March 20, 2020 NSX, Scripting, Security 2 Comments

PowerNSX: missing NSX Firewall rule functionality

PowerNSX (for vSphere) is a great tool for SDN automation. I use it on a daily basis and helps me and my customers a lot! But with every good product, there is always room for improvement!

One of my customers asked me to add descriptions to existing IpSet object, add services to existing DFW firewall rules and retrieve the DFW firewall rule stats.
Unfortunately these functionalities aren’t available out of the box, with PowerNSX.
So, I’ve created these cmdlets myself (which integrate with PowerNSX) with.

I tried to add these cmdlets to the original PowerNSX github repo, but I’m running into some (permission-)issues. I already reached out to the owners of PowerNSX (but received no reaction, yet).

You can found the cmdlets here:

  • https://github.com/Datacenter-Dennisch/PowerCLI-scripts/blob/master/Add-NSXFirewallRuleService.ps1
  • https://github.com/Datacenter-Dennisch/PowerCLI-scripts/blob/master/Get-NsxFirewallRuleStats.ps1
  • https://github.com/Datacenter-Dennisch/PowerCLI-scripts/blob/master/Set-NsxIpSet.ps1

admin

You may also like

  1. NSX-T – Manager upgrade failed

    June 12, 2023

  2. PWSH script to query LogInsight for NSX-T DFW rules

    July 22, 2022

  3. NSX V2T migration issue – Load Balancer status UNKNOWN

    June 26, 2022

2 Comments

  1. z
    December 6, 2020

    Hi
    i need to apply the flowing script
    new-nsxfirewallrule -source (an existing ipset name) -destination (an existing ipset name1, an existing ipset name2….) -service ( an existing service1,service2..) -allow

    how can i do that please

    Reply
    1. vVikingNL
      December 7, 2020

      $allIpsetobj = get-nsxipset
      $dfwsection = get-nsxfirewallsection | Out-GridView -OutputMode Single -Title “select DFW section” -passtrough
      $Sourceobj = $allIpsetobj.where({$_.name -eq “ipset01” -or $_.name -eq “ipset02”}) #add as many ipset objects as needed
      $destinationobj = $allIpsetobj.where({$_.name -eq “ipset01” -or $_.name -eq “ipset02”}) #add as many ipset objects as needed
      $serviceobj = get-nsxservice | Out-GridView -OutputMode Multiple -Title “select service(s) to add”
      New-NsxFirewallRule -Section $dfwsection -Source $Sourceobj -Destination $destinationobj -Action allow -service $serviceobj

      the critical point is to get all objects into one variable.
      I use two methods:
      – using the .where method, which is good for static scripting
      – using the out-gridview cmdlet, which is goor for more dynamic implementations.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top