshield Manager

    Uninstall vShield Endpoint from the vShield Manager
    After the SVM is unregistered, you can uninstall vShield Endpoint from the vShield Manager. See "Uninstalling vShield Services from an ESX Host" on page 20.

    Error Schema
    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="Errors">
        <xs:complexType>
          <xs:sequence>
            <xs:element maxOccurs="unbounded" name="Error" type="ErrorType"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="ErrorType">
        <xs:sequence>
          <xs:element name="code" type="xs:unsignedInt"/>
          <xs:element name="description" type="xs:string"/>
          <xs:element minOccurs="0" name="index" type="xs:int"/>
        </xs:sequence>
      </xs:complexType>
    </xs:schema>
  • Page 67: Appendix: Rest Api Schemas

    Manager to vCenter Server Synchronization Schema
    This schema synchronizes the vShield Manager with the vCenter Server inventory by leveraging the vCenter Server SDK.
    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VsmGlobalConfig">
        <xs:complexType>
          <xs:all>
            <xs:element minOccurs="0" name="VcInfo" type="VcInfoType" />
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="VcInfoType">
        <xs:sequence>
          <xs:element name="ipAddress">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:minLength value="1"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
  • Page 68: Dns Service Schema

          <xs:element minOccurs="0" name="TertiaryDNS" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
    </xs:schema>

    Virtual Machine Information Schema
    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VsmGlobalConfig">
        <xs:complexType>
          <xs:all>
            <xs:element minOccurs="0" name="VMInfo" type="VMInfoType" />
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="VMInfoType">
        <xs:sequence>
          <xs:element name="VNICS" type="VNICSType" />
        </xs:sequence>
      </xs:complexType>
  • Page 69: Security Groups Schema

          <xs:element name="SecurityGroupNodeList" type="NodeList"/>
          <xs:element name="SecurityGroupIPList" type="IPList"/>
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="SecurityGroupIdList">
        <xs:sequence>
          <xs:element name="SecurityGroupId" type="xs:string" maxOccurs="unbounded" />
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="IPList">
        <xs:sequence>
          <xs:element name="IP" type="xs:string" maxOccurs="unbounded" />
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="NodeList">
        <xs:sequence>
          <xs:element name="Node" type="SecurityGroupNode" maxOccurs="unbounded" />
        </xs:sequence>
      </xs:complexType>
  • Page 70: Esx Host Preparation And Uninstallation Schema

      <!-- Install parameters -->
      <xs:complexType name="VszInstallParams">
        <xs:sequence>
          <xs:element name="DatastoreId" type="Moid"/>
          <xs:element name="ManagementPortSwitchId" type="xs:string"/> <!-- contains the networkId of the mgmt portgroup -->
          <xs:element name="MgmtInterface" type="MgmtInterfaceType"/>
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="MgmtInterfaceType">
        <xs:sequence>
          <xs:element name="IpAddress" type="IP"/>
          <xs:element name="NetworkMask" type="IP"/>
          <xs:element name="DefaultGw" type="IP"/>
        </xs:sequence>
      </xs:complexType>
  • Page 71: Vshield App Schemas

      <xs:element name="ZonesConfiguration">
        <xs:complexType>
          <xs:all>
            <xs:element name="VszInstallParams" type="VszInstallParams" minOccurs="0"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
      <!-- Install parameters -->
      <xs:complexType name="VszInstallParamsType">
        <xs:sequence>
          <xs:element name="NodeId" type="xs:string"/>
          <xs:element name="DatacenterId" type="xs:string"/>
          <xs:element name="DatastoreId" type="xs:string"/>
          <xs:element name="NameForZones" type="xs:string"/>
          <xs:element name="VswitchForMgmt" type="xs:string"/>
          <xs:element name="MgmtInterface" type="InterfaceType"/>
        </xs:sequence>
      </xs:complexType>
  • Page 72: Vshield App Firewall Schema

          <xs:element name="DefaultGw" type="xs:NMTOKEN"/>
          <xs:element minOccurs="0" name="VlanTag" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
    </xs:schema>

    vShield App Firewall Schema

    This schema configures the firewall rules enforced by a vShield App.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.vmware.com" xmlns:vmw="http://www.vmware.com">
      <xs:element name="vshieldZonesFirewallConfiguration">
        <xs:complexType>
          <xs:choice>
            <xs:sequence>
              <xs:element name="ContainerAssociation" type="vmw:ContainerAssociation"/>
              <xs:element name="RuleSet" type="vmw:RuleSet"/>
            </xs:sequence>
            <xs:element name="SnapshotTimeStamps" type="TimeStamps"/>
            <xs:element name="StatusMessage" type="xs:string" minOccurs="1"/>
            ...
  • Page 73: Port Group Isolation Management Schema

    Port Group Isolation Management Schema

    The following schema details Port Group Isolation management via REST API.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VShieldPortgroupIsolationConfig">
        <xs:complexType>
          <xs:choice>
            <xs:element name="PortgroupIsolation" type="PortgroupIsolationType" />
          </xs:choice>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="PortgroupIsolationType">
        <!-- PortGroup Isolation -->
        <xs:sequence>
          <xs:element name="resourcePoolId" type="xs:string" />
          <xs:element name="dataStoreId" type="xs:string" />
        </xs:sequence>
      </xs:complexType>
    </xs:schema>
  • Page 74: Port Group Isolation Statistics Schema

            <xs:element minOccurs="0" name="TechSupportLogsLocation" type="TechSupportLogsLocation"/>
            <xs:element minOccurs="0" name="SyslogServerConfig" type="SyslogServerConfig"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
    </xs:schema>

    vShield Edge Installation Schema

    This schema installs a vShield Edge in a port group on an ESX host. You can install one vShield Edge per port group with an attached NIC.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VShieldEdgeConfig">
        <xs:complexType>
          <xs:all minOccurs="0">
            <xs:element name="InstallParams" type="InstallParams"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="InstallParams">
        <xs:sequence>
  • Page 75: Vshield Edge Global Configuration Schema

      <xs:simpleType name="Moid">
        <xs:restriction base="xs:string">
          <xs:pattern value="[a-zA-Z0-9\-]+"/>
        </xs:restriction>
      </xs:simpleType>
      <xs:simpleType name="OpMode">
        <xs:restriction base="xs:string">
          <xs:pattern value="routing|bridging"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:schema>

    vShield Edge Global Configuration Schema

    This schema represents the global configuration of a vShield Edge instance.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VShieldEdgeConfig">
        <xs:complexType>
          <xs:choice>
            <xs:element ref="GlobalConfig" />
          </xs:choice>
        </xs:complexType>
      </xs:element>
  • Page 76: Vshield Edge Cli Login Credentials Schema

    vShield Edge CLI Login Credentials Schema

    This schema manages the login credentials for the CLI on a vShield Edge.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VShieldEdgeConfig">
        <xs:complexType>
          <xs:all minOccurs="0">
            <xs:element name="CLILoginCredentials" type="CLILoginCredentials"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="CLILoginCredentials">
        <xs:sequence>
          <xs:element name="username">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:minLength value="1"/>
                <xs:maxLength value="33" />
                <xs:pattern value="[a-z][a-z0-9_]*"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
  • Page 77

                <xs:minLength value="1"/>
                <xs:pattern value="[^\s]+"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
        </xs:sequence>
      </xs:complexType>
    </xs:schema>

    vShield Edge Firewall Schema

    This schema configures the firewall rules for a node.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.vmware.com" xmlns:vmw="http://www.vmware.com">
      <xs:element name="VShieldEdgeConfig">
        <xs:complexType>
          <!-- xs:sequence added: a complexType cannot contain an xs:element directly -->
          <xs:sequence>
            <xs:element name="FirewallConfig" type="FirewallConfig"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="FirewallConfig">
        <xs:choice>
          <xs:element name="defaultPolicy">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:pattern value="allow|deny"/>
                ...
  • Page 78

          <xs:element name="rangeStart" type="PORT" />
          <xs:element name="rangeEnd" type="PORT" />
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="Snapshots">
        <xs:sequence>
          <xs:element maxOccurs="unbounded" name="timestamp" type="xs:unsignedInt" />
        </xs:sequence>
      </xs:complexType>
      <!-- dotted-quad IPv4 address; each octet 0-255 with no leading zeros -->
      <xs:simpleType name="IP">
        <xs:restriction base="xs:string">
          <xs:pattern value="((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"/>
        </xs:restriction>
      </xs:simpleType>
      <!-- an IPv4 address as above, or the literal "any" -->
      <xs:simpleType name="IpOrAny">
        <xs:restriction base="xs:string">
          <xs:pattern value="(((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9]))|(any)"/>
        </xs:restriction>
      </xs:simpleType>
  • Page 79

          <xs:element maxOccurs="unbounded" name="NATRule" type="NATRule" /> <!-- Request/Response from Client -->
          <xs:element maxOccurs="unbounded" name="NATRuleStats" type="NATRuleStats" /> <!-- Response from REST server -->
          <xs:element name="Snapshots" type="Snapshots"/> <!-- Only in Response from Server -->
        </xs:choice>
      </xs:complexType>
      <xs:complexType name="NATRule">
        <xs:sequence>
          <xs:element minOccurs="0" name="protocol" type="PROTOCOL"/>
  • Page 80

          <xs:element name="PortRange" type="PortRange"/>
        </xs:choice>
      </xs:complexType>
      <xs:complexType name="PortRange">
        <xs:sequence>
          <xs:element name="rangeStart" type="PORT" />
          <xs:element name="rangeEnd" type="PORT" />
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="Snapshots">
        <xs:sequence>
          <xs:element maxOccurs="unbounded" name="timestamp" type="xs:unsignedInt" />
        </xs:sequence>
      </xs:complexType>
      <!-- dotted-quad IPv4 address; each octet 0-255 with no leading zeros -->
      <xs:simpleType name="IP">
        <xs:restriction base="xs:string">
          <xs:pattern value="((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"/>
        </xs:restriction>
      </xs:simpleType>
  • Page 81

      <xs:element name="VShieldEdgeConfig">
        <xs:complexType>
          <!-- xs:sequence added: a complexType cannot contain an xs:element directly -->
          <xs:sequence>
            <xs:element name="DHCPConfig" type="DHCPConfig"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:complexType name="DHCPConfig">
        <xs:sequence>
          <xs:element minOccurs="0" maxOccurs="unbounded" name="DHCPBinding" type="DHCPBinding" /> <!-- Request/Response from Client -->
          <xs:element minOccurs="0" maxOccurs="unbounded" name="DHCPPool" type="DHCPPool" /> <!-- Request/Response from Client -->
          <xs:element minOccurs="0" name="log" type="xs:boolean" />
  • Page 82

            </xs:simpleType>
          </xs:element>
          <xs:element minOccurs="0" name="primaryNameServer" type="IP" />
          <xs:element minOccurs="0" name="secondaryNameServer" type="IP" />
          <xs:element minOccurs="0" name="leaseTime">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:pattern value="(infinite|[0-9]{2,}|[1-9])"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="IpRange">
        <xs:sequence>
          <xs:element name="rangeStart" type="IP" />
          <xs:element name="rangeEnd" type="IP" />
        </xs:sequence>
      </xs:complexType>
  • Page 83

          <xs:element name="VPNServerConfig" type="VPNServerConfig"/> <!-- This might be absent when addSite api is called -->
          <xs:element maxOccurs="unbounded" name="VPNSite" type="VPNSite"/>
        </xs:choice>
      </xs:complexType>
      <xs:complexType name="VPNServerConfig">
        <xs:sequence>
          <xs:element name="externalIpAddress" type="IP" />
          <xs:element minOccurs="0" name="natedPublicIpAddress" type="IP" />
          <xs:element minOccurs="0" name="log" type="xs:boolean" />
        </xs:sequence>
      </xs:complexType>
  • Page 84

      </xs:complexType>
      <xs:complexType name="VPNTunnelConfig">
        <xs:sequence>
          <xs:element name="tunnelName">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <!-- tunnelName should contain only alphanumeric characters (xs:pattern closed with "/>") -->
                <xs:pattern value="[a-zA-Z0-9]+"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
          <xs:element name="remoteSiteSubnet" type="CIDR" />
          <xs:element name="encryptionAlgorithm">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:pattern value="aes|3des"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
        </xs:sequence>
      </xs:complexType>
  • Page 85

          <xs:element name="remoteEndPointAddress" type="xs:NMTOKEN" /> <!--right-->
          <xs:element name="remoteSiteSubnet" type="xs:string" /> <!--rightSubnet-->
          <xs:element minOccurs="0" name="vseVPNPublicAddress" type="xs:NMTOKEN" /> <!--leftid-->
          <xs:element name="vseVPNInternalAddress" type="xs:NMTOKEN" /> <!--left-->
          <xs:element name="vseVPNInternalSubnet" type="xs:string" /> <!--leftsubnet-->
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="Snapshots">
        <xs:sequence>
          <xs:element maxOccurs="unbounded" name="timestamp" type="xs:unsignedInt" />
        </xs:sequence>
      </xs:complexType>
  • Page 86

          <xs:element minOccurs="0" name="log" type="xs:boolean" />
          <xs:element minOccurs="0" name="id" type="xs:unsignedInt" /> <!-- only in Response from REST server -->
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="BackEndServers">
        <xs:sequence>
          <!-- comma separated list of backend server IPs; declared with "name" because an element cannot carry both "ref" and "type" -->
          <xs:element name="internalIPList" type="IPAndPort" />
        </xs:sequence>
      </xs:complexType>
  • Page 87

          <xs:element minOccurs="0" maxOccurs="1" name="internalInterfaceMTU" type="xs:unsignedInt"/> <!-- Request/Response -->
          <xs:element minOccurs="0" maxOccurs="1" name="externalInterfaceMTU" type="xs:unsignedInt"/> <!-- Request/Response -->
        </xs:sequence>
      </xs:complexType>
    </xs:schema>

    Traffic Stats Schema

    This schema configures the Traffic Stats collection service for a node.

    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <xs:element name="VShieldEdgeConfig">
        <xs:complexType>
          <xs:all minOccurs="0">
            <xs:element name="TrafficStats" type="TrafficStats"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
  • Page 88

          <xs:element minOccurs="1" maxOccurs="2" name="ipAddress" type="IP" />
          <xs:element name="Snapshots" type="Snapshots"/> <!-- Only in Response from Server -->
        </xs:choice>
      </xs:complexType>
      <!-- dotted-quad IPv4 address; each octet 0-255 with no leading zeros -->
      <xs:simpleType name="IP">
        <xs:restriction base="xs:string">
          <xs:pattern value="((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"/>
        </xs:restriction>
      </xs:simpleType>
      <xs:complexType name="Snapshots">
        <xs:sequence>
          <xs:element maxOccurs="unbounded" name="timestamp" type="xs:unsignedInt" />
        </xs:sequence>
      </xs:complexType>
    </xs:schema>
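    The IP, IpOrAny, CLI username, DHCP leaseTime, VPN tunnelName and OpMode restrictions on pages 75 through 88 are pattern facets, and an XSD pattern is implicitly anchored: the whole value must match. A client that pre-validates request bodies with the same expressions therefore has to anchor them too. The following Python is an added example, not code from the guide or from VMware; it ports the page's patterns with re.fullmatch and contrasts that with an unanchored re.search port, which would let trailing text past the check. The sample values are constructed.

```python
import re

# Patterns copied from the XSD simple types on this page. An XSD pattern
# facet must match the entire value, so the Python port uses re.fullmatch.
IP_PATTERN = (r"((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}"
              r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])")
IP_OR_ANY_PATTERN = r"(" + IP_PATTERN + r")|(any)"
USERNAME_PATTERN = r"[a-z][a-z0-9_]*"          # CLILoginCredentials/username
LEASE_TIME_PATTERN = r"(infinite|[0-9]{2,}|[1-9])"  # DHCPPool/leaseTime
TUNNEL_NAME_PATTERN = r"[a-zA-Z0-9]+"          # VPNTunnelConfig/tunnelName
OPMODE_PATTERN = r"routing|bridging"           # vShield Edge OpMode


def matches_xsd_pattern(pattern: str, value: str) -> bool:
    """True only when the whole value matches, as an XSD pattern facet requires."""
    return re.fullmatch(pattern, value) is not None


def is_valid_ip(value: str) -> bool:
    return matches_xsd_pattern(IP_PATTERN, value)


def is_valid_ip_or_any(value: str) -> bool:
    return matches_xsd_pattern(IP_OR_ANY_PATTERN, value)


def is_valid_cli_username(value: str) -> bool:
    # The schema combines three facets: minLength 1, maxLength 33 and the pattern.
    return 1 <= len(value) <= 33 and matches_xsd_pattern(USERNAME_PATTERN, value)


def is_valid_lease_time(value: str) -> bool:
    return matches_xsd_pattern(LEASE_TIME_PATTERN, value)


def is_valid_tunnel_name(value: str) -> bool:
    return matches_xsd_pattern(TUNNEL_NAME_PATTERN, value)


def is_valid_opmode(value: str) -> bool:
    return matches_xsd_pattern(OPMODE_PATTERN, value)


def unanchored_port_accepts(pattern: str, value: str) -> bool:
    """What a port that uses re.search accepts: a hit anywhere in the string,
    so leading or trailing junk passes. Included only for contrast."""
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    for sample in ("10.0.0.1", "256.1.1.1", "01.2.3.4", "any", "10.0.0.1 extra"):
        print(f"{sample!r}: fullmatch={is_valid_ip_or_any(sample)}, "
              f"search={unanchored_port_accepts(IP_OR_ANY_PATTERN, sample)}")
```

    The contrast function shows why the anchoring matters: "256.1.1.1" and "10.0.0.1 extra" are rejected by the anchored check but accepted by the unanchored one, because a substring such as "56.1.1.1" satisfies the expression. Validating locally with the anchored form catches such values before they reach vShield Manager, where the 400 Bad Request in Table 8-1 would otherwise be the first sign of trouble.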
  • Page 89

      </xs:complexType>
    </xs:schema>

    If a REST API call results in an error, the HTTP reply contains the following information.

    • An XML error document as the response body
    • Content-Type: application/xml
    • An appropriate 2xx, 4xx, or 5xx HTTP status code

    Table 8-1. Error Message Status Codes

    Code                       Description
    200 OK                     The request was valid and has been completed. Generally, this response is accompanied by a body document (XML).
    204 No Content             Same as 200 OK, but the response body is empty (No XML).
    400 Bad Request            The request body contains an invalid representation or the representation of the entity is missing information. The response is accompanied by Error Object (XML).
    401 Unauthorized           An authorization header was expected. Request with invalid or no vShield Manager Token.
    403 Forbidden              The user does not have enough privileges to access the resource.
    404 Not Found              The resource was not found. The response is accompanied by Error Object (XML).
    500 Internal Server Error  Unexpected error with the server. The response is accompanied by Error Object (XML).
    503 Service Unavailable    Cannot proceed with the request, because some of the services are unavailable. Example: vShield Edge is Unreachable. The response is accompanied by Error Object (XML).
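    A client needs to turn Table 8-1 into behaviour: 200 carries an XML body, 204 carries none, and the 4xx/5xx codes listed with "Error Object (XML)" carry an error document that should be surfaced rather than silently dropped. The following Python is an added example, not code from the guide or from VMware. The guide does not show the element names of the Error Object, so the example treats the error body as opaque XML and collects its text; the `<error><details>` sample body below is constructed for the test and is not the real vShield format.

```python
import xml.etree.ElementTree as ET

# Status codes and meanings from Table 8-1 (Error Message Status Codes).
STATUS_MEANINGS = {
    200: "OK",
    204: "No Content",
    400: "Bad Request",
    401: "Unauthorized",
    403: "Forbidden",
    404: "Not Found",
    500: "Internal Server Error",
    503: "Service Unavailable",
}

# Codes the table says are accompanied by an Error Object (XML).
CODES_WITH_ERROR_OBJECT = {400, 404, 500, 503}


class VShieldApiError(Exception):
    """Any non-2xx reply; carries the status, its meaning and the error text."""

    def __init__(self, status: int, meaning: str, details: str):
        super().__init__(f"{status} {meaning}: {details}" if details else f"{status} {meaning}")
        self.status = status
        self.meaning = meaning
        self.details = details


def _is_xml(content_type: str) -> bool:
    # Drop any charset parameter before comparing the media type.
    return (content_type or "").split(";")[0].strip().lower() == "application/xml"


def error_details(body: bytes) -> str:
    """Join the text nodes of an XML error document. The element names are not
    documented on this page, so the body is treated as opaque XML. It is
    server-supplied input: a body that does not parse is returned as raw text."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return body.decode("utf-8", errors="replace").strip()
    return " ".join(t.strip() for t in root.itertext() if t.strip())


def error_from_response(status: int, content_type: str, body: bytes):
    """Return a VShieldApiError for a non-2xx reply, or None for 200 / 204.
    401 means the vShield Manager token is missing or invalid (re-authenticate);
    403 means the token is fine but the user lacks privilege (do not retry)."""
    if status in (200, 204):
        return None
    meaning = STATUS_MEANINGS.get(status, "Unexpected status")
    details = ""
    if body and (_is_xml(content_type) or status in CODES_WITH_ERROR_OBJECT):
        details = error_details(body)
    return VShieldApiError(status, meaning, details)


def handle_response(status: int, content_type: str, body: bytes):
    """200 -> parsed XML root (None if the server sent no body); 204 -> None;
    anything else raises VShieldApiError."""
    err = error_from_response(status, content_type, body)
    if err is not None:
        raise err
    if status == 204 or not body:
        return None
    return ET.fromstring(body)


if __name__ == "__main__":
    # Constructed sample replies, not taken from the guide.
    print(handle_response(200, "application/xml", b"<VShieldEdgeConfig/>").tag)
    print(error_from_response(503, "application/xml",
                              b"<error><details>vShield Edge is Unreachable</details></error>"))
```

    With an HTTP library such as `requests`, the call is `handle_response(resp.status_code, resp.headers.get("Content-Type"), resp.content)`. Keeping the status, its table meaning and the error text on the exception lets callers log a 503 from an unreachable vShield Edge differently from a 401 token problem instead of treating every failure alike.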
  • Page 91: Index

    57
    last 10 configurations 57
    post rule set 54
    revert to configuration by timestamp 57
    view rule set 53
    DNAT
      about 32
      delete configuration 35
      get configuration by timestamp 34
      get rule set 32
  • Page 92

    DHCP snapshot by timestamp 29
    revert to DNAT snapshot by timestamp 34
    revert to Load Balancer snapshot by timestamp 48
    revert to SNAT snapshot by timestamp 31
    vShield Endpoint 20, 65
    uninstalling a vShield 19
    unregistering a vShield Endpoint SVM 65
  • Page 93

    51
    get configuration by timestamp 51
    get current configuration 50
    last 10 configurations 50
    post a configuration 50
    revert to configuration by timestamp 51
    DHCP
      about 26
      configuring 27
      delete configuration 29
      get all hosts and pools 28
  • Page 94

    SVM status 65
    uninstall 20
    uninstalling 65
    unregistering an SVM 65
    vShield Manager
      about 9
      configure DNS 15
      force sync with vShield Edge 26
      sync with vCenter 15
      tech support log 16
    vShield Zones
      vShield 9
      vShield Manager 9
