NSX-T Gateway Firewall POST API with operation 'insert_bottom' to insert a policy at the bottom is not working as expected


Article ID: 322539


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • The position of a policy is being revised on the Gateway Firewall using the following POST API with an empty body:
<NSXManager>/policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>?action=revise&operation=insert_bottom
  • The expected behavior is that the policy referenced by 'gateway-policy-id' is placed at the bottom. However, the result is that the policy is placed at the top.
  • The NSX-T version is prior to 3.2.0.
  • The following error is returned when the API is called:
"Once a category has been assigned to a Security Policy, it cannot be modified"
  • In the /var/log/policy.log the following message will be reported:
2021-08-24T10:50:44.140Z INFO http-nio-127.0.0.1-6440-exec-20 PolicyEdgeFirewallFacadeImpl - POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="c58a0ee2-5667-4f29-8862-5fa66c8049fb" subcomp="policy" username="admin"] Revising gateway policy for domain default with operation insert_bottom and anchor null
2021-08-24T10:50:44.144Z ERROR http-nio-127.0.0.1-6440-exec-20 AbstractCommunicationMapServiceImpl - POLICY [nsx@6876 comp="nsx-manager" errorCode="MP500097" level="ERROR" reqId="c58a0ee2-5667-4f29-8862-5fa66c8049fb" subcomp="policy" username="admin"] Category of CommunicationMap cannot be updated from LOCAL_GATEWAY_RULES to APPLICATION
2021-08-24T10:50:44.145Z INFO http-nio-127.0.0.1-6440-exec-20 NsxBaseRestController - - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] Error in API /policy/api/v1/infra/domains/default/gateway-policies/Insert-Test2?action=revise&operation=insert_bottom caused by exception com.vmware.nsx.management.policy.policyframework.exceptions.InvalidParameterException: {"moduleName":"Policy","errorCode":500097,"errorMessage":"Once a category has been assigned to a Security Policy, it cannot be modified"}
  • The equivalent POST API call against the DFW (not Gateway) policies can be made with an empty body and works as expected:
<NSXManager>/policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise&operation=insert_bottom
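To check a manager for this symptom, the policy.log entries above can be correlated by reqId. The following is an added example, not VMware code: the function name is hypothetical, the first two sample lines are the excerpt from this article, and the third is a constructed line for a revise call that was not rejected.

```python
import re

# Constructed sample: lines 1-2 are this article's policy.log excerpt; line 3 is an
# invented revise call that is not followed by an error and must not be reported.
SAMPLE_LOG = """\
2021-08-24T10:50:44.140Z INFO http-nio-127.0.0.1-6440-exec-20 PolicyEdgeFirewallFacadeImpl - POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="c58a0ee2-5667-4f29-8862-5fa66c8049fb" subcomp="policy" username="admin"] Revising gateway policy for domain default with operation insert_bottom and anchor null
2021-08-24T10:50:44.144Z ERROR http-nio-127.0.0.1-6440-exec-20 AbstractCommunicationMapServiceImpl - POLICY [nsx@6876 comp="nsx-manager" errorCode="MP500097" level="ERROR" reqId="c58a0ee2-5667-4f29-8862-5fa66c8049fb" subcomp="policy" username="admin"] Category of CommunicationMap cannot be updated from LOCAL_GATEWAY_RULES to APPLICATION
2021-08-24T12:00:00.000Z INFO http-nio-127.0.0.1-6440-exec-21 PolicyEdgeFirewallFacadeImpl - POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="00000000-0000-0000-0000-000000000001" subcomp="policy" username="admin"] Revising gateway policy for domain default with operation insert_bottom and anchor null
"""

# timestamp, level, structured-data block in [nsx@6876 ...], then the free-text message
ENTRY = re.compile(r'^(?P<ts>\S+) (?P<level>\w+) .*?\[nsx@6876 (?P<sd>[^\]]*)\] (?P<msg>.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')
REVISE = re.compile(r'Revising gateway policy for domain (\S+) with operation (\S+) and anchor (\S+)')


def failed_revisions(log_text):
    """Return gateway-policy revise calls that were rejected with errorCode MP500097."""
    pending = {}    # reqId -> revise request still waiting for an outcome
    failures = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue    # wrapped or unrelated line
        fields = dict(FIELD.findall(entry["sd"]))
        req_id = fields.get("reqId")
        revise = REVISE.search(entry["msg"])
        if revise and req_id:
            domain, operation, anchor = revise.groups()
            pending[req_id] = {"time": entry["ts"], "reqId": req_id,
                               "user": fields.get("username"), "domain": domain,
                               "operation": operation, "anchor": anchor}
        elif fields.get("errorCode") == "MP500097" and req_id in pending:
            # Same request id as an earlier revise call: the reordering was refused.
            failures.append({**pending.pop(req_id), "error": entry["msg"]})
    return failures


if __name__ == "__main__":
    for failure in failed_revisions(SAMPLE_LOG):
        print(failure)
```

Each hit is a reorder request that did not take effect, so the rule order on the affected Gateway Firewall should be reviewed before relying on it.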


Environment

VMware NSX-T Data Center

Cause

The above Gateway Firewall POST API is being called with an empty body, but the API definition specifies that you need to provide the body of the policy object in JSON format as part of the request.
The behavior of this API can appear confusing, as it is inconsistent with the same API call on the DFW, which can take an empty body.

Resolution

For versions prior to NSX-T 3.2.0, the API definition requires the Edge firewall API to be called with the body in JSON format. Provide the body when making the API request and it will work as expected.

Changes have been made in NSX-T 3.2.0 to make the behavior of the POST API call consistent with its DFW equivalent, so the API call on the Gateway Firewall can be made with an empty body and will work as expected.