VMware vShield 5.5 User guide

vShield API Programming Guide
vShield 5.5
vShield App 5.5
vShield Edge 5.5
vShield Endpoint 5.5
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000869-03
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
Contents
About This Book 11
1 Overview of VMware vShield 13
vShield Components 13
vShield Manager 13
vShield App 13
vShield Edge 14
vShield Endpoint 14
vShield Data Security 14
Compatibility Between Different REST API Versions 14
REST API Version 2.0 in vShield 5.0 14
Multitenancy 15
An Introduction to REST API for vShield Users 15
How REST Works 15
Using the vShield REST API 16
Ports Required for vShield REST API 16
About the REST API 16
RESTful Workflow Patterns 17
For More Information About REST 17
2 vShield Manager Management 19
Synchronizing vShield Manager with vCenter Server, SSO, and DNS 19
Querying vShield Manager Global Configuration 21
Resetting the Local Account Password 21
Add Security Profile 21
Get Security Profile 22
Get Password Hint Questions 22
Reset Password 22
Monitoring vShield Manager Reachability 23
Working with vShield Manager Syslog Server Configuration 23
Configure vShield Manager Syslog Server 23
Get vShield Manager Syslog Server Configuration 23
Delete vShield Manager Syslog Server Configuration 23
Querying vShield Manager Logs 24
Get vShield Manager System Events 24
Get vShield Manager Audit Logs 24
Querying vShield Manager Tech Support Log 24
User Management 24
Get Information About a User 25
Create a Local User on vShield Manager 25
Update a Local User Account 26
Enable or Disable a User Account 26
Delete a User Account 26
Role Management 28
Get Role for a User 28
Get Roles for a vShield Manager 28
Add Role and Resources for a User 29
Change User Role 29
Get List of Possible Roles 30
Get List of Scoping Objects 30
Delete User Role 31
Creating IPset and MACset Containers 31
List IPsets Created on a Scope 31
Create an IPset on a Scope 31
Get Details of an IPset 32
Modify an Existing IPset 32
Delete an IPset 32
List MACsets Created on a Scope 33
Create a MACset on a Scope 33
Get Details of a MACset 33
Modify an Existing MACset 34
Delete a MACset 34
Security Group Scope and Members 34
List Security Groups Created on a Scope 34
Create Security Group on a Scope 35
Get Members for a Scope 35
Get Security Group Details 35
Modify a Security Group 36
Delete a Security Group 37
Add Member to Security Group 37
Delete Member from Security Group 37
Transport Set for Services 37
Working with Service Groups 37
List Service Groups on a Scope 37
Add Service Group to a Scope 38
Get Details of a Service Group 40
Modify Service Group Details 40
Delete Service Group from Scope 41
Working with Services 41
List Services on a Scope 41
Add Service to a Scope 41
Get Details of a Service 43
Modify Service Details 43
Delete Service from Scope 43
Working with the Members of a Service 44
Query Service Members 44
Add a Member to the Service 45
Delete a Member from the Service 45
Querying Object IDs 45
Query Datacenter MOID 45
Query Datacenter ID 45
Query Host ID 46
Query Portgroup ID 46
3 ESX Host Preparation for vShield App, vShield Endpoint, and vShield Data Security 47
Installing Licenses for vShield Edge, vShield App, and vShield Endpoint 47
Installing vShield App and vShield Endpoint Services on an ESX Host 47
Installing vShield Data Security 49
Upgrading vShield Data Security 49
Getting the Installation Status of vShield Services on an ESX Host 50
Uninstalling vShield Services from an ESX Host 50
Uninstalling vShield Data Security 50
4 vShield Edge Installation and Upgrade 51
Installing a vShield Edge 51
Running Queries on all vShield Edges 53
Upgrading vShield Edge 55
Deleting a vShield Edge 55
5 vShield Edge Management 57
Running Queries on a Specific vShield Edge 58
Query vShield Edge Details 58
Query vShield Edge Summary 62
Querying vShield Edge Status 64
Working with Appliances 66
Query Appliance Configuration 66
Modify Appliance Configuration 67
Change Appliance Size 67
Manage an Appliance 67
Query Appliance 68
Modify Appliance 68
Delete Appliance 69
Working with Interfaces 69
Add Interfaces 69
Retrieve Interfaces for a vShield Edge 70
Delete Interfaces 71
Manage a vShield Interface 71
Retrieve Interface with Specific Index 71
Delete Interface Configuration 71
Modify an Interface 71
Query Interface Statistics 72
Query Statistics for all Interfaces 72
Query Statistics for Uplink Interfaces 73
Query Statistics for Internal Interfaces 73
Query Dashboard Statistics 74
Configuring Edge Services 74
Configure Firewall 75
Add Firewall Configuration 75
Query Firewall Configuration 76
Delete Firewall Configuration 77
Append Firewall Rules 78
Add a Firewall Rule Above a Specific Rule 78
Query Specific Rule 79
Modify Firewall Rule 79
Delete a Firewall Rule 80
Manage Default Firewall Policy 80
Query Firewall Statistics 81
Query Firewall Statistics For a Rule 81
Configure NAT 81
Retrieve NAT Rules for a vShield Edge 82
Delete all NAT Rules 83
Add a NAT Rule above a Specific Rule 83
Append NAT Rules 84
Change a NAT Rule 84
Delete a Rule 84
Configure Routing 85
Configure Static and Default Routes 85
Query Static and Default Routes 85
Delete Static and Default Routes 86
Change Static Routes 86
Append Static Routes 86
Delete Static Routes 87
Configure Default Routes for vShield Edge 87
Delete Default Routes 87
Configure DNS Servers 87
Configure DNS 87
Retrieve DNS Configuration 88
Delete DNS Configuration 88
Retrieve DNS Statistics 89
Configure DHCP 89
Query DHCP Configuration 91
Delete DHCP Configuration 91
Retrieve DHCP Lease Information 92
Append IP Pool to DHCP Configuration 92
Append Static Binding to DHCP Configuration 92
Delete DHCP Pool 93
Delete DHCP Static Binding 93
Configure Certificates 93
Working with Certificates 93
Working with Certificate Signing Requests (CSRs) 94
Working with Certificate Revocation List (CRL) 95
Configure IPSEC VPN 96
Retrieve IPSec Configuration 97
Retrieve IPSec Statistics 98
Query Tunnel Traffic Statistics 99
Delete IPSec Configuration 100
Managing SSL VPN 100
Enable or Disable SSL VPN 100
Query SSL VPN Details 100
Manage Server Settings 100
Configure Private Networks 101
Configure Web Resource 103
Configure Users 105
Configure IP Pool 107
Configure Network Extension Client Parameters 110
Configure Network Extension Client Installation Package 110
Configure Portal Layouts 114
Configure Authentication Parameters 116
Configure SSL VPN Advanced Configuration 118
Working with Active Clients 119
Manage Logon and Logoff Scripts 120
Reconfigure SSL VPN 122
Query SSL VPN Configuration 125
Delete SSL VPN Configuration 128
Query SSL VPN Statistics 128
Configure Load Balancer 129
Query Load Balancer Configuration 131
Query Statistics 132
Delete Load Balancer Configuration 133
Manage all Backend Pools 133
Manage all Virtual Servers 136
Retrieve Load Balancer Statistics 138
Enable Layer 4 Mode for Load Balancer 140
Configure High Availability (HA) 140
Retrieve High Availability Configuration 141
Delete High Availability Configuration 141
Force Syncing vShield Edge 141
Configuring Advanced Options for vShield Edge 141
Change AESNI Setting for a vShield Edge 141
Change FIPS Setting for a vShield Edge 142
Change Logging Level for vShield Appliance 142
Manage Auto Configuration Settings 142
Modify Auto Configuration Settings 142
Query Auto Configuration Settings 142
Change TCP Loose Setting 143
Replacing the Configuration of a vShield Edge 143
Redeploying vShield Edge Appliances 147
Managing CLI Credentials and Access 147
Change CLI Credentials 147
Change CLI Remote Access 147
Debugging and Support 148
Query Technical Support Log 148
Query vShield Edge Service Statistics 148
6 Working with VXLAN Virtual Wires 153
Preparing for VXLAN Virtual Wires 153
Configuring Switches 154
Prepare Switch 154
Edit Teaming Policy 154
Query Configured Switches 154
Query Configured Switches on Datacenter 155
Query Specific Switch 155
Delete Switch 156
Working with Cluster Switch Mappings 156
Map a Cluster to a Switch 156
Query all Cluster Mappings 156
Query Mappings by Switch 157
Query Specific Cluster 157
Delete Cluster Switch Mapping 158
Working with EAM Agencies 158
Install EAM Agency 158
Synchronize Agency State 159
Replace Agency Scope 159
Query Agency by Cluster 159
Query Agency Status 159
Query Agency ID for Cluster 159
Delete Agency 160
Uninstall Agency Status 160
Working with Segment IDs 160
Add a new Segment ID Range 160
Query all Segment ID Ranges 161
Query a Specific Segment ID Range 161
Update a Segment ID Range 161
Delete a Segment ID Range 162
Working with Multicast Address Ranges 162
Add a new Multicast Address Range 162
Query all Multicast Address Ranges 162
Get a Specific Multicast Address Range 163
Update a Multicast Address Range 163
Delete a Multicast Address Range 163
Working with Network Scopes 163
Create a Network Scope 163
Edit a Network Scope 164
Update Attributes on a Network Scope 164
Query existing Network Scopes 164
Query a Specific Network Scope 165
Delete a Network Scope 166
Working with Virtualized Networks 166
Create a VXLAN Virtual Wire 166
Query all VXLAN Virtual Wires on a Network Scope 166
Query all VXLAN Virtual Wires on all Network Scopes 167
Query a Specific VXLAN Virtual Wire 167
Delete a VXLAN Virtual Wire 168
Managing the VXLAN Virtual Wire UDP Port 168
Get UDP Port 168
Update UDP Port 168
Querying Allocated Resources 168
Testing Multicast Group Connectivity 169
Test Multicast Group Connectivity in a Network Scope 169
Test Multicast Group Connectivity in a VXLAN Virtual Wire 169
Performing Ping Test 170
7 vShield App Management 171
Modifying the State of a Datacenter 171
Retrieve Datacenter State 171
Modify Datacenter State 172
Configuring Firewall Rules for vCenter 172
Configuring the vShield App Firewall 172
Query Firewall Configuration 172
Add a Firewall Rule 178
Modify a Firewall Rule 180
Delete a Firewall Rule 182
Revert to Default Firewall Configuration 183
Configuring Fail Safe Mode for vShield App Firewall 183
Configure Fail Safe Mode for vShield App Firewall 183
Query Fail Safe Mode Configuration for vShield App Firewall 184
Working with SpoofGuard 184
Get SpoofGuard Settings at Context Level 184
Replace SpoofGuard Settings 184
Get SpoofGuard IP Settings 185
Change SpoofGuard IP Settings 185
Working with Namespaces 186
Add Namespace in a Datacenter 186
Get Namespace Details 186
Delete a Namespace 186
Show Namespaces in a Datacenter 186
Getting Flow Statistic Details 187
Get Flow Statistics 187
Get Flow Meta Data 189
Excluding Virtual Machines from vShield App Protection 190
Add a Virtual Machine to the Exclusion List 190
Get Virtual Machine Exclusion List 190
Delete a Virtual Machine from Exclusion List 191
Configuring Syslog Service for a vShield App 191
Synchronizing vShield App 192
Querying vShield App Technical Support Log 192
Querying vShield App Status 192
Upgrading vShield App 193
8 vShield Endpoint Management 195
Overview of Solution Registration 195
Registering a Solution with vShield Endpoint Service 195
Register a Vendor 196
Register a Solution 196
Altitude of a Solution 196
IP Address and Port for a Solution 196
Activate a Solution 197
Querying Registration Status of vShield Endpoint 197
Get Vendor Registration 197
Get Solution Registration 197
Get IP Address of a Solution 198
Get Activation Status of a Solution 198
Querying Activated Security Virtual Machines for a Solution 198
Query Activated Security Virtual Machines 198
Query Activation Information 199
Unregistering a Solution with vShield Endpoint 199
Unregister a Vendor 199
Unregister a Solution 199
Unset IP Address 199
Deactivate a Solution 200
Status Codes and Error Schema 200
Return Status Codes 200
Error Schema 200
9 vShield Data Security Configuration 203
vShield Data Security User Roles 203
Defining a Data Security Policy 204
Query Regulations 204
Enable a Regulation 204
Query Classification Value 205
Configure a Customized Regex as a Classification Value 205
View the List of Excludable Areas 205
Exclude Areas from Policy Inspection 206
Specify Security Groups to be Scanned 207
Query Security Groups Being Scanned 207
Configure File Filters 208
Saving and Publishing Policies 209
Query Saved Policy 209
Query Published Policy 210
Publish the Updated Policy 210
Data Security Scanning 210
Start, Pause, Resume, or Stop a Scan Operation 211
Query Status for a Scan Operation 211
Querying Scan Results 211
Get List of Virtual Machines Being Scanned 211
Get Number of Virtual Machines Being Scanned 212
Get Summary Information about the Last Five Scans 213
Get Information for Virtual Machines Scanned During Previous Scan 213
Retrieve Information About Previous Scan Results 213
Get XML Representation of Policy Used for Previous Scan 213
Querying Violation Details 215
Get List of Violation Counts 215
Get List of Violating Files 216
Get List of Violating Files in CSV Format 217
Get Violations in Entire Inventory 217
Appendix 219
vShield Manager Global Configuration Schema 219
ESX Host Preparation and Uninstallation Schema 224
vShield App Schemas 225
vShield App Configuration Schema 225
vShield App Firewall Schema 225
vShield App SpoofGuard Schema 228
vShield App Namespace Schema 230
Error Message Schema 231
About This Book

This manual, the vShield API Programming Guide, describes how to install, configure, monitor, and maintain the VMware® vShield™ system by using REST API requests. The information includes step-by-step configuration instructions and examples.

Intended Audience
This manual is intended for anyone who wants to use the REST API to install or use vShield in a VMware vSphere environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology, virtualized datacenter operations, and REST APIs. This manual also assumes familiarity with vShield.

VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

vShield Documentation
The following documents comprise the vShield documentation set:
vShield Administration Guide
vShield Quick Start Guide
vShield API Programming Guide, this guide

Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.

Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available on site, in the classroom, and live online. For on-site pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Overview of VMware vShield

VMware vShield™ is a suite of network edge and application-aware firewalls built for VMware vCenter Server integration. vShield inspects client-server communications and inter-virtual-machine communications to provide detailed traffic analytics and application-aware firewall protection. It is a critical security component to protect virtualized datacenters from attacks and misuse, and helps achieve compliance-mandated goals.

This chapter includes the following topics:
“vShield Components” on page 13
“Compatibility Between Different REST API Versions” on page 14
“Ports Required for vShield REST API” on page 16
“An Introduction to REST API for vShield Users” on page 15

This guide assumes you have administrator access to the entire vShield system. If you are unable to access a screen or perform a particular task, consult your vShield administrator.

vShield Components
vShield includes components and services essential for protecting virtual machines in a virtualized datacenter. vShield can be configured with a Web-based user interface, a command line interface (CLI), or a REST API.
To run vShield, you need one vShield Manager virtual appliance and at least one vShield App or vShield Edge virtual appliance. The vShield Manager virtual appliance can run on a different ESX host than the vShield App and vShield Edge virtual appliances.

vShield Manager
vShield Manager is the centralized management component of vShield. You install it as a virtual appliance by deploying an OVA from the vSphere Client. Using the vShield Manager user interface or vSphere Client plug-in, you can install, configure, and maintain vShield appliances. The vShield Manager user interface leverages the vSphere Web Services SDK to display tabs within the vSphere Client inventory panel. For details about the user interface, see the vShield Administration Guide.

vShield App
A vShield App virtual appliance monitors all traffic into and out of an ESX host, and between virtual machines on the host. vShield App provides application-aware traffic analysis and stateful firewall protection, and it regulates traffic based on a set of rules, similar to an access control list (ACL).
As traffic passes through a vShield App, each session header is inspected to catalog the data. The vShield App creates a profile for each virtual machine detailing the operating system, applications, and ports used for network communication. Based on this information, the vShield App allows ephemeral port use by permitting dynamic protocols such as FTP or RPC to pass through, while maintaining lockdown on ports 1024 and higher.
You cannot protect the ESX Service Console, ESXi direct console user interface (DCUI), or the VMkernel with vShield App because these components are not virtual machines.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. You install a vShield Edge at a datacenter level and can add up to ten internal or uplink interfaces. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

vShield Endpoint
vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.

vShield Data Security
vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

Compatibility Between Different REST API Versions
Each release of the vShield REST API represents a new version of the REST API code with new and changed features. If you are running a previous version of vShield component software, you might not be able to use all of the features of the latest release of the vShield REST API.

REST API Version 2.0 in vShield 5.0
Release 5.0 of vShield introduces version 2.0 of the REST API. Many URLs changed from version 1.0 to 2.0. You can determine the API version of a vShield component (such as Edge or App) with the following example REST calls. In the GET request syntax, <vsm-ip> represents the IP address or hostname of vShield Manager.
Example 1-1. Determine the API version of the vShield Manager or vShield Endpoint
GET https://<vsm-ip>/api/versions
<versions>
<version value="2.1">
<module name="VshieldAppGlobal" baseUri="/api/2.1/app" version="2.1"/>
<module name="Flow" baseUri="/api/2.1/app/flow" version="2.1"/>
</version>
<version value="2.0">
<module name="Dlp" baseUri="/api/2.0/dlp" version="2.0"/>
<module name="Endpoint" baseUri="/api/2.0/endpointsecurity" version="2.0"/>
<module name="MACSet" baseUri="/api/2.0/services/macset" version="2.0"/>
<module name="SystemEvent" baseUri="/api/2.0/systemevent" version="2.0"/>
<module name="AuditLog" baseUri="/api/2.0/auditlog" version="2.0"/>
<module name="UserMgmt" baseUri="/api/2.0/services/usermgmt" version="2.0"/>
<module name="Application" baseUri="/api/2.0/services/application" version="2.0"/>
<module name="IPSet" baseUri="/api/2.0/services/ipset" version="2.0"/>
<module name="SyslogServer" baseUri="/api/2.0/services/syslog/config" version="2.0"/>
<module name="SecurityGroup" baseUri="/api/2.0/services/securitygroup" version="2.0"/>
</version>
</versions>

NOTE vShield App and vApp are not the same thing. A vApp is a grouping of virtual machines in vSphere, for example a management appliance and a database appliance working together.

CAUTION The REST APIs described in this document can change over time. At this point, vShield does not guarantee forward compatibility.

Example 1-2. Determine the API version of a vShield App
GET https://<vsm-ip>/api/versions/app/<datacenter-id>
<versions>
<version version="2.0">
<module version="2.0" baseUri="/api/2.0/app" id="datacenter-21" name="app"/>
</version>
</versions>

Example 1-3. Determine the API version of a vShield Edge
GET https://<vsm-ip>/api/versions/edge/dvportgroup-63
<versions>
<version version="2.0">
<module version="2.0" baseUri="/api/2.0/networks" id="dvportgroup-63" name="edge"/>
</version>
</versions>
The API version for vShield App is governed by the state of the datacenter in relation to a vShield component. If the datacenter state is in backwardCompatible mode, then it supports only version 1.0 REST calls. If the datacenter state is in regular mode, then it supports only 2.0 REST calls. These API versions are mutually exclusive; only one REST API version is supported at a time.
Table 1-1 lists compatibility between different versions of the REST API, vShield Manager, and the vShield virtual appliances: vShield App, vShield Endpoint, and vShield Edge.
Multitenancy
In vShield 5.0, the vShield App firewall configuration supports multitenancy. A single IP address can show up in multiple places in the network (different IP address namespaces) associated with different virtual machines. Only 2.0 REST APIs support multitenancy. In backward compatibility mode, vShield 5.0 supports the old APIs and does not enforce rules with awareness of multitenancy.
If you have written programs using 1.0 REST APIs, you should reconsider whether their design works as intended in the multitenancy scenario. If not, change your programs to use the API 2.0 calls.

An Introduction to REST API for vShield Users
REST, an acronym for Representational State Transfer, is a term that has been widely employed to describe an architectural style characteristic of programs that rely on the inherent properties of hypermedia to create and modify the state of an object that is accessible at a URL.
How REST Works
Once a URL of such an object is known to a client, the client can use an HTTP GET request to discover the properties of the object. These properties are typically communicated in a structured document with an HTTP Content-Type of XML or JSON, that provides a representation of the state of the object. In a RESTful workflow, documents (representations of object state) are passed back and forth (transferred) between a client and a service with the explicit assumption that neither party need know anything about an entity other than what is presented in a single request or response. The URLs at which these documents are available are often “sticky,” in that they persist beyond the lifetime of the request or response that includes them. The other content of the documents is nominally valid until the expiration date noted in the HTTP Expires header.

Table 1-1. REST API Compatibility Matrix
REST API Version   vShield Manager Version   vShield Appliance Version   Supported?
3.0                5.1                       4.1                         No
3.0                5.1                       5.0                         No
3.0                5.1                       5.1                         Yes
2.0                5.1                       5.0                         Yes
2.0                5.1                       5.1                         No
Using the vShield REST API
You have several choices for programming the vShield REST API: using Firefox, Chrome, or curl. To make XML responses more legible, you can copy and paste them into xmlcopyeditor or pspad.

To use the REST API in Firefox
1 Locate the RESTClient Mozilla add-on, and add it to Firefox.
2 Click Tools > RESTClient to start the add-on.
3 Click Login and enter the vShield login credentials, which then appear encoded in the Request Header.
4 Select a method such as GET, POST, or PUT, and type the URL of a REST API. You might be asked to accept or ignore the lack of an SSL certificate. Click Send.
Response Header, Response Body, and Rendered HTML appear in the bottom window.

To use the REST API in Chrome
1 Search the Web to find the Simple REST Client, and add it to Chrome.
2 Click its globe-like icon to start it in a tab.
3 The Simple REST Client provides no certificate checking interface, so use another Chrome tab to accept or ignore the lack of an SSL certificate.
4 Type the URL of a REST API, and select a method such as GET, POST, or PUT.
5 In the Headers field, type the basic authorization line, as in the Important note under “About the REST API”. Click Send.
Status, Headers, and Data appear in the Response window.

To use the REST API in curl
1 Install curl if not already installed.
2 In front of the REST URL, the -k option avoids certificate checking, and the -u option specifies credentials.
curl -k -u admin:default https://<vsm-ip>/api/2.0/services/usermgmt/user/admin
The -k option, like accepting an untrusted certificate in a browser, disables verification of the vShield Manager's TLS certificate, so the Basic credentials sent with -u can be read by anyone able to intercept the connection. Use it only against a lab vShield Manager. Elsewhere, install a certificate on the vShield Manager that is issued by a CA the client trusts, or pass the manager's certificate to curl with --cacert, and change the default admin password before exposing the API.

Ports Required for vShield REST API
The vShield Manager requires port 443/TCP for REST API requests.
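The curl step above and Examples 1-1 to 1-3 show the two things every script against this API needs: a Basic authorization header, and a way to discover which base URI a module is served under rather than hard-coding /api/2.0/... paths. The following Python client is an added example written for this page; it is not code from the guide or from VMware. It verifies the manager's certificate instead of skipping the check as curl -k does, and it handles both shapes of the versions document (the manager-wide response uses <version value="..."> while the per-App and per-Edge responses use <version version="...">). The host name vsm.example.internal, the CA bundle path and the credentials are placeholders, and the SAMPLE_* documents are constructed responses shaped like Examples 1-1 and 1-3.

```python
"""Minimal vShield Manager REST client (added example, not from the guide).

Builds the Basic authorization header, fetches over verified TLS, and
parses /api/versions so the caller can resolve a module's baseUri.
Host names, CA bundle path and credentials are placeholders."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def basic_auth_header(user: str, password: str) -> str:
    """Value for the Authorization header. Basic auth is only an encoding,
    not encryption, so it must travel over HTTPS (vShield Manager: 443/TCP)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def vsm_get(vsm_host: str, path: str, user: str, password: str, ca_bundle: str) -> bytes:
    """GET https://<vsm-ip><path> and return the body.

    ca_bundle is a PEM file containing the CA that issued the manager's
    certificate. The default SSL context checks both the chain and the host
    name, so a self-signed or forged certificate raises instead of being
    silently accepted the way `curl -k` would."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        f"https://{vsm_host}{path}",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def parse_versions(xml_text: str) -> dict:
    """Map module name -> {api version: baseUri} from a versions document."""
    root = ET.fromstring(xml_text)
    modules = {}
    for version in root.findall("version"):
        # Example 1-1 uses value="2.1"; Examples 1-2/1-3 use version="2.0".
        ver = version.get("value") or version.get("version")
        for module in version.findall("module"):
            modules.setdefault(module.get("name"), {})[ver] = module.get("baseUri")
    return modules


def module_base_uri(xml_text: str, name: str) -> str:
    """baseUri of the newest API version that exposes module `name`."""
    versions = parse_versions(xml_text).get(name)
    if not versions:
        raise KeyError(f"module {name!r} is not advertised by this vShield Manager")
    newest = max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))
    return versions[newest]


# Constructed sample responses, shaped like Examples 1-1 and 1-3.
SAMPLE_VERSIONS = """<versions>
  <version value="2.1">
    <module name="VshieldAppGlobal" baseUri="/api/2.1/app" version="2.1"/>
  </version>
  <version value="2.0">
    <module name="UserMgmt" baseUri="/api/2.0/services/usermgmt" version="2.0"/>
    <module name="IPSet" baseUri="/api/2.0/services/ipset" version="2.0"/>
  </version>
</versions>"""

SAMPLE_EDGE_VERSIONS = """<versions>
  <version version="2.0">
    <module version="2.0" baseUri="/api/2.0/networks" id="dvportgroup-63" name="edge"/>
  </version>
</versions>"""

if __name__ == "__main__":
    print(basic_auth_header("admin", "default"))
    print(module_base_uri(SAMPLE_VERSIONS, "IPSet"))
    print(module_base_uri(SAMPLE_EDGE_VERSIONS, "edge"))
    # Live call against a manager (placeholder host and CA bundle):
    # body = vsm_get("vsm.example.internal", "/api/versions",
    #                "admin", "default", "/etc/ssl/certs/vsm-ca.pem")
    # print(module_base_uri(body.decode(), "UserMgmt"))
```

Resolving the base URI from /api/versions, rather than typing /api/2.0/... into every script, is what keeps a tool working when a module moves to a newer version, as the VshieldAppGlobal module already has in Example 1-1.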
About the REST API

IMPORTANT All vShield REST requests require authorization. The default vShield Manager login credentials are user admin, password default. Unless you changed these, you can use the following basic authorization, where YWRtaW46ZGVmYXVsdA== is the Base64 encoding of the default credentials admin:default.
Authorization: Basic YWRtaW46ZGVmYXVsdA==

REST APIs use HTTP requests (often sent by script or high-level language) as a way of making idempotent remote procedure calls that create, modify, or delete objects defined by the API. A REST API is defined by a collection of XML documents that represent the objects on which the API operates. The HTTP operations themselves are generic to all HTTP clients. To write a RESTful client, you should understand HTTP protocol and the semantics of standard HTML markup. For the vShield REST API, you must know three things:
The set of objects that the API supports, and what they represent. For example, what are vDC and Org?
How the API represents these objects. For instance, what is the XML schema for the vShield Edge firewall rule set? What do the individual elements and attributes represent?
How the client refers to an object on which it wants to operate. For example, what is a managed object ID?
To answer these questions, you look at vShield API resource schemas. These schemas define a number of XML types, many of which are extended by other types. The XML elements defined in these schemas, along with their attributes and composition rules (minimum and maximum number of elements or attributes, or the prescribed hierarchy with which elements can be nested) represent the data structures of vShield objects. A client can “read” an object by making an HTTP GET request to the object's resource URL. A client can “write” (create or modify) an object with an HTTP PUT or POST request that includes a new or changed XML body document for the object. Usually a client can delete an object with an HTTP DELETE request.
This document presents example requests and responses, and provides reference information on the XML schemas that define the request and response bodies.
RESTful Workflow Patterns
All RESTful workflows fall into a pattern that includes only two fundamental operations, which you repeat in this order for as long as necessary.
Make an HTTP request (GET, PUT, POST, or DELETE). The target of this request is either a well-known URL (such as vShield Manager) or a link obtained from the response to a previous request. For example, a GET request to an Org URL returns links to vDC objects contained by the Org.
Examine the response, which can be an XML document or an HTTP response code. If the response is an XML document, it may contain links or other information about the state of an object. If the response is an HTTP response code, it indicates whether the request succeeded or failed, and may be accompanied by a URL that points to a location from which additional information can be retrieved.

For More Information About REST
For a comprehensive discussion of REST from both client and server perspectives, see RESTful Web Services by Leonard Richardson and Sam Ruby, published 2007 by O'Reilly Media.
There are also many sources of information about REST on the Web, including:
http://www.infoq.com/articles/rest-introduction
http://www.infoq.com/articles/subbu-allamaraju-rest
http://www.stucharlton.com/blog/archives/000141.html
2 vShield Manager Management

IMPORTANT All vShield REST requests require authorization. See “Using the vShield REST API” on page 16 for details about basic authorization.

The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP to provide details on your VMware Infrastructure inventory.
The chapter includes the following topics:
“Synchronizing vShield Manager with vCenter Server, SSO, and DNS” on page 19
“Querying vShield Manager Global Configuration” on page 21
“Resetting the Local Account Password” on page 21
“Monitoring vShield Manager Reachability” on page 23
“Working with vShield Manager Syslog Server Configuration” on page 23
“Querying vShield Manager Logs” on page 24
“Querying vShield Manager Tech Support Log” on page 24
“User Management” on page 24
“Role Management” on page 28
“Creating IPset and MACset Containers” on page 31
“Security Group Scope and Members” on page 34
“Transport Set for Services” on page 37
“Querying Object IDs” on page 45

Synchronizing vShield Manager with vCenter Server, SSO, and DNS
You can synchronize the vShield Manager with the vCenter Server, add DNS servers to the vShield Manager for IP address and hostname resolution, configure the time and time zone, and add an NTP server. Synchronizing with vCenter Server enables the vShield Manager user interface to display your VMware Infrastructure inventory, and requires its IP address (or URL) and administrator login credentials. The request body carries those vCenter and SSO administrator credentials in clear text, so send it only over the HTTPS port (443/TCP) and do not leave copies of the body in shell history, scripts, or log files. For the vcInfo schema and the dnsInfo schema, see “vShield Manager Global Configuration Schema” on page 219.

Example 2-1. Synchronize the vShield Manager with vCenter server and SSO and identify DNS services
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
<ssoInfo>
<lookupServiceUrl>https://<SSO IP or Host name>:7444/lookupservice/sdk</lookupServiceUrl>
<ssoAdminUserName>admin@System-Domain</ssoAdminUserName>
<ssoAdminPassword></ssoAdminPassword>
</ssoInfo>
<vcInfo>
<ipAddress>VC_IP</ipAddress>
<userName>admin</userName>
<password></password>
</vcInfo>
<dnsInfo>
<primaryDns>10.112.192.1</primaryDns>
<secondaryDns>10.112.192.2</secondaryDns>
</dnsInfo>
</vsmGlobalConfig>
Specifying DNS information is optional. You can synchronize vShield Manager with just vCenter Server.

Example 2-2. Synchronize the vShield Manager with vCenter server and SSO
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
<ssoInfo>
<lookupServiceUrl>https://<SSO IP or Host name>:7444/lookupservice/sdk</lookupServiceUrl>
<ssoAdminUserName>admin@System-Domain</ssoAdminUserName>
<ssoAdminPassword></ssoAdminPassword>
</ssoInfo>
<vcInfo>
<ipAddress>VC_IP</ipAddress>
<userName>admin</userName>
<password></password>
</vcInfo>
</vsmGlobalConfig>

Example 2-3. Synchronize the vShield Manager with vCenter Server
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
<vcInfo>
<ipAddress>10.112.196.22</ipAddress>
<userName>administrator</userName>
<password>123</password>
</vcInfo>
</vsmGlobalConfig>

Example 2-4. Configure NTP server
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
<timeInfo>
<ntpServer>10.112.196.2</ntpServer>
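Examples 2-1 through 2-4 all post variants of one vsmGlobalConfig body to /api/2.0/global/config. The following Python helper is an added example written for this page, not code from the guide or from VMware. It builds that body for any combination of ssoInfo, vcInfo, dnsInfo and timeInfo using the element names and namespace the examples use, XML-escapes the credentials (a vCenter password containing & or < would otherwise break the document or be silently mangled), reads the passwords from the environment instead of embedding them in a script as Example 2-3 does, and posts over verified TLS. The host names, the CA bundle path and the environment variable names are assumptions; whether the server accepts a given combination of blocks is for the vShield Manager to decide, the builder only reproduces the shapes shown in the examples.

```python
"""Build and post the vsmGlobalConfig body from Examples 2-1 to 2-4
(added example, not from the guide). Hosts, CA path and environment
variable names are placeholders."""
import base64
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

VSM_NS = "vmware.vshield.edge.2.0"  # namespace used by the guide's examples


def _element(tag: str, value: str) -> str:
    # escape() turns &, < and > into entities, so a password such as
    # "p&ss<word" cannot break out of its element or corrupt the body.
    return f"<{tag}>{escape(value)}</{tag}>"


def build_global_config(vc_ip, vc_user, vc_password, sso=None, dns=None, ntp=None) -> str:
    """Return the request body for POST /api/2.0/global/config.

    sso: (lookup_service_url, admin_user, admin_password) or None
    dns: (primary, secondary_or_None) or None
    ntp: NTP server address or None
    vcInfo is always emitted; the other blocks only when given, which
    covers Example 2-1 (all), 2-3 (vcInfo only) and 2-4 (timeInfo)."""
    parts = [f'<vsmGlobalConfig xmlns="{VSM_NS}">']
    if sso:
        url, user, password = sso
        parts += ["<ssoInfo>", _element("lookupServiceUrl", url),
                  _element("ssoAdminUserName", user),
                  _element("ssoAdminPassword", password), "</ssoInfo>"]
    parts += ["<vcInfo>", _element("ipAddress", vc_ip),
              _element("userName", vc_user),
              _element("password", vc_password), "</vcInfo>"]
    if dns:
        primary, secondary = dns
        parts += ["<dnsInfo>", _element("primaryDns", primary)]
        if secondary:
            parts.append(_element("secondaryDns", secondary))
        parts.append("</dnsInfo>")
    if ntp:
        parts += ["<timeInfo>", _element("ntpServer", ntp), "</timeInfo>"]
    parts.append("</vsmGlobalConfig>")
    return "\n".join(parts)


def config_field(xml_text: str, path: str):
    """Read one value back from a body, e.g. "vcInfo/ipAddress".
    Parsing the body before sending it catches malformed XML locally."""
    root = ET.fromstring(xml_text)
    node = root.find("/".join(f"{{{VSM_NS}}}{p}" for p in path.split("/")))
    return None if node is None else node.text


def post_global_config(vsm_host, vsm_user, vsm_password, body, ca_bundle) -> int:
    """POST the body to the manager and return the HTTP status.
    The default SSL context verifies the manager's certificate chain and
    host name against ca_bundle instead of disabling checks (curl -k)."""
    token = base64.b64encode(f"{vsm_user}:{vsm_password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{vsm_host}/api/2.0/global/config",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/xml"},
    )
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_global_config(
        "10.112.196.22", "administrator", os.environ.get("VC_PASSWORD", ""),
        sso=("https://sso.example.internal:7444/lookupservice/sdk",
             "admin@System-Domain", os.environ.get("SSO_PASSWORD", "")),
        dns=("10.112.192.1", "10.112.192.2"),
        ntp="10.112.196.2",
    )
    print(body)
    # Live call (placeholder host and CA bundle); VSM_PASSWORD must be set:
    # print(post_global_config("vsm.example.internal", "admin",
    #                          os.environ["VSM_PASSWORD"], body,
    #                          "/etc/ssl/certs/vsm-ca.pem"))
```

Reading the passwords from the environment keeps them out of the script file and out of shell history; the printed body still contains them, so do not redirect it into a log.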