Closed guptatarun1989 closed 4 years ago
Hi,
What error do you have? You didn't forget to use the -Universal parameter to create the IPSet?
PS C:\> New-NsxIPSet -Name UniversalIPSet -Description "Testing Universal" -IPAddress "1.2.3.4,1.2.3.0/24" -Universal
Creates a new Universal IP Set.
Hi alagoutte, thanks for replying. What I wanted to ask is: is there any command to create an NSX universal rule? I was googling and found this below:
Get-NsxFirewallSection $FWSection | New-NsxFirewallRule -Name $FWRuleName -Source $SourceList -Destination $DestinationList -Service $ServiceList -Action allow -AppliedTo $AppliedTo -Position bottom
My question is: "Can I use New-NsxFirewallRule to create a universal rule", or does it only work with Service Composer (or distributed firewall)?
I have tried this.
$FWSection=Get-NSXFirewallsection -name "Tarun"
$SourceList ="1.1.1.1"
$DestinationList="2.2.2.2"
$ServiceList=Get-NsxService -name "Tarun" -UniversalOnly
$AppliedTo =Get-NsxLogicalSwitch -name "Test2"
$FWRuleName ="Test90"
Get-NsxFirewallSection $FWSection | New-NsxFirewallRule -Name $FWRuleName -Source $SourceList -Destination $DestinationList -Service $ServiceList -Action allow -AppliedTo $AppliedTo -Position bottom
I don't see any rule nor any error... What am I missing?
You don't need to do Get-NsxFirewallSection twice.
You have already retrieved the firewall section and saved it as the variable $FWSection
PS C:\Users\Administrator> $FWSection=Get-NSXFirewallsection -name "Tarun"
PS C:\Users\Administrator> $FWSection
id : 434e9980-887c-4847-80dd-b7695f8b7488
name : Tarun
generationNumber : 1585523047495
timestamp : 1585523047495
managedBy : universalroot-0
tcpStrict : false
stateless : false
useSid : false
type : LAYER3
rule : rule
All you need to do now is to pass the variable along the pipeline. I removed the logical switch in the example so I could replicate easily.
PS C:\Users\Administrator> $FWSection | New-NsxFirewallRule -Name $FWRuleName -Source $SourceList -Destination $DestinationList -Service $ServiceList -Action allow -Position bottom
id : 2147483649
disabled : false
logged : false
managedBy : universalroot-0
name : Test9
action : allow
appliedToList : appliedToList
sectionId : 434e9980-887c-4847-80dd-b7695f8b7488
sources : sources
destinations : destinations
services : services
direction : inout
packetType : any
If you're going to add multiple rules into the section, you'll need to get the firewall section after every change to get the updated e-tag header.
That's why it's easier to just get the firewall section every time you add a new rule.
Get-NsxFirewallSection -Name "Tarun" | New-NsxFirewallRule -Name $FWRuleName -Source $SourceList -Destination $DestinationList -Service $ServiceList -Action allow -Position bottom
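The re-fetch-per-rule advice above, written out as a loop (an added example, not code posted by anyone in this thread). It assumes an existing Connect-NsxServer session, reuses the section and service name "Tarun" from the thread, and uses constructed rule names and addresses; the `universalroot-0` check is taken from the `managedBy` value in the output shown above.

```powershell
# Added example. Assumes Connect-NsxServer has already been run.
$SectionName = 'Tarun'                                    # universal section from the thread
$Service     = Get-NsxService -Name 'Tarun' -UniversalOnly

# Constructed sample rules; names and addresses are placeholders.
$Rules = @(
    @{ Name = 'Example-Rule-1'; Source = '1.1.1.1'; Destination = '2.2.2.2' },
    @{ Name = 'Example-Rule-2'; Source = '1.1.1.2'; Destination = '2.2.2.2' }
)

foreach ($r in $Rules) {
    # Re-read the section on every pass so the object carries the current e-tag.
    $section = Get-NsxFirewallSection -Name $SectionName

    # An empty lookup sends nothing down the pipeline: no rule and no error.
    # Fail loudly instead.
    if (-not $section) {
        throw "Firewall section '$SectionName' not found; no rule would be created."
    }

    # Universal sections report managedBy = universalroot-0 (per the output above).
    if ($section.managedBy -ne 'universalroot-0') {
        throw "Section '$SectionName' is not a universal section."
    }

    $rule = $section | New-NsxFirewallRule -Name $r.Name `
        -Source $r.Source -Destination $r.Destination `
        -Service $Service -Action allow -Position bottom

    if (-not $rule) {
        throw "Rule '$($r.Name)' was not created."
    }

    # Report what was published so it can be compared with the UI.
    '{0}: id {1}, managedBy {2}' -f $rule.name, $rule.id, $rule.managedBy
}
```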
Thanks, thanks a lot :) :) dcoghlan. This really helps. I am able to publish rules now.
Closing this case.
Team,
I am a newbie in automation, so I am seeking help here. I want to create a universal firewall rule in a universal firewall section. I came to know that I can leverage the NSX API to create a firewall rule in a universal section, but I have no idea how to automate that.
Requirement
2. Destination: Universal IP set
Applied to: Universal Logical Switch.
Is there any PowerNSX command to create a universal rule? Please help.