Summary
Those of you who deal with FW rule creation on a daily basis already know how tedious it can be to create 20-100 FW rules, and then to repeat the same task the next day or the next week, again and again.
In that case you need to automate the process.
I want to share a simplified version of the script and function I developed for such cases. When you need to automate NSX-V FW rule creation by script, PowerNSX gives you good options for that. But if you already have a bunch of FW rules and you don't want to create duplicates, you need to check all existing FW rules and compare whether any FW rule with the same Sources, Destinations and Services already exists.
I want to share the Function "FWRuleCreate", which I created and have been using in my PowerNSX scripts for a while. You can put this Function in your script and call it with the following parameters:
- Firewall Section name
- Firewall Rule name
- List of Sources
- List of Destinations
- List of Services
- List of objects you want to ApplyTo this FW rule (used for Micro-segmentation purposes)
You can provide a single Source/Destination/Service object or a list of objects separated by commas.
If no such FW rule exists, a new FW rule is added at the end of the list of FW rules in the specified FW Section.
If an FW rule with the same Sources, Destinations and Services already exists, the Function skips the FW rule creation and shows you the name of the original FW rule.
It also works when the existing FW rule contains more Sources, Destinations or Services than requested: since such a rule already covers your need, the Function shows you its name and skips the new rule creation.
You can call this Function as many times as you need from your script to create as many FW rules as required.
The script is self-explanatory, so you can follow the logic and adapt it for your own purposes.
PowerNSX script
```powershell
########################################
#####   Create FW Rules for NSX-V  #####
#####   (c) Yevgeniy Steblyanko    #####
########################################

# vCenter Server FQDN or IP
$vCenterServerName = "vcenter.local"
Connect-NsxServer -vCenterServer $vCenterServerName

### Defining new function "FWRuleCreate" with list of parameters
Function FWRuleCreate {
    param (
        $FWSection,
        $FWRuleName,
        $SourceList,
        $DestinationList,
        $ServiceList,
        $AppliedTo
    )
    Process {
        #### Check if FW rule already exists ###################################
        # $FWRuleFullList is read from the script scope; it must be populated
        # with Get-NsxFirewallRule before the first call to this Function.
        $SourceListName      = $SourceList.name      # list of Sources for new FW rule
        $DestinationListName = $DestinationList.name # list of Destinations for new FW rule
        $ServiceListName     = $ServiceList.name     # list of Services for new FW rule
        $FWRuleExists = 0                            # reset FW rule existence counter
        $DuplicatedFWRuleName = ""
        ForEach ($FWRule in $FWRuleFullList) {
            $FWSourceName      = $FWRule.sources.source.name           # list of Sources in FW rule
            $FWDestinationName = $FWRule.destinations.destination.name # list of Destinations in FW rule
            $FWServiceName     = $FWRule.services.service.name         # list of Services in FW rule
            # Check and compare sources
            If (-Not ($SourceListName | Where-Object {$FWSourceName -notcontains $_})) {
                # For the FW rules which contain all sources -> Check & compare destinations
                If (-Not ($DestinationListName | Where-Object {$FWDestinationName -notcontains $_})) {
                    # For the FW rules which contain all sources & destinations -> Check & compare Services
                    If (-Not ($ServiceListName | Where-Object {$FWServiceName -notcontains $_})) {
                        $FWRuleExists += 1 # increase count if rule exists already
                        # Prepare the output if existing FW rule is Disabled or Enabled
                        If ($FWRule.Disabled -eq "true") {
                            $FWRuleDisabledStatus = "Disabled"
                        } Else {
                            $FWRuleDisabledStatus = "Enabled"
                        }
                        $DuplicatedFWRuleName += $FWRule.Name + "(" + $FWRuleDisabledStatus + "), "
                    }
                }
            }
        }
        # Create FW rule if no existing FW rules found
        If ($FWRuleExists -eq 0) {
            $newRule = Get-NsxFirewallSection $FWSection |
                New-NsxFirewallRule -Name $FWRuleName -Source $SourceList -Destination $DestinationList -Service $ServiceList -Action allow -AppliedTo $AppliedTo -Position bottom
            Write-Host -foregroundcolor "Yellow" "FW rule created ->" $newRule.Name
        } Else {
            Write-Host "Skipping FW rule creation, at least one duplicate FW rule found: " $DuplicatedFWRuleName
        }
    }
}
### Function end ###

# Here is an example of how to prepare the parameters and call the Function

# You can use VMs as Sources or Destinations
$VM_appDev_Name   = "AppDevVM"
$VM_appUat_Name   = "AppUatVM"
$VM_appProd_Name  = "AppProdVM"
$VM_JumpHost_Name = "JumpHost01"

### You can use IpSets as Sources or Destinations
$HOST_IPSET1_Name = "IPLIST1"
$HOST_IPSET2_Name = "IPLIST2"

### You can use Security Groups as Sources or Destinations
$SG1_Name = "SG1"
$SG2_Name = "SG2"

### List of Edges if you need to apply the FW rules to specific NSX ESGs ###
$ESG1_Name = "nsx-esg1"
$ESG2_Name = "nsx-esg2"

### Which FW Section to use for new FW rules
$FWSec_Name = "New FW rules created by script"

# Collect information about VMs
$VM_appDev   = Get-VM -Name $VM_appDev_Name
$VM_appUat   = Get-VM -Name $VM_appUat_Name
$VM_appProd  = Get-VM -Name $VM_appProd_Name
$VM_JumpHost = Get-VM -Name $VM_JumpHost_Name

# Collect information about IpSets
$HOST_IPSET1 = Get-NsxIpSet -Name $HOST_IPSET1_Name
$HOST_IPSET2 = Get-NsxIpSet -Name $HOST_IPSET2_Name

# Collect information about Security Groups
$SG1 = Get-NsxSecurityGroup -Name $SG1_Name
$SG2 = Get-NsxSecurityGroup -Name $SG2_Name

# Collect information about ESGs
$ESG1 = Get-NsxEdge -Name $ESG1_Name
$ESG2 = Get-NsxEdge -Name $ESG2_Name

# Collect information about Services
$serviceRDP   = Get-NsxService -Name "RDP"   -LocalOnly
$serviceHTTP  = Get-NsxService -Name "HTTP"  -LocalOnly
$serviceHTTPS = Get-NsxService -Name "HTTPS" -LocalOnly

# Collect information about ServiceGroups
$serviceGrpMSAD = Get-NsxServiceGroup -Name "Microsoft Active Directory" -LocalOnly

### Get all existing FW rules (read by FWRuleCreate for the duplicate check)
$FWRuleFullList = Get-NsxFirewallRule

# Specify Sources/Destinations/Services/ApplyTo and call the Function
$FWRuleName1 = "FW1 - from JumpHost to Application servers by RDP and MS AD services"
$Src1        = $VM_JumpHost
$Dest1       = $VM_appDev, $VM_appUat, $VM_appProd
$Service1    = $serviceRDP, $serviceGrpMSAD
$AppliedTo1  = $ESG1, $ESG2, $VM_JumpHost, $VM_appDev, $VM_appUat, $VM_appProd
FWRuleCreate -FWSection $FWSec_Name -FWRuleName $FWRuleName1 -SourceList $Src1 -DestinationList $Dest1 -ServiceList $Service1 -AppliedTo $AppliedTo1

$FWRuleName1 = "FW2 - from IPSET1 to Application Prod servers and SG1 by HTTPS"
$Src1        = $HOST_IPSET1
$Dest1       = $VM_appProd, $SG1
$Service1    = $serviceHTTPS
$AppliedTo1  = $ESG1, $VM_appProd, $SG1
FWRuleCreate -FWSection $FWSec_Name -FWRuleName $FWRuleName1 -SourceList $Src1 -DestinationList $Dest1 -ServiceList $Service1 -AppliedTo $AppliedTo1

$FWRuleName1 = "FW3 - from IPSET2 to Application Dev/UAT servers and SG2 by HTTP/HTTPS"
$Src1        = $HOST_IPSET2
$Dest1       = $VM_appDev, $VM_appUat, $SG2
$Service1    = $serviceHTTP, $serviceHTTPS
$AppliedTo1  = $VM_appDev, $VM_appUat, $SG2
FWRuleCreate -FWSection $FWSec_Name -FWRuleName $FWRuleName1 -SourceList $Src1 -DestinationList $Dest1 -ServiceList $Service1 -AppliedTo $AppliedTo1

# Close connections to NSX Manager and vCenter
Disconnect-NsxServer -vCenterServer $vCenterServerName
Disconnect-VIServer -Server $vCenterServerName -Confirm:$False
Write-Host -foregroundcolor "Green" "`nScript completed!"
```
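As an added example that is not part of the original script, the following PowerShell exercises the same "existing rule contains all requested members" comparison offline, against constructed rule objects shaped like the PowerNSX properties the script reads (`sources.source.name`, `destinations.destination.name`, `services.service.name`). It needs no NSX or vCenter connection. The function names `Test-ListCovered`, `Find-CoveringRules` and `New-FakeRule`, and all rule data, are constructed for this illustration. It also makes two edge cases of the comparison visible: a rule with no explicit members (NSX "any") does not count as covering, because `$null -notcontains 'x'` is true; and the comparison ignores the rule action and enabled state, so a disabled deny rule with matching members is reported as a duplicate of a planned allow rule. The output therefore prints the action next to the status, so the operator can spot that case before trusting the skip.

```powershell
# Added example: offline check of the same superset comparison used by
# FWRuleCreate, run against constructed rule objects (no NSX connection).
# Function names and sample data are constructed for this illustration.

# $true when every requested name is present in the rule's member list.
# A rule with no explicit members (NSX "any") gives $null for $InRule,
# and $null -notcontains 'x' is $true, so "any" does not count as covering.
function Test-ListCovered {
    param ([string[]]$Requested, [string[]]$InRule)
    return (-not ($Requested | Where-Object { $InRule -notcontains $_ }))
}

# Emits a description of every rule whose sources, destinations and
# services each contain the requested sets. Action and status are included
# in the output because the comparison itself ignores both.
function Find-CoveringRules {
    param ([string[]]$Sources, [string[]]$Destinations, [string[]]$Services, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $ruleSrc = $rule.sources.source.name
        $ruleDst = $rule.destinations.destination.name
        $ruleSvc = $rule.services.service.name
        if ((Test-ListCovered -Requested $Sources      -InRule $ruleSrc) -and
            (Test-ListCovered -Requested $Destinations -InRule $ruleDst) -and
            (Test-ListCovered -Requested $Services     -InRule $ruleSvc)) {
            $status = if ($rule.disabled -eq 'true') { 'Disabled' } else { 'Enabled' }
            "$($rule.name) ($status, action=$($rule.action))"
        }
    }
}

# Builds a constructed rule object with the nested shape PowerNSX exposes.
# An empty member list stays $null, which is how an "any" rule appears.
function New-FakeRule {
    param ([string]$Name, [string[]]$Src, [string[]]$Dst, [string[]]$Svc,
           [string]$Action = 'allow', [string]$Disabled = 'false')
    function ConvertTo-MemberList([string]$Tag, [string[]]$Names) {
        if (-not $Names) { return $null }
        $members = @($Names | ForEach-Object { [pscustomobject]@{ name = $_ } })
        return [pscustomobject]@{ $Tag = $members }
    }
    return [pscustomobject]@{
        name         = $Name
        action       = $Action
        disabled     = $Disabled
        sources      = ConvertTo-MemberList 'source'      $Src
        destinations = ConvertTo-MemberList 'destination' $Dst
        services     = ConvertTo-MemberList 'service'     $Svc
    }
}

# Constructed sample rule set (object names reuse the placeholders from the script above).
$rules = @(
    (New-FakeRule -Name 'FW1 - JumpHost to App servers' -Src 'JumpHost01' `
        -Dst 'AppDevVM','AppUatVM','AppProdVM' -Svc 'RDP','Microsoft Active Directory'),
    (New-FakeRule -Name 'Any to Prod HTTPS' -Src @() -Dst 'AppProdVM' -Svc 'HTTPS'),
    (New-FakeRule -Name 'Block IPLIST1 to Prod' -Src 'IPLIST1' -Dst 'AppProdVM','SG1' `
        -Svc 'HTTPS' -Action 'deny' -Disabled 'true')
)

# Request 1: a strict subset of FW1's members -> reported as covered by FW1.
Find-CoveringRules -Sources 'JumpHost01' -Destinations 'AppDevVM' -Services 'RDP' -Rules $rules

# Request 2: the "any" rule is not matched, but the disabled deny rule is,
# so an allow rule would be skipped unless the operator reviews action and status.
Find-CoveringRules -Sources 'IPLIST1' -Destinations 'AppProdVM' -Services 'HTTPS' -Rules $rules
```

Run it in any PowerShell session; the first call prints the FW1 line, the second prints only the deny rule. If that second case matters in your environment, extend the inner check in FWRuleCreate to also compare `$FWRule.action` (and optionally skip rules where `$FWRule.Disabled -eq "true"`) before counting the rule as a duplicate.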
Yevgeniy Steblyanko
Your article is really very helpful! Thank you for the summary.