VMware Cloud Community
Busted_Flush
Enthusiast

Get-ESXCLI: How to validate firewall DNS allowed IP?

I've used some borrowed code to only permit port 52 to use allowed IPs of our DNS servers.

I'd like to write something to validate those IPs are set. I just want to list the allowed IPs.

I'm getting close, but not quite there...

$esx = Get-VMHost -Name $vmhost
$esxcli = Get-Esxcli -VMHost $esx -v2
$esxcli.network.firewall.ruleset.list.invoke()

Enabled Name
------- ----
<snip>
true    dns
<snip>

$esxcli.network.firewall.ruleset.list.invoke() | where {$_.name -eq 'dns'}

Enabled Name
------- ----
true    dns

$esxcli.network.firewall.ruleset.list('dns')

Method invocation failed because [VMware.VimAutomation.ViCore.Impl.V1.EsxCli.EsxCliElementImpl] does not contain a method named 'list'.
At line:1 char:1
+ $esxcli.network.firewall.ruleset.list('dns')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (list:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Accepted Solutions
LucD
Leadership

Try with

$esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid='dns'})

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

7 Replies
LucD
Leadership

You are using the V2 switch; the calls to esxcli have changed slightly for V2.

See "PowerCLI 6.3 R1: Get-ESXCLI Why the V2?" for more on that.

You should do

$esx = Get-VMHost -Name $vmhost
$esxcli = Get-Esxcli -VMHost $esx -v2
$esxcli.network.firewall.ruleset.list.invoke()
$esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = 'dns' })

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

dtaliafe
Hot Shot

Try this to list allowed IPs for all rulesets:

$esxcli.network.firewall.ruleset.allowedip.list()

And for only DNS:

$esxcli.network.firewall.ruleset.allowedip.list() | where {$_.ruleset -eq 'dns'}

Busted_Flush
Enthusiast

dtaliafe: Thanks. When I try it, I get a familiar error, one I'm getting a lot while trying to figure this out...

Method invocation failed because [VMware.VimAutomation.ViCore.Impl.V1.EsxCli.EsxCliElementImpl] does not contain a method named 'list'.
At line:3 char:1
+ $esxcli.network.firewall.ruleset.allowedip.list() | where {$_.ruleset ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (list:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

LucD
Leadership

I explained the V2 impact in my answer.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Busted_Flush
Enthusiast

LucD,

I get:

Enabled     Name
------     ----
dns     true

Which is good, but already known. I'm trying to get the 'Allow Any' bool value (which I hope is $false) and also the allowed IPs.

Busted_Flush
Enthusiast

Sorry I didn't get to update this before now; I got pulled into something else, but this did the trick:

$esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid='dns'})

Thank you, LucD.
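As an added example that is not part of this thread, the following PowerCLI script turns the accepted answer into a per-host compliance check: it reads the `dns` ruleset state and its allowed-IP list with the V2 `Invoke()` calls shown above, then reports hosts where AllowedAll is not false or where the allowed IPs differ from the expected DNS servers. It assumes an existing `Connect-VIServer` session, placeholder values for `$ClusterName` and `$ExpectedDns`, and that the returned objects expose the `Enabled`, `AllowedAll` and `AllowedIPAddresses` properties (names taken from esxcli's output columns).

```powershell
# Added example, not from the thread. Placeholders: replace with your own values.
$ClusterName = 'CLUSTER-PLACEHOLDER'
$ExpectedDns = @('192.0.2.10', '192.0.2.11')   # constructed documentation addresses

$results = foreach ($esx in Get-Cluster -Name $ClusterName | Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $esx -V2

    # Ruleset enable state (same V2 call as in the thread)
    $ruleset = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = 'dns'})

    # AllowedAll flag plus the configured allowed IP list (accepted answer's call)
    $allowed = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid = 'dns'})

    # AllowedIPAddresses may come back as an array or as one comma-separated
    # string (assumption); normalise to a trimmed list of non-empty entries
    $ips = @($allowed.AllowedIPAddresses) |
        ForEach-Object { "$_" -split ',' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    $missing = @($ExpectedDns | Where-Object { $_ -notin $ips })
    $extra   = @($ips | Where-Object { $_ -notin $ExpectedDns })

    # esxcli values arrive as strings ('true'/'false'), so compare as strings
    $compliant = ([string]$ruleset.Enabled -eq 'true') -and
                 ([string]$allowed.AllowedAll -eq 'false') -and
                 ($missing.Count -eq 0) -and ($extra.Count -eq 0)

    [PSCustomObject]@{
        VMHost     = $esx.Name
        Enabled    = $ruleset.Enabled
        AllowedAll = $allowed.AllowedAll
        AllowedIPs = ($ips -join ', ')
        Missing    = ($missing -join ', ')
        Unexpected = ($extra -join ', ')
        Compliant  = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-compliant hosts: DNS open to any source, or allowed list drifted
$results | Where-Object { -not $_.Compliant }
```

A host shows as non-compliant if the ruleset is disabled, AllowedAll is true, or any expected DNS IP is absent or an unexpected one is present; the `Missing` and `Unexpected` columns say which.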