Purge all the firewall rules – Part 2

In my previous post I used an API call from a REST client that allowed me to purge all the rules within the Distributed Firewall function of NSX. I have also turned this into a Python script.

The snake script

Here is the script. Use it at your own discretion. I am an awful coder, so feedback is welcome. It is also found on my GitHub here.

## The big purge button for NSX for vSphere 6.1.x - purge-v01.py -
## s: purge
## v: 0.1
## a: Anthony Burke
## e: [email protected]
## t: @pandom_
## w: networkinferno.net
## This purge script is designed to perform an emergency wipe of all rulesets applied to the global table of the distributed firewall.
## This can be used in the case vCenter access is blocked through a default deny all, excess rules in lab environments or to reset NSX pilots.
## NOTES - This needs an interactive prompt to ensure there is a chance to save yourself.
## History Log - v01 - Creation and initial commentary.

## Import libraries (Python 2; httplib is http.client in Python 3)
import base64
import httplib
## Define NSX Manager IP address. Used by +nsx_ip+ as a variable.
nsx_ip = "192.0.2.10"   ## placeholder documentation address, replace with your NSX Manager
## Define NSX Manager API port tcp/443
nsx_port = 443
## Credentials. I know this is not secure. Interactive maybe in future
username = "admin"
password = "VMware1!"
## Leveraging the library defined initially we pass the username and password through to create an authenticated session with NSX Manager.
## HTTP Basic auth expects standard base64, not the URL-safe alphabet.
creds = base64.b64encode(username + ':' + password)
## Headers we are using are Content-Type == application/xml. Authorization = Basic plus the creds variable (base64 of username:password).
headers = {'Content-Type': 'application/xml', 'Authorization': 'Basic ' + creds}
## Define purge_firewall
def purge_firewall():
    ## Body == None due to this being a REST DELETE command.
    body = None
    ## Drawing on httplib we open a HTTPS connection to the nsx_ip variable on the nsx_port variable
    conn = httplib.HTTPSConnection(nsx_ip, nsx_port)
    ## The actual secret sauce. Places the DELETE plus API call. httplib takes the path only; the host is already on the connection.
    ## Thanks to Andrew Babakian for noting my URI mixup.
    conn.request('DELETE', '/api/4.0/firewall/globalroot-0/config', body, headers)
    response = conn.getresponse()
    ## If response is not 204 then spit out bad response. Otherwise happy days.
    if response.status != 204:
        print "error status code", str(response.status) + " Firewall purge unsuccessful"
    else:
        print "Status code", str(response.status) + " Firewall purge successful"
    conn.close()
## Main function that calls purge_firewall into action.
def main():
    purge_firewall()
    print "The deed has been."

if __name__ == '__main__':
    main()

In action

Here are some basic rulesets that I have created pre-purge.

[Screenshot: the distributed firewall rulesets before the purge]

Time to execute the script. Don’t look too closely at where I am running it from. I did create the script in vi (+1 internet points).

[Screenshot: running the purge script from the terminal]

Woo! It seems it is successful. Time to look at the GUI to find out.

[Screenshot: the distributed firewall in the GUI after the purge]

Python purge

So what does all this mean? I now have a Python script that purges or resets the distributed firewall of an environment. I am going to add an interactive prompt, or maybe a question generator, to ensure a level of safety. This is a dangerous command: it can wipe out your security policies very fast. Luckily NSX does store a saved copy on each commit.
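As an added example (not the script from the post), here is a Python 3 rewrite that builds in the safety gate the post says is still missing: it pulls a copy of the current configuration first, requires an exact keyword before sending the DELETE, takes the password interactively instead of from a hardcoded string, and verifies the NSX Manager certificate. The NSX_IP and NSX_USER environment variable names are assumed (the default host is a placeholder), and it assumes the same /api/4.0/firewall/globalroot-0/config URI answers a GET with the current DFW configuration.

```python
import base64
import http.client
import os
import ssl
import sys
from getpass import getpass

# Host and user come from the environment; the default host is a placeholder, not a real NSX Manager.
NSX_IP = os.environ.get("NSX_IP", "nsx-manager.example.invalid")
PURGE_PATH = "/api/4.0/firewall/globalroot-0/config"

def basic_auth_header(username, password):
    """HTTP Basic auth wants standard base64 of user:password, not the URL-safe alphabet."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Content-Type": "application/xml", "Authorization": "Basic " + token}

def confirmed(answer, keyword="PURGE"):
    """Safety gate: only the exact, case-sensitive keyword lets the DELETE go out."""
    return answer.strip() == keyword

def purge_outcome(status):
    """204 No Content is the only status that means the purge actually happened."""
    return status == 204

def backup_then_purge(host, headers, ask=input, backup_file="dfw-backup.xml"):
    ctx = ssl.create_default_context()  # verifies the NSX Manager certificate chain
    conn = http.client.HTTPSConnection(host, 443, context=ctx)
    # Assumption: the same URI answers GET with the current DFW configuration XML.
    conn.request("GET", PURGE_PATH, None, headers)
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        return False, "backup failed with HTTP %d, nothing deleted" % resp.status
    with open(backup_file, "wb") as fh:
        fh.write(body)
    if not confirmed(ask("Type PURGE to wipe every DFW rule on %s: " % host)):
        return False, "aborted at prompt; backup kept in " + backup_file
    conn.request("DELETE", PURGE_PATH, None, headers)
    resp = conn.getresponse()
    resp.read()
    return purge_outcome(resp.status), "HTTP %d" % resp.status

if __name__ == "__main__":
    user = os.environ.get("NSX_USER", "admin")
    hdrs = basic_auth_header(user, getpass("Password for %s@%s: " % (user, NSX_IP)))
    ok, msg = backup_then_purge(NSX_IP, hdrs)
    print(("Firewall purge successful: " if ok else "Firewall purge NOT done: ") + msg)
    sys.exit(0 if ok else 1)
```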

I would like to thank Andrew Babakian (NSBU SE in Sydney. Rockstar!) for helping me with some syntax and structure issues I had. I didn’t realise the URI was not being passed in the REST DELETE call. I also did not specify how the libraries I imported would be used. Lessons learned by this grasshopper.

SPARK: VIRL is launched!

Cisco VIRL

Cisco VIRL has been officially released. Cisco VIRL is Cisco’s network topology platform that allows the study, testing, simulation and validation of enterprise and service provider topologies in a lab environment. Built on KVM using OpenStack, this platform enables network administrators to build powerful topologies that allow test, validation and architecture exploration of new technologies. It also allows old dogs like me to study against it for my CCIE certification.

In the words of the VIRL site, virl-dev-innovate.cisco.com:

  • Build highly accurate models of existing or planned networks.
  • Design, configure, and operate networks using authentic versions of Cisco’s network operating systems – IOSv, IOS-XRv, NX-OSv, and CSR1000v.
  • Integrate 3rd-party virtual machines, appliances, and servers.
  • Connect real and virtual networks into high-fidelity, high-scale development and test environments.
  • Design and test anywhere – VIRL is portable!

There are two ways to purchase VIRL. Both are annual subscriptions, which in my opinion are a fair and reasonable price. One is 199.99 USD per annum for non-commercial personal use. The other is academic pricing. Both have a gift-card format, which allows parents or educators to share the love! Quite a simple shopping cart feature for such a powerful reward. Regarding price, I have two mindsets about this.

Firstly, 200 dollars per annum is great when you’re in full study mode. I’ve spent more on rack rentals in a year. It is great to be able to pay for something and have it just work. I can think of countless hours wasted troubleshooting scenarios only to find out it was a hung process in dynamips, or GNS3 didn’t do something, or I had the wrong code revision for my physical device.

Secondly, I think the price has a sticker shock element to it. This might be down to an internal struggle between not shipping it for free and recouping costs, or to the fact that they wanted a litmus test. The fact that VIRL was touted as free has made this per annum model harder to swallow. I see it in alignment with all other training and service styled solutions: INE’s All Access Pass and the Cisco Learning Network subscription both have you pay a per annum fee and you get updates. I don’t see why you wouldn’t get updates with this.

NX-OS excites me as you can test and validate code. I’ve used VIRL in its many forms over the last few months and I’ve integrated it into my physical network, VMware’s corporate WAN and my Singapore cloud for additional testing capability. It’s a flexible platform and I think I’ve logged more CCIE hours against this than GNS3. I know there has been less time wasted troubleshooting the GNS3 platform than my environment with VIRL – I never knew if it was CPU exhaustion in GNS3 or PEBKAC when I built CCIE labs in GNS3. Having a newborn child, an hour of study is really 55 minutes of study that’s certification focused and not stuffing around setting up GNS3!

http://virl.cisco.com – the VIRL50 coupon will get you 50 dollars off the annual personal edition at checkout!

If you need documentation or support you can find it all here: http://virl-dev-innovate.cisco.com/documents.html

Disclaimer: I received a 100% discount coupon for my first year’s annual subscription to VIRL. This was through feedback from the BETA, in which I was a participant. My standard disclaimer applies to this post, like all others. I have also paid for an Academic copy too.