Release and Configuration Notes
First Published: 09/13/2019
This document contains system requirements, supported features and bugs for ReSTNSX v3.1
The ReSTNSX appliance no longer ships with a 45 day Evaluation License. Users must email email@example.com to receive a limited, temporary license. In evaluations mode, the following limitations are enforced:
- A limit of two data sources (NSX Managers) can be configured
- Tenants count limited to 2
- No additional users or external auth may be provisioned
- vRNI flows are limited to 15
- ASA import to dFW publish is disabled
- Maximum of 10 workflow items can be published to NSX Manager
- For Operations -> dFW, a limit of 20 rule changes / 4 section changes total is enforced when importing NSX rules from CSV or published to NSX Manager. dFW Mover is limited to 1 Section / 15 rules per instantiation.
- For Operations -> N&S, Mover is limited to 15 objects per instantiation.
In evaluation mode, the default login information is as follows:
Support matrix and system requirements for ReSTNSX.
|ReSTNSX||2.8, 3.x||8 vCPU||16GB||50GB|
|NSX Manager (-v)||6.3, 6.4||-||-||-|
|NSX Manager (-T)||2.3, 2.4|
For REST API access, HTTPS (TCP Port 443) must be allowed through any transient firewalls for the ReSTNSX Appliance to access vCenter and NSX Manager
- Chrome 66+ for the best user experience
- Firefox 52+ (Limited Interop Testing)
- Added support for automatically synchronizing IP Sets between multiple NSX Managers (NSX-v)
- JSON formatting for API results that includes syntax and section highlighting and the ability to expand/collapse sections
- CSV imports
- Updated loading indicator for showing status of transfer of data from the back-end database to user interface has been implemented. This was implemented to provide a user insight into the processing status of large scale data sets
- Basic CSV error handling that will notify the user of unexpected characters or improperly formatted CSV files\
- NSX-T workflows now support verbose logging of API actions being performed. This is per API and shows the user the action being taken along with the resultant object ID being created or updated.
- Conversion of vCenter tags to NSX-T tags is now supported. Similar to NSX-v, the vCenter inventory will be scanned for VMs with tags assigned and provide the user the option to migrate the tag to NSX-T Virtual Machine tag and scope attribute. This feature is located under Operations -> Networking and Security -> Tags -> Global Drop-down -> Import VM Tags
- Security Groups: Users can now preview what the effective members of a security group would be before committing the change to NSX. This capability exists for new or existing security groups.
- Integrated Troubleshooting
- View Logical Switch and DLR statistics without having to SSH/CLI or navigate to other parts of the application. Real-time stats are collected and presented on the same configuration screen for the given Logical Switch or DLR.
- Unified Rule Editor
- dFW and ESG FW now support adding and editing rules via a single modal pop-up. This approach reduces the clicks by enabling the editing of rule source, destination and services on one screen from three.
- Global Reports Dashboard showing an overview of the entire NSX environment (every active data source). From this dashboard, users can drill further down into specific NSX Manager data sources to view corresponding reports.
- System Reports now include the capability to compare NSX Managers to other NSX Managers for any given time period. Prior to release 3.1, difference reports could only be generated for the same NSX Manager - meaning comparing itself to a previous collected configuration
- Email settings (destinations) are now configurable at the data source level. Prior to release 3.1, the email destinations were global where every data source report was sent to the same destination
- Each data source report now supports the option to immediately email the report vs waiting for the next pre-configured scheduled time
- Granular RBAC. This feature was available in 3.0 as a tech preview and is now formally released as part of 3.1. Within ReSTNX, we provide a setup of pre-defined groups for restricting access down to the object level. For example, administrators are able to configure a local (or AD group) with permissions that would enable a user the ability to view and edit IP Sets but not delete or copy them to another NSX Manager. The base groups have pre-defined authorizations for each object type based upon typical roles within an organization. These are static groups where the permissions cannot be edits.
In addition to the base groups, Administrators can define custom groups with custom permissions. This capability is native to ReSTNSX and does not require any 3rd party integrations.
- Enhancements to user auditing have also been introduced with per user and per group auditing. This data is available on-screen or via CSV export for compliance checks. The below screen shot represents the current effective memberships for all users
The NSX-T Multi-Tenant user experience continues to be updated to match the style and ease-of-use of the rest of the application. Just like NSX-v multi-tenant, users in this space can only view, edit or delete their objects. For NSX-T, a tenant object permission is defined by their tag and scope.
Administrators can view and manage all tenants from a single, -v and T converged dashboard
Enterprise license support. Beginning with ReSTNSX 2.2, customers will have the option of a Standard or Enterprise license. Standard licenses enable all the core features of the platform whereas Enterprise provides advanced functionality such as NSX Mover and Multi-Tenant Administration without requiring separate feature licenses for each capability. To learn more about the different ReSTNSX licensing options, please visit the licensing page.
Note: NSX Mover is available in the current release as a tech preview for non-Enterprise licensed customers. Future releases will require Enterprise licensing to enable this feature
ReSTNSX provides an easy way to query both NSX and vCenter objects quickly and easily. On every page within the application, users can slide out the Query tab to perform inventory searches. Within that same window, users are able to export the data to CSV, Excel, PDF and the system clipboard for use in ReSTNSX workflows.
- VM queries against NSX 6.4 Managers will show the corresponding IP address(es) for any given VM
- With a single click, all searches in query will run and the resulting CSV data will be zipped and downloaded to the user's desktop
- All CSV exports are now ReSTNSX workflow compatible. Users can export data from Query and use them in workflows with little editing of the data
Query Support for NSX-T Objects
- IP Pools
- IP Sets
- Layer 3 Sections
- Logical Switches
- Service Groups
- Tier 0 Routers
- Tier 1 Routers
Query Support for NSX-v Objects
- IP Pools
- IP Sets
- Layer 3 Sections
- Load Balancers
- Logical Switches
- Logical Routers
- Security Groups
- Security Tags
- Service Groups
- Transport Zones
Query Support for vCenter Objects
- Virtual Machines. Note: VM list is the inventory as reported by NSX Manager
Central CLI (NSX-v)
ReSTNSX's Central CLI provides web-based (HTTPS) API-driven access to the NSX Manager CLI without the need for SSH or leaving the web UI for troubleshooting NSX.
- Easy buttons allowing users to click an icon to run pre-defined CLI commands such as "show logical-switch list all" without typing one character.
- Enhanced command output with Intelligent Hyperlinks that allows easy buttons to run additional nested commands that are context aware.
- For any CLI command, users can save the commands for future use with a single click.
- Color picker for saving text, hyperlink and background color. These settings are saved per user.
API Scout (NSX-v, NSX-T)
API Scout provides in-application access to the NSX Manager and vCenter APIs without having to use an external client. Based upon the active data source, users can perform GET, PUT, POST functions without the complexity of auth/session cookies or having to leave the UI for API access. Additionally, common API calls for each data source type are provided for easy access.
Personal favorites can also be stored. The URI is stored in the user profile along with personalized, searchable URI history
Security Planner (NSX-v, NSX-T)
ReSTNSX's Security Planner integrates into VMware's vRealize Network Insight (vRNI) platform for easy firewall rule creation in NSX Manager. With this integration, Security Planner will connect to vRNI via API methods to collect IP flow information based upon vCenter cluster and time range (up to 30 days prior to the current date). Upon collecting the data, flows are automatically de-duplicated with additional options for the user to optimize the flows. In the initial release of Security Planner, flows with like IP destinations are automatically combined.
Users can publish the same analyzed flows against NSX-v and NSX-T. Additionally, users are able to apply flow filters to exclude specific IP sources, destinations or TCP/UDP ports to narrow the flow collection.
Once the flows are collected, the processed flows are displayed for further editing:
- Drag/drop rules to combine together
- Multi-select of rules to combine together
- Single or multi-select of rules to transform IP Source and/or destination to IPSets
- When connected to NSX Managers of version 6.4 or greater, users may choose to resolve the raw IPs to VM-IDs to be used in the rule set
These rules are now ready to publish to NSX Manager. Select individual or all rules to be published. Upon doing so, a new Section in dFW will be created at the top of the rule set. In this section, all vRNI flows that were selected are present.
Note: Upon publish, all rules in this new section are disabled by default. To enable the rules, click the global select box and "Enable Selected" from the global drop-down menu.
ReSTNSX Operations provides real-time, instant creation, modification and deletion of NSX objects. In comparison to work-flows with bulk object creation and roll-back, Operations is designed for performing the typical Day 2 tasks and common management functions. Operations is divided up into NSX System for managing the NSX Manager settings and Networking/Security Objects; Networking for logical switching, DLR and ESG management; Security for dFW and eFW; and Load Balancing.
Real-time operations for NSX Manager settings
- Network settings, including IP, DNS, NTP and Syslog
- Security modes (FIPS) and Cipher selection
- Service status and status toggle for vPostgres, RabbitMQ, Universal Synch, Management, SSH and Lookup URL
- Backup settings, including FTP server, scheduling and items to be excluded
Real-time operations for dFW
Create, Edit, Delete, Import and Export (via CSV and point-click) dFW rules.
Support for firewall generation and object generation numbers to see if the firewall rule has been successfully published to the hosts and clusters. If they are out of synch, the host or cluster will be marked orange with the user's ability to force a re-synch of the rules and objects.
Support for dFW mover to copy sections, rules and dependent objects between NSX Managers.
dFW Mover copies L3 Rules and Sections from a source NSX manager to one or more NSX Managers. Below are application notes related to behavior between the source and destination sections
Sections and Rules: Matched by Name
If matched, the section on the target manager will be replaced with the same rule names
Else, the new section will be created to the top of the dFW section list
Objects referenced in the rule: Matched by Name
If the source object matches the destination object name, Mover will use the existing destination object.
Supported objects include:
Edge Service Gateways
Else, the user has the option to create the dependant object on the target.
Supported objects include:
Import and Export (via CSV) is another option for copying rules between NSX managers. When exporting rule sets from dFW Operations into a ReSTNSX compatible template, you can use the file for importing into other NSX Managers via two methods
- dFW Operations. Once a user exports the current rule set from the main menu (Global Actions -> Export Rules (CSV)), the file can be stored for use against other NSX Managers by selecting a new data source and importing by clicking Global Actions -> Import Rules (CSV). The user is then presented an option to Merge or Replace the rules on import.
- dFW Workflow. Using the same export for Global Actions -> Export Rules (CSV), users can navigate to Predefined Calls -> Security -> dFW and import the ruleset into a workflow for publishing against NSX.
Note: For CSV export, rule names with commas is not supported as it will create conflicts in the comma-based CSV import/export.
dFW Exclusion Management
VM exclusion lists just got easier with a table-based view to easily add / remove VMs from the dFW exclusion list. With this new feature, users can easily filter based upon VM name and select / multi-select adding or removing from the exclusion list.
VM Troubleshooter / Analyzer
Real-time visibility into VM Security Status
Within dFW, users can now select an individual VM to analyze its security posture - including which Security Groups and dFW Sections / Rules it belongs to; the current status of dFW rules and objects on the host where it resides and the ability to download a copy of the installed dvFilter information. Additionally, a visualization of the same security posture data in a relationship diagram is provided.
Networking and Security Objects - N&S - (NSX-v, NSX-T)
Real-time operations for N&S objects
Create, Edit and Delete N&S objects instantly through ReSTNSX. The following objects are supported in this release:
- IP Pools
- IP Sets
- Security Groups
- Security Tags
- Security Tag associations
- Service Groups
- Create, Edit, Delete - Logical Switches
- Attach / Detach virtual machines
- Create, Edit, Delete - Transport Zones
- Edit Segment IDs
- Create, Edit, Delete - DLRs
- Create, Edit, Delete - ESG Templates
- Edit Logical Switch associations
Real-time operations for NSX Load Balancers
Within ReSTNSX, users can now create, edit and operate their NSX load balancers easier than ever before. In a single dashboard, users can monitor critical alerts and manage all edge load balancers of a given NSX domain.
For creating new load balancers, ReSTNSX provides a 5 step create wizard that will build and deploy load balancers quickly and easily. Every step required for a valid configuration is provided.
ReSTNSX also provides full life-cycle management of NSX load balancers. Within the dashboard, users can: Create, Edit and Delete:
- Virtual Servers
- Application Profiles
- Server Pools
- Application Rules
- Service Monitors
Diagnostics and Troubleshooting
In addition to the dashboard metrics, ReSTNSX provides a load balancer troubleshooting tool that will run a series of diagnostic commands to help isolate problems. The tool performs a series of CLI-based troubleshooting commands and presents the output while highlighting potential configuration issues. The tool can be run on a virtual server by virtual server basis and provide insight into problem areas within seconds.
- Note: In v2.6, Pool side certificates are not supported for Pool-side SSL
Real-time replication of Networking and Security N&S Objects
With NSX Mover, Administrators can easily copy N&S objects and dFW rules between NSX Managers of the same or different type instantly. Objects are copied in real-time to the destination NSX-v or NSX-T Manager without having to login to the remote system. Copying can be done from source to one or many remote NSX Manager(s). If the data sources (NSX Managers) are configured into Groups, users are able to select the Group and ReSTNSX will copy the objects and/or firewall rules to multiple destinations at once.
Migrate vCenter VM Tags to NSX Security tags. Any VM Tag that exists in vCenter can be migrated to NSX Security Tags and applied to a VM in one easy step. Navigate to Operations -> N&S Objects -> Tags and select "Import VM Tag" from the main menu to select a VM Tag. Note: only VM Tags currently applied to VMs will be imported. Upon importing and conversion of the tag to a security tag, it will automatically be applied to the same VM the vCenter tag was applied to.
Users can select a single or multiple dFW rules and/or sections to copy across Managers.
To access the Mover tool, navigate to the N&S object types of interest in your origin datasource, select a single or multiple object, and navigate to the drop-down menu and select "Copy Selected To..."
Supported objects types are listed below. To learn more about NSX Mover, please see the ReSTNSX Overview page.
|Object||NSX -v 6.3||NSX -v 6.4||NSX -T 2.2+|
|Service Groups *||Y||Y||Y|
|Security Groups* , **||Y||Y||N|
* NSX Mover's analytics engine determines if dependent objects exist and will prompt the user if they wish to create the dependent objects on the destination system. Examples of objects that could have dependencies include Service Groups and Security Groups where they may be referencing other objects that do not yet exist.
** NSX Mover supports Security Groups for migrating dependent objects such as IPSets and Security Tags. Logical Switches and Virtual Machines will be supported in future release.
Administrators, Auditors and IT Managers now have access to a unified reporting fabric to gain visibility into all of the ReSTNSX managed domains - regardless of NSX version or location. ReSTNSX now provides three report types:
System Reports - Environment summary, service status and configuration details of each NSX Manager under ReSTNSX management are provided by a daily report or on-demand. Difference reports that will highlight the NSX configuration differences between the latest collected inventory and service status with the previous collections. Users may also select custom retention intervals. The default storage policy is to retain the previous 14 days of configurations for comparison. The maximum allowed setting is 180 days.
Activity Reports - Filtered real-time, system log events that can be sorted by username for insight into a user’s action over time.
Tenant Reports - A combination of the System and Activity reports. Data is filtered to provide insight into any given ReSTNSX configured tenant. Similar to the System reports, the Tenant report provides Administrators and Auditors a configuration summary on a tenant-by-tenant basis. Tenant reports reflect real-time information for configuration and user activity.
ReSTNSX now provides a central repository for CSV Configuration Files. In addition to uploading the CSVs directly into a given workflow, users can now also reference the files stored on the ReSTNSX appliance. Users are also able to upload multiple types and versions of files that can be re-used in workflows by multiple users.
Upgrades to ReST NSX leverage configuration export for easy migrations. When exported, the following information is retained:
- Local Users
- Saved Workflows
- Custom Wizards
- Tenant Information
- Data Sources
- System Settings
- CSV Workflow Files
- Central CLI Favorites
By exporting this information, upgrades are performed in parallel to the production platform. Once the new version of ReSTNSX is online, simply import the previously exported configuration file and the system is online. Administrators can manage the same NSX environment(s) with both ReSTNSX versions at the same time and
Note: When both systems are online, configuration settings are not synchronized between the different versions and must be maintained separately until the old version is decommissioned.
For a step-by-step upgrade, please refer to the ReSTNSX Upgrade Guide