Python Script to import Distributed Firewall Rules recommended by vRNI to NSX-T on-prem or VMC on AWS SDDC

vRealize Network Insight Guide to importing recommended DFW rules to NSX-T or VMC SDDC using Python Script.

4/27/21 - NOTE: Updated to handle paginated results for services and security groups. Updated to populate security groups with IP memberships.

 

Pre-requisites:

  • Python 3.7 or above
  • Python libraries: requests (install with pip), plus json, argparse, sys, glob, os, xml.dom, xml.etree.ElementTree and getpass (these ship with the Python standard library)
  • Connectivity to the internet from the host where the script will be executed
  • Connectivity to VMC SDDC over HTTPS (443)
  • Connectivity to NSX-T Manager or VIP over HTTPS (443)

 

Follow steps below:

Step: Download the script by clicking the Download button on this page

IF VMC:

Step: Copy VMC Refresh token

Login to https://console.cloud.vmware.com/

Click My Account -> API Tokens tab -> Generate Token or Regenerate an existing token

Token must have NSX Cloud Admin service role under VMC on AWS service.

Copy token

 

Step: Collect SDDC ID and VMC Organizational ID

Login to https://console.cloud.vmware.com/

Select VMware Cloud on AWS under My Services -> Click desired SDDC -> Click Support

Copy the Org ID and SDDC ID

 

IF NSX-T:

Step: Copy the NSX-T Manager or VIP URL ( https://manager.fqdn/ )

Note: Use the full URL, including https:// and the trailing /

Step: Export application rules

  • Log into vRNI
  • Search for: Plan security of application NAME (replace NAME with the name of the application you would like to secure)
  • Select the three dots at the top right of the security donut diagram -> click Export to XML
  • Unzip the .zip file
  • Take note of the directory or folder location of the data center folder you will be importing rules for


Step: Run the script

  • Run script vRNI_DFW_Rule_to_VMC_or_NSXT_Import.py
    • Use --help for details on available arguments ( [--help] [--orgid ORGID] [--rulefolder RULEFOLDER] [--sddcid SDDCID] [--refreshtoken REFRESHTOKEN] [--verbose] [--appname APPNAME] [--enablerules] [--nsxtuser] [--nsxturl] )

***NOTE*** To populate security groups with IP memberships (vRNI version 6.2 and up only), select 'yes' when prompted. Each time the script is run with this option selected, the security groups in question are overwritten with the IPs in the file you select.
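The three API building blocks the import above depends on, as an added example that is not the Fling's own script: exchanging the VMC refresh token for a CSP access token, walking NSX-T Policy API cursor pagination (the 4/27/21 fix for services and security groups), and building the Group body whose IPAddressExpression replaces a group's IP membership on every run (the overwrite behaviour the note describes). The CSP authorize endpoint, the "csp-auth-token" header, the "results"/"cursor" response shape and the cgw/default domain paths are the public NSX-T and VMC ones; the group name "vrni-app-web", the IP list and the paginated pages in the __main__ block are constructed sample values.

```python
"""Added example (not the Fling's own code): token exchange, cursor pagination and
IP-membership group payload for a vRNI -> NSX-T / VMC DFW import."""
import json
from typing import Callable, Dict, Iterable, List, Optional

# Public CSP endpoint that turns a long-lived refresh token into a short-lived access token.
CSP_AUTHORIZE_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"


def csp_access_token(refresh_token: str) -> str:
    """Exchange a VMC refresh token for a CSP access token.

    Only the short-lived access token is sent to the SDDC's NSX reverse proxy
    (in the 'csp-auth-token' header); the refresh token itself is used once here.
    """
    import requests  # imported here so the offline helpers below need no network library
    resp = requests.post(CSP_AUTHORIZE_URL, data={"refresh_token": refresh_token}, timeout=30)
    resp.raise_for_status()
    return resp.json()["access_token"]


def nsx_fetcher(base_url: str, path: str, headers: Dict[str, str]) -> Callable[[Optional[str]], dict]:
    """Return a fetch_page(cursor) callable for paginate() against a live NSX-T / VMC endpoint."""
    import requests

    def fetch(cursor: Optional[str]) -> dict:
        params = {"cursor": cursor} if cursor else None
        resp = requests.get(base_url.rstrip("/") + path, params=params, headers=headers, timeout=30)
        resp.raise_for_status()
        return resp.json()
    return fetch


def paginate(fetch_page: Callable[[Optional[str]], dict]) -> List[dict]:
    """Collect every object from a cursor-paginated NSX-T Policy API list endpoint.

    fetch_page(cursor) returns the parsed JSON of one page; NSX-T includes a
    'cursor' field whenever more pages follow. Stopping after the first page is
    the bug the 4/27/21 update fixed: an existing group or service on a later
    page would be missed and re-created under a duplicate name.
    """
    results: List[dict] = []
    seen_cursors = set()
    cursor: Optional[str] = None
    while True:
        page = fetch_page(cursor)
        results.extend(page.get("results", []))
        cursor = page.get("cursor")
        if not cursor:
            return results
        if cursor in seen_cursors:  # defensive: a repeated cursor would loop forever
            raise RuntimeError("NSX-T returned a repeating pagination cursor")
        seen_cursors.add(cursor)


def groups_path(target: str) -> str:
    """VMC SDDCs keep user groups under the 'cgw' domain; on-prem NSX-T uses 'default'."""
    domain = "cgw" if target == "vmc" else "default"
    return "/policy/api/v1/infra/domains/%s/groups" % domain


def ip_group_payload(display_name: str, ip_addresses: Iterable[str]) -> dict:
    """Policy API Group body whose membership is exactly the given IP list.

    PATCHing this body to <groups_path>/<group-id> replaces the whole
    'expression' list, which is why the note above says existing IP
    membership is overwritten each time the option is selected.
    """
    ips = sorted(set(ip_addresses))  # dedupe so an IP listed twice in the file is sent once
    return {
        "display_name": display_name,
        "expression": [{"resource_type": "IPAddressExpression", "ip_addresses": ips}],
    }


if __name__ == "__main__":
    # Constructed sample pages: exercises pagination offline, no NSX-T needed.
    sample_pages = {
        None: {"results": [{"id": "svc-a"}, {"id": "svc-b"}], "cursor": "c1"},
        "c1": {"results": [{"id": "svc-c"}]},
    }
    print([obj["id"] for obj in paginate(lambda c: sample_pages[c])])
    print(groups_path("vmc"))
    print(json.dumps(ip_group_payload("vrni-app-web", ["10.0.0.2", "10.0.0.1", "10.0.0.2"]), indent=2))
```

For a live run, build the fetcher with `nsx_fetcher(nsx_url, groups_path("vmc"), {"csp-auth-token": csp_access_token(token)})` for an SDDC, or with a basic-auth session for on-prem NSX-T, and pass it to `paginate()` before deciding whether a group already exists.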

 

 

Contributors: 

Trey Tyler <Ttyler@vmware.com>

Kevin Forbes <Kforbes@vmware.com>
