saltext.vmware.modules.vmc_distributed_firewall_rules#
Salt execution module for VMC distributed firewall rules Provides methods to Create, Read, Update and Delete distributed firewall rules.
- saltext.vmware.modules.vmc_distributed_firewall_rules.list_(hostname, refresh_key, authorization_host, org_id, sddc_id, domain_id, security_policy_id, verify_ssl=True, cert=None, cursor=None, page_size=None, sort_by=None, sort_ascending=None)[source]#
Retrieves distributed firewall rules for Given SDDC
CLI Example:
salt vm_minion vmc_distributed_firewall_rules.list hostname=nsxt-manager.local domain_id=cgw ...
- hostname
The host name of NSX-T manager
- refresh_key
API Token of the user which is used to get the Access Token required for VMC operations
- authorization_host
Hostname of the VMC cloud console
- org_id
The Id of organization to which the SDDC belongs to
- sddc_id
The Id of SDDC for which the distributed firewall rules should be retrieved
- domain_id
The domain_id for which the distributed firewall rules should be retrieved. Possible values: mgw, cgw
- security_policy_id
Security policy id for which rule should be retrieved
- verify_ssl
(Optional) Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped.
- cert
(Optional) Path to the SSL certificate file to connect to NSX-T manager. The certificate can be retrieved from browser.
- cursor
(Optional) Opaque cursor to be used for getting next page of records (supplied by current result page)
- page_size
(Optional) Maximum number of results to return in this page. Default page size is 1000.
- sort_by
(Optional) Field by which records are sorted
- sort_ascending
(Optional) Boolean value to sort result in ascending order. Enabled by default.
- saltext.vmware.modules.vmc_distributed_firewall_rules.get_by_id(hostname, refresh_key, authorization_host, org_id, sddc_id, domain_id, security_policy_id, rule_id, verify_ssl=True, cert=None)[source]#
Retrieves given distributed firewall rule from the given SDDC
CLI Example:
salt vm_minion vmc_distributed_firewall_rules.get_by_id hostname=nsxt-manager.local domain_id=cgw ...
- hostname
The host name of NSX-T manager
- refresh_key
API Token of the user which is used to get the Access Token required for VMC operations
- authorization_host
Hostname of the VMC cloud console
- org_id
The Id of organization to which the SDDC belongs to
- sddc_id
The Id of SDDC for which the distributed firewall rule should be retrieved
- domain_id
The domain_id for which the distributed firewall rule should be retrieved. Possible values: mgw, cgw
- security_policy_id
Security policy id for which rule should be retrieved
- rule_id
The distribute firewall rule id, any static unique string identifying the rule. Also same as the display_name by default.
- verify_ssl
(Optional) Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped.
- cert
(Optional) Path to the SSL certificate file to connect to NSX-T manager. The certificate can be retrieved from browser.
- saltext.vmware.modules.vmc_distributed_firewall_rules.delete(hostname, refresh_key, authorization_host, org_id, sddc_id, domain_id, security_policy_id, rule_id, verify_ssl=True, cert=None)[source]#
Deletes given distributed firewall rule from the given SDDC
CLI Example:
salt vm_minion vmc_distributed_firewall_rules.delete hostname=nsxt-manager.local domain_id=cgw ...
- hostname
The host name of NSX-T manager
- refresh_key
API Token of the user which is used to get the Access Token required for VMC operations
- authorization_host
Hostname of the VMC cloud console
- org_id
The Id of organization to which the SDDC belongs to
- sddc_id
The Id of SDDC from which the distributed firewall rule should be deleted
- domain_id
The domain_id for which the distributed firewall rule should be deleted. Possible values: mgw, cgw
- security_policy_id
Security policy id for which rule should be deleted
- rule_id
The distribute firewall rule id, any static unique string identifying the rule. Also same as the display_name by default.
- verify_ssl
(Optional) Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped.
- cert
(Optional) Path to the SSL certificate file to connect to NSX-T manager. The certificate can be retrieved from browser.
- saltext.vmware.modules.vmc_distributed_firewall_rules.create(hostname, refresh_key, authorization_host, org_id, sddc_id, domain_id, security_policy_id, rule_id, verify_ssl=True, cert=None, source_groups=None, destination_groups=None, services=None, scope=None, action=None, sequence_number=None, disabled=None, logged=None, description=None, direction=None, notes=None, tag=None, tags='USER_DEFINED_NONE')[source]#
Creates Distributed firewall rule for the given SDDC
CLI Example:
salt vm_minion vmc_distributed_firewall_rules.create hostname=nsxt-manager.local domain_id=cgw ...
- hostname
The host name of NSX-T manager
- refresh_key
API Token of the user which is used to get the Access Token required for VMC operations
- authorization_host
Hostname of the VMC cloud console
- org_id
The Id of organization to which the SDDC belongs to
- sddc_id
The Id of SDDC for which the Distributed firewall rule should be added
- domain_id
The domain_id for which the Distributed firewall rule should be added. Possible values: default, cgw
- security_policy_id
Security policy id for which rule should be added
- rule_id
Id of the distribute firewall rule to be added to given SDDC
- verify_ssl
(Optional) Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped.
- cert
(Optional) Path to the SSL certificate file to connect to NSX-T manager. The certificate can be retrieved from browser.
- source_groups
(Optional) List of Source group paths. We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. If this value is not passed, then [“ANY”] will be used by default.
- destination_groups
(Optional) List of Destination group paths. We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. If this value is not passed, then [“ANY”] will be used by default.
- services
(Optional) Names of services. In order to specify all services, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values. If this value is not passed, then [“ANY”] will be used by default.
- scope
(Optional) The list of policy paths where the rule is applied LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs.
- action
(Optional) The action to be applied to all the services. Possible Values for are: ALLOW, DROP, REJECT
- sequence_number
(Optional) Sequence number of the Rule. This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain. If no sequence number is specified by the user, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers.
- Disabled
(Optional) Flag to disable the rule. Default is false.
- logged
(Optional) Enable logging flag. Flag to enable packet logging. Default is disabled.
- description
(Optional) Description of this resource
- direction
(Optional) Define direction of traffic Possible Values for are: IN, OUT, IN_OUT Default: “IN_OUT”
- notes
(Optional) Text for additional notes on changes.
- tag
(Optional) Tag applied on the rule. User level field which will be printed in CLI and packet logs.
- tags
(Optional) Opaque identifiers meaningful to the user.
{ "tag": <tag>, "scope": <scope> }
Example Values:
{ "description": " comm entry", "sequence_number": 1, "source_groups": [ "ANY" ], "logged": false, "destination_groups": [ "ANY" ], "scope": [ "ANY" ], "action": "DROP", "services": [ "ANY" ], "direction": "IN_OUT", "tag": "", "notes": "" }
Notes
For domain_id cgw Rule must have valid values for source, and destination: either source or destination should have valid groups
Please refer the Distributed firewall rules to get insight of input parameters
- saltext.vmware.modules.vmc_distributed_firewall_rules.update(hostname, refresh_key, authorization_host, org_id, sddc_id, domain_id, security_policy_id, rule_id, verify_ssl=True, cert=None, source_groups=None, destination_groups=None, services=None, scope=None, action=None, sequence_number=None, display_name=None, disabled=None, logged=None, description=None, direction=None, notes=None, tag=None, tags='USER_DEFINED_NONE')[source]#
Updates Distributed firewall rule for the given SDDC
CLI Example:
salt vm_minion vmc_distributed_firewall_rules.update hostname=nsxt-manager.local domain_id=cgw ...
- hostname
The host name of NSX-T manager
- refresh_key
API Token of the user which is used to get the Access Token required for VMC operations
- authorization_host
Hostname of the VMC cloud console
- org_id
The Id of organization to which the SDDC belongs to
- sddc_id
The Id of SDDC for which the Distributed firewall rule belongs to
- domain_id
The domain_id for which the Distributed firewall rule belongs to. Possible values: default, cgw
- rule_id
Id of the distributed firewall rule to be updated for given SDDC
- verify_ssl
(Optional) Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped.
- cert
(Optional) Path to the SSL certificate file to connect to NSX-T manager. The certificate can be retrieved from browser.
- source_groups
(Optional) List of Source group paths. We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. If this value is not passed, then [“ANY”] will be used by default.
- destination_groups
(Optional) List of Destination group paths. We need paths as duplicate names may exist for groups under different domains. Along with paths we support IP Address of type IPv4 and IPv6. IP Address can be in one of the format(CIDR, IP Address, Range of IP Address). In order to specify all groups, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the group array. Error will be thrown if ANY is used in conjunction with other values. If this value is not passed, then [“ANY”] will be used by default.
- services
(Optional) Names of services. In order to specify all services, use the constant “ANY”. This is case insensitive. If “ANY” is used, it should be the ONLY element in the services array. Error will be thrown if ANY is used in conjunction with other values. If this value is not passed, then [“ANY”] will be used by default.
- scope
(Optional) The list of policy paths where the rule is applied LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs.
- action
(Optional) The action to be applied to all the services. Possible Values for are: ALLOW, DROP, REJECT
- display_name
- Identifier to use when displaying entity in logs or GUI
Defaults to ID if not set
- sequence_number
(Optional) Sequence number of the Rule. This field is used to resolve conflicts between multiple Rules under Security or Gateway Policy for a Domain. If no sequence number is specified by the user, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic. If a specific order of rules is desired, then one has to specify unique sequence numbers.
- Disabled
(Optional) Flag to disable the rule. Default is false.
- logged
(Optional) Enable logging flag. Flag to enable packet logging. Default is disabled.
- description
(Optional) Description of this resource
- direction
(Optional) Define direction of traffic Possible Values for are: IN, OUT, IN_OUT Default: “IN_OUT”
- notes
(Optional) Text for additional notes on changes.
- tag
(Optional) Tag applied on the rule. User level field which will be printed in CLI and packet logs.
- tags
(Optional) Opaque identifiers meaningful to the user.
{ "tag": <tag>, "scope": <scope> }
Example values:
{ "description": "comm entry", "display_name": "", "sequence_number": 1, "source_groups": [ "ANY" ], "logged": false, "destination_groups": [ "ANY" ], "scope": [ "ANY" ], "action": "DROP", "services": [ "ANY" ], "direction": "IN_OUT", "tag": "", "notes": "" }
Please refer the Update Distributed firewall rules to get insight of input parameters