vmware-archive / powernsx

PowerShell module that abstracts the VMware NSX-v API to a set of easily used PowerShell functions

how to define multiple service in firewall rule for nsx edge firewall #635

Open sheetjai opened 3 years ago

sheetjai commented 3 years ago

Trying to add multiple services (SSH, HTTP, HTTPS, RDP) to a firewall rule. Getting the error below. Any suggestion?

C:\Users\SheetalJain> $serviceRDP = Get-NsxService -Name "RDP"
C:\Users\SheetalJain> $serviceHTTP = Get-NsxService -Name "HTTP"
C:\Users\SheetalJain> $serviceHTTPS = Get-NsxService -Name "HTTPS"
C:\Users\SheetalJain> $serviceSSH = Get-NsxService -Name "SSH"
C:\Users\SheetalJain> $service = $serviceHTTP, $serviceHTTPS, $serviceRDP, $serviceSSH
C:\Users\SheetalJain> Get-NsxEdge customer-nsx-edge | Get-NsxEdgeFirewall | New-NsxEdgeFirewallRule -name "testrule0" -source "1.2.3.4" -destination "1.2.3.4" -service $service -action accept

invoke-nsxwebrequest : Invoke-NsxWebRequest : The NSX API response received indicates a failure. 400 : Bad Request : Response Body:
{"errors":[
  {"errorCode":12009,"details":"[Firewall] Invalid groupingObjectId application-93 application-f5553a5e-bfe9-45a3-a768-ed6d432ddb71. This object does not exist or is not available for NSX Edge edge-3.","rootCauseString":null,"moduleName":"vShield Edge","errorData":null},
  {"errorCode":12009,"details":"[Firewall] Invalid groupingObjectId application-105 application-c7d6f2bd-1c96-439b-9fe7-d987ec5ee062. This object does not exist or is not available for NSX Edge edge-3.","rootCauseString":null,"moduleName":"vShield Edge","errorData":null},
  {"errorCode":12009,"details":"[Firewall] Invalid groupingObjectId application-54 application-dbcb5f40-4f07-4e12-8b8d-1de678d6cc71. This object does not exist or is not available for NSX Edge edge-3.","rootCauseString":null,"moduleName":"vShield Edge","errorData":null},
  {"errorCode":12009,"details":"[Firewall] Invalid groupingObjectId application-247 application-af0f13e5-5a03-4d69-b814-0e24a6a32d5a. This object does not exist or is not available for NSX Edge edge-3.","rootCauseString":null,"moduleName":"vShield Edge","errorData":null}
]}
At C:\Users\SheetalJain\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:14170 char:21

The property 'Headers' cannot be found on this object. Verify that the property exists.
At C:\Users\SheetalJain\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:14172 char:9

invoke-nsxwebrequest : Invoke-NsxWebRequest : The NSX API response received indicates a failure. 405 : Method Not Allowed : Response Body:
<!doctype html>
HTTP Status 405 – Method Not Allowed
Type Status Report
Message Request method 'GET' not supported
Description The method received in the request-line is known by the origin server but not supported by the target resource.
<hr class="line" />
At C:\Users\SheetalJain\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:14174 char:21

The property 'content' cannot be found on this object. Verify that the property exists.
At C:\Users\SheetalJain\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:14175 char:9

The property 'firewallRule' cannot be found on this object. Verify that the property exists.
At C:\Users\SheetalJain\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:14176 char:9

The property 'firewallRule' cannot be found on this object. Verify that the property exists.
At C:\Users\SheetalJain\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:14177 char:9

dcoghlan commented 3 years ago

The error is due to the fact that when you are doing Get-NSXService -Name "RDP" it's actually returning both the global and universal service objects. And you cannot use a universal object on an Edge.

You can see the universal object ID in this part of the message: application-105 application-c7d6f2bd-1c96-439b-9fe7-d987ec5ee062. This object does not exist or is not available for NSX Edge edge-3.

You need to make it so that your service variables only contain the global objects and NOT the universal objects.

$localServices = Get-NsxService -LocalOnly
$serviceRDP = $localServices | Where-Object {$_.name -eq "RDP"}
$serviceHTTP = $localServices | Where-Object {$_.name -eq "HTTP"}
$serviceHTTPS = $localServices | Where-Object {$_.name -eq "HTTPS"}
$serviceSSH = $localServices | Where-Object {$_.name -eq "SSH"}
$service = $serviceHTTP, $serviceHTTPS, $serviceRDP, $serviceSSH

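The filtering above works, but four separate Where-Object lines silently produce $null when a name does not match (which is exactly what the next reply in this thread runs into). The following is an added example, not code from the thread or the PowerNSX project: it wraps the same Get-NsxService -LocalOnly approach in a function that resolves a list of names and fails before anything is sent to the Edge if a name is missing, ambiguous, or still resolves to a universal object. It assumes the objects returned by Get-NsxService expose name, objectId and isUniversal properties (as PowerNSX's XML-backed objects do) and that the Edge name and addresses are the ones from the question.

```powershell
# Added example, not code from the thread or the PowerNSX project.
# Resolves service names to local (globalroot-0) NSX service objects only and
# fails before anything is sent to the Edge if a name is missing, ambiguous,
# or resolves to a universal object (which the Edge rejects with error 12009).
# Assumptions: Get-NsxService -LocalOnly returns objects exposing .name,
# .objectId and .isUniversal, as PowerNSX's XML-backed objects do.
function Resolve-LocalNsxService {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string[]]$Name
    )

    # One API call, then client-side filtering, as in the answer above.
    $localServices = @(Get-NsxService -LocalOnly)

    foreach ($serviceName in $Name) {
        # Exact (case-insensitive) name match; @() so .Count works for 0 or 1 hits.
        $found = @($localServices | Where-Object { $_.name -eq $serviceName })

        if ($found.Count -eq 0) {
            throw "No local (globalroot-0) service named '$serviceName' was found."
        }
        if ($found.Count -gt 1) {
            $ids = $found | ForEach-Object { $_.objectId }
            throw "Service name '$serviceName' is ambiguous: $($ids -join ', ')"
        }

        $svc = $found[0]
        # Local services have numeric ids (application-105); universal ones carry a
        # UUID suffix and isUniversal = "true". Refuse the latter up front.
        if ($svc.isUniversal -eq 'true' -or $svc.objectId -notmatch '^application-\d+$') {
            throw "Service '$serviceName' ($($svc.objectId)) is universal and cannot be used on an Edge."
        }

        $svc   # emit the validated object to the pipeline
    }
}

# Usage: the rule is only attempted once every service has been validated.
$service = @(Resolve-LocalNsxService -Name 'HTTP', 'HTTPS', 'RDP', 'SSH')
Get-NsxEdge customer-nsx-edge | Get-NsxEdgeFirewall |
    New-NsxEdgeFirewallRule -Name 'testrule0' -Source '1.2.3.4' -Destination '1.2.3.4' -Service $service -Action accept
```

Because every failure is a thrown error rather than an empty variable, a typo in a service name (or a copy-paste that mangles `$_`) stops the script at the resolution step instead of surfacing later as "The argument is null" on the -Service parameter.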
sheetjai commented 3 years ago

I tried running the command you suggested, and it looks like it's not taking the service.

C:\Users\SheetalJain> $serviceRDP = $localServices | Where-Object {$.name -eq "RDP"}
C:\Users\SheetalJain> $serviceHTTP = $localServices | Where-Object {$.name -eq "HTTP"}
C:\Users\SheetalJain> $serviceHTTPS = $localServices | Where-Object {$.name -eq "HTTPS"}
C:\Users\SheetalJain> $serviceSSH = $localServices | Where-Object {$.name -eq "SSH"}
C:\Users\SheetalJain> $service = $serviceHTTP, $serviceHTTPS, $serviceRDP, $serviceSSH
C:\Users\SheetalJain> Get-NsxEdge customer-nsx-edge | Get-NsxEdgeFirewall | New-NsxEdgeFirewallRule -name "testrule0" -source "1.2.3.4" -destination "1.2.3.4" -service $service -action accept
New-NsxEdgeFirewallRule : Cannot validate argument on parameter 'Service'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:1 char:147
+ ... 0" -source "1.2.3.4" -destination "1.2.3.4" -service $service -action ...
+                                                          ~~~~
    + CategoryInfo          : InvalidData: (:) [New-NsxEdgeFirewallRule], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,New-NsxEdgeFirewallRule

C:\Users\SheetalJain> $service
C:\Users\SheetalJain> $serviceSSH = $localServices | Where-Object {$.name -eq "SSH"}
C:\Users\SheetalJain> $serviceSSH
C:\Users\SheetalJain> $serviceRDP
C:\Users\SheetalJain> $serviceRDP = $localServices | Where-Object {$.name -eq "RDP"}
C:\Users\SheetalJain> $serviceRDP
C:\Users\SheetalJain>

dcoghlan commented 3 years ago

You need to break it down, and figure out which command is not working.

Do you see all the services from globalroot-0 when you run the following?

$localServices = Get-NsxService -LocalOnly
$localServices

And then what do you see when you do the following?

$localServices | Where-Object {$_.name -eq "RDP"}

sheetjai commented 3 years ago

Great!! It worked.

One more clarification: how can I create a new service at the edge level only, say TCP port 50000?

dcoghlan commented 3 years ago

When creating a service, you need to supply a scope of the edge-id.

New-NsxService -Name TestService -Description "Test creation of a service" -Protocol TCP -port 50000 -scopeid edge-5

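The one-liner above creates the service every time it runs, so a script that is re-run will accumulate duplicate edge-scoped services with the same name. The following is an added example, not code from the thread or the PowerNSX project: it looks for an existing service of that name in the Edge's own scope first, creates it only if absent, and then uses it in a rule. It assumes Get-NsxService accepts a -scopeId parameter (the module reads /api/2.0/services/application/scope/<scopeId>), that New-NsxService returns the created object, and that the object returned by Get-NsxEdge exposes the edge id as its id property; the rule name and addresses are made up for the example.

```powershell
# Added example, not code from the thread or the PowerNSX project.
# Creates a TCP/50000 service scoped to one Edge only if no service of that
# name already exists in that scope, so re-running a build script does not
# pile up duplicate edge-scoped services.
# Assumptions: Get-NsxService accepts -scopeId (the module reads
# /api/2.0/services/application/scope/<scopeId>), New-NsxService returns the
# created object, and Get-NsxEdge objects expose the edge id as .id.
function Get-OrNewEdgeNsxService {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [string]$Name,
        [Parameter(Mandatory = $true)] [ValidateSet('TCP', 'UDP')] [string]$Protocol,
        [Parameter(Mandatory = $true)] [string]$Port,
        [Parameter(Mandatory = $true)] [ValidatePattern('^edge-\d+$')] [string]$EdgeId,
        [string]$Description = ''
    )

    # Look only in the Edge's own scope; globalroot-0 and universal objects are
    # deliberately not consulted here.
    $existing = @(Get-NsxService -scopeId $EdgeId | Where-Object { $_.name -eq $Name })

    if ($existing.Count -gt 1) {
        throw "More than one service named '$Name' exists on $EdgeId; clean up before continuing."
    }
    if ($existing.Count -eq 1) {
        Write-Verbose "Reusing existing service $($existing[0].objectId) on $EdgeId"
        return $existing[0]
    }

    Write-Verbose "Creating service '$Name' ($Protocol/$Port) scoped to $EdgeId"
    New-NsxService -Name $Name -Description $Description -Protocol $Protocol -port $Port -scopeId $EdgeId
}

# Usage: derive the scope from the Edge object rather than hard-coding edge-5.
$edge = Get-NsxEdge customer-nsx-edge
$svc  = Get-OrNewEdgeNsxService -Name 'TCP-50000' -Protocol TCP -Port '50000' -EdgeId $edge.id -Verbose
$edge | Get-NsxEdgeFirewall |
    New-NsxEdgeFirewallRule -Name 'allow-50000' -Source '1.2.3.4' -Destination '1.2.3.4' -Service $svc -Action accept
```

Scoping the service to the Edge keeps it out of globalroot-0, so it cannot be picked up by a later Get-NsxService -LocalOnly call for a different Edge; the ValidatePattern on -EdgeId catches the common mistake of passing the Edge name instead of its edge-N id.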
sheetjai commented 3 years ago

Thank you, it worked.