NSX Distributed Firewall can enforce firewall functionality directly at a Virtual Machine's vNIC, and supports a micro‐segmentation security model where East‐West traffic can be inspected at near line rate processing.

API-URL is a URL of the form https://vcloud.example.com/network.

id is a vCloud Director unique identifier in the form of a UUID, as defined by RFC 4122.

# is a small integer used in an NSX object identifier.

Summary of NSX Distributed Firewall Requests

| Operation | Request | Request Body | Response |
|---|---|---|---|
| Enable distributed firewall service for organization VDC with identifier id. | POST API-URL/firewall/vdc/id | None | 204 No Content |
| Retrieve global distributed firewall configuration | GET API-URL/firewall/globalroot-0/config | None | firewallConfiguration |
| Delete global distributed firewall configuration | DELETE API-URL/firewall/globalroot-0/config | None | 204 No Content |
| Retrieve distributed firewall configuration for organization VDC with identifier id. | GET API-URL/firewall/globalroot-0/config?vdc=id | None | firewallConfiguration |
| Retrieve distributed firewall configuration for all organization VDCs in the organization with identifier org-id. | GET API-URL/firewall/globalroot-0/config?org=org-id | None | firewallConfiguration |
| Retrieve distributed firewall configuration at layer 2 for organization VDC with identifier id. | GET API-URL/firewall/globalroot-0/config/layer2sections/id | None | section |
| Retrieve distributed firewall configuration at layer 3 for organization VDC with identifier id. | GET API-URL/firewall/globalroot-0/config/layer3sections/id | None | section |
| Retrieve distributed firewall rule with identifier rule-# at layer 2 for organization VDC with identifier id. | GET API-URL/firewall/globalroot-0/config/layer2sections/id/rules/rule-# | None | rule |
| Retrieve distributed firewall rule with identifier rule-# at layer 3 for organization VDC with identifier id. | GET API-URL/firewall/globalroot-0/config/layer3sections/id/rules/rule-# | None | rule |
| Update distributed firewall configuration at layer 2 for organization VDC with identifier id. | PUT API-URL/firewall/globalroot-0/config/layer2sections/id | section | 204 No Content |
| Update distributed firewall configuration at layer 3 for organization VDC with identifier id. | PUT API-URL/firewall/globalroot-0/config/layer3sections/id | section | 204 No Content |
| Update distributed firewall rule with identifier rule-# at layer 2 for organization VDC with identifier id. | PUT API-URL/firewall/globalroot-0/config/layer2sections/id/rules/rule-# | rule | 204 No Content |
| Update distributed firewall rule with identifier rule-# at layer 3 for organization VDC with identifier id. | PUT API-URL/firewall/globalroot-0/config/layer3sections/id/rules/rule-# | rule | 204 No Content |
| Append a new rule to distributed firewall rules at layer 2 for organization VDC with identifier id. | POST API-URL/firewall/globalroot-0/config/layer2sections/id/rules/rule-# | rule | 201 Created |
| Append a new rule to distributed firewall rules at layer 3 for organization VDC with identifier id. | POST API-URL/firewall/globalroot-0/config/layer3sections/id/rules/rule-# | rule | 201 Created |
| Delete distributed firewall rule with identifier rule-# at layer 2 for organization VDC with identifier id. | DELETE API-URL/firewall/globalroot-0/config/layer2sections/id/rules/rule-# | None | 204 No Content |
| Delete distributed firewall rule with identifier rule-# at layer 3 for organization VDC with identifier id. | DELETE API-URL/firewall/globalroot-0/config/layer3sections/id/rules/rule-# | None | 204 No Content |
| Delete distributed firewall from organization VDC with identifier id. | DELETE API-URL/firewall/id | None | 204 No Content |

Three rights control access to distributed firewall configuration:

ORG_VDC_DISTRIBUTED_FIREWALL_ENABLE

ORG_VDC_DISTRIBUTED_FIREWALL_CONFIGURE

ORG_VDC_DISTRIBUTED_FIREWALL_VIEW

An organization administrator role has ORG_VDC_DISTRIBUTED_FIREWALL_VIEW and ORG_VDC_DISTRIBUTED_FIREWALL_CONFIGURE rights by default. Only the system administrator has ORG_VDC_DISTRIBUTED_FIREWALL_ENABLE right by default.

The vCloud Director API for NSX makes use of ETag headers in responses. Requests that modify an object returned in a response must include the ETag value from that response in an If-Match header. For example, this request to retrieve a layer 3 firewall section (which contains the section's rules) returns the requested section and includes an ETag in the response headers.

Request:

GET https://10.17.124.244/network/firewall/globalroot-0/config/layer3sections/c02d1603-af97-4310-80b9-4f3beaa456c4

Response:

Content-Type:application/xml
Date:...
ETag:1487090590214
Expires: ...

<?xml version="1.0" encoding="UTF-8"?>
<sections>
   <section
      id="1048"
      name="vdc-01(c02d1603-af97-4310-80b9-4f3beaa456c4)"
      generationNumber="1474037046864"
      timestamp="1474037046864">
      <rule
         id="1020"
         disabled="false"
         logged="false">
         <name>testrule3</name>
         <action>allow</action>
         <appliedToList>
            <appliedTo>
               <name>vdc-01(c02d1603-af97-4310-80b9-4f3beaa456c4)
               </name>
               <value>securitygroup-28</value>
               <type>SecurityGroup</type>
               <isValid>true</isValid>
            </appliedTo>
         </appliedToList>
         <sectionId>1048</sectionId>
         <direction>inout</direction>
         <packetType>any</packetType>
      </rule>
   </section>
</sections>

A subsequent request to modify the section by adding a rule must include that ETag as the value of an If-Match request header, so the change is applied only if the section is still in the state that was retrieved.

Request:

POST https://10.17.124.244/network/firewall/globalroot-0/config/layer3sections/c02d1603-af97-4310-80b9-4f3beaa456c4/rules
...
if-match:1487090590214
...
<?xml version="1.0" encoding="UTF-8"?>
<rule
   disabled="false"
   logged="false">
   <name>testrule3</name>
   <action>allow</action>
   <appliedToList>
      <appliedTo>
         <name>testrule3</name>
         <value>securitygroup-28</value>
         <type>SecurityGroup</type>
         <isValid>true</isValid>
      </appliedTo>
   </appliedToList>
   <direction>inout</direction>
   <packetType>any</packetType>
</rule>
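As an added example (not from the VMware documentation), the following Python sketch carries out the GET-then-POST flow above: it reads the ETag from the section response, sends the new rule with If-Match, and also audits the retrieved section for allow rules that are not logged. The `transport` callable and the `FakeVcd` class are assumptions standing in for an authenticated HTTP client and for the API itself; the stand-in rejects a stale ETag with 412, the standard If-Match failure status, so the flow runs offline here.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the section shown above (not a real capture).
SECTION_XML = """<sections><section id="1048" name="vdc-01">
<rule id="1020" disabled="false" logged="false"><name>testrule3</name>
<action>allow</action><direction>inout</direction></rule>
<rule id="1021" disabled="false" logged="true"><name>block-smb</name>
<action>deny</action><direction>in</direction></rule>
</section></sections>"""


def audit_section(section_xml):
    """One dict per rule; flags allow rules that are not logged (no audit trail)."""
    out = []
    for rule in ET.fromstring(section_xml).iter("rule"):
        action, logged = rule.findtext("action", ""), rule.get("logged") == "true"
        out.append({"id": rule.get("id"), "name": rule.findtext("name", ""),
                    "action": action, "unlogged_allow": action == "allow" and not logged})
    return out


class FakeVcd:
    """Constructed stand-in for the API: enforces If-Match as the text describes."""
    def __init__(self, etag="1487090590214"):
        self.etag = etag

    def __call__(self, method, url, headers, body):
        if method == "GET" and "/layer3sections/" in url and not url.endswith("/rules"):
            return 200, {"ETag": self.etag}, SECTION_XML
        if method == "POST" and url.endswith("/rules"):
            if headers.get("If-Match") != self.etag:
                return 412, {}, "Precondition Failed"   # stale ETag: section changed
            self.etag = str(int(self.etag) + 1)         # configuration changed, new ETag
            return 201, {"ETag": self.etag}, ""
        return 404, {}, ""


def append_rule(transport, api_url, vdc_id, rule_xml):
    """GET the section for its ETag, then POST the rule with If-Match set."""
    section_url = f"{api_url}/firewall/globalroot-0/config/layer3sections/{vdc_id}"
    status, headers, _ = transport("GET", section_url, {}, None)
    if status != 200 or "ETag" not in headers:
        return {"stage": "get", "status": status}
    etag = headers["ETag"]
    status, _, _ = transport("POST", section_url + "/rules",
                             {"If-Match": etag, "Content-Type": "application/xml"}, rule_xml)
    return {"stage": "post", "status": status, "etag_used": etag}
```

Against a real deployment, `transport` would be an authenticated client; a 412 on the POST means another change landed between the GET and the POST, and the right response is to re-read the section rather than retry with the old ETag.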