vmware-archive / powernsx

PowerShell module that abstracts the VMware NSX-v API to a set of easily used PowerShell functions

Get all Firewall rules that contain a certain Security Group. #652

Closed rischiboy closed 3 years ago

rischiboy commented 3 years ago

Hey guys.

To update the "AppliedTo" field of the Firewall rules, I need to know which rules are affected when a Security Group is modified. There is no function that lets me do this query. I know for a fact that a mapping between Security Groups and the Firewall rules exists, because on deletion of a security group (without the force flag), an error is thrown in which all the Firewall rules are listed that contain the security group to be deleted.

A similar function called "Get-NsxApplicableFwRule" exists, where given a Security Group returns all the FW rules, but the problem is that there are no securityactions defined for my security groups (which is intended).

It would be much appreciated, if someone could assist me solving this problem.

Thanks, Rishi

dcoghlan commented 3 years ago

Finding all rules where a security group is directly referenced can be done quite easily with XPath:

```powershell
# Pull the whole DFW config (all sections) and search it once with XPath
$uri = "/api/4.0/firewall/globalroot-0/config"
$response = Invoke-NsxWebRequest -URI $uri -Method GET
[xml]$dfwConfig = $response.content
# Match any rule whose sources or destinations contain the group's objectId
$nodes = Invoke-XpathQuery -QueryMethod SelectNodes -Node $dfwConfig -query "//rule[sources/source/value='securitygroup-16430' or destinations/destination/value='securitygroup-16430']"
$nodes
```

Just replace securitygroup-16430 with the objectId of whatever object you're looking for.

The problem you're going to have is when the group you have just modified is not directly referenced in a rule, but it may be nested in another group, and it's these parent groups that can be used in rules. This requires that you have a complete understanding of all the group's ancestors, as these will all be affected, and in turn any rules that reference the ancestors too. Again, this can be figured out by using XPath queries if the membership is done by regular includes, but if you have exclude members or dynamic criteria that reference the groups, then it gets a lot harder to figure this out.

rischiboy commented 3 years ago

Hi Dale,

Thanks for the fast reply. This really solved my problem. And regarding your comment, I only use includes to add members to the security groups. Is there an easier way to figure out whether a security group is contained in another security group than going through all of them and checking each of their members?

Cheers, Rishi

dcoghlan commented 3 years ago

Is there an easier way to figure out whether a security group is contained in another security group than going through all of them and checking each of their members?

Easier than this???

```powershell
# Every security group whose static member list contains the given group
Get-NsxSecurityGroup | Where-Object {$_.member.objectId -eq 'securitygroup-16430'}
```

And then when you get the results from the command above, you need to use the results to search all the security groups that contain the security groups in the results. Rinse and repeat until there are no more found.
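Putting the two answers together, as an added example (not code from this thread or from the PowerNSX project): walk the static parent-group chain until nothing new turns up, then run one XPath query over the DFW config for the group and all of its ancestors. It assumes an existing `Connect-NsxServer` session, only static `member` includes (excludeMember and dynamic criteria are not evaluated, as Dale notes), and that the rule XML exposes `appliedToList/appliedTo/value`, which is assumed here to extend the query to the AppliedTo field the original question cares about.

```powershell
# Added example, not part of the thread or of PowerNSX itself.
function Get-NsxRulesReferencingGroup {
    param(
        [Parameter(Mandatory = $true)][string]$SecurityGroupId  # e.g. securitygroup-16430
    )

    # Build the child -> parents map once, so each expansion round is a
    # hashtable lookup rather than another call to Get-NsxSecurityGroup.
    $parents = @{}
    foreach ($sg in Get-NsxSecurityGroup) {
        foreach ($m in $sg.SelectNodes('member')) {
            if ($m.objectId -like 'securitygroup-*') {
                if (-not $parents.ContainsKey($m.objectId)) { $parents[$m.objectId] = @() }
                $parents[$m.objectId] += $sg.objectId
            }
        }
    }

    # "Rinse and repeat": expand ancestors until no new group appears.
    # The seen set also stops an accidental membership cycle from looping.
    $seen = @{}
    $seen[$SecurityGroupId] = $true
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($SecurityGroupId)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if (-not $parents.ContainsKey($current)) { continue }
        foreach ($p in $parents[$current]) {
            if (-not $seen.ContainsKey($p)) { $seen[$p] = $true; $queue.Enqueue($p) }
        }
    }

    # One XPath predicate covering the whole ancestor set, in sources,
    # destinations and (assumed path) the appliedTo list.
    $conditions = foreach ($id in $seen.Keys) {
        "sources/source/value='$id' or destinations/destination/value='$id' or appliedToList/appliedTo/value='$id'"
    }
    $xpath = "//rule[" + ($conditions -join ' or ') + "]"

    $response = Invoke-NsxWebRequest -URI "/api/4.0/firewall/globalroot-0/config" -Method GET
    [xml]$dfwConfig = $response.content
    $rules = Invoke-XpathQuery -QueryMethod SelectNodes -Node $dfwConfig -query $xpath

    [pscustomobject]@{
        Groups = @($seen.Keys)   # the group plus every static ancestor found
        Rules  = @($rules)       # matching <rule> nodes from all DFW sections
    }
}
```

Run it as `Get-NsxRulesReferencingGroup -SecurityGroupId 'securitygroup-16430'` and inspect `.Groups` to confirm the ancestor chain matches what you expect before touching any AppliedTo fields.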

rischiboy commented 3 years ago

Great. Thanks for the suggestions.