
vShield API Programming Guide
70 VMware, Inc.
<action>allow</action>
<logged>false</logged>
<notes></notes>
<destination/>
</layer2FirewallRule>
</firewallConfiguration>
</VshieldAppConfiguration>
Change Firewall Configuration
To configure vShield App firewall rules:
1 Query the firewall rules for the context you want to configure. The context can be a datacenter, cluster, or port group.
2 Extract the XML from the response body in step 1 and make the desired changes to it.
3 Extract the value of the generation number from the Etag header of the response in step 1, and add it as the If-Match header in the POST call.
For example, the generation number in the GET response for the firewall configuration of a datacenter is 1312802020950 (from Example 6-4). You must now send the following header with the POST command that changes the datacenter firewall configuration:
If-Match: "1312802020950"
The generation number is a concurrency check: if someone else changed the configuration after your GET, the value no longer matches the current generation and the POST is rejected instead of silently overwriting the other change. Repeat the GET and reapply your edit in that case.
4 Pass the modified XML from step 2 as the Request Body in a POST call.
IMPORTANT You must specify the complete configuration for a context in the POST call. The POST replaces the whole configuration of the context, so a rule left out of the XML is not preserved.
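The GET, edit, POST round-trip above as a worked example. This is added illustration code, not code from the vShield guide or from VMware: it assumes a configuration document shaped like the layer2FirewallRule fragments on this page, the <id> child element and the exact Etag format are assumptions, and the FakeVsmFirewall class is a constructed stand-in for vShield Manager that only models the generation-number check, so the script runs offline.

```python
"""Added example: carry the Etag generation number back as If-Match so that a
concurrent change to the same context is rejected rather than overwritten.
Not from the vShield guide; element names beyond those shown on the page
(for example <id>) are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample of what GET /api/2.0/app/firewall/<contextID>/config
# might return; modelled on the layer2FirewallRule fragment on this page.
SAMPLE_CONFIG = """<VshieldAppConfiguration>
<firewallConfiguration>
<layer2FirewallRule>
<id>1000</id>
<action>allow</action>
<logged>false</logged>
<notes></notes>
<destination/>
</layer2FirewallRule>
</firewallConfiguration>
</VshieldAppConfiguration>"""

# Constructed headers; the generation number is the one quoted in Example 6-4.
SAMPLE_GET_HEADERS = {"Etag": '"1312802020950"'}


def generation_from_etag(headers):
    """Pull the generation number out of the Etag header, tolerating quotes
    around the value and different capitalisation of the header name."""
    for name, value in headers.items():
        if name.lower() == "etag":
            return value.strip().strip('"')
    raise KeyError("response carried no Etag header")


def set_rule_logging(config_xml, rule_id, logged):
    """Flip <logged> on one rule and return the COMPLETE document, because the
    POST must carry the whole configuration for the context."""
    root = ET.fromstring(config_xml)
    for rule in root.iter("layer2FirewallRule"):
        if rule.findtext("id") == str(rule_id):
            rule.find("logged").text = "true" if logged else "false"
            break
    else:
        raise ValueError(f"no rule with id {rule_id}")
    return ET.tostring(root, encoding="unicode")


def build_post(get_headers, get_body, rule_id, logged):
    """Assemble headers and body for the POST that commits the change."""
    headers = {
        "If-Match": f'"{generation_from_etag(get_headers)}"',
        "Content-Type": "application/xml",
    }
    return headers, set_rule_logging(get_body, rule_id, logged)


class FakeVsmFirewall:
    """Constructed stand-in for vShield Manager (not the real server): keeps one
    context's configuration, bumps the generation on every write and rejects a
    POST whose If-Match does not equal the current generation."""

    def __init__(self, xml, generation):
        self.xml, self.generation = xml, generation

    def get(self):
        return {"Etag": f'"{self.generation}"'}, self.xml

    def post(self, headers, body):
        if headers.get("If-Match", "").strip('"') != str(self.generation):
            return 412  # precondition failed: stale generation number
        self.xml = body
        self.generation += 1  # the real server issues a new generation number
        return 200


def demo():
    """Commit one change, then replay the same (now stale) POST."""
    vsm = FakeVsmFirewall(SAMPLE_CONFIG, 1312802020950)
    hdrs, body = vsm.get()
    post_hdrs, post_body = build_post(hdrs, body, 1000, True)
    first = vsm.post(post_hdrs, post_body)   # accepted, generation advances
    second = vsm.post(post_hdrs, post_body)  # stale If-Match, rejected
    return first, second


if __name__ == "__main__":
    print(demo())
```

The second POST in demo() is what a lost-update race looks like from the client side: the edit was built from a configuration that is no longer current, so the safe response is to re-run the GET and reapply the change, never to retry with the old If-Match value or to drop the header.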
Revert to Default Firewall Configuration
You can revert the firewall configuration for the node to its default by deleting all rules that were created for the specified context ID, including default rules. For a datacenter or IP namespace, a fresh set of default rules is substituted.
Example 6-10. Delete firewall configuration and revert to default
Example:
DELETE https://<vsm-ip>/api/2.0/app/firewall/<contextID>/config
Configuring Fail-Safe Mode for vShield App Firewall
By default, failure or unavailability of the vShield App appliance results in traffic being blocked (fail close). You can change this to allow traffic (fail open). In fail-open mode, traffic to the protected hosts passes with no firewall rules applied for as long as the appliance is down, so choose it only where availability matters more than enforcement for that context.
Configure Fail-Safe Mode for vShield App Firewall
Example 6-11. Configure fail-safe mode
Example:
PUT https://<vsm-ip>/api/2.1/app/failsafemode
Request Body
<VshieldAppConfiguration>
<failsafeConfiguration>
<failsafemode>FAIL_OPEN</failsafemode>
</failsafeConfiguration>