Configures globalConfig and firewallRules for the edge gateway firewall.

Note

VMware recommends you issue a GET request to retrieve the edge gateway firewall configuration, modify the configuration, then submit the changes by sending a PUT request.

1

Log in to vCloud Air as an administrator. See Log in to vCloud Air for information.

2

Create a login session with vCloud Director. See Create a Session for a Virtual Data Center in a Service for information.

3

Using the vCloud API, query vCloud Director for the ID of the edge gateway whose firewall configuration you want to change. See Querying the vCloud API for information.

1

Request the current firewall configuration for the edge gateway. See List Edge Gateway Firewall Configuration.

2

Examine the response and update the elements you need to change. Check each rule's match criteria as well, not only the values you are editing: the Allow ssh rule in the example below restricts only its destination address and names no service, so it accepts every protocol and port to 192.168.10.1, not just SSH.

For a description of each element of the edge gateway firewall schema, see Schema for Edge Gateway Firewall Configuration.

3

Submit the updated configuration using the following request header and request body:

PUT https://vchs.vmware.com/hybridity/api/gateways/gatewayId/firewall/config

In the request header, include the authorization token that you obtained when creating a login session, together with the Accept and Content-Type headers:

Accept: application/json
Content-Type: application/json
X-Vcloud-Authorization: "vcloud-auth-token"

In the request body, include the complete configuration you retrieved with the GET request, with the elements you changed. The PUT replaces the whole firewall configuration rather than merging a partial update, so any rule or element you leave out of the body is not preserved.

The server returns status 204 NO CONTENT in the response header. The server does not return a response body.

Request Header – Get the Edge Gateway Firewall Configuration

GET https://vchs.vmware.com/hybridity/api/gateways/gw-5/firewall/config
Accept: application/json
Content-Type: application/json
X-Vcloud-Authorization: "d6eFLOqQYfuEn2MJTp7BQ2ISEO+ZYaEgTcqBy8wZQ6js="

Request body not required.

Response Body – Get the Edge Gateway Firewall Configuration

{
"featureType": "firewall_4.0",
"version": 5,
"enabled": true,
"globalConfig": {
    "tcpPickOngoingConnections": false,
    "tcpAllowOutOfWindowPackets": false,
    "tcpSendResetForClosedVsePorts": true,
    "dropInvalidTraffic": true,
    "logInvalidTraffic": false,
    "tcpTimeoutOpen": 30,
    "tcpTimeoutEstablished": 3600,
    "tcpTimeoutClose": 30,
    "udpTimeout": 60,
    "icmpTimeout": 10,
    "icmp6Timeout": 10,
    "ipGenericTimeout": 120
},
"defaultPolicy": {
    "action": "deny",
    "loggingEnabled": false
},
"firewallRules": {
    "firewallRules": [ {
            "ruleId": 131074,
            "ruleTag": 131074,
            "name": "firewall",
            "ruleType": "internal_high",
            "enabled": true,
            "loggingEnabled": false,
            "description": "firewall",
            "action": "accept",
            "source": {
                "exclude": false,
                "ipAddress": [],
                "groupingObjectId": [],
                "vnicGroupId": [
                    "vse"
                ]
            }
        }, {
            "ruleId": 131075,
            "ruleTag": 131075,
            "name": "Allow ssh",
            "ruleType": "user",
            "enabled": true,
            "loggingEnabled": false,
            "description": "",
            "matchTranslated": false,
            "action": "accept",
            "destination": {
                "exclude": false,
                "ipAddress": [
                    "192.168.10.1"
                ],
                "groupingObjectId": [],
                "vnicGroupId": []
            }
        }, {
            "ruleId": 131073,
            "ruleTag": 131073,
            "name": "default rule for ingress traffic",
            "ruleType": "default_policy",
            "enabled": true,
            "loggingEnabled": false,
            "description": "default rule for ingress traffic",
            "action": "deny"
        }
    ]
  }
}

Request Header – Change the Default Timeouts

PUT https://vchs.vmware.com/hybridity/api/gateways/gw-5/firewall/config
Accept: application/json
Content-Type: application/json
X-Vcloud-Authorization: "d6eFLOqQYfuEn2MJTp7BQ2ISEO+ZYaEgTcqBy8wZQ6js="

Request Body – Change the Default Timeouts

{
"featureType": "firewall_4.0",
"version": 5,
"enabled": true,
"globalConfig": {
    "tcpPickOngoingConnections": false,
    "tcpAllowOutOfWindowPackets": false,
    "tcpSendResetForClosedVsePorts": true,
    "dropInvalidTraffic": true,
    "logInvalidTraffic": false,
    "tcpTimeoutOpen": 60,
    "tcpTimeoutEstablished": 7200,
    "tcpTimeoutClose": 60,
    "udpTimeout": 120,
    "icmpTimeout": 20,
    "icmp6Timeout": 20,
    "ipGenericTimeout": 240
},
"defaultPolicy": {
    "action": "deny",
    "loggingEnabled": false
},
"firewallRules": {
    "firewallRules": [ {
            "ruleId": 131074,
            "ruleTag": 131074,
            "name": "firewall",
            "ruleType": "internal_high",
            "enabled": true,
            "loggingEnabled": false,
            "description": "firewall",
            "action": "accept",
            "source": {
                "exclude": false,
                "ipAddress": [],
                "groupingObjectId": [],
                "vnicGroupId": [
                    "vse"
                ]
            }
        }, {
            "ruleId": 131075,
            "ruleTag": 131075,
            "name": "Allow ssh",
            "ruleType": "user",
            "enabled": true,
            "loggingEnabled": false,
            "description": "",
            "matchTranslated": false,
            "action": "accept",
            "destination": {
                "exclude": false,
                "ipAddress": [
                    "192.168.10.1"
                ],
                "groupingObjectId": [],
                "vnicGroupId": []
            }
        }, {
            "ruleId": 131073,
            "ruleTag": 131073,
            "name": "default rule for ingress traffic",
            "ruleType": "default_policy",
            "enabled": true,
            "loggingEnabled": false,
            "description": "default rule for ingress traffic",
            "action": "deny"
        }
    ]
  }
}
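The GET-modify-PUT cycle above, written out as a small Python script. This is an added example, not code from the vCloud Air documentation or from VMware: the gateway ID gw-5 and the token are placeholders, SAMPLE_CONFIG is constructed from the GET response shown above so the helpers can be exercised offline, and the pre-PUT checks in check_config are checks this editor suggests running locally, not validation the API performs.

```python
"""Added example, not from the vCloud Air documentation: the GET-modify-PUT cycle for the
edge gateway firewall, plus offline sanity checks run before the PUT. Assumptions (not from
the page): gateway ID "gw-5" and the token are placeholders; SAMPLE_CONFIG is constructed
from the page's GET response so the helpers can run without a vCloud Air session."""
import copy
import json
import urllib.request

BASE_URL = "https://vchs.vmware.com/hybridity/api"

# Constructed sample: the page's GET response as a Python dict.
SAMPLE_CONFIG = {
    "featureType": "firewall_4.0", "version": 5, "enabled": True,
    "globalConfig": {
        "tcpPickOngoingConnections": False, "tcpAllowOutOfWindowPackets": False,
        "tcpSendResetForClosedVsePorts": True, "dropInvalidTraffic": True,
        "logInvalidTraffic": False, "tcpTimeoutOpen": 30, "tcpTimeoutEstablished": 3600,
        "tcpTimeoutClose": 30, "udpTimeout": 60, "icmpTimeout": 10, "icmp6Timeout": 10,
        "ipGenericTimeout": 120},
    "defaultPolicy": {"action": "deny", "loggingEnabled": False},
    "firewallRules": {"firewallRules": [
        {"ruleId": 131074, "ruleTag": 131074, "name": "firewall", "ruleType": "internal_high",
         "enabled": True, "loggingEnabled": False, "description": "firewall", "action": "accept",
         "source": {"exclude": False, "ipAddress": [], "groupingObjectId": [], "vnicGroupId": ["vse"]}},
        {"ruleId": 131075, "ruleTag": 131075, "name": "Allow ssh", "ruleType": "user",
         "enabled": True, "loggingEnabled": False, "description": "", "matchTranslated": False,
         "action": "accept", "destination": {"exclude": False, "ipAddress": ["192.168.10.1"],
                                             "groupingObjectId": [], "vnicGroupId": []}},
        {"ruleId": 131073, "ruleTag": 131073, "name": "default rule for ingress traffic",
         "ruleType": "default_policy", "enabled": True, "loggingEnabled": False,
         "description": "default rule for ingress traffic", "action": "deny"}]}}

# The seven timeout elements of globalConfig, in seconds; the rest are boolean flags.
TIMEOUT_KEYS = ("tcpTimeoutOpen", "tcpTimeoutEstablished", "tcpTimeoutClose",
                "udpTimeout", "icmpTimeout", "icmp6Timeout", "ipGenericTimeout")


def auth_headers(token):
    """Headers the page requires on both the GET and the PUT."""
    return {"Accept": "application/json", "Content-Type": "application/json",
            "X-Vcloud-Authorization": token}


def get_firewall_config(gateway_id, token):
    """GET the current configuration and return the parsed JSON."""
    url = f"{BASE_URL}/gateways/{gateway_id}/firewall/config"
    req = urllib.request.Request(url, headers=auth_headers(token), method="GET")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def put_firewall_config(gateway_id, token, config):
    """PUT the complete configuration back; the server answers 204 with no body."""
    url = f"{BASE_URL}/gateways/{gateway_id}/firewall/config"
    req = urllib.request.Request(url, data=json.dumps(config).encode("utf-8"),
                                 headers=auth_headers(token), method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def with_timeouts(config, **overrides):
    """Copy of config with the given globalConfig timeouts replaced. Unknown keys and
    non-positive values are rejected before anything reaches the gateway."""
    new = copy.deepcopy(config)  # never modify the caller's copy of the GET response
    for key, value in overrides.items():
        if key not in TIMEOUT_KEYS:
            raise KeyError(f"{key} is not a globalConfig timeout")
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            raise ValueError(f"{key} must be a positive number of seconds")
        new["globalConfig"][key] = value
    return new


def double_timeouts(config):
    """The change the page's PUT example makes: every timeout doubled."""
    return with_timeouts(config, **{k: 2 * config["globalConfig"][k] for k in TIMEOUT_KEYS})


def check_config(config):
    """Editor-suggested checks to run before the PUT, which replaces the whole
    configuration. Returns a list of problems; a body that lost its default_policy
    rule or carries an unrestricted accept rule should not be sent."""
    problems = []
    rules = config["firewallRules"]["firewallRules"]
    types = [r["ruleType"] for r in rules]
    if "default_policy" not in types:
        problems.append("default_policy rule is missing")
    elif types[-1] != "default_policy":
        problems.append("default_policy rule is not the last rule")
    if config["defaultPolicy"]["action"] != "deny":
        problems.append("defaultPolicy action is not deny")
    if len({r["ruleId"] for r in rules}) != len(rules):
        problems.append("duplicate ruleId values")
    for r in rules:
        if r["ruleType"] == "user" and r["action"] == "accept" \
                and "source" not in r and "destination" not in r:
            problems.append(f"rule {r['ruleId']} ({r['name']!r}) accepts with no source or destination")
    return problems


if __name__ == "__main__":
    # Offline run against the constructed sample; see the usage note for a live session.
    updated = double_timeouts(SAMPLE_CONFIG)
    print(check_config(updated) or "configuration passes checks")
    print(json.dumps(updated["globalConfig"], indent=2))
```

Against a live session, replace SAMPLE_CONFIG with the result of get_firewall_config("gw-5", token), run check_config on the modified copy, and finish with put_firewall_config("gw-5", token, updated), which returns 204 on success. Everything outside globalConfig is carried through untouched, which is what the page's PUT body shows: the rule list in the PUT is identical to the one returned by the GET.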