top of page
Release Notes v5.3
9_edited.png

Release and Configuration Notes

First Published: 11/1/2023

This document contains system requirements, new features and feature overview for ReSTNSX's CloudControl v5.3

 

Important Notes

As of version 5.3, the ReSTNSX application is now named CloudControl.  This name change aligns with the intent of the product for multi-cloud management and migrations.  The user experience has been updated to reflect the focus on multi-cloud.

Multi-cloud management login page

System Requirements

Support matrix and system requirements for CloudControl (formerly ReSTNSX). 

For REST API access, HTTPS (TCP Port 443) must be allowed through any transient firewalls for the CloudControl Appliance to access vCenter and NSX Manager.  For NSX-T Central CLI and edge node troubleshooting tools, CloudControl requires SSH connectivity to the primary NSX Manager / vCenter hosts.

VMCoAWS (VMware Cloud on AWS) is supported for direct connect connections and running as an OVA within the compute cluster within a given SDDC.  CGW and MGW rules must be added for HTTP for CloudControl to connect to NSX Manager and vCenter.  See the CloudControl quick start guide for details. 

Browser Support

  • Chrome 84+ for the best user experience

  • Firefox  52+ (Limited Interop Testing)

 

New Features

General

  • New UI theme

  • Re-designed Global Dashboard that aggregates inventory across all NSX data sources - NSX-v, NSX-T, VMCoAWS and VMware powered clouds such as Microsoft Azure, Oracle, IBM and Google (GCVE)

  • Official support for migrating to and managing VMware powered clouds such as Microsoft Azure, Oracle, IBM and Google (GCVE)

NSX Cloud Global Dashboard

​Tools

Policy Engine (formerly Policy Sync) 

  • Synchronization of Checkpoint firewall network objects to NSX-T.  This feature enhances the Checkpoint integration from a one-time conversion to the ability to pull Checkpoint network objects (all or by specific Checkpoint tags) and update their corresponding NSX-T Security Group IP list.  This feature can be scheduled or run real-time. 

  • Prior to running a Firewall synchronization policy, users can now preview the results.  Previewing will poll the source data source and destination(s) to determine latency, how many objects/rules will be created, updated or referenced. 

  • Firewall policy synchronization between NSX-T Global Managers to provide consistent policy between disparate NSX Federated environments. 

  • Added support for bi-directional sync.  Policy Engine is normally enforces source -> destination(s) logic. This feature for NSX-T/VMCoAWS allows partial sync back to the source. With this direction enabled, destinations Security Groups (IPs / effective members) will be pushed back to the source.

  • NSX-T to NSX-T synchronization when a segment is contained in a rule or applied-to.  This feature will query the destination NSX-T manager for a segment matching by name to be placed in the NS Group.

    • If no matching entry is found:

    • Then If source segment = VLAN, collect VM IPs on source segment

      • Else If source segment = Routed, collect Segment IP Subnet

    • Place IP(s)/Subnet(s) in destination NS Group

  • Supported versions for Firewall, Security Group and Service objects synchronization:

Firewall Organizer 

  • A new tool to easily collapse or expand distributed firewall sections.  This feature can:

    • Collapse. Filter out firewall sections by rule count (ex: sections with 1, 2, 3, etc... rules) and easily collapse them into a new section.  Note that CloudControl does not delete the old sections. These are maintained with the new section placed below the last section selected for merge

    • Expand. Filter out firewall sections by rule count but focused on large sections (hundreds of rules) where a user might want to break them up into more manageable amounts.  For example, a single firewall section may contain 1,000 rules (NSX configuration maximum) and it is desired to break it up into small, more manageable portions.  Expand will break the 1,000 rules into any number of sections entered (i.e. 10 sections of 100 rules each, etc...).  As with the Collapse option, CloudControl will not remove the existing section. 

Object Analyzer

  • No new features

Firewall Conversion

  • Parser and publish methods re-written to better support new vendor firewall conversions.  Today, CloudControl supports Checkpoint, Palo Alto, Cisco ASA and Fortinet/Fortigate conversion to NSX-T on-prem and VMware Clouds. 

  • Introduced post-conversion reports to report all actions taken (create, update, reference or error events).

  • Added support for publishing to a NSX-T Tier-1 Shared rules section. This is in addition to the existing support for publishing to distributed firewall, Tier-1 and Tier-0. 

Operations

  • All all security object pages under Operations, introduced the ability to easier filter the last five objects a user added, edited or viewed.  This allows operators to quickly reference an object that was recently viewed or created without searching lists of objects.

  • Object Templates.  System administrators can now define an object (Security Group, Service, dFW Rule) template that will have pre-filled fields for other users.  The templates provide a baseline config so users do not need to enter the same information repeatedly (ex: Item description, tag, etc...)   (NSX-T/VMCoAWS)

  • Operations > Clouds.  Ability to download and synchronize provider (Azure, Google, Amazon) maintained service subnets.  These are provider maintained lists that will be created as Sec Groups (IP Lists) in NSX and when they are changed by the provider, CloudControl will update NSX

  • Operations > Clouds > ToR.  Adds support to subscribe to the Checkpoint ToR blacklist of IPs and maintain a Sec Group of IPs in NSX

  • Operations > Bulk delete of objects will now allow the user to delete nested objects

  • Operations > dFW enhancements:

    • Added support for dragging object between rules (copy)

    • Multi-section move tool. Ability to re-order sections (within a category) in a simpler drag / drop fashion using Global action of "Manage Section Order"

    • Added more granular support for hit count/temperature icons in a rule.  New logic will stack ranks hit count/popularity index within a dFW category

  • Operations > Context Profiles editing simplified.

 

Workflows

  • Custom workflows allow an administrator can build a custom workflow with specific permissions. This option enables a workflow creator to define exactly which fields a user can and cannot change.  In the example below, an Admin can lock all user fields.  Additionally, the drop-downs and text boxes can be set to a specific value that the end user cannot change when they executed the workflow.  This feature is available for NSX-v and with 5.x, NSX-T.

custom-min-2048x1003.png

Reporting

  • System reports now include Edge Node details (CPU, etc...) (NSX-T only).

  • Difference reports (compare NSX manager inventory) now is full-screen instead of a pop-up window.

  • New Security Audit report.  This new report combines multiple reports into a single output for easy auditing of NSX distributed firewall rules and objects.  The feature combines the output of Object Analyzer (stale rules, objects);  Rule Analyzer (rule statistics such as top rules based upon session count) and Change history for a given period of time. 

    • When selecting a timeframe to run the audit, users can view object usage, configuration changes, rules with no hit during that period, rules with no hits and no changes during that same period for easy identification of what can be removed from the environment. ​

 

Administration

  • Troubleshooting BOT.  This feature helps determine what issues, if any, exist between CloudControl and a given data source (NSX, vCenter, vRNI).  CloudControl will poll a data source and display the response that is received from the network and data source.  Information includes: Ping of data source, ping of default gateway, HTTPS (generic) access to the data source and HTTPS (with login information) to the data source.  

  • Added support for multiple vRNI data sources. When additional vRNI data sources are added, CloudControl will poll vRNI to determine which NSX managers are associated to the given vRNI instance.  As a result, CloudControl will honor the mapping.

Multi-Tenant New Features (NSX-T)

  • None

 

CloudControl - Main Features Overview

System Features

Query

CloudControl provides an easy way to query both NSX and vCenter objects quickly and easily.  On every page within the application, users can slide out the Query tab to perform inventory searches.  Within that same window, users are able to export the data to CSV for inventory purposes or CloudControl bulk provisioning workflows.

 

Usage Notes:​

  • With a single click, all searches in query will run and the resulting CSV data will be zipped and downloaded to the user's desktop.

  • All CSV exports are now CloudControl workflow (bulk provisioning) compatible. Users can export data from Query and use them in workflows with little editing of the data.

 

Query Support for NSX-T Objects

  • Edge Clusters

  • Discovered Nodes (Workload Hosts)

  • Transport Nodes

  • Physical servers

  • Layer 3 Sections (Policies)

  • Logical Switches (Segments)

  • NS Groups (Security Groups)

  • Context Profiles

  • Services

  • Tier 0 Routers

  • Tier 1 Routers

  • Security Tags

  • Virtual Machines, including their vCenter information, IP and connectivity information

  • Cross launch into vRNI to view flows for a given Virtual Machine and create firewall policy from observed flows

  • Virtual Interfaces (VIFs)

  • Distributed Firewall excluded Virtual Machines

Query Support for NSX-v Objects

  • Controllers

  • Edges

  • IP Pools

  • IP Sets

  • Layer 3 Sections

  • Load Balancers

  • Logical Switches

  • Logical Routers

  • Security Groups

  • Security Tags

  • Services

  • Service Groups

  • Transport Zones

 

Query Support for vCenter Objects

  • Virtual Machines.  Note: VM list is the inventory as reported by NSX Manager

  • Clusters

  • Hosts

  • Virtual Machine Tags (vCenter tag)

 

Central CLI (NSX-v, NSX-T)

CloudControl Central CLI provides web-based (HTTPS) API-driven access to the NSX Manager CLI.

 

Highlights include:

  • Easy buttons allowing users to click an icon to run pre-defined CLI commands such as "show logical-switch list all" without typing one character.

  • Enhanced command output with Intelligent Hyperlinks that allows easy buttons to run additional nested commands that are context aware.

  • For any CLI command, users can save the commands for future use with a single click.

  • Color picker for saving text, hyperlink and background color. These settings are saved per user.

 

API Scout (NSX-v, NSX-T)

API Scout provides in-application access to the NSX Manager and vCenter APIs without having to use an external client.  Based upon the active data source, users can perform GET, PUT, POST functions without the complexity of auth/session cookies or having to leave the UI for API access.  Additionally, common API calls for each data source type are provided for easy access.

Personal favorites can also be stored.  The URI is stored in the user profile along with personalized, searchable URI history.

Security Planner (NSX-v, NSX-T)

CloudControl's Security Planner integrates into VMware's vRealize Network Insight (vRNI) (Aria Operations for Networks) platform for easy firewall rule creation in NSX Manager.  With this integration, Security Planner will connect to vRNI via API methods to collect IP flow information based upon vCenter cluster and time range (up to 30 days prior to the current date).  Upon collecting the data, flows are automatically de-duplicated with additional options for the user to optimize the flows.  In the initial release of Security Planner, flows with like IP destinations are automatically combined. Users can publish the same analyzed flows against NSX-v and NSX-T. Additionally, users are able to apply flow filters to exclude specific IP sources, destinations or TCP/UDP ports to narrow the flow collection.

Once the flows are collected, the processed flows are displayed for further editing:

  • Drag/drop rules to combine together

  • Multi-select of rules to combine together

  • Single or multi-select of rules to transform IP Source and/or destination to IPSets

  • When connected to NSX Managers of version 6.4 or greater, users may choose to resolve the raw IPs to VM-IDs to be used in the rule set

  • These rules are now ready to publish to NSX Manager.  Select individual or all rules to be published.  Upon doing so, a new Section in dFW will be created at the top of the rule set.  In this section, all vRNI flows that were selected are present.

  • Note: Upon publish, all rules in this new section are disabled by default.  To enable the rules, click the global select box and "Enable Selected" from the global drop-down menu.

Operations 

CloudControl Operations pages provide real-time, instant creation, modification and deletion of NSX objects.  In comparison to work-flows for bulk object creation and roll-back, Operations is designed for performing the typical Day 2 tasks and common management functions.  Operations is divided up into NSX System for managing the NSX Manager settings and Networking/Security Objects; Networking for logical switching, routermanagement;  Security for dFW and eFW; and Load Balancing.

 

dFW Management

Real-time operations for dFW

 

Create, Edit, Delete, Import and Export (via CSV and point-click) dFW rules.

 

Support for firewall generation and object generation numbers to see if the firewall rule has been successfully published to the hosts and clusters. If they are out of synch, the host or cluster will be marked orange with the user's ability to force a re-synch of the rules and objects.

 

Support for dFW mover to copy sections, rules and dependent objects between NSX Managers.

dFW Mover copies L3 Rules and Sections from a source NSX manager to one or more NSX Managers. Below are application notes related to behavior between the source and destination sections

 

Sections and Rules: Matched by Name

If matched, the section on the target manager will be replaced with the same rule names

Else, the new section will be created to the top of the dFW section list

Objects referenced in the rule: Matched by Name

If the source object matches the destination object name, Mover will use the existing destination object.

 

Supported objects include:
IP Sets (NSX-v)
Virtual Machines
Security Groups
Logical Switches
Services
Service Groups
Edge Service Gateways

Else, the user has the option to create the dependant object on the target.

Supported objects include:
IP Sets (NSX-v)
Services
Service Groups
Security Groups

VM Troubleshooter / Analyzer

Real-time visibility into VM Security Status

Within dFW and Query, users can select an individual VM to analyze its security posture - including which Security Groups and dFW Sections / Rules it belongs to; the current status of dFW rules and objects on the host where it resides and the ability to download a copy of the installed dvFilter information.  Additionally, a top-down visualization of the same security posture data in a relationship diagram is provided.

Networking and Security Objects - N&S - (NSX-v, NSX-T)

Real-time operations for N&S objects

Create, Edit and Delete N&S objects instantly through CloudControl.  The following objects are supported in this release:

  • IP Sets (NSX-v)

  • Security Groups

  • Security Tags

  • Security Tag associations - single or bulk assignment 

  • Services

  • Service Groups (NSX-v)

  • Context Profiles

 

Logical Switching

  • Create, Edit, Delete - Logical Switches / Segments

  • Attach / Detach virtual machines

Routing

  • Create, Edit, Delete - DLRs / Tier-1 / Tier-0

  • Edit Logical Switch / Segment associations

 

Load Balancing

Real-time operations for NSX Load Balancers

Within CloudControl, users can create, edit and operate their NSX load balancers (including AVI) easier than ever before.  In a single dashboard, users can monitor critical alerts and manage all edge load balancers of a given NSX domain.

 

Provisioning

For creating new load balancers, CloudControl provides a 5 step create wizard that will build and deploy load balancers quickly and easily. Every step required for a valid configuration is provided.

Operations

CloudControl also provides full life-cycle management of NSX load balancers.  Within the dashboard, users can: Create, Edit and Delete:

  • Virtual Servers

  • Application Profiles

  • Server Pools

  • Application Rules

  • Service Monitors

Diagnostics and Troubleshooting

In addition to the dashboard metrics, CloudControl provides a load balancer troubleshooting tool that will run a series of diagnostic commands to help isolate problems.  The tool performs a series of CLI-based troubleshooting commands and presents the output while highlighting potential configuration issues.  The tool can be run on a virtual server by virtual server basis and provide insight into problem areas within seconds.

NSX Mover

Real-time replication of Networking and Security N&S Objects

With NSX Mover, Administrators can easily copy N&S objects and dFW rules between NSX Managers of the same or different type instantly.  Objects are copied in real-time to the destination NSX-v or NSX-T Manager without having to login to the remote system.  Copying can be done from source to one or many remote NSX Manager(s).  If the data sources (NSX Managers) are configured into Groups, users are able to select the Group and CloudControl will copy the objects and/or firewall rules to multiple destinations at once.

 

Migrate vCenter VM Tags to NSX Security tags.  Any VM Tag that exists in vCenter can be migrated to NSX Security Tags and applied to a VM in one easy step.  Navigate to Operations -> N&S Objects -> Tags and select "Import VM Tag" from the main menu to select a VM Tag.  Note: only VM Tags currently applied to VMs will be imported. Upon importing and conversion of the tag to a security tag, it will automatically be applied to the same VM the vCenter tag was applied to.

Users can select a single or multiple dFW rules and/or sections to copy across Managers.

To access the Mover tool, navigate to the N&S object types of interest in your origin datasource, select a single or multiple object, and navigate to the drop-down menu and select "Copy Selected To..."

Supported objects types are listed below. 

Mover-Steps.png

* NSX Mover's analytics engine determines if dependent objects exist and will prompt the user if they wish to create the dependent objects on the destination system. Examples of objects that could have dependencies include Service Groups and Security Groups where they may be referencing other objects that do not yet exist.

 

** NSX Mover supports Security Groups for migrating dependent objects such as IPSets and Security Tags.  Logical Switches and Virtual Machines will be supported in future release.

Reporting

Administrators, Auditors and IT Managers now have access to a unified reporting fabric to gain visibility into all of the CloudControl managed domains - regardless of NSX version or location.  CloudControl now provides three report types:

 

System Reports -   Environment summary, service status and configuration details of each NSX Manager under CloudControl management are provided by a daily report or on-demand.  Difference reports that will highlight the NSX configuration differences between the latest collected inventory and service status  with the previous collections.  Users may also select custom retention intervals. The default storage policy is to retain the previous 14 days of configurations for comparison.  The maximum allowed setting is 180 days.

 

Activity Reports - Filtered real-time, system log events that can be sorted by username for insight into a user’s action over time.

 

Tenant Reports - A combination of the System and Activity reports. Data is filtered to provide insight into any given CloudControl configured tenant.  Similar to the System reports, the Tenant report provides Administrators and Auditors a configuration summary on a tenant-by-tenant basis.  Tenant reports reflect real-time information for configuration and user activity.

Workflows

CloudControl provides a central repository for CSV Configuration Files.  In addition to uploading the CSVs directly into a given workflow, users can now also reference the files stored on the ReSTNSX appliance.  Users are also able to upload multiple types and versions of files that can be re-used in workflows by multiple users.

 

Upgrading CloudControl

Upgrades to CloudControl leverage configuration export for easy migrations.  When exported, the following information is retained:

  • Local Users

  • Saved Workflows

  • Custom Wizards

  • Tenant Information

  • Data Sources

  • System Settings

  • CSV Workflow Files

  • Central CLI Favorites

 

By exporting this information, upgrades are performed in parallel to the production platform.  Once the new version of CloudControl is online, simply import the previously exported configuration file and the system is online.  Administrators can manage the same NSX environment(s) with both CloudControl versions at the same time and

Note: When both systems are online, configuration settings are not synchronized between the different versions and must be maintained separately until the old version is decommissioned.

Alternatively, CloudControl supports in-place upgrades via the user interface. 

 

For a step-by-step upgrade, please refer to the CloudControl upgrade guide.

bottom of page