NSX-V Firewall rules automation with PowerNSX


Summary

Those of you who create firewall rules on a daily basis already know how tedious it is to create 20-100 FW rules by hand, and then to repeat the same task again the next day or the next week.

In that case you need to automate the process.

I want to share a simplified version of the script and function I developed for such cases. PowerNSX gives you good tools for creating NSX-V FW rules from a script. But if you already have a bunch of FW rules and don’t want to create duplicates, you have to go through all existing FW rules and check whether a rule with the same Sources, Destinations and Services already exists.

The Function “FWRuleCreate” below is the one I have been using in my PowerNSX scripts for a while. You can put this Function in your script and call it with the following parameters:

  • Firewall Section name
  • Firewall Rule name
  • List of Sources
  • List of Destinations
  • List of Services
  • List of objects you want to apply this FW rule to (the AppliedTo field, used for micro-segmentation)

Each of Sources, Destinations and Services can be a single object or a list of objects separated by commas.

If no matching FW rule exists, the new FW rule is added at the bottom of the specified FW Section.

If a FW rule with the same Sources, Destinations and Services already exists, the Function skips the creation and shows you the name of the existing rule, together with its Enabled/Disabled state.

This also works when the existing FW rule contains more Sources, Destinations or Services than requested: such a rule already covers your need, so the Function shows its name and skips the creation. Be aware of what the comparison does and does not look at: it compares objects by name only (not by object type or ID), it searches all FW Sections and not just the target one, and it ignores the rule’s Action, its AppliedTo list and any negated (“excluded”) Source or Destination. A rule with “any” as Source, Destination or Service is never treated as a match, otherwise the default rule would match everything. So check the reported rule before you rely on the skip.

You can call this Function as many times as needed from your script to create as many FW rules as required.

The script is commented, so you can follow the logic and adapt it for your purposes.

PowerNSX script

########################################
##### Create FW Rules for NSX-V    #####
##### (c) Yevgeniy Steblyanko      #####
########################################

# vCenter Server FQDN or IP
$vCenterServerName = "vcenter.local"

# Connect to NSX Manager via vCenter (prompts for credentials and also opens the PowerCLI session)
Connect-NsxServer -vCenterServer $vCenterServerName

### Defining new function "FWRuleCreate" with list of parameters
### It reads the list of existing rules from $FWRuleFullList (collected once with Get-NsxFirewallRule
### before the first call) and appends every rule it creates to that list, so repeated calls
### within one run do not create duplicates either.
Function FWRuleCreate {
  param (
    $FWSection,        # name of the FW Section the new rule goes into (must exist)
    $FWRuleName,       # name of the new FW rule
    $SourceList,       # one or more VM / IPSet / Security Group objects
    $DestinationList,  # one or more VM / IPSet / Security Group objects
    $ServiceList,      # one or more Service / Service Group objects
    $AppliedTo         # one or more objects (VMs, ESGs, Security Groups) the rule is applied to
  )
  Process {

    #### Check if FW rule already exists ###################################

    $SourceListName = $SourceList.name            #list of Sources for new FW rule
    $DestinationListName = $DestinationList.name  #list of Destinations for new FW rule
    $ServiceListName = $ServiceList.name          #list of Services for new FW rule

    $FWRuleExists = 0                             #reset FW rule existence counter
    $DuplicatedFWRuleName = ""

    # Compare by object name only. A rule matches when it contains every requested Source,
    # Destination and Service (it may contain more). Rules with "any" in one of the three
    # fields have no names to compare and therefore never match; the rule's Action,
    # AppliedTo and negated (excluded) fields are not compared.
    ForEach ($FWRule in $FWRuleFullList) {
      $FWSourceName = $FWRule.sources.source.name                 #list of Sources in FW rule
      $FWDestinationName = $FWRule.destinations.destination.name  #list of Destinations in FW rule
      $FWServiceName = $FWRule.services.service.name              #list of Services in FW rule

      # Check and compare sources
      If (-Not ($SourceListName | Where-Object {$FWSourceName -notcontains $_}) ) {
        # For the FW rules which contain all sources -> Check & compare destinations
        If (-Not ($DestinationListName | Where-Object {$FWDestinationName -notcontains $_})) {
          # For the FW rules which contain all sources & destinations -> Check & compare Services
          If (-Not ($ServiceListName | Where-Object {$FWServiceName -notcontains $_})) {
            $FWRuleExists += 1                                    # increase count if rule exists already
            # Prepare the output showing whether the existing FW rule is Disabled or Enabled
            If ($FWRule.Disabled -eq "true") { $FWRuleDisabledStatus = "Disabled" }
            Else { $FWRuleDisabledStatus = "Enabled" }
            $DuplicatedFWRuleName += $FWRule.Name + "("+$FWRuleDisabledStatus+"), "
          }
        }
      }
    }

    # Create FW rule if no existing FW rule was found
    If ($FWRuleExists -eq 0) {
      $Section = Get-NsxFirewallSection -Name $FWSection
      If (-Not $Section) { Throw "FW Section '$FWSection' not found. Create it first (New-NsxFirewallSection -Name '$FWSection')." }
      $newRule = $Section | New-NsxFirewallRule -Name $FWRuleName -Source $SourceList -Destination $DestinationList -Service $ServiceList -Action allow -AppliedTo $AppliedTo -Position bottom
      Write-Host -foregroundcolor "Yellow" "FW rule created ->" $newRule.Name
      # Remember the new rule so that a later call in the same run with the same
      # Sources/Destinations/Services is detected as a duplicate too
      $script:FWRuleFullList += $newRule
    }
    Else {
      Write-Host "Skipping FW rule creation, at least one duplicate FW rule found: " $DuplicatedFWRuleName
    }
  }
}
### Function end ###

# Here is an example of how to prepare the parameters and call the Function

# You can use VMs as Sources or Destinations
$VM_appDev_Name = "AppDevVM"
$VM_appUat_Name = "AppUatVM"
$VM_appProd_Name = "AppProdVM"
$VM_JumpHost_Name = "JumpHost01"

### You can use IpSets as Sources or Destinations
$HOST_IPSET1_Name = "IPLIST1"
$HOST_IPSET2_Name = "IPLIST2"

### You can use Security Groups as Sources or Destinations
$SG1_Name = "SG1"
$SG2_Name = "SG2"

### List of Edges if you need to apply the FW rules to specific NSX ESGs ###
$ESG1_Name = "nsx-esg1"
$ESG2_Name = "nsx-esg2"

### Which FW Section to use for new FW rules
$FWSec_Name = "New FW rules created by script"

# Collect information about VMs
$VM_appDev = Get-VM -Name $VM_appDev_Name
$VM_appUat = Get-VM -Name $VM_appUat_Name
$VM_appProd = Get-VM -Name $VM_appProd_Name
$VM_JumpHost = Get-VM -Name $VM_JumpHost_Name

# Collect information about IpSets
$HOST_IPSET1 = Get-NsxIpSet -Name $HOST_IPSET1_Name
$HOST_IPSET2 = Get-NsxIpSet -Name $HOST_IPSET2_Name

# Collect information about Security Groups
$SG1 = Get-NsxSecurityGroup -Name $SG1_Name
$SG2 = Get-NsxSecurityGroup -Name $SG2_Name

# Collect information about ESGs
$ESG1 = Get-NsxEdge -Name $ESG1_Name
$ESG2 = Get-NsxEdge -Name $ESG2_Name

# Collect information about Services
$serviceRDP = Get-NsxService -Name "RDP" -LocalOnly
$serviceHTTP = Get-NsxService -Name "HTTP" -LocalOnly
$serviceHTTPS = Get-NsxService -Name "HTTPS" -LocalOnly

# Collect information about ServiceGroups
$serviceGrpMSAD = Get-NsxServiceGroup -Name "Microsoft Active Directory" -LocalOnly

### Get all existing FW rules once (all L3 rules from all FW Sections); the Function reads this list
$FWRuleFullList = Get-NsxFirewallRule

# Specify Sources/Destinations/Services/ApplyTo and call Function
$FWRuleName1 = "FW1 - from JumpHost to Application servers by RDP and MS AD services"
$Src1 = $VM_JumpHost
$Dest1 = $VM_appDev, $VM_appUat, $VM_appProd
$Service1 = $serviceRDP, $serviceGrpMSAD
$AppliedTo1 = $ESG1, $ESG2, $VM_JumpHost, $VM_appDev, $VM_appUat, $VM_appProd
FWRuleCreate -FWSection $FWSec_Name -FWRuleName $FWRuleName1 -SourceList $Src1 -DestinationList $Dest1 -ServiceList $Service1 -AppliedTo $AppliedTo1

$FWRuleName1 = "FW2 - from IPSET1 to Application Prod servers and SG1 by HTTPS"
$Src1 = $HOST_IPSET1
$Dest1 = $VM_appProd, $SG1
$Service1 = $serviceHTTPS
$AppliedTo1 = $ESG1, $VM_appProd, $SG1
FWRuleCreate -FWSection $FWSec_Name -FWRuleName $FWRuleName1 -SourceList $Src1 -DestinationList $Dest1 -ServiceList $Service1 -AppliedTo $AppliedTo1

$FWRuleName1 = "FW3 - from IPSET2 to Application Dev/UAT servers and SG2 by HTTP/HTTPS"
$Src1 = $HOST_IPSET2
$Dest1 = $VM_appDev, $VM_appUat, $SG2
$Service1 = $serviceHTTP, $serviceHTTPS
$AppliedTo1 = $VM_appDev, $VM_appUat, $SG2
FWRuleCreate -FWSection $FWSec_Name -FWRuleName $FWRuleName1 -SourceList $Src1 -DestinationList $Dest1 -ServiceList $Service1 -AppliedTo $AppliedTo1

# Close connections to NSX Manager and vCenter.
# Disconnect-NsxServer takes no parameters. The PowerCLI session opened by Connect-NsxServer is closed
# separately; -ErrorAction SilentlyContinue keeps the script from erroring if PowerNSX already closed it.
Disconnect-NsxServer
Disconnect-VIServer -Server $vCenterServerName -Confirm:$False -ErrorAction SilentlyContinue

Write-Host -foregroundcolor "Green" "`nScript completed!"
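The "existing rule covers the request" comparison is easiest to reason about when you can run it against known rules without an NSX Manager. The block below is an added example and is not part of the original post or of PowerNSX: it rebuilds the same name-based superset comparison over constructed DFW rule XML in the shape the NSX-V API returns (sources/source/name, the excluded attribute on sources and destinations, the action element, the id and disabled attributes), and goes one step further than the script above by also requiring the rule's Action to match and by skipping negated rules. All rule names, object names and IDs are made up for the example.

```powershell
# Added example (not from the original post): exercises the "existing rule covers the
# requested Sources/Destinations/Services" comparison offline, against constructed rule XML
# in the shape the NSX-V DFW API returns. No NSX Manager connection is needed.
# Every rule name, object name and ID below is constructed for this example.

[xml]$SampleRules = @'
<rules>
  <rule id="1001" disabled="false">
    <name>Allow jump hosts to app tier</name>
    <action>allow</action>
    <sources excluded="false">
      <source><name>JumpHost01</name><type>VirtualMachine</type><value>vm-101</value></source>
      <source><name>JumpHost02</name><type>VirtualMachine</type><value>vm-102</value></source>
    </sources>
    <destinations excluded="false">
      <destination><name>AppDevVM</name><type>VirtualMachine</type><value>vm-201</value></destination>
      <destination><name>AppUatVM</name><type>VirtualMachine</type><value>vm-202</value></destination>
    </destinations>
    <services>
      <service><name>RDP</name><type>Application</type><value>application-123</value></service>
    </services>
  </rule>
  <rule id="1002" disabled="false">
    <name>Deny everything except jump host</name>
    <action>deny</action>
    <sources excluded="true">
      <source><name>JumpHost01</name><type>VirtualMachine</type><value>vm-101</value></source>
    </sources>
    <destinations excluded="false">
      <destination><name>AppDevVM</name><type>VirtualMachine</type><value>vm-201</value></destination>
    </destinations>
    <services>
      <service><name>RDP</name><type>Application</type><value>application-123</value></service>
    </services>
  </rule>
  <rule id="1003" disabled="false">
    <name>Default Rule</name>
    <action>allow</action>
  </rule>
</rules>
'@

function Find-CoveringRule {
    # Returns every rule whose Sources, Destinations and Services are a superset of the
    # requested lists, comparing by object name like the script above. Rules without a
    # <sources>/<destinations>/<services> element (the "any" case, e.g. the default rule)
    # never match. Unlike the script, the Action must match and negated rules are skipped.
    param (
        [Parameter(Mandatory)] $Rules,
        [Parameter(Mandatory)] [string[]] $SourceNames,
        [Parameter(Mandatory)] [string[]] $DestinationNames,
        [Parameter(Mandatory)] [string[]] $ServiceNames,
        [string] $Action = 'allow'
    )
    foreach ($rule in $Rules) {
        if ($rule.action -ne $Action) { continue }
        if ($rule.sources.excluded -eq 'true' -or $rule.destinations.excluded -eq 'true') { continue }

        # @() keeps single-object and missing ("any") cases as arrays for -notcontains
        $ruleSrc = @($rule.sources.source.name)
        $ruleDst = @($rule.destinations.destination.name)
        $ruleSvc = @($rule.services.service.name)

        # Anything requested that the rule does not list means the rule does not cover us
        $missingSrc = $SourceNames      | Where-Object { $ruleSrc -notcontains $_ }
        $missingDst = $DestinationNames | Where-Object { $ruleDst -notcontains $_ }
        $missingSvc = $ServiceNames     | Where-Object { $ruleSvc -notcontains $_ }

        if (-not $missingSrc -and -not $missingDst -and -not $missingSvc) {
            [pscustomobject]@{
                Id       = $rule.id
                Name     = $rule.name
                Disabled = ($rule.disabled -eq 'true')
            }
        }
    }
}

$rules = $SampleRules.rules.rule

# Request is a subset of rule 1001 -> covered, the script would skip creation
Find-CoveringRule -Rules $rules -SourceNames 'JumpHost01' -DestinationNames 'AppDevVM' -ServiceNames 'RDP'

# Same names as deny rule 1002, but that rule is negated -> not covered
Find-CoveringRule -Rules $rules -SourceNames 'JumpHost01' -DestinationNames 'AppDevVM' -ServiceNames 'RDP' -Action 'deny'

# HTTPS is in no rule -> not covered, this is the case where the script creates a new rule
Find-CoveringRule -Rules $rules -SourceNames 'JumpHost01' -DestinationNames 'AppDevVM' -ServiceNames 'RDP','HTTPS'
```

Run it in any PowerShell session. The first call returns rule 1001, the second returns nothing because the only rule with those names is a negated deny rule, and the third returns nothing because no rule lists HTTPS. To reuse the check against live data, pass the output of Get-NsxFirewallRule as -Rules.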


Yevgeniy Steblyanko

Yevgeniy Steblyanko is an Infrastructure Architect/SME with experience in virtualization area for more than 15 years. His areas of interest are VMware vSphere, vSAN, NSX, automation on PowerCLI/PowerNSX. He has VMware certifications: VCIX-DCV, VCIX-NV.


2 Comments

  1.
    Marian Rudkowski

    Your article is really very helpful! Thank you for the summary.

  2. Pingback: Firewall Rule Automation? Best 238 Answer
