Release Notes v5.0
Release and Configuration Notes
First Published: 9/1/2022, Revised 10/1/2022
This document contains system requirements, supported features and bugs for ReSTNSX CloudControl v5.0
The ReSTNSX appliance no longer ships with a 45 day Evaluation License. Users must email firstname.lastname@example.org to receive a limited, temporary license. In evaluations mode, the following limitations are enforced:
▪ A limit of two data sources (NSX Managers) can be configured
▪ Tenants count limited to 2
▪ No additional users or external auth may be provisioned
▪ vRNI flows are limited to 15 ▪ ASA import to dFW publish is disabled
▪ Maximum of 10 workflow items can be published to NSX Manager
▪ For Operations -> dFW, a limit of 20 rule changes / 4 section changes total is enforced when importing NSX rules from CSV or published to NSX Manager. dFW Mover is limited to 1 Section / 15 rules per instantiation.
▪ For Operations -> N&S, Mover is limited to 15 objects per instantiation.
In evaluation mode, the default login information is as follows:
Username: admin Password: default
For REST API access, HTTPS (TCP Port 443) must be allowed through any transient firewalls for the ReSTNSX Appliance to access vCenter and NSX Manager. For NSX-T Central CLI and edge node troubleshooting tools, ReSTNSX requires SSH connectivity to the primary NSX Manager / vCenter hosts. VMCoAWS is supported for direct connect connections and running as an OVA within the compute cluster within a given SDDC. CGW and MGW rules must be added for HTTP for ReSTNSX to connect to NSX Manager and vCenter
▪ Chrome 84+ for the best user experience
▪ Firefox 52+ (Limited Interop Testing)
▪ Query: Added Security Tags with the effective members (VMs). (NSX-T).
▪ Query: VM details added to show Guest information and networking (Segment, Tier 1) details. (NSX-T)
▪ Work Authorizations: Custom email template support for the Request, Approval and Implementation stages of work authorizations. This feature allows the system admin to define custom emails when notifications are sent
▪ Work Authorizations: Initiate ReSTFUL API calls to 3rd party systems for Request, Approval and Implementation events
Policy Engine (formerly Policy Sync)
▪ A new audit file export where the updates made in the latest Policy Engine run for NSX-v dFW rules, IP Sets, Security Groups and Services are reported. The data includes the object definition before and after the policy was run.
▪ NSX-v to NSX-T Global Manager dFW Sync added
▪ NSX-T to NSX-T synchronization when a segment is contained in a rule or applied-to. This feature will query the destination NSX-T manager for a segment matching by name to be placed in the NS Group.
▪ If no matching entry is found:
▪ Then If source segment = VLAN, collect VM IPs on source segment
▪ Else If source segment = Routed, collect Segment IP Subnet ▪ Place IP(s)/Subnet(s) in destination NS Group
▪ Supported versions for Firewall and Security Group synchronization:
▪ Users can now clone entire NSX-T Security Configurations to another NSX-T manager. This is in addition to Bulk Provisioning (CSV files); NSX Mover (One object type at a time) and Policy Engine (dFW Sections and objects) Object Analyzer
▪ For customers who were required to disable stat collection on ESXi hosts, this feature allows Object Analyzer to collect dFW stats directly from ESXi hosts and thus bypassing NSX. Firewall Conversion
▪ Added support for Checkpoint firewall rule conversion to NSX-T & VMCoAWS via API GET to Checkpoint Management Server. Note domain name import or NAT rules are currently not supported. Rules can be published to dFW or Tier 1 / CGW.
▪ Added support for Fortinet firewall rule conversion to NSX-T & VMCoAWS via file import (JSON output of config).
Operations > dFW now allows users to preview a rules effective members (source, destination) before publishing to visualize how/if the rule will affect traffic
Custom workflows where an administrator can build a custom workflow with specific permissions. This option allows a workflow creator to define exactly which fields a user can and cannot change. In the example below, an Admin can lock all user fields. Additionally, the drop-downs and text boxes can be set to a specific value that the end user cannot change when they executed the workflow. This feature is available for NSX-v and with 5.x, NSX-T.
Difference Reports introduces the capability to compare, ondemand, up to three NSX-T Managers. This feature allows users to compare security configurations and detect variations as slight as differences in object descriptions.
▪ Data sources can now be enabled to send notifications to 3rd party systems via ReSTFUL API calls. These notifications can be configured on a per user group basis and per object type. For example, when a user modifies a NSX object via ReSTNSX, send an API notification in addition to syslog.
▪ System report notification maximum email destinations increased to 25 from 3
Multi-Tenant New Features
(NSX-T) ▪ VM page showing more column options to display additional Virtual Machine details (CPU, Memory, Tags, etc...). ▪ Logging dashboard now limited to user events and system level events filtered out
ReSTNSX - Features Overview
Enterprise license support. Beginning with ReSTNSX 2.2, customers will have the option of a Standard or Enterprise license. Standard licenses enable all the core features of the platform whereas Enterprise provides advanced functionality such as NSX Mover and Multi-Tenant Administration without requiring separate feature licenses for each capability.
Note: NSX Mover is available in the current release as a tech preview for non-Enterprise licensed customers. Future releases will require Enterprise licensing to enable this feature
Query ReSTNSX provides an easy way to query both NSX and vCenter objects quickly and easily. On every page within the application, users can slide out the Query tab to perform inventory searches. Within that same window, users are able to export the data to CSV, Excel, PDF and the system clipboard for use in ReSTNSX workflows.
▪ VM queries against NSX 6.4 Managers will show the corresponding IP address(es) for any given VM
▪ With a single click, all searches in query will run and the resulting CSV data will be zipped and downloaded to the user's desktop
▪ All CSV exports are now ReSTNSX workflow compatible. Users can export data from Query and use them in workflows with little editing of the data
Query Support for NSX-T Objects
▪ Layer 3 Sections (Policies)
▪ Logical Switches (Segments)
▪ NS Groups ▪ Services
▪ Tier 0 Routers
▪ Tier 1 Routers
▪ Security Tags
Query Support for NSX-v Objects
▪ IP Pools
▪ IP Sets
▪ Layer 3 Sections
▪ Load Balancers
▪ Logical Switches
▪ Logical Routers
▪ Security Groups
▪ Security Tags
▪ Service Groups
▪ Transport Zones
Query Support for vCenter Objects
▪ Virtual Machines.
Note: VM list is the inventory as reported by NSX Manager
Central CLI (NSX-v, NSX-T)
ReSTNSX's Central CLI provides web-based (HTTPS) API-driven access to the NSX Manager CLI without the need for SSH or leaving the web UI for troubleshooting NSX. Highlights include:
▪ Easy buttons allowing users to click an icon to run pre-defined CLI commands such as "show logical-switch list all" without typing one character.
▪ Enhanced command output with Intelligent Hyperlinks that allows easy buttons to run additional nested commands that are context aware.
▪ For any CLI command, users can save the commands for future use with a single click.
▪ Color picker for saving text, hyperlink and background color. These settings are saved per user.
API Scout (NSX-v, NSX-T)
API Scout provides in-application access to the NSX Manager and vCenter APIs without having to use an external client. Based upon the active data source, users can perform GET, PUT, POST functions without the complexity of auth/session cookies or having to leave the UI for API access. Additionally, common API calls for each data source type are provided for easy access. Personal favorites can also be stored. The URI is stored in the user profile along with personalized, searchable URI history
ReSTNSX's Security Planner integrates into VMware's vRealize Network Insight (vRNI) platform for easy firewall rule creation in NSX Manager. With this integration, Security Planner will connect to vRNI via API methods to collect IP flow information based upon vCenter cluster and time range (up to 30 days prior to the current date). Upon collecting the data, flows are automatically de-duplicated with additional options for the user to optimize the flows. In the initial release of Security Planner, flows with like IP destinations are automatically combined. Users can publish the same analyzed flows against NSX-v and NSX-T. Additionally, users are able to apply flow filters to exclude specific IP sources, destinations or TCP/UDP ports to narrow the flow collection.
Once the flows are collected, the processed flows are displayed for further editing:
▪ Drag/drop rules to combine together
▪ Multi-select of rules to combine together
▪ Single or multi-select of rules to transform IP Source and/or destination to IPSets
▪ When connected to NSX Managers of version 6.4 or greater, users may choose to resolve the raw IPs to VM-IDs to be used in the rule set
ReSTNSX Operations provides real-time, instant creation, modification and deletion of NSX objects. In comparison to work-flows with bulk object creation and roll-back, Operations is designed for performing the typical Day 2 tasks and common management functions. Operations is divided up into NSX System for managing the NSX Manager settings and Networking/Security Objects; Networking for logical switching, DLR and ESG management; Security for dFW and eFW; and Load Balancing. NSX System Real-time operations for NSX Manager settings
▪ Network settings, including IP, DNS, NTP and Syslog
▪ Security modes (FIPS) and Cipher selection
▪ Service status and status toggle for vPostgres, RabbitMQ, Universal Synch, Management, SSH and Lookup URL
▪ Backup settings, including FTP server, scheduling and items to be excluded
dFW Management Real-time operations for dFW
Create, Edit, Delete, Import and Export (via CSV and point-click) dFW rules.
Support for firewall generation and object generation numbers to see if the firewall rule has been successfully published to the hosts and clusters. If they are out of synch, the host or cluster will be marked orange with the user's ability to force a re-synch of the rules and objects.
Support for dFW mover to copy sections, rules and dependent objects between NSX Managers. dFW Mover copies L3 Rules and Sections from a source NSX manager to one or more NSX Managers. Below are application notes related to behavior between the source and destination sections
Sections and Rules: Matched by Name If matched, the section on the target manager will be replaced with the same rule names Else, the new section will be created to the top of the dFW section list
Objects referenced in the rule: Matched by Name If the source object matches the destination object name, Mover will use the existing destination object.
Supported objects include:
Edge Service Gateways
Else, the user has the option to create the dependant object on the target.
Supported objects include:
Import and Export (via CSV) is another option for copying rules between NSX managers. When exporting rule sets from dFW Operations into a ReSTNSX compatible template, you can use the file for importing into other NSX Managers via two methods
1. dFW Operations. Once a user exports the current rule set from the main menu (Global Actions -> Export Rules (CSV)), the file can be stored for use against other NSX Managers by selecting a new data source and importing by clicking Global Actions -> Import Rules (CSV). The user is then presented an option to Merge or Replace the rules on import.
2. dFW Workflow. Using the same export for Global Actions -> Export Rules (CSV), users can navigate to Predefined Calls -> Security -> dFW and import the ruleset into a workflow for publishing against NSX. Note: For CSV export, rule names with commas is not supported as it will create conflicts in the commabased CSV import/export
dFW Exclusion Management
VM exclusion lists just got easier with a table-based view to easily add / remove VMs from the dFW exclusion list. With this new feature, users can easily filter based upon VM name and select / multi-select adding or removing from the exclusion list.
VM Troubleshooter / Analyzer Real-time visibility into VM Security Status Within dFW, users can now select an individual VM to analyze its security posture - including which Security Groups and dFW Sections / Rules it belongs to; the current status of dFW rules and objects on the host where it resides and the ability to download a copy of the installed dvFilter information.
Networking and Security Objects - N&S - (NSX-v, NSX-T)
Real-time operations for N&S objects
Create, Edit and Delete N&S objects instantly through ReSTNSX.
The following objects are supported in this release:
▪ IP Sets
▪ Security Groups
▪ Security Tags
▪ Security Tag associations
▪ Service Groups
▪ Context Profiles
▪ Create, Edit, Delete Logical Switches
▪ Attach / Detach virtual machines
▪ Create, Edit, Delete - Transport Zones
▪ Edit Segment IDs
▪ Create, Edit, Delete - DLRs
▪ Create, Edit, Delete - ESG Templates
▪ Edit Logical Switch associations
Real-time operations for NSX Load Balancers Within ReSTNSX, users can now create, edit and operate their NSX load balancers easier than ever before. In a single dashboard, users can monitor critical alerts and manage all edge load balancers of a given NSX domain.
For creating new load balancers, ReSTNSX provides a 5 step create wizard that will build and deploy load balancers quickly and easily. Every step required for a valid configuration is provided.
ReSTNSX also provides full life-cycle management of NSX load balancers. Within the dashboard, users can:
Create, Edit and Delete:
▪ Virtual Servers
▪ Application Profiles
▪ Server Pools
▪ Application Rules
▪ Service Monitors
Diagnostics and Troubleshooting
In addition to the dashboard metrics, ReSTNSX provides a load balancer troubleshooting tool that will run a series of diagnostic commands to help isolate problems. The tool performs a series of CLI-based troubleshooting commands and presents the output while highlighting potential configuration issues. The tool can be run on a virtual server by virtual server basis and provide insight into problem areas within seconds.
Real-time replication of Networking and Security N&S Objects With NSX Mover, Administrators can easily copy N&S objects and dFW rules between NSX Managers of the same or different type instantly. Objects are copied in real-time to the destination NSX-v or NSX-T Manager without having to login to the remote system. Copying can be done from source to one or many remote NSX Manager(s). If the data sources (NSX Managers) are configured into Groups, users are able to select the Group and ReSTNSX will copy the objects and/or firewall rules to multiple destinations at once.
Migrate vCenter VM Tags to NSX Security tags. Any VM Tag that exists in vCenter can be migrated to NSX Security Tags and applied to a VM in one easy step. Navigate to Operations -> N&S Objects -> Tags and select "Import VM Tag" from the main menu to select a VM Tag. Note: only VM Tags currently applied to VMs will be imported. Upon importing and conversion of the tag to a security tag, it will automatically be applied to the same VM the vCenter tag was applied to.
Users can select a single or multiple dFW rules and/or sections to copy across Managers. To access the Mover tool, navigate to the N&S object types of interest in your origin datasource, select a single or multiple object, and navigate to the drop-down menu and select "Copy Selected To..."
* NSX Mover's analytics engine determines if dependent objects exist and will prompt the user if they wish to create the dependent objects on the destination system. Examples of objects that could have dependencies include Service Groups and Security Groups where they may be referencing other objects that do not yet exist.
** NSX Mover supports Security Groups for migrating dependent objects such as IPSets and Security Tags. Logical Switches and Virtual Machines will be supported in future release.
Administrators, Auditors and IT Managers now have access to a unified reporting fabric to gain visibility into all of the ReSTNSX managed domains - regardless of NSX version or location. ReSTNSX now provides three report types:
Environment summary, service status and configuration details of each NSX Manager under ReSTNSX management are provided by a daily report or on-demand. Difference reports that will highlight the NSX configuration differences between the latest collected inventory and service status with the previous collections. Users may also select custom retention intervals. The default storage policy is to retain the previous 14 days of configurations for comparison. The maximum allowed setting is 180 days.
Activity Reports - Filtered real-time, system log events that can be sorted by username for insight into a user’s action over time.
Tenant Reports - A combination of the System and Activity reports. Data is filtered to provide insight into any given ReSTNSX configured tenant. Similar to the System reports, the Tenant report provides Administrators and Auditors a configuration summary on a tenant-by-tenant basis. Tenant reports reflect real-time information for configuration and user activity.
ReSTNSX now provides a central repository for CSV Configuration Files. In addition to uploading the CSVs directly into a given workflow, users can now also reference the files stored on the ReSTNSX appliance. Users are also able to upload multiple types and versions of files that can be re-used in workflows by multiple users.
Upgrades to ReST NSX leverage configuration export for easy migrations. When exported, the following information is retained: ▪ Local Users
▪ Saved Workflows
▪ Custom Wizards
▪ Tenant Information
▪ Data Sources
▪ System Settings
▪ CSV Workflow Files
▪ Central CLI
By exporting this information, upgrades are performed in parallel to the production platform. Once the new version of ReSTNSX is online, simply import the previously exported configuration file and the system is online. Administrators can manage the same NSX environment(s) with both ReSTNSX versions at the same time and Note: When both systems are online, configuration settings are not synchronized between the different versions and must be maintained separately until the old version is decommissioned