NSX-T API used to update Distributed Firewall (DFW) rules fails with "httpStatus" : "NOT_FOUND"
Article ID: 303342
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
- You recently upgraded from NSX-T 3.1.x to 3.2.x.
- You are using Manager (not Policy) API call's to update existing DFW firewall rules.
- First retrieve the rule for updating:
GET api/v1/firewall/sections/<section-ID>/rules/<rule-ID>
- Then edit the values and apply changes using:
PUT api/v1/firewall/sections/<section-ID>/rules/<rule-ID>
- The PUT API call results in the following error:
"httpStatus" : "NOT_FOUND",
"error_code" : 600,
"module_name" : "common-services",
"error_message" : "The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive."
"error_code" : 600,
"module_name" : "common-services",
"error_message" : "The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive."
- The API call works when creating a new rule and only fails when editing existing rules.
- The following log entries are seen in the NSX-T manager /avr/log/proton/nsxapi.log:
2023-01-23T09:32:27.199Z INFO http-nio-127.0.0.1-7440-exec-43 NsxBaseRestController 28648 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/firewall/sections/<section-ID>/rules/<rule-ID> caused by exception com.vmware.nsx.management.common.exceptions.ObjectNotFoundException: {"moduleName":"common-services","errorCode":600,"errorMessage":"The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive."}
2023-01-23T09:32:27.199Z INFO http-nio-127.0.0.1-7440-exec-43 NsxBaseRestController 28648 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'common-services' Operation:'PUT@/api/v1/firewall/sections/<section-ID>/rules/<rule-ID>' Operation status: 'failure' Error: The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive.
- In the log /var/log/proxy/localhost_access_log, we see the failed API calls:
2023-01-23T09:32:27.200Z <IP> - "PUT /api/v1/firewall/sections/<section-ID>/rules/<rule-ID> HTTP/1.1" 404 257 30 30
Environment
VMware NSX-T Data Center
Cause
There is an issue with the create rule logic, whereby a required value is not added when updating a current rule, which results in the error.
Resolution
This is a known issue impacting NSX-T data center.
Workaround:
You can use the following API call:
For example, here we are pointing to a file called update-firewall-rule.json which has the updated content:
Add the content in the API tool data section you are using.
Workaround:
You can use the following API call:
POST POST /api/v1/firewall/sections/<section-id>?action=update_with_rules
Please note, as these are PUT/POST commands, they will have content, if you are using curl you can use the -d option to add the content or point to a file with the content.For example, here we are pointing to a file called update-firewall-rule.json which has the updated content:
curl -X POST -H 'Content-Type: application/json' -sN -k -u admin:<password> https://<nsx-t-manager-ip>/api/v1/firewall/sections/<section-id>?action=update_with_rules -d @update-firewall-rule.jsonOr
Add the content in the API tool data section you are using.
Feedback
Yes
No
Powered by
