Release and Configuration Notes
First Published: 4/15/2020
This document contains system requirements, supported features and known bugs for ReSTNSX v3.4.
The ReSTNSX appliance no longer ships with a 45-day Evaluation License. Users must email firstname.lastname@example.org to receive a limited, temporary license. In evaluation mode, the following limitations are enforced:
- A limit of two data sources (NSX Managers) can be configured
- Tenants count limited to 2
- No additional users or external auth may be provisioned
- vRNI flows are limited to 15
- ASA import to dFW publish is disabled
- Maximum of 10 workflow items can be published to NSX Manager
- For Operations -> dFW, a limit of 20 rule changes / 4 section changes in total is enforced when importing NSX rules from CSV or publishing to NSX Manager. dFW Mover is limited to 1 Section / 15 rules per instantiation.
- For Operations -> N&S, Mover is limited to 15 objects per instantiation.
In evaluation mode, the default login information is as follows:
Support matrix and system requirements for ReSTNSX:

| Component | Version(s) | vCPU | Memory | Disk |
| --- | --- | --- | --- | --- |
| ReSTNSX | 2.8, 3.x | 8 vCPU | 16GB | 50GB |
| NSX Manager (-v) | 6.3, 6.4 | - | - | - |
| NSX Manager (-T) | 2.3, 2.4, 2.5 | - | - | - |
- Chrome 66+ for the best user experience
- Firefox 52+ (Limited Interop Testing)
For REST API access, HTTPS (TCP Port 443) must be allowed through any transient firewalls for the ReSTNSX Appliance to access vCenter and NSX Manager. For NSX-T Central CLI access, ReSTNSX requires SSH connectivity to the primary NSX Manager.
- Added support for NSX-T Micro-Seg Policy objects.
- Common Policy API favorites added to the system defined favorites menu
- NSX-T Manager CLI via ReSTNSX is now integrated. Tab completion, question mark help and intelligent hyperlinks are supported, similar to NSX-v. Note: NSX-T does not expose its CLI commands through the API. As a result, ReSTNSX initiates an outbound SSH connection to NSX-T using the data source credentials. If the CLI credentials differ from the API account, the user is prompted to enter the correct credentials.
- Support for NSX-T Policy counters.
- Palo Alto Panorama can now be added as a data source for synchronizing Panorama Address Groups to NSX IP Sets. The Address Groups may be selected individually by name or by PAN tag. Selecting a PAN tag enables the selection of multiple Address Groups to be synchronized with NSX IP Sets. This feature is a one-way pull from Panorama to one or more NSX-v or NSX-T IP Sets.
vRNI Flow Analyzer
- Additional NSX-v features, such as the ability to add Security Tags and IP Sets to Security Groups. Previously, dFW rule publishing was limited to raw IPs and IP Sets in a dFW rule.
- NSX-T Policy support for adding NS Groups with raw IP or IP Sets to the dFW source / destination criteria.
- In addition to the pre-defined API calls in the pull-out Search tab, users can now define their own personal favorites by clicking the cog at the bottom of the Query list. Upon clicking this link, the user will be taken to the custom favorites management screen to add or remove items. Below is an example of an API call that the user wishes to be available for quick access.
Enter any NSX (NSX-v or NSX-T Policy) API call that supports a GET function. ReSTNSX issues the GET request and displays all the returned fields with sample data. The user selects which fields to display and assigns a name, after which the favorite is available. A favorite may be bound to a specific data source or to a wildcard such as "Any NSX-v" or "Any NSX-T".
Define the API and select the desired attributes to be displayed
Favorite has been added to the user's Query searches and can be run anytime.
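The field-discovery step described above, as an added example (not ReSTNSX code): a GET response is flattened into dotted field paths with sample values so the user can choose which to keep, and a saved favorite then renders later responses as rows of only those fields. The JSON is constructed to resemble an NSX-T Policy list response, and the URI and data-source names in the favorite are placeholders.

```python
"""Field discovery and rendering for a saved GET favorite (added example)."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample in the shape of an NSX-T Policy "results" list response (assumed, not captured).
SAMPLE_RESPONSE = json.loads("""
{"results": [
  {"id": "web-servers", "display_name": "Web Servers", "resource_type": "Group",
   "tags": [{"scope": "owner", "tag": "Customer1"}], "_create_time": 1586908800000},
  {"id": "db-servers", "display_name": "DB Servers", "resource_type": "Group",
   "tags": [], "_create_time": 1586995200000}
], "result_count": 2}
""")


def discover_fields(response: dict, list_key: str = "results") -> dict[str, Any]:
    """Return {dotted_path: sample_value} taken from the first record in the list.

    Lists of dicts are descended through index 0 so nested fields such as
    tags[0].scope become selectable; lists of scalars are kept whole.
    """
    records = response.get(list_key) or [response]
    fields: dict[str, Any] = {}

    def walk(node: Any, prefix: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}.{key}" if prefix else key)
        elif isinstance(node, list) and node and isinstance(node[0], dict):
            walk(node[0], f"{prefix}[0]")
        else:
            fields[prefix] = node

    walk(records[0], "")
    return fields


def lookup(record: dict, path: str) -> Any:
    """Resolve a dotted path produced by discover_fields against one record (None if absent)."""
    current: Any = record
    for part in path.split("."):
        name, _, index = part.partition("[")
        current = current.get(name) if isinstance(current, dict) else None
        if index and isinstance(current, list):
            i = int(index.rstrip("]"))
            current = current[i] if i < len(current) else None
        if current is None:
            break
    return current


def render_favorite(favorite: dict, response: dict) -> list[dict]:
    """Apply a saved favorite (name, uri, data_source, fields) to a response."""
    records = response.get("results") or [response]
    return [{f: lookup(r, f) for f in favorite["fields"]} for r in records]


if __name__ == "__main__":
    for path, sample in discover_fields(SAMPLE_RESPONSE).items():
        print(f"{path:24} sample={sample!r}")
    # Placeholder favorite: the URI and data source are illustrative, not a ReSTNSX record.
    favorite = {"name": "Groups by owner", "uri": "/example/api/groups",
                "data_source": "Any NSX-T", "fields": ["display_name", "tags[0].tag"]}
    print(render_favorite(favorite, SAMPLE_RESPONSE))
```

Because `lookup` returns `None` for a path that does not exist in a later record (the second group has no tags), a favorite keeps working when the data source returns objects that lack some optional field.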
- Support for RBAC on custom and per-workflow types has been added for NSX-v and NSX-T Policy. Administrators can restrict access (view, create, edit, delete and launch) per workflow type. Additionally, actions against any custom workflows the user creates can be enforced in the same manner.
- NSX-T Micro-Seg bulk operations for IP Sets, NS Groups, Security Tags, Services and Context Profiles. Both manual and CSV-based imports are supported.
- NSX-T Policy dFW screen has been updated to show all categories on a single page. All policies are displayed in order of processing (top down).
- Section and Rule Cloning is now possible between dFW categories.
- NSX-T Policy Exclusion support for bulk select and effective member preview. On the Exclusions page, users are able to see NS Group effective members, including a separate table showing all the effective VMs for every NS Group.
- Bulk create / edit of rule tag / labels that are sent in the syslog messages when a given rule is hit within NSX. This feature allows dFW users to apply rule logging tags and labels to more than one rule at a time.
Tier 0 / 1 Firewall Management
- Firewall policy management under Operations now supports Tier 0 and 1 Firewall instances. Users are able to select a single Tier 0 / 1 to view at a time or all Tier 1s or Tier 0s at the same time.
- In addition to the system reports for collecting inventory, runbooks have been introduced to provide a system snapshot for NSX-v and NSX-T Policy environments. A runbook provides a quick and easy method for providing documentation regarding the current NSX build. Objects include micro-seg, network virtualization and associated vCenter objects. Runbooks are initiated by the user and store only the latest revision of the NSX configurations. The data can be viewed onscreen and exported in Microsoft Word and Excel formats.
- Provided as a tech preview feature in this release, the Object Analyzer function is invoked to determine which objects are stale (not in use). This information is displayed on screen or provided in custom exports.
- NSX-T Policy objects support
- ReSTNSX license monitoring is now enabled within the application with warning thresholds upon Administrator role login. ReSTNSX is licensed per CPU and compliance is calculated using the hosts prepared for NSX. For each host, the physical CPU count is calculated and compared against the ReSTNSX license quantities. In this release, exceeded license quantities do not limit the application functionality. This feature is supported for NSX-v and NSX-T.
- With granular RBAC, ReSTNSX allows administrators to lock permissions down to the specific object IDs or objects by name. Support for NSX-T Tags has been added in this release to limit edit / delete functionality to objects that contain a specific tag and scope. With this addition, Administrators can define object policies, such as:
- Edit rights to any IP Set that begins with the characters "Customer1" on any NSX Manager
- Edit rights to a specific IP Set with a specific name (object ID) of "1111" on NSX Manager 172.16.100.232
- Edit rights to IP Sets that contain a tag of "Customer1" and scope "North America." This is a NSX-T only feature.
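An added example (not ReSTNSX code) of evaluating the three object-policy shapes listed above, deny-by-default: a name prefix valid on any NSX Manager, an exact object ID on one specific manager, and a tag/scope pair that can only match on NSX-T. The action names, the policy record layout and the sample objects are assumptions constructed for the example.

```python
"""Object-scoped RBAC evaluation for the three policy shapes above (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ACTIONS = {"view", "create", "edit", "delete", "launch"}


@dataclass(frozen=True)
class NsxObject:
    object_type: str          # e.g. "IPSet"
    object_id: str
    name: str
    manager: str              # data-source address
    manager_type: str         # "NSX-v" or "NSX-T"
    tags: frozenset = frozenset()   # {(scope, tag), ...}; NSX-T only


@dataclass(frozen=True)
class ObjectPolicy:
    object_type: str
    actions: frozenset
    manager: Optional[str] = None            # None = any NSX Manager
    name_prefix: Optional[str] = None
    object_id: Optional[str] = None
    tag: Optional[Tuple[str, str]] = None    # (scope, tag); NSX-T only

    def matches(self, obj: NsxObject) -> bool:
        """Every constraint set on the policy must hold for the object."""
        if obj.object_type != self.object_type:
            return False
        if self.manager is not None and obj.manager != self.manager:
            return False
        if self.name_prefix is not None and not obj.name.startswith(self.name_prefix):
            return False
        if self.object_id is not None and obj.object_id != self.object_id:
            return False
        if self.tag is not None:
            # Tag scoping only exists on NSX-T; a tag constraint can never match on NSX-v.
            if obj.manager_type != "NSX-T" or self.tag not in obj.tags:
                return False
        return True


def is_allowed(policies: Iterable[ObjectPolicy], obj: NsxObject, action: str) -> bool:
    """Deny by default: allow only if some policy matches the object and grants the action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return any(action in p.actions and p.matches(obj) for p in policies)


# The three policies from the release notes, expressed as records (view added alongside edit).
POLICIES = [
    ObjectPolicy("IPSet", frozenset({"view", "edit"}), name_prefix="Customer1"),
    ObjectPolicy("IPSet", frozenset({"view", "edit"}), manager="172.16.100.232", object_id="1111"),
    ObjectPolicy("IPSet", frozenset({"view", "edit"}), tag=("North America", "Customer1")),
]

# Constructed objects to evaluate against the policies.
CUST1_V = NsxObject("IPSet", "ipset-7", "Customer1-web", "172.16.100.10", "NSX-v")
ID_1111 = NsxObject("IPSet", "1111", "shared-dns", "172.16.100.232", "NSX-v")
ID_1111_OTHER = NsxObject("IPSet", "1111", "shared-dns", "172.16.100.233", "NSX-v")
TAGGED_T = NsxObject("IPSet", "ipset-example", "x", "nsxt-example", "NSX-T",
                     frozenset({("North America", "Customer1")}))
TAGGED_V = NsxObject("IPSet", "ipset-9", "x", "172.16.100.10", "NSX-v",
                     frozenset({("North America", "Customer1")}))

if __name__ == "__main__":
    for label, obj in [("prefix", CUST1_V), ("id on .232", ID_1111), ("id on .233", ID_1111_OTHER),
                       ("tag on NSX-T", TAGGED_T), ("tag on NSX-v", TAGGED_V)]:
        print(f"{label:14} edit={is_allowed(POLICIES, obj, 'edit')} delete={is_allowed(POLICIES, obj, 'delete')}")
```

The last two objects carry the same tag; only the NSX-T one is editable, which is the point of the "NSX-T only" note on the tag-based policy. The same object ID on a different manager (`ID_1111_OTHER`) is not matched, so the manager constraint genuinely narrows the grant rather than the ID alone.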
- For create and edit functions, roll-back is now available. Once a job has been completed, a user in the Enterprise Admin role can roll back a change that was completed as a result of a work authorization. The rollback is performed from the Enterprise Admin's Work Authorization Dashboard. Both the new and previous object configurations are provided in the work and system logs for comparison.
- Support for NSX-T Policy N&S Objects and dFW create and edit functions.
- NSX-T Policy object details have been added to the Content column in the system log. The Content column contains the JSON the user executed on the creation, editing or deletion of an object.
- During Tenant creation, the Administrator can now define the dFW rule logging tag (NSX-v) or label (NSX-T) when sending external syslog messages. Whenever a Tenant creates a new dFW rule, the rule is automatically created with the defined tag/label for identifying the Tenant in the logging system.
- In addition to managing tenant users within the tenant space, System Administrators can add/edit/delete tenant users at the global level under Admin > Users & Policy > Tenants tab.
Enterprise license support. Beginning with ReSTNSX 2.2, customers will have the option of a Standard or Enterprise license. Standard licenses enable all the core features of the platform whereas Enterprise provides advanced functionality such as NSX Mover and Multi-Tenant Administration without requiring separate feature licenses for each capability. To learn more about the different ReSTNSX licensing options, please visit the licensing page.
Note: NSX Mover is available in the current release as a tech preview for non-Enterprise licensed customers. Future releases will require Enterprise licensing to enable this feature.
ReSTNSX provides an easy way to query both NSX and vCenter objects quickly and easily. On every page within the application, users can slide out the Query tab to perform inventory searches. Within that same window, users are able to export the data to CSV, Excel, PDF and the system clipboard for use in ReSTNSX workflows.
- VM queries against NSX 6.4 Managers show the corresponding IP address(es) for any given VM.
- With a single click, all searches in Query will run and the resulting CSV data will be zipped and downloaded to the user's desktop.
- All CSV exports are now ReSTNSX workflow compatible. Users can export data from Query and use it in workflows with little editing of the data.
Query Support for NSX-T Objects
- IP Pools
- IP Sets
- Layer 3 Sections (Policies)
- Logical Switches (Segments)
- Service Groups (N/A for Policy)
- Tier 0 Routers
- Tier 1 Routers
Query Support for NSX-v Objects
- IP Pools
- IP Sets
- Layer 3 Sections
- Load Balancers
- Logical Switches
- Logical Routers
- Security Groups
- Security Tags
- Service Groups
- Transport Zones
Query Support for vCenter Objects
- Virtual Machines. Note: VM list is the inventory as reported by NSX Manager
Central CLI (NSX-v)
ReSTNSX's Central CLI provides web-based (HTTPS) API-driven access to the NSX Manager CLI without the need for SSH or leaving the web UI for troubleshooting NSX.
- Easy buttons allowing users to click an icon to run pre-defined CLI commands such as "show logical-switch list all" without typing one character.
- Enhanced command output with Intelligent Hyperlinks that allow users to run additional, context-aware nested commands with a click.
- For any CLI command, users can save the commands for future use with a single click.
- Color picker for saving text, hyperlink and background color. These settings are saved per user.
API Scout (NSX-v, NSX-T)
API Scout provides in-application access to the NSX Manager and vCenter APIs without having to use an external client. Based upon the active data source, users can perform GET, PUT, POST functions without the complexity of auth/session cookies or having to leave the UI for API access. Additionally, common API calls for each data source type are provided for easy access.
Personal favorites can also be stored. The URI is stored in the user profile along with a personalized, searchable URI history.
Security Planner (NSX-v, NSX-T)
ReSTNSX's Security Planner integrates into VMware's vRealize Network Insight (vRNI) platform for easy firewall rule creation in NSX Manager. With this integration, Security Planner will connect to vRNI via API methods to collect IP flow information based upon vCenter cluster and time range (up to 30 days prior to the current date). Upon collecting the data, flows are automatically de-duplicated with additional options for the user to optimize the flows. In the initial release of Security Planner, flows with like IP destinations are automatically combined.
Users can publish the same analyzed flows against NSX-v and NSX-T. Additionally, users are able to apply flow filters to exclude specific IP sources, destinations or TCP/UDP ports to narrow the flow collection.
Once the flows are collected, the processed flows are displayed for further editing:
- Drag/drop rules to combine together
- Multi-select of rules to combine together
- Single or multi-select of rules to transform IP Source and/or destination to IPSets
- When connected to NSX Managers of version 6.4 or greater, users may choose to resolve the raw IPs to VM-IDs to be used in the rule set
These rules are now ready to publish to NSX Manager. Select individual or all rules to be published. Upon doing so, a new Section in dFW will be created at the top of the rule set. In this section, all vRNI flows that were selected are present.
Note: Upon publish, all rules in this new section are disabled by default. To enable the rules, click the global select box and "Enable Selected" from the global drop-down menu.
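The flow-to-rule pipeline described in the Security Planner section, as an added example (not ReSTNSX or vRNI code): constructed flow records are de-duplicated, exclusion filters for sources, destinations and ports are applied, flows that share a destination and service are combined into one rule with several sources, sources can be wrapped in an IP Set, and the result is emitted as a new top-of-list section whose rules are disabled by default, as the note above states. The record layout and field names are assumptions.

```python
"""vRNI-style flows to a disabled dFW section (added example)."""
from collections import OrderedDict

# Constructed flow records: (source IP, destination IP, protocol, port)
FLOWS = [
    ("10.1.1.10", "10.2.2.20", "TCP", 443),
    ("10.1.1.11", "10.2.2.20", "TCP", 443),
    ("10.1.1.10", "10.2.2.20", "TCP", 443),   # duplicate of the first flow
    ("10.1.1.12", "10.2.2.21", "TCP", 3306),
    ("10.9.9.9",  "10.2.2.20", "TCP", 443),   # excluded below by source filter
    ("10.1.1.12", "10.2.2.21", "UDP", 161),   # excluded below by port filter
]


def dedupe(flows):
    """Remove exact duplicates while keeping first-seen order."""
    return list(OrderedDict.fromkeys(flows))


def apply_filters(flows, exclude_src=(), exclude_dst=(), exclude_ports=()):
    """Drop flows whose source, destination or port is on an exclusion list."""
    return [f for f in flows
            if f[0] not in exclude_src and f[1] not in exclude_dst and f[3] not in exclude_ports]


def combine_by_destination(flows):
    """Merge flows with the same destination and service into one rule with many sources."""
    groups = OrderedDict()
    for src, dst, proto, port in flows:
        sources = groups.setdefault((dst, proto, port), [])
        if src not in sources:
            sources.append(src)
    return [{"sources": srcs, "destinations": [dst], "service": f"{proto}/{port}", "enabled": False}
            for (dst, proto, port), srcs in groups.items()]


def sources_to_ipset(rule, name):
    """Replace raw source IPs with a reference to an IP Set containing them; returns (rule, ipset)."""
    ipset = {"name": name, "members": list(rule["sources"])}
    return {**rule, "sources": [f"ipset:{name}"]}, ipset


def build_section(rules, name="vRNI-Flows"):
    """New dFW section inserted at the top; rules stay disabled until enabled explicitly."""
    return {"name": name, "position": "top", "rules": rules}


def plan(flows, **filters):
    """Full pipeline: dedupe -> filter -> combine -> disabled section."""
    return build_section(combine_by_destination(apply_filters(dedupe(flows), **filters)))


if __name__ == "__main__":
    section = plan(FLOWS, exclude_src={"10.9.9.9"}, exclude_ports={161})
    for rule in section["rules"]:
        print(rule)
    print(sources_to_ipset(section["rules"][0], "web-clients"))
```

Keeping `enabled: False` on every generated rule mirrors the publish behaviour above: nothing derived from observed traffic takes effect until someone reviews the section and enables the rules deliberately.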
ReSTNSX Operations provides real-time, instant creation, modification and deletion of NSX objects. In comparison to workflows with bulk object creation and roll-back, Operations is designed for performing the typical Day 2 tasks and common management functions. Operations is divided into NSX System for managing the NSX Manager settings and Networking/Security Objects; Networking for logical switching, DLR and ESG management; Security for dFW and eFW; and Load Balancing.
Real-time operations for NSX Manager settings
- Network settings, including IP, DNS, NTP and Syslog
- Security modes (FIPS) and Cipher selection
- Service status and status toggle for vPostgres, RabbitMQ, Universal Synch, Management, SSH and Lookup URL
- Backup settings, including FTP server, scheduling and items to be excluded
Real-time operations for dFW
Create, Edit, Delete, Import and Export (via CSV and point-click) dFW rules.
Support for firewall generation and object generation numbers to verify that a firewall rule has been successfully published to the hosts and clusters. If they are out of sync, the host or cluster is marked orange and the user can force a re-sync of the rules and objects.
Support for dFW mover to copy sections, rules and dependent objects between NSX Managers.
dFW Mover copies L3 Rules and Sections from a source NSX Manager to one or more NSX Managers. Below are application notes on how source and destination sections are matched:
- Sections and Rules: matched by name
  - If matched, the section on the target manager will be replaced with the same rule names
  - Else, the new section will be created at the top of the dFW section list
- Objects referenced in the rule: matched by name
  - If the source object name matches a destination object name, Mover will use the existing destination object. Supported objects include:
    - Edge Service Gateways
  - Else, the user has the option to create the dependent object on the target. Supported objects include:
Import and Export (via CSV) is another option for copying rules between NSX Managers. When exporting rule sets from dFW Operations into a ReSTNSX compatible template, you can use the file for importing into other NSX Managers via two methods:
- dFW Operations. Once a user exports the current rule set from the main menu (Global Actions -> Export Rules (CSV)), the file can be stored for use against other NSX Managers by selecting a new data source and importing by clicking Global Actions -> Import Rules (CSV). The user is then presented an option to Merge or Replace the rules on import.
- dFW Workflow. Using the same export for Global Actions -> Export Rules (CSV), users can navigate to Predefined Calls -> Security -> dFW and import the ruleset into a workflow for publishing against NSX.
Note: For CSV export, rule names containing commas are not supported, because they conflict with the comma-delimited CSV import/export format.
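The export/import cycle described above, as an added example (not ReSTNSX code and not its CSV template): rules are written to CSV, the note's caveat is enforced by refusing any rule name that contains a comma before a file is produced, and the import offers the two options named above. The column names, the rule records and the choice to skip same-name rules on merge are assumptions.

```python
"""CSV rule export and import with merge/replace (added example)."""
import csv
import io

# Assumed column layout; the real ReSTNSX template is not reproduced here.
COLUMNS = ["section", "name", "source", "destination", "service", "action"]

# Constructed rule set on the source manager.
SOURCE_RULES = [
    {"section": "App-Tier", "name": "web-to-app", "source": "web-servers",
     "destination": "app-servers", "service": "TCP/443", "action": "allow"},
    {"section": "App-Tier", "name": "app-to-db", "source": "app-servers",
     "destination": "db-servers", "service": "TCP/3306", "action": "allow"},
]

# Constructed rule set already present on the target manager.
EXISTING_ON_TARGET = [
    {"section": "App-Tier", "name": "web-to-app", "source": "web-servers",
     "destination": "app-servers", "service": "TCP/443", "action": "deny"},
    {"section": "Mgmt", "name": "mgmt-ssh", "source": "jump-hosts",
     "destination": "any", "service": "TCP/22", "action": "allow"},
]


def names_with_commas(rules):
    """Rule names that would collide with the comma-delimited format."""
    return [r["name"] for r in rules if "," in r["name"]]


def export_rules(rules):
    """Serialise rules to CSV text; refuse names with commas rather than write a bad file."""
    bad = names_with_commas(rules)
    if bad:
        raise ValueError(f"rule names with commas are not supported: {bad}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows({c: r[c] for c in COLUMNS} for r in rules)
    return buf.getvalue()


def parse_rules(text):
    """Read CSV text back into rule records, checking the header first."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header {reader.fieldnames}")
    return [dict(row) for row in reader]


def import_rules(existing, text, mode):
    """replace: the imported rules become the whole rule set.
    merge: imported rules are appended; a rule whose (section, name) already exists is skipped
    (assumed merge semantics, not the product's documented behaviour)."""
    imported = parse_rules(text)
    if mode == "replace":
        return imported
    if mode == "merge":
        present = {(r["section"], r["name"]) for r in existing}
        return existing + [r for r in imported if (r["section"], r["name"]) not in present]
    raise ValueError("mode must be 'merge' or 'replace'")


if __name__ == "__main__":
    text = export_rules(SOURCE_RULES)
    print(text)
    for rule in import_rules(EXISTING_ON_TARGET, text, "merge"):
        print("merge  ", rule["section"], rule["name"], rule["action"])
    for rule in import_rules(EXISTING_ON_TARGET, text, "replace"):
        print("replace", rule["section"], rule["name"], rule["action"])
```

Note the difference the two modes make to the existing `web-to-app` rule: merge keeps the target's `deny` version, replace overwrites the whole set with the source's `allow` version, so the mode choice on import is itself a security-relevant decision worth reviewing before publishing.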
dFW Exclusion Management
VM exclusion lists just got easier with a table-based view to easily add / remove VMs from the dFW exclusion list. With this new feature, users can easily filter based upon VM name and select / multi-select adding or removing from the exclusion list.
VM Troubleshooter / Analyzer
Real-time visibility into VM Security Status
Within dFW, users can now select an individual VM to analyze its security posture - including which Security Groups and dFW Sections / Rules it belongs to; the current status of dFW rules and objects on the host where it resides and the ability to download a copy of the installed dvFilter information. Additionally, a visualization of the same security posture data in a relationship diagram is provided.
Networking and Security Objects - N&S - (NSX-v, NSX-T)
Real-time operations for N&S objects
Create, Edit and Delete N&S objects instantly through ReSTNSX. The following objects are supported in this release:
- IP Pools
- IP Sets
- Security Groups
- Security Tags
- Security Tag associations
- Service Groups
- Create, Edit, Delete - Logical Switches
- Attach / Detach virtual machines
- Create, Edit, Delete - Transport Zones
- Edit Segment IDs
- Create, Edit, Delete - DLRs
- Create, Edit, Delete - ESG Templates
- Edit Logical Switch associations
Real-time operations for NSX Load Balancers
Within ReSTNSX, users can now create, edit and operate their NSX load balancers easier than ever before. In a single dashboard, users can monitor critical alerts and manage all edge load balancers of a given NSX domain.
For creating new load balancers, ReSTNSX provides a 5-step create wizard that builds and deploys load balancers quickly and easily. Every step required for a valid configuration is provided.
ReSTNSX also provides full life-cycle management of NSX load balancers. Within the dashboard, users can create, edit and delete:
- Virtual Servers
- Application Profiles
- Server Pools
- Application Rules
- Service Monitors
Diagnostics and Troubleshooting
In addition to the dashboard metrics, ReSTNSX provides a load balancer troubleshooting tool that will run a series of diagnostic commands to help isolate problems. The tool performs a series of CLI-based troubleshooting commands and presents the output while highlighting potential configuration issues. The tool can be run on a virtual server by virtual server basis and provide insight into problem areas within seconds.
- Note: In v2.6, Pool side certificates are not supported for Pool-side SSL
Real-time replication of Networking and Security N&S Objects
With NSX Mover, Administrators can easily copy N&S objects and dFW rules between NSX Managers of the same or different type instantly. Objects are copied in real time to the destination NSX-v or NSX-T Manager without having to log in to the remote system. Copying can be done from a source to one or many remote NSX Manager(s). If the data sources (NSX Managers) are configured into Groups, users are able to select the Group and ReSTNSX will copy the objects and/or firewall rules to multiple destinations at once.
Migrate vCenter VM Tags to NSX Security tags. Any VM Tag that exists in vCenter can be migrated to NSX Security Tags and applied to a VM in one easy step. Navigate to Operations -> N&S Objects -> Tags and select "Import VM Tag" from the main menu to select a VM Tag. Note: only VM Tags currently applied to VMs will be imported. Upon importing and conversion of the tag to a security tag, it will automatically be applied to the same VM the vCenter tag was applied to.
Users can select a single or multiple dFW rules and/or sections to copy across Managers.
To access the Mover tool, navigate to the N&S object types of interest in your origin data source, select one or more objects, open the drop-down menu and select "Copy Selected To...".
Supported object types are listed below. To learn more about NSX Mover, please see the ReSTNSX Overview page.
| Object | NSX-v 6.3 | NSX-v 6.4 | NSX-T 2.2+ |
| --- | --- | --- | --- |
| Service Groups * | Y | Y | Y |
| Security Groups *, ** | Y | Y | N |
* NSX Mover's analytics engine determines if dependent objects exist and will prompt the user if they wish to create the dependent objects on the destination system. Examples of objects that could have dependencies include Service Groups and Security Groups where they may be referencing other objects that do not yet exist.
** NSX Mover supports Security Groups for migrating dependent objects such as IP Sets and Security Tags. Logical Switches and Virtual Machines will be supported in a future release.
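An added example (not ReSTNSX code) that applies the matching behaviour from the dFW Mover application notes and the dependency analysis described in the table footnotes above: a section is matched on the destination by name and replaced in place, or inserted at the top if no match exists; each object a rule references is matched by name and reused if present; and missing objects, including nested members of a Security Group, are reported so the operator can choose whether to create them. The record layouts, object types and names are constructed for the example.

```python
"""Name-matched section copy with dependency check (added example)."""
from copy import deepcopy

# Constructed source manager: one section whose rules reference named objects.
SOURCE = {
    "sections": [
        {"name": "App-Tier", "rules": [
            {"name": "web-to-app", "source": {"IPSet": "web-servers"},
             "destination": {"SecurityGroup": "app-servers"}, "service": {"ServiceGroup": "http-https"}},
        ]},
    ],
    "objects": {"IPSet": {"web-servers": {"members": ["10.1.1.0/24"]}},
                "SecurityGroup": {"app-servers": {"members": [{"SecurityTag": "app"}]}},
                "ServiceGroup": {"http-https": {"members": ["TCP/80", "TCP/443"]}},
                "SecurityTag": {"app": {}}},
}

# Constructed destination: already has the IP Set and the tag, nothing else.
DEST = {
    "sections": [{"name": "Default", "rules": []}],
    "objects": {"IPSet": {"web-servers": {"members": ["10.1.1.0/24"]}}, "SecurityGroup": {},
                "ServiceGroup": {}, "SecurityTag": {"app": {}}},
}


def fresh_destination():
    """A private copy of DEST so repeated runs start from the same state."""
    return deepcopy(DEST)


def referenced_objects(section):
    """Yield (type, name) for every object a rule in the section references."""
    for rule in section["rules"]:
        for slot in ("source", "destination", "service"):
            for obj_type, name in rule.get(slot, {}).items():
                yield obj_type, name


def missing_dependencies(source, section, dest):
    """Objects the section needs that the destination lacks, walking nested members.

    Security Groups and Service Groups may reference other objects; only
    SecurityTag members are modelled here.
    """
    missing, seen = [], set()
    stack = list(referenced_objects(section))
    while stack:
        obj_type, name = stack.pop()
        if (obj_type, name) in seen:
            continue
        seen.add((obj_type, name))
        if name in dest["objects"].get(obj_type, {}):
            continue  # matched by name: the existing destination object is reused
        missing.append((obj_type, name))
        for member in source["objects"][obj_type][name].get("members", []):
            if isinstance(member, dict):
                stack.extend(member.items())
    return missing


def copy_section(source, section_name, dest, create_missing=False):
    """Copy one section by name; returns the dependencies that were missing on the destination.

    Without create_missing the destination is left untouched when anything is missing,
    which is the prompt-the-user step described in the footnote.
    """
    section = next(s for s in source["sections"] if s["name"] == section_name)
    missing = missing_dependencies(source, section, dest)
    if missing and not create_missing:
        return missing
    for obj_type, name in missing:
        dest["objects"].setdefault(obj_type, {})[name] = deepcopy(source["objects"][obj_type][name])
    new_section = deepcopy(section)
    for i, existing in enumerate(dest["sections"]):
        if existing["name"] == section_name:
            dest["sections"][i] = new_section     # matched by name: replace in place
            break
    else:
        dest["sections"].insert(0, new_section)   # no match: new section goes to the top
    return missing


if __name__ == "__main__":
    dest = fresh_destination()
    print("missing on first attempt:", copy_section(SOURCE, "App-Tier", dest))
    print("created:", copy_section(SOURCE, "App-Tier", dest, create_missing=True))
    print("sections now:", [s["name"] for s in dest["sections"]])
```

Reusing an existing destination object purely because its name matches is the behaviour the notes describe; it also means a same-named IP Set with different members on the destination silently becomes the rule's target, so comparing member lists before publishing is a check worth adding in practice.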
Administrators, Auditors and IT Managers now have access to a unified reporting fabric to gain visibility into all of the ReSTNSX managed domains - regardless of NSX version or location. ReSTNSX now provides three report types:
System Reports - Environment summary, service status and configuration details of each NSX Manager under ReSTNSX management, provided by a daily report or on demand. Difference reports highlight the NSX configuration differences between the latest collected inventory and service status and the previous collections. Users may also select custom retention intervals. The default storage policy retains the previous 14 days of configurations for comparison. The maximum allowed setting is 180 days.
Activity Reports - Filtered real-time, system log events that can be sorted by username for insight into a user’s action over time.
Tenant Reports - A combination of the System and Activity reports. Data is filtered to provide insight into any given ReSTNSX configured tenant. Similar to the System reports, the Tenant report provides Administrators and Auditors a configuration summary on a tenant-by-tenant basis. Tenant reports reflect real-time information for configuration and user activity.
ReSTNSX now provides a central repository for CSV Configuration Files. In addition to uploading the CSVs directly into a given workflow, users can now also reference the files stored on the ReSTNSX appliance. Users are also able to upload multiple types and versions of files that can be re-used in workflows by multiple users.
Upgrades to ReSTNSX leverage configuration export for easy migrations. When exported, the following information is retained:
- Local Users
- Saved Workflows
- Custom Wizards
- Tenant Information
- Data Sources
- System Settings
- CSV Workflow Files
- Central CLI Favorites
By exporting this information, upgrades are performed in parallel to the production platform. Once the new version of ReSTNSX is online, simply import the previously exported configuration file and the system is online. Administrators can manage the same NSX environment(s) with both ReSTNSX versions at the same time and
Note: When both systems are online, configuration settings are not synchronized between the different versions and must be maintained separately until the old version is decommissioned.
For a step-by-step upgrade, please refer to the ReSTNSX Upgrade Guide.