User manual VMWARE VSHIELD EDGE 1.0 API PROGRAMMING GUIDE

[. . . ] vShield API Programming Guide vShield Manager 4. 1 vShield App 1. 0 vShield Edge 1. 0 vShield Endpoint 1. 0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www. vmware. com/support/pubs. EN-000434-00 vShield API Programming Guide You can find the most up-to-date technical documentation on the VMware Web site at: http://www. vmware. com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware. com Copyright © 2010 VMware, Inc. VMware products are covered by one or more patents listed at http://www. vmware. com/go/patents. [. . . ] Post an SNAT Rule Set on a vShield Edge Request: POST <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/snat/rules <VShieldEdgeConfig> <NATConfig> <NATRule> <externalIpAddress> <ipAddress>IpOrAny</ipAddress> or <IpRange> <rangeStart>ip_address</rangeStart> <rangeEnd>ip_address</rangeEnd> </IpRange> </externalIpAddress> <internalIpAddress> <ipAddress>IpOrAny</ipAddress> or <IpRange> <rangeStart>ip_address</rangeStart> <rangeEnd>ip_address</rangeEnd> </IpRange> </internalIpAddress> </NATRule> </NATConfig> </VShieldEdgeConfig> Rules: You can add multiple SNAT rules by entering multiple <NATRule></NATRule> sections in the body. <VShieldEdgeConfig> <NATConfig> <NATRule> <internalIpAddress><ipAddress>172. 17. 1. 11</ipAddress></internalIpAddress> <externalIpAddress><ipAddress>10. 112. 196. 94</ipAddress></externalIpAddress> </NATRule> <NATRule> <internalIpAddress><ipAddress>172. 17. 1. 12</ipAddress></internalIpAddress> <externalIpAddress><ipAddress>10. 112. 196. 94</ipAddress></externalIpAddress> </NATRule> </NATConfig> </VShieldEdgeConfig> Logging is disabled by default. To enable logging, add a <log /> element within <NATRule />. The externalIpAddress and internalIpAddress parameters can be entered in either of these methods. <ipAddress>IpOrAny</ipAddress> or <IpRange> <rangeStart>low_ip_address</rangeStart> <rangeEnd>high_ip_address</rangeEnd> </IpRange> 30 VMware, Inc. Chapter 5 vShield Edge Management SNAT does not support port and protocol parameters. Example: Multiple SNAT Rules POST /api/1. 0/network/network-244/snat/rules HTTP/1. 1 content-type: application/xml; charset=UTF-8 Authorization: Basic YWRtaW46ZGVmYXVsdA== Host: 10. 112. 196. 213 accept: text/html, image/gif, image/jpeg, *; q=. 2, */*; q=. 2 content-length: 310 <?xml version="1. 0" encoding="UTF-8" standalone="yes"?> <VShieldEdgeConfig><NATConfig><NATRule><internalIpAddress><ipAddress>172. 17. 1. 11</ipAddress></internalIpAddress><externalIpAddress><ipAddress>10. 112. 196. 219 </ipAddress></externalIpAddress></NATRule></NATConfig></VShieldEdgeConfig> SNAT Rule with IP Range content-length: 563 <?xml version="1. 0" encoding="UTF-8" standalone="yes"?><VShieldEdgeConfig><NATConfig><NATRule><internalIpAddress><I pRange><rangeStart>172. 17. 1. 40</rangeStart><rangeEnd>172. 17. 1. 45</rangeEnd></I pRange></internalIpAddress><externalIpAddress><IpRange><rangeStart>10. 112. 196. 218</rangeStart><rangeEnd>10. 112. 196. 219</rangeEnd></IpRange></externalIpAddre ss></NATRule><NATRule><internalIpAddress><ipAddress>172. 17. 1. 54</ipAddress></i nternalIpAddress><externalIpAddress><ipAddress>10. 112. 196. 217</ipAddress></ext ernalIpAddress></NATRule></NATConfig></VShieldEdgeConfig> Get Timestamps of Last 10 SNAT Rule Configurations for a vShield Edge Example 5-13. Get Last 10 SNAT Rule Set Snapshots Request: GET <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/snat/snapshots Get SNAT Configuration by Snapshot Timestamp Example 5-14. Get SNAT Configuration by Snapshot Timestamp Request GET <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/ snat/snapshot/<snapshot-timestamp> Revert to an SNAT Configuration by Snapshot Timestamp Example 5-15. Revert to an SNAT Configuration by Snapshot Timestamp Request: PUT <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/ snat/snapshot/<snapshot-timestamp> VMware, Inc. 31 vShield API Programming Guide Delete All SNAT Rules on a vShield Edge Example 5-16. Delete All SNAT Rules on a vShield Edge Request: DELETE <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/snat/rules Example: DELETE /api/1. 0/network/network-244/snat/rules HTTP/1. 1 Authorization: Basic YWRtaW46ZGVmYXVsdA== Host:sdfsdf Managing DNAT Rules DNAT maps public addresses to internal addresses. If you use Port Group Isolation, you must configure DNAT rules to allow traffic from the external network to the internal network. The vShield Edge supports two forms of DNAT: Traffic targeting a public address is forwarded to an internal host with the given internal IP address. Traffic targeting a specific port of a public address is forwarded to an internal host with the given internal IP address on the specified port. Get the DNAT Rule Set Example 5-17. Get the DNAT Rule Set on a vShield Edge Request: GET <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/dnat/rules Example: GET /api/1. 0/network/network-244/dnat/rules HTTP/1. 1 Authorization: Basic YWRtaW46ZGVmYXVsdA== Host: localhost Post a DNAT Rule Set You can post a DNAT rule set for a vShield Edge. The vShield Manager processes the posted XML file as a complete rule set for the specific vShield Edge. Post a DNAT Rule Set on a vShield Edge Request: POST <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/dnat/rules <VShieldEdgeConfig> <NATConfig> <NATRule> <protocol>tcp|udp|icmp|any</protocol> <internalIpAddress>see_below</internalIpAddress> <internalPort>see_below</internalPort> <externalIpAddress>see_below</externalIpAddress> <externalPort>see_below</externalPort> </NATRule> </NATConfig> </VShieldEdgeConfig> 32 VMware, Inc. Chapter 5 vShield Edge Management Rules: You can add multiple DNAT rules by entering multiple <NATRule></NATRule> sections in the body. For <protocol /> options tcp and udp, you must specify internalPort and externalPort elements. For options icmp and any, the internalPort and externalPort elements are not expected. You must add <icmpType /> if you configure icmp as the protocol. To enable logging, add a <log /> element within <NATRule />. The externalIpAddress and internalIpAddress parameters can be entered in either of these formats. <ipAddress>IpOrAny</ipAddress> or <IpRange> <rangeStart>low_ip_address</rangeStart> <rangeEnd>high_ip_address</rangeEnd> </IpRange> The externalPort and internalPort parameters can be entered in either of these formats. <port>PortOrAny</port> or <PortRange> <rangeStart>low_port</rangeStart> <rangeEnd>high_port</rangeEnd> </PortRange> Example: Multiple DNAT Rules POST /api/1. 0/network/network-244/dnat/rules HTTP/1. 1 content-type: application/xml; charset=UTF-8 Authorization: Basic YWRtaW46ZGVmYXVsdA== Host: 10. 112. 196. 213 accept: text/html, image/gif, image/jpeg, *; q=. 2, */*; q=. 2 content-length: 617 <?xml version="1. 0" encoding="UTF-8" standalone="yes"?><VShieldEdgeConfig><NATConfig><NATRule><protocol>tcp</protoc ol><internalIpAddress><ipAddress>172. 16. 1. 11</ipAddress></internalIpAddress><i nternalPort><port>any</port></internalPort><externalIpAddress><ipAddress>10. 11 2. 196. 217</ipAddress></externalIpAddress><externalPort><port>any</port></exter nalPort></NATRule><NATRule><protocol>icmp</protocol><icmpType>any</icmpType><i nternalIpAddress><ipAddress>172. 16. 1. 11</ipAddress></internalIpAddress><extern alIpAddress><ipAddress>10. 112. 196. 218</ipAddress></externalIpAddress></NATRule ></NATConfig></VShieldEdgeConfig> DNAT Rule with IP Range content-length: 453 <?xml version="1. 0" encoding="UTF-8" standalone="yes"?><VShieldEdgeConfig><NATConfig><NATRule><protocol>tcp</protoc ol><internalIpAddress><IpRange><rangeStart>172. 17. 1. 10</rangeStart><rangeEnd>1 72. 17. 1. 15</rangeEnd></IpRange></internalIpAddress><internalPort><port>any</po rt></internalPort><externalIpAddress><ipAddress>10. 112. 196. 219</ipAddress></ex ternalIpAddress><externalPort><port>any</port></externalPort></NATRule></NATCo nfig></VShieldEdgeConfig> VMware, Inc. 33 vShield API Programming Guide DNAT Rule with Port Range content-length: 518 <?xml version="1. 0" encoding="UTF-8" standalone="yes"?><VShieldEdgeConfig><NATConfig><NATRule><protocol>tcp</protoc ol><internalIpAddress><ipAddress>172. 17. 1. 11</ipAddress></internalIpAddress><i nternalPort><PortRange><rangeStart>15</rangeStart><rangeEnd>19</rangeEnd></Por tRange></internalPort><externalIpAddress><ipAddress>10. 112. 196. 219</ipAddress> </externalIpAddress><externalPort><PortRange><rangeStart>9915</rangeStart><ran geEnd>9919</rangeEnd></PortRange></externalPort></NATRule></NATConfig></VShiel dEdgeConfig> DNAT Rule with IP and Port Range content-length: 627 <?xml version="1. 0" encoding="UTF-8" standalone="yes"?><VShieldEdgeConfig><NATConfig><NATRule><protocol>tcp</protoc ol><internalIpAddress><IpRange><rangeStart>172. 17. 1. 15</rangeStart><rangeEnd>1 72. 17. 1. 19</rangeEnd></IpRange></internalIpAddress><internalPort><PortRange><r angeStart>15</rangeStart><rangeEnd>19</rangeEnd></PortRange></internalPort><ex ternalIpAddress><IpRange><rangeStart>10. 112. 196. 215</rangeStart><rangeEnd>10. 1 12. 196. 219</rangeEnd></IpRange></externalIpAddress><externalPort><PortRange><r angeStart>9915</rangeStart><rangeEnd>9919</rangeEnd></PortRange></externalPort ></NATRule></NATConfig></VShieldEdgeConfig> Get Timestamps of Last 10 DNAT Rule Configurations for a vShield Edge Example 5-19. Get Last 10 DNAT Rule Set Snapshots Request: GET <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/dnat/snapshots Get DNAT Configuration by Snapshot Timestamp Example 5-20. Get DNAT Configuration by Snapshot Timestamp Request: GET <vshield_manager-uri>/api/1. 0/network/<portgroup-moid>/ dnat/snapshot/<snapshot-timestamp> Revert to an DNAT Configuration by Snapshot Timestamp Example 5-21. [. . . ] To register SVMs on multiple ESX hosts in a single REST call, include multiple <SvmRegister /> sections in the request body. Registering an SVM with vShield Endpoint Service Request: POST <vshieldmanager-uri>/api/1. 0/endpointsecurity/svm <VShieldEndpointSecurity> <SvmRegister> <vmId>vmid_of_svm_vm</vmId> <ipAddress>ipaddress_of_svm_vnic</ipAddress> <port>port_for_communication</port> <vendorId>partner_identification_string</vendorId> </SvmRegister> </VShieldEndpointSecurity> Where: vmId is the SVM managed object ID in vCenter. ipAddress is the IP address of the SVM's vNIC that is connected to the vmkernel port group. port is the port on which the SVM listens to connection from the EPSec vmkernel module. [. . . ]