NSX-T API used to update Distributed Firewall (DFW) rules fails with "httpStatus" : "NOT_FOUND"
search cancel

NSX-T API used to update Distributed Firewall (DFW) rules fails with "httpStatus" : "NOT_FOUND"

book

Article ID: 303342

calendar_today

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • You recently upgraded from NSX-T 3.1.x to 3.2.x.
  • You are using Manager (not Policy) API call's to update existing DFW firewall rules.
  • First retrieve the rule for updating:
GET api/v1/firewall/sections/<section-ID>/rules/<rule-ID>
  • Then edit the values and apply changes using:
PUT api/v1/firewall/sections/<section-ID>/rules/<rule-ID>
  • The PUT API call results in the following error:
"httpStatus" : "NOT_FOUND",
"error_code" : 600,
"module_name" : "common-services",
"error_message" : "The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive."
  • The API call works when creating a new rule and only fails when editing existing rules.
  • The following log entries are seen in the NSX-T manager /var/log/proton/nsxapi.log:
2023-01-23T09:32:27.199Z INFO http-nio-127.0.0.1-7440-exec-43 NsxBaseRestController 28648 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/firewall/sections/<section-ID>/rules/<rule-ID> caused by exception com.vmware.nsx.management.common.exceptions.ObjectNotFoundException: {"moduleName":"common-services","errorCode":600,"errorMessage":"The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive."}
2023-01-23T09:32:27.199Z INFO http-nio-127.0.0.1-7440-exec-43 NsxBaseRestController 28648 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'common-services' Operation:'PUT@/api/v1/firewall/sections/<section-ID>/rules/<rule-ID>' Operation status: 'failure' Error: The requested object : FirewallRule/<rule-ID> could not be found. Object identifiers are case sensitive.
  • In the log /var/log/proxy/localhost_access_log, we see the failed API calls:
2023-01-23T09:32:27.200Z <IP> - "PUT /api/v1/firewall/sections/<section-ID>/rules/<rule-ID> HTTP/1.1" 404 257 30 30

Environment

VMware NSX-T Data Center 3.x

Cause

There is an issue with the create rule logic, whereby a required value is not added when updating a current rule, which results in the error.

Resolution

This issue is resolved in VMware NSX-T Data Center 3.2.3.0.

Workaround:
You can use the following API call:

POST POST /api/v1/firewall/sections/<section-id>?action=update_with_rules

Please note, as these are PUT/POST commands, they will have content, if you are using curl you can use the -d option to add the content or point to a file with the content.
For example, here we are pointing to a file called update-firewall-rule.json which has the updated content:

curl -X POST -H 'Content-Type: application/json' -sN -k -u admin:<password> https://<nsx-t-manager-ip>/api/v1/firewall/sections/<section-id>?action=update_with_rules -d @update-firewall-rule.json

Or
Add the content in the API tool data section you are using.

Powered by Wolken Software