A customer wanted to validate the impact of a large number of firewall rules within NSX. The question was how much the host CPU cores and distributed firewall throughput would be affected when NSX had 100, 500, and 1000 rule sets loaded. One method would have taken me a very long time: clicking through the GUI rule by rule. We have an API, so why not use it. The script below generates XML in the format required for distributed firewall rule sets.

```python
## Define the section in which you want to test the rules.

## i is the substituted numeral.
for i in range(0,5):
    ## j is the substituted numeral: 10.1.(i)1.(j)1
    for j in range(1,100):
        ## XML required for NSX to parse. Rule actions, enablement and values.
        ## Only the start of this print statement is preserved on this page; the
        ## rule XML it printed did not survive extraction.
        print ""
```

The Python script prints XML. It creates a section called POC-test-rules, loops j from 1-100 and repeats this for i from 0 to 5. This will make over 600 rules for our test environment.

```
Overwatch:Desktop aburke$ python loopapi.py
allow10.1.0.1Ipv4Addresstrue allow10.1.0.2Ipv4Addresstrue
```


So there is some XML that can be uploaded into the firewall section by a REST POST. But before we do that, let's have some more authentic rules. Here is an adjusted script that adds dynamic ports.

```python
## Only the element text survived when this page was extracted; the XML tags
## themselves are gone, which is why the strings below are empty or bare values.
print ""   # opening section element
for i in range(0,2):
    for j in range(50,100):
        for k in range(200,205):
            print ""\
            "Test_Rule."+str(i)+"."+str(j)+""\
            "allow"\
            ""\
            ""\
            "DISTRIBUTED_FIREWALL"\
            "DISTRIBUTED_FIREWALL"\
            "DISTRIBUTED_FIREWALL"\
            "true"\
            ""\
            ""\
            ""\
            ""\
            "10.10."+str(i)+"."+str(j)+""\
            "Ipv4Address"\
            "true"\
            ""\
            ""\
            ""\
            ""\
            "true"\
            ""+str(k)+""\
            "6"\
            "TCP"\
            ""\
            ""\
            "inout"\
            "any"\
            ""
print ""   # closing section element
```

The output should look a bit more real world!

```
Overwatch:Desktop aburke$ python loopapi-ports.py
```


There is a nicer output with IPs and ports.
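As an added example, not the author's script, here is how I would generate the same section in Python 3 with xml.etree.ElementTree instead of splicing strings, so the output is always well-formed and values such as `&` or quotes in a section name are escaped for you. The element and attribute names (section, rule, appliedToList, sources, services, direction, packetType and their children) are my assumption of the NSX-v 6.x distributed firewall section schema and should be checked against the API guide; the text values are the ones the script above prints. The loop ranges default to the second script's (2 x 50 x 5 rules), and count_rules parses the document back as a self-check before anything is uploaded.

```python
import xml.etree.ElementTree as ET

# Element names follow the NSX-v (6.x) DFW section schema as I know it (an assumption,
# confirm against your API guide). The text values (allow, DISTRIBUTED_FIREWALL,
# Ipv4Address, protocol 6/TCP, inout, any) are the ones the original script printed.

def add_text(parent, tag, text):
    """Append a child element carrying the given text and return it."""
    child = ET.SubElement(parent, tag)
    child.text = str(text)
    return child

def build_rule(section, name, src_ip, dst_port):
    """Append one allow rule: src_ip -> TCP/dst_port, applied to the whole distributed firewall."""
    rule = ET.SubElement(section, "rule", disabled="false", logged="false")
    add_text(rule, "name", name)
    add_text(rule, "action", "allow")
    applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    for tag in ("name", "value", "type"):
        add_text(applied, tag, "DISTRIBUTED_FIREWALL")
    add_text(applied, "isValid", "true")
    source = ET.SubElement(ET.SubElement(rule, "sources", excluded="false"), "source")
    add_text(source, "value", src_ip)
    add_text(source, "type", "Ipv4Address")
    add_text(source, "isValid", "true")
    service = ET.SubElement(ET.SubElement(rule, "services"), "service")
    add_text(service, "isValid", "true")
    add_text(service, "destinationPort", dst_port)
    add_text(service, "protocol", 6)          # IP protocol number for TCP
    add_text(service, "protocolName", "TCP")
    add_text(rule, "direction", "inout")
    add_text(rule, "packetType", "any")
    return rule

def build_section(section_name="POC-test-rules", i_range=range(0, 2),
                  j_range=range(50, 100), k_range=range(200, 205)):
    """Return the section as an XML string. Default ranges mirror the second script's loops."""
    section = ET.Element("section", name=section_name)
    for i in i_range:
        for j in j_range:
            for k in k_range:
                build_rule(section, "Test_Rule.%d.%d" % (i, j), "10.10.%d.%d" % (i, j), k)
    return ET.tostring(section, encoding="unicode")

def count_rules(xml_text):
    """Parse the document back and count rules; ET.ParseError means it is not well-formed."""
    return len(ET.fromstring(xml_text).findall("rule"))

def rule_tuples(xml_text):
    """(name, source IP, destination port) for each rule, for spot-checking the output."""
    return [(r.findtext("name"),
             r.findtext("sources/source/value"),
             r.findtext("services/service/destinationPort"))
            for r in ET.fromstring(xml_text).findall("rule")]

if __name__ == "__main__":
    doc = build_section()
    print(doc)                       # redirect to fw.txt for the upload step
    print("rules:", count_rules(doc))
```

Redirecting the script's output to fw.txt gives the file the upload step below expects; if count_rules raises, the file would have been rejected by NSX anyway.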

I have demonstrated a REST API POST via a browser here. Alternatively, a follow-up script can push this information.

```python
import httplib
# Placeholder host and API path: the original values are not preserved on this page.
conn = httplib.HTTPSConnection("NSX_MANAGER_PLACEHOLDER")
# body is the XML produced by the generator script, saved as fw.txt
body = open("/Users/aburke/Desktop/fw.txt").read()
#headerx={"Authorization":"Basic YWRtaW46bmljaXJhMTIz"}
header2={"Authorization":"Basic YWRtaW46bmljaXJhMTIz","content-type":"application/xml"}
conn.request("POST", "/L3_SECTIONS_API_PATH_PLACEHOLDER", body, header2)
response = conn.getresponse()
head = response.getheaders()   # assumed: the response headers
status = response.status       # the HTTP response code
print head
print status
```

Here I am pushing a file called fw.txt. This is the output from the previous script saved into a text document. (I have not got a file to save correctly yet from the first script.) A breakdown of this script is as follows. conn.request POSTs over the connection defined by conn to the NSX Manager URL, sending the contents of the file to the L3 dFW section. The body is defined by opening fw.txt, which is found in the directory /Users/aburke/Desktop. header2 carries the authorisation and the content type, telling NSX to parse the body as XML. The two print commands print the result of the action: HTTP response codes such as 400, 404 or 500, which you can read more on here.
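As an added example, not the post's own script, this is a Python 3 version of the upload step using http.client. It assumes the same POST of an XML section body with Basic authentication; the host is a placeholder, the API path defaults to the NSX-v 6.x layer3sections endpoint as I recall it (an assumption to confirm against the API guide), the sample XML is constructed, and the connection class is injectable so the request can be exercised without an NSX Manager. Two things worth seeing: the Authorization header is just base64 of user:password, so a header hard-coded into a script is the password in plain sight and should be built from environment variables instead, and the XML is parsed before it is sent, so a malformed fw.txt fails locally rather than as a 400 from NSX.

```python
import base64
import http.client
import os
import xml.etree.ElementTree as ET

# NSX-v 6.x endpoint for creating an L3 DFW section, as I recall it (assumption: check the API guide).
DEFAULT_PATH = "/api/4.0/firewall/globalroot-0/config/layer3sections"

# Constructed stand-in for fw.txt: a two-rule section in the shape the generator emits.
SAMPLE_FW_XML = """<section name="POC-test-rules">
<rule disabled="false" logged="false"><name>Test_Rule.0.50</name><action>allow</action>
<direction>inout</direction><packetType>any</packetType></rule>
<rule disabled="false" logged="false"><name>Test_Rule.0.51</name><action>allow</action>
<direction>inout</direction><packetType>any</packetType></rule>
</section>"""

def basic_auth_header(user, password):
    """HTTP Basic is base64(user:password): reversible encoding, not encryption, so anyone
    who can read a script with this header hard-coded has the password."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token

def load_section(xml_text):
    """Reject a malformed or wrong-root document before anything is sent; returns the rule count."""
    root = ET.fromstring(xml_text)              # raises ET.ParseError on bad XML
    if root.tag != "section":
        raise ValueError("expected <section> root, got <%s>" % root.tag)
    return len(root.findall("rule"))

def build_request(path, xml_text, user, password):
    """Return (method, path, body, headers) for the POST, kept separate so it can be checked offline."""
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Content-Type": "application/xml",
        "Accept": "application/xml",
    }
    return ("POST", path, xml_text.encode("utf-8"), headers)

def describe_status(status):
    """Translate the response code into what the operator should look at next."""
    if 200 <= status < 300:
        return "created: section accepted"
    if status in (401, 403):
        return "auth failure: check credentials and role"
    if status == 400:
        return "bad request: NSX rejected the XML, check element names and values"
    if status == 404:
        return "not found: wrong API path"
    if status >= 500:
        return "server error: check NSX Manager logs"
    return "unexpected status %d" % status

def push_section(host, path, xml_text, user, password,
                 conn_factory=http.client.HTTPSConnection):
    """Validate locally, then POST the section. conn_factory is injectable for offline testing."""
    rules = load_section(xml_text)
    method, path, body, headers = build_request(path, xml_text, user, password)
    conn = conn_factory(host)
    conn.request(method, path, body, headers)
    resp = conn.getresponse()
    resp.read()                                 # drain the body so the connection can be reused
    return rules, resp.status, describe_status(resp.status)

if __name__ == "__main__":
    # Credentials come from the environment, never from the script body.
    user = os.environ["NSX_USER"]
    password = os.environ["NSX_PASSWORD"]
    with open(os.path.expanduser("~/Desktop/fw.txt")) as fh:
        print(push_section("NSX_MANAGER_PLACEHOLDER", DEFAULT_PATH, fh.read(), user, password))
```

Running it with `NSX_USER` and `NSX_PASSWORD` set prints the rule count, the status code and a one-line interpretation; a ParseError before any network traffic means fw.txt needs fixing, not the API call.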

So here is a practical use of Python and the NSX API. What have you been doing to be more efficient lately?

5 thoughts on “Bulk creation of NSX rules with Python”

  1. We’re working on version-controlling rules, so that they can be applied per-environment but still maintain before and after state so that 5 duplicate environments will typically use one ruleset, but we can test a policy against one before rolling it onto the rest.

    1. Ah nice. That is cool.

      There is a revision history that you can see (up to 100) of the last firewall changes. That might be able to help you with this?

      Search revision history for diff on a Section?

  2. I’m not understanding the format of your firewall rules there. Per the NSX API guide, rules are supposed to be in XML (pg. 271).

    However, if a spliced together string will work, I’m all about it!

    1. The point of this script was to generate bulk dummy rules into an output that is XML. The XML file is then uploaded / injected via the API. Crass, crude and probably a bad way to do it. 🙂
