Scripting: Querying NSX-v service objects by port


When using the NSX-v distributed firewall (DFW), have you ever needed to find out if a service has already been configured in the system for a particular port number?

Recently I was given a sample ruleset from a client to re-create in the DFW, and one thing that stood out was that when creating NSX firewall rules and faced with a random port number that needed to be configured for a rule, there is no easy way to find out if a service has already been configured using that port.

When you are creating a new firewall rule, and you have clicked the link to add a pre-configured service, the filter box only searches the name of the service. So if I am looking for something configured for port 8080, I can’t find it in this part of the UI and will need to go look where the services are configured.

You can however click on the New Service link, which will allow you to create a new service with whatever port you want, but then how do you know if you’re doubling up?

To try and find any services configured with port 8080, we will need to go look where the services are configured.

  • Click Networking & Security and then click NSX Managers.
  • Click an NSX Manager in the Name column and then click the Manage tab.
  • Click the Grouping Objects tab and then click Service.

In my relatively small lab, I have 386 services configured. Most of them configured out-of-the-box. So how can we find what services are configured with port 8080?

If you type 8080 into the filter box at the top right-hand side of the service window, it is next to useless, as it only searches the names of the services. As you can see, it has found the service we just created, but that's only because we put the port number in the name. So if you have the opportunity, I would include the port number somewhere in the name of every service you create going forward.

Back to my problem. At the bottom of the window you will see a binoculars icon with a search box next to it. When you type something in here it will highlight the matching text on the screen, and the annoying part is that you now have to use the scroll bars to find the highlighted items. This to me is almost unusable. With my screen resolution and number of services configured, it takes 15 clicks in the side scrollbar to run through the list to find all the services – too clicky for me.

What does one do in this situation? Write a script to do the search for me.

The script is written in Python and is hosted on GitHub here. I am not a programmer but have done my best with what I know, or what I am learning along the way. But if you know of a better way to do things, please feel free to fork it, modify it, and submit a pull request.

Make sure to read the README file as it contains the prerequisites and instructions.

Here are some examples of the script in action.

The first one is doing a basic search on port 8080. The script only searches port numbers, so it will return both UDP and TCP services.

You’ll also notice you don’t need to specify a username and you get prompted for a password. The script will default to using admin as the username, as there is always an admin username configured on the NSX Manager. If you are not using the admin account to do your REST API calls, you can use the -u flag to specify an alternate username. You also have the option of hardcoding the password in the script if you don’t want to enter it in every time you run the script.

In this second example, I’ve used the -r flag to show services where the port falls within one of the ranges configured.

See, out of the box, there are a lot of services configured with port 8080 which were not so easy to find and see in a single screen until now 🙂
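The port-matching logic described above can be sketched offline as follows. This is an added example, not the script hosted on GitHub: the XML shape (`application`, `element`, `applicationProtocol`, `value`) is assumed from the NSX-v services API, the sample data is constructed, and the hypothetical `include_ranges` argument mirrors the behaviour described for the -r flag.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed NSX-v service-list shape.
SAMPLE_XML = """<list>
  <application><objectId>application-1</objectId><name>HTTP-Alt</name>
    <element><applicationProtocol>TCP</applicationProtocol><value>8080</value></element></application>
  <application><objectId>application-2</objectId><name>Web-Multi</name>
    <element><applicationProtocol>TCP</applicationProtocol><value>80,8080,8443</value></element></application>
  <application><objectId>application-3</objectId><name>App-Range</name>
    <element><applicationProtocol>UDP</applicationProtocol><value>8000-8100</value></element></application>
  <application><objectId>application-4</objectId><name>ICMP Echo</name>
    <element><applicationProtocol>ICMP</applicationProtocol><value>echo-request</value></element></application>
  <application><objectId>application-5</objectId><name>HTTPS</name>
    <element><applicationProtocol>TCP</applicationProtocol><value>443</value></element></application>
</list>"""


def port_matches(value, port, include_ranges=False):
    """True if port appears in a value such as '8080', '80,8080' or '8000-8100'."""
    for token in (value or "").split(","):
        token = token.strip()
        if token.isdigit():
            if int(token) == port:
                return True
        elif include_ranges and "-" in token:
            low, _, high = token.partition("-")
            if low.strip().isdigit() and high.strip().isdigit():
                if int(low) <= port <= int(high):
                    return True
    return False


def find_services(xml_text, port, include_ranges=False):
    """Return (objectId, name, protocol, value) for each service using port."""
    hits = []
    for app in ET.fromstring(xml_text).iter("application"):
        elem = app.find("element")
        if elem is None:  # service object without a protocol/port element
            continue
        value = elem.findtext("value")
        if port_matches(value, port, include_ranges):
            hits.append((app.findtext("objectId"), app.findtext("name"),
                         elem.findtext("applicationProtocol"), value))
    return hits


if __name__ == "__main__":
    for hit in find_services(SAMPLE_XML, 8080, include_ranges=True):
        print(*hit, sep="\t")
```

Running the same search before creating a new service shows whether an existing object already covers the port, which keeps duplicate service objects out of the DFW ruleset.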

Stay tuned for more scripts and other interesting bits and pieces as they come up.


2 thoughts on “Scripting: Querying NSX-v service objects by port”

  • Stephen Polzin

    Hey Dale, nice article.

    While I was doing one of the HOLs during creation of a firewall rule the lab script had you create a new service name. I made a typo and was crazy that I couldn’t rename the service while still being in the same area. Took me some time to find out where I had to go in the web interface. Networking & Security->NSX Managers->Manage tab->Grouping Objects tab->Service.

    Obvious right? 🙂 Please brush up your programming and rewrite the interface for NSX 7.0 while you convert everything in vCenter from flash to HTML5 in your spare time.