The NSX API endpoint PATCH "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}" is accepting invalid values in request payload
search cancel

The NSX API endpoint PATCH "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}" is accepting invalid values in request payload

book

Article ID: 375540

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

NSX-T API endpoint PATCH "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}" is accepting invalid values in the request payload which is causing the segments to become unmodifiable in GUI.
 
Example:
 
API abnormal execution (invalid request parameter)

If you include `//` and extra backslash like `//infra/segment-security-profiles/${SEGMENT_SECURITY_ID}`, the request is successful and allowing the Segment to set with default value not the desired one.
 
API Endpoint: PATCH: "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}"
 
Payload:
 
{
    "resource_type": "SegmentSecurityProfileBindingMap",
    "segment_security_profile_path": "//infra/segment-security-profiles/${SEGMENT_SECURITY_ID}",     # We have added a additional/special char (/) at the end of the segment profile path value.
    "spoofguard_profile_path": "/infra/spoofguard-profiles/${SPOOFGUARD_ID}"
}
 

Environment

VMware NSX 4.1, 4.2

Cause

API request payload is missing the validation for segment_security_profile_path parameter when updating the binding maps.

Resolution

This is a known issue, and our engineering team is working on a fix by adding validation for the segment_security_profile_path path parameter.

Meantime, you can apply one of workarounds:

Workaround 1:

1. Do a call GET "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}" to the segment binding map, which has the double special characters.
2. Do an Update call PATCH: "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}" by removing the profile path, which has the double special characters.
3. Do the Update call  PATCH: "https://${NSX_HOST}/policy/api/v1/infra/segments/${SEGMENT_ID}/segment-security-profile-binding-maps/${SECURE_ID}"again, this time putting back the profile as well as removing the extra special characters.

Steps:

1. GET API Request:

 

2. PATCH API request (removing the profile path):

3.  PATCH API request (putting back the profile as well as removing the extra special characters):

Workaround 2:

Delete the Infra segment security profile binding map using DELETE API endpoint here: and re-create.

Additional Information

PATCH API reference is here

Delete API reference is here