VMware VSHIELD APP 1.0 - API Manual do Utilizador descarregar pdf (Página 54)

vShield API Programming Guide

54 VMware, Inc.

TheXMLresponserepresentstheDatacenterStateobject,containinganenumerationofdatacenterstatus.The

statecouldberegular,upgrading,migrating,backwardCompatible,orbackwardCompatibleReadyForSwitch.

Modify Datacenter State

YoucanchangethestateofadatacenteronlyifitisinthebackwardCompatibleReadyForSwitchstate.

Example 6-2. Change datacenter state to migrating

Example:

POST https://<vsm-ip>/api/2.0/app/firewall/datacenter-2/state

Configuring Firewall Rules for vCenter

TheprimaryfunctionofavShieldAppistoprovidefirewallprotectiononanESXhostbyinspectingeach

sessionandreturningdetailstothevShieldManager.Trafficdetailsincludesources,destinations,directionof

sessions,applications,andportsbeingused.Trafficdetailscanbeusedtocreatefirewallallowordeny

rules.

InthevShieldManageruserinterfaceorvSphereClientplug‐in,theAppFirewalltabcontainsthefirewall

rulesenforcedbyvShieldAppinstances.YoucanmanageAppFirewallrulesatthedatacenter,cluster,and

portgrouplevelstoprovideaconsistentsetofrulesacrossmultiplevShieldApp

instances.Asmembership

inthesecontainerscanchangedynamically,AppFirewallmaintainsthestateofexistingsessionswithout

requiringreconfigurationoffirewallrules.Inthisway,AppFirewalleffectivelyhasacontinuousfootprinton

eachESXhostunderthemanagedcontainers.

WhencreatingAppFirewallrules,youcancreategeneralrules

basedonincomingoroutgoingtrafficatthe

containerlev el.Forexample,youcancreatearuletodenyanytrafficfromout si de ofadatacenterthattargetsa

destinationwithinthedatacenter.Youcancreatearuletodenyanyincomingtrafficthatisnottaggedwitha

VLANID.

Allfirew allrulesconfiguredbyusingRESTrequestsappearundertheAppFirewalltabfortheapprop ria te 

containerinthevShieldManageruserinterfaceandvSphereClientplug‐in.

ForthecompletefirewallXMLschema,see“vShieldAppFirewallSchema”onpage 82.

Configuring the vShield App Firewall

Firewallprecedenceishierarchicalateachlevel.Atthedatacenterlevel,choicesareDEFAULT,HIGH,orLOW.

AttheclusteranddvPortgrouplevel,firewallprecedenceisoftensettoNONE.

EachvShieldAppenforcesthefirewallrulesintop‐to‐bottomordering.AvShieldAppcheckseachtraffic

sessionagainstthe

topruleinthefirewalltablebeforemovingdownthesubsequentrulesinthetable.Thefirst

ruleinthetablethatmatchesthetrafficparametersisenforced.SeethevShieldAdministrationGuideformore

informationaboutthehierarchyofvShieldAppfirewallrules.

Query the Firewall Configuration

Youcanretrievethefirewallconfigurationassociatedwithadatacenter,cluster,ordvPortGroup.Thetemplate

fortheAPIisasfollows:

GET https://<vsm-ip>/api/2.0/app/firewall/<context>/config?list=<L>&precedence<P>&rulesType<R>&configId=<C>

where

 <context>isthecontextIDofadatacenter,cluster,ordvPortGroup.

 <L>isthelistingtype,oneofthefollowing:

 statusforbriefcurrentstate

 configforfirewallconfiguration(thedefault)

 historyforconfigurationhistory

1 2 ... 49 50 51 52 53 54 55 56 57 58 59 ... 103 104

Comentários a estes Manuais

Sem comentários

VMware VSHIELD APP 1.0 - API Manual do Utilizador Página 54

Comentários a estes Manuais

Manuais e produtos relacionados com Redes VMware VSHIELD APP 1.0 - API