Purge all the firewall rules – Part 2

In my previous post I used an API call from a REST client to purge all the rules within the Distributed Firewall function of NSX. I have also turned this into a Python script.

The snake script

Here is the script. This can be used at your own discretion. I am an awful coder. Feedback is welcomed. It is also found on my GitHub here.

## The big purge button for NSX for vSphere 6.1.x - purge-v01.py -
## s: purge
## v: 0.1
## a: Anthony Burke
## e: [email protected]
## t: @pandom_
## w: networkinferno.net
## This purge script is designed to perform an emergency wipe of all rulesets applied to the global table of the distributed firewall.
## This can be used in the case vCenter access is blocked through a default deny all, excess rules in lab environments or to reset NSX pilots.
## NOTES - This needs an interactive prompt to ensure there is a chance to save yourself.
## History Log - v01 - Creation and initial commentary.

## Import libraries (Python 2: httplib is the HTTPS client, base64 builds the Basic auth token)
import base64
import httplib
## Define NSX Manager IP address. Used by +nsx_ip+ as a variable.
nsx_ip = "192.0.2.10"  ## placeholder address, replace with your NSX Manager
## Define NSX Manager API port tcp/443
nsx_port = 443
## Credentials. I know this is not secure. Interactive maybe in future
username = "admin"
password = "VMware1!"
## Leveraging the library imported above we base64-encode "username:password" to create an authenticated session with NSX Manager.
## Standard base64 is required here; the urlsafe variant substitutes characters and would produce an invalid token.
creds = base64.b64encode(username + ':' + password)
## Headers we are using are Content-Type == application/xml. Authorization = "Basic " plus the creds variable (which is actually defined as username + password!)
headers = {'Content-Type': 'application/xml', 'Authorization': 'Basic ' + creds}
## Define the function purge_firewall
def purge_firewall():
    ## Body == None due to this being a REST DELETE command.
    body = None
    ## Drawing on httplib we open an HTTPS connection to the nsx_ip variable on the nsx_port variable
    conn = httplib.HTTPSConnection(nsx_ip, nsx_port)
    ## The actual secret sauce. Sends the DELETE plus the API call URI. Thanks to Andrew Babakian for noting my URI mixup.
    ## httplib wants only the path here; the scheme and host come from the connection above.
    conn.request('DELETE', '/api/4.0/firewall/globalroot-0/config', body, headers)
    response = conn.getresponse()
    ## If the response is not 204 then spit out the bad response. Otherwise happy days.
    if response.status != 204:
        print "error status code", str(response.status) + " Firewall purge unsuccessful"
    else:
        print "Status code", str(response.status) + " Firewall purge successful"
    conn.close()
## Main function that calls purge_firewall into action.
def main():
    purge_firewall()
    print "The deed has been."

if __name__ == '__main__':
    main()

In action

Here are some basic rulesets that I have created pre-purge.

Screen Shot 2015-04-16 at 10.51.51 pm

Time to execute the script. Don’t look too closely at where I am running it from. I did create the script in vi (+1 internet points).

Screen Shot 2015-04-16 at 10.34.11 pm

Woo! It seems it is successful. Time to look at the GUI to find out.

Screen Shot 2015-04-16 at 10.55.13 pm

Python purge

So what does all this mean? Well, now I have a Python script that allows the purging or reset of an environment. I am going to add an interactive prompt, or maybe a question generator, to ensure a level of safety. This is a dangerous command: it can wipe out your security policies very fast. Luckily NSX does store a save on each commit.
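The safety net the post says it still needs, as an added example (not the post's script and not code from the author's GitHub): a Python 3 version that first fetches the current configuration, asks for a typed confirmation, and only then sends the DELETE from the post. It assumes that the same endpoint answers GET with the current DFW configuration, uses http.client in place of httplib, and takes the connection object as a parameter so the flow can be exercised without a live NSX Manager.

```python
import base64
import http.client
import ssl

# Endpoint from the post; GET on the same path is assumed to return the current config.
DFW_CONFIG_PATH = "/api/4.0/firewall/globalroot-0/config"


def basic_auth_header(username, password):
    """Build the headers the post uses; standard base64, not the urlsafe variant."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode("ascii")
    return {"Content-Type": "application/xml", "Authorization": "Basic " + token}


def purge_with_backup(conn, headers, confirm):
    """Fetch the DFW config, require confirmation, then DELETE it.

    conn is any object with the http.client connection interface (passed in so the
    flow can be tested offline); confirm is a callable returning True only when
    the operator explicitly approved.  Returns (status message, backup bytes);
    the backup is what you would PUT back if the purge turns out to be a mistake.
    """
    conn.request("GET", DFW_CONFIG_PATH, None, headers)
    backup = conn.getresponse()
    body = backup.read()
    if backup.status != 200:
        return ("backup failed, status %d; nothing deleted" % backup.status, b"")
    if not confirm():
        return ("purge aborted by operator; nothing deleted", body)
    conn.request("DELETE", DFW_CONFIG_PATH, None, headers)
    resp = conn.getresponse()
    resp.read()
    if resp.status != 204:  # 204 is the success code the post checks for
        return ("purge failed, status %d" % resp.status, body)
    return ("purge successful, status 204", body)


def typed_confirmation(phrase="PURGE"):
    """The interactive guard the post says it still needs: type the phrase exactly."""
    return input("Type %s to wipe every DFW rule: " % phrase).strip() == phrase


if __name__ == "__main__":
    nsx_ip = "nsx-manager.example.invalid"  # placeholder, replace with your NSX Manager
    ctx = ssl.create_default_context()  # verifies the server certificate (add your CA)
    conn = http.client.HTTPSConnection(nsx_ip, 443, context=ctx)
    message, saved = purge_with_backup(conn, basic_auth_header("admin", "VMware1!"),
                                       typed_confirmation)
    if saved:  # keep the pre-purge rules on disk
        with open("dfw-backup.xml", "wb") as fh:
            fh.write(saved)
    print(message)
```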

I would like to thank Andrew Babakian (NSBU SE in Sydney. Rockstar!) for aiding me with some syntax and structure issues I had. I didn’t realise the URI was not passed in the REST DELETE command. I also did not specify how the libraries I imported would be used. Lessons learned by this grasshopper.

4 thoughts on “Purge all the firewall rules – Part 2”

  1. Just wanted to ask.. is all of the gibberish in line 6 required for something specific? Maybe you can do a small part 3 where you pass on some of the learning about the Library usage? 🙂

    I will definitely be referencing this python share as a foundation for some writing on my end. Sincere thanks for sharing this Anthony!

  2. Took me a second to realise in the comment on line 38 that you weren’t referring to a variable “hanks” in class “call” 😉
