Firewall ListSections MP API response incomplete with pagination

Article ID: 385075


Products

VMware vDefend Firewall

Issue/Introduction

The ListSections MP API (GET /firewall/sections) does not include all firewall sections in a paginated response when firewall sections have duplicate sequence numbers.
 
Example:
 
Use the GET /firewall/sections MP API to read the total number of firewall sections (result_count) and compare it with the sum of the sections actually returned on each page.
 
Step 1:
 
Request
 
GET /api/v1/firewall/sections?page_size=5
 
Note: page_size is an optional parameter; it defaults to 1000 when it is not part of the API invocation.
 
Response
{
  "results": [
    {
      "resource_type": "FirewallSection",
      "id": "50a145c9-827f-4962-8028-1ab9e22f147e",
      "display_name": "Default Malicious IP Block Rules",
      "description": "default.default-malicious-ip-block-rules",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "4410e124-7afb-4810-b39d-06c5b7562679",
      "display_name": "gsp3",
      "description": "default.gsp3",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "62ed268f-e8db-4c84-bedb-9a9bcbe96094",
      "display_name": "gsp2",
      "description": "default.gsp2",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "d8ea8a53-c624-4390-bbe1-4fa43265932c",
      "display_name": "gsp1",
      "description": "default.gsp1",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "f2c6872f-5372-456d-a73c-22321d4b677a",
      "display_name": "sp6",
      "description": "default.sp6",
      ...
    }
  ],
  "result_count": 13,
  "sort_by": "position",
  "cursor": "0036f2c6872f-5372-456d-a73c-22321d4b677aRmlyZXdhbGxTZWN0aW9u"
}

 
Step 2:
 
Request
 
GET /api/v1/firewall/sections?page_size=5&cursor=0036f2c6872f-5372-456d-a73c-22321d4b677aRmlyZXdhbGxTZWN0aW9u
 
(Note the number of firewall sections returned by each invocation and repeat with the returned cursor until the last page, i.e. a response without a cursor.)
 
Response
{
  "results": [
    {
      "resource_type": "FirewallSection",
      "id": "aa610130-88bf-46f8-a813-097dc8133203",
      "display_name": "sp5",
      "description": "default.sp5",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "5c9df16d-d934-4454-ad1a-1f01cfbf55be",
      "display_name": "sp4",
      "description": "default.sp4",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "c03f8955-cfc2-42e6-8366-a42ecc88112a",
      "display_name": "sp3",
      "description": "default.sp3",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "5e3eb1b5-d096-4e94-8a53-5505a2b32956",
      "display_name": "sp2",
      "description": "default.sp2",
      ...
    },
    {
      "resource_type": "FirewallSection",
      "id": "fef1dac8-df3e-42d0-ae69-34e4adf5ce1c",
      "display_name": "sp1",
      "description": "default.sp1",
      ...
    }
  ],
  "sort_by": "position",
  "cursor": "0036fef1dac8-df3e-42d0-ae69-34e4adf5ce1cRmlyZXdhbGxTZWN0aW9u"
}

Request
 
GET /api/v1/firewall/sections?page_size=5&cursor=0036fef1dac8-df3e-42d0-ae69-34e4adf5ce1cRmlyZXdhbGxTZWN0aW9u (Last Page)
 
Response
{
  "results": [
    {
      "resource_type": "FirewallSection",
      "id": "8bba3c1d-a37f-4485-9991-d92251e0b92e",
      "display_name": "Policy_Default_Infra-tier1-T1-Gateway-01",
      "description": "default.Policy_Default_Infra-tier1-T1-Gateway-01",
      ...
    }
  ],
  "sort_by": "position"
}

Step 3:
Sum the firewall section count from each page, i.e. 5 + 5 + 1 = 11, and compare it with result_count = 13. The issue is present if these counts do not match.
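The three-step check above as a script, added here as an example and not part of the KB article: it follows the cursor of GET /api/v1/firewall/sections, sums the per-page results and compares the total with result_count from the first page. fetch_page is an assumed callable; against a real NSX Manager it would wrap an authenticated HTTPS GET (for example with requests), while fake_fetch serves constructed pages that reproduce the 5 + 5 + 1 versus 13 mismatch from the walkthrough.

```python
from typing import Callable, List, Optional, Tuple

def collect_sections(fetch_page: Callable[[str], dict],
                     page_size: int = 5) -> Tuple[List[dict], Optional[int]]:
    """Follow the cursor to the last page; return (sections seen, first page's result_count)."""
    sections: List[dict] = []
    result_count: Optional[int] = None
    cursor: Optional[str] = None
    while True:
        url = f"/api/v1/firewall/sections?page_size={page_size}"
        if cursor:
            url += f"&cursor={cursor}"
        page = fetch_page(url)
        if result_count is None:          # only the first page carries result_count
            result_count = page.get("result_count")
        sections.extend(page["results"])
        cursor = page.get("cursor")       # absent on the last page
        if not cursor:
            return sections, result_count

def check_pagination(fetch_page: Callable[[str], dict], page_size: int = 5) -> dict:
    """Step 3 of the article: sum the per-page counts and compare with result_count."""
    sections, expected = collect_sections(fetch_page, page_size)
    ids = [s["id"] for s in sections]
    return {"fetched": len(sections), "expected": expected,
            "missing": (expected or 0) - len(sections),
            "duplicate_ids": len(ids) - len(set(ids)),   # a cursor fault could also repeat entries
            "affected": len(sections) != expected}

# Constructed sample pages (not a real NSX response) mirroring the walkthrough above:
# 5 + 5 + 1 sections come back although the first page reports result_count 13.
_PAGE_NAMES = [["Default Malicious IP Block Rules", "gsp3", "gsp2", "gsp1", "sp6"],
               ["sp5", "sp4", "sp3", "sp2", "sp1"],
               ["Policy_Default_Infra-tier1-T1-Gateway-01"]]
_CURSORS = ["cursor-page2", "cursor-page3"]   # constructed opaque cursor values

def fake_fetch(url: str) -> dict:
    """Stand-in for an HTTP GET against NSX Manager; serves the pages above by cursor."""
    cursor = url.split("cursor=")[1] if "cursor=" in url else None
    idx = 0 if cursor is None else _CURSORS.index(cursor) + 1
    page = {"results": [{"resource_type": "FirewallSection", "id": f"id-{n}",
                         "display_name": n} for n in _PAGE_NAMES[idx]],
            "sort_by": "position"}
    if idx == 0:
        page["result_count"] = 13
    if idx < len(_CURSORS):
        page["cursor"] = _CURSORS[idx]
    return page
```

Running check_pagination(fake_fetch) reports 11 fetched against 13 expected, which is the signature of the issue; a report with fetched equal to expected and no duplicate ids means the manager is not affected for this page size.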

Environment

NSX Manager with security policies having duplicate sequence numbers.

Cause

Firewall sections are enforced based on their priority, meaning sections with smaller priority numbers are placed higher in the rule table, while those with larger priority numbers are placed lower.

This issue can occur when the policy manager allows security policies to have duplicate sequence numbers, which correspond to the priority numbers assigned to the firewall sections. The ListSections MP API returns a paginated view of the ordered list of firewall sections. If a page ends with a firewall section that has a duplicate priority number, the next page may skip the firewall sections that share that priority value, so they never appear in the API response.

Another scenario involves having two or more logical routers created via MP APIs, which results in a system-generated default Layer 3 gateway section for each gateway with a fixed default priority value. The ListSections MP API supports fetching all Layer 3 firewall sections, including DFW and GFW enforcements. In this case, the default gateway sections (applied to different gateways) will have duplicate system-assigned priority values, leading to pagination issues.

Resolution

The Firewall ListSections MP API is fixed in versions 4.2.1.2 and 9.0 onwards.

Since the ListSections MP API is deprecated, it is recommended to use the corresponding policy APIs to manage the security posture (e.g. GET /infra/domains/{domain-id}/security-policies to fetch the ordered list of security policies).

Alternatively, in the absence of the fix, the search API below can be used to fetch the list of firewall sections.

GET /api/v1/search/query?sort_by=id&sort_ascending=true&query=resource_type:FirewallSection

Note: This API does not guarantee ordering based on priority number.