VMware Cloud Community
Vimal348 (Enthusiast)

Adding a new firewall rule on each ESX host

Hello,

Can someone please help me with this:
We have almost 400 ESX hosts sitting in multiple vCenters. As part of the syslog configuration we have to add a new rule on each ESX host, since we are using a different port for its communication as per the syslog team. Some of the ESX hosts already have that firewall rule created, but many of them are missing it.

I have the ESX host names (FQDN) that require the new firewall rule in one notepad file. Let's say the notepad file name is 'ESXhostName' and its location is D:\ESX

To create the new firewall rule on an ESX host, I have copied the firewall XML file (let's say its name is 'CompanyFirewall') to my local drive: D:\File\CompanyFirewall.xml

This is the XML file:

<!-- ESXi only loads a rule file from /etc/vmware/firewall when the service element is wrapped in ConfigRoot -->
<ConfigRoot>
  <service id="0032">
    <id>concast backport</id>
    <rule id="0000">
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>2004</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Task:

Adding this XML file to each ESX host by hand is time consuming, so can someone please help me create a script that will:

> Get the ESX hosts from that notepad file, and

> log in with root credentials, and

> copy the XML file from my local drive to the ESX host's firewall location, /etc/vmware/firewall (not sure how this is possible), and

> refresh the firewall on each ESX host (we may need to modify this command as per the script).

I got the below commands for refreshing the firewall from this link: vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall | vGee...

$esxcli = Get-EsxCli -VMHost esxi002.vcloud-lab.com -V2
$esxcli.network.firewall.refresh.Invoke()

> Disconnect the host from the session

> Get the next host from the notepad file and do the same task again

46 Replies

Vimal348 (Enthusiast)

LucD, your script works like a charm!!! Thank you for that.

I have enabled SSH and removed the value '$true' from the second AcceptKey. Now I can see it is working.

But instead of enabling/disabling SSH manually, can we add a command to do that?

Also, if the file is copied to the ESX host, can we get it displayed as something like 'Firewall xml file is copied for <that esx host>', and if it is not copied (due to an incorrect password or some other issue), can we get it displayed as something like 'Firewall xml file is not copied for <that esx host>'?

I tried to add that but am getting this error:

[screenshot]

LucD (Leadership)

Try something like this

$user = 'root'
$pswd = 'VMware1!'   # placeholder password from the post

$cred = New-Object -TypeName pscredential -ArgumentList $user,(ConvertTo-SecureString -String $pswd -AsPlainText -Force)

Get-Content -Path .\names.txt -PipelineVariable esxFQDN |
ForEach-Object -Process {
    # Enable SSH on the host only for the duration of the copy (needs a Connect-VIServer to the vCenter first)
    $sshStatus = Get-VMHost -Name $esxFQDN | Get-VMHostService | where{$_.Label -eq 'SSH'}
    if(-not $sshStatus.Running){
        Start-VMHostService -HostService $sshStatus -Confirm:$false
    }
    try{
        # Posh-SSH: -AcceptKey trusts the host's SSH key on first connection
        Set-SCPFile -ComputerName $esxFQDN -Credential $cred -RemotePath '/etc/vmware/firewall/service.xml' -LocalFile 'D:\File\CompanyFirewall.xml' -AcceptKey -ErrorAction Stop
        Write-Output "FW xml file copied to $esxFQDN"
    }
    catch{
        Write-Output "FW xml file not copied to $esxFQDN"
    }
    try{
        $session = New-SSHSession -ComputerName $esxFQDN -Credential $cred -AcceptKey -ErrorAction Stop
        # Reload the rule files so the new ruleset becomes active
        Invoke-SSHCommand -SSHSession $session -Command 'esxcli network firewall refresh'
        Remove-SSHSession -SSHSession $session | Out-Null
    }
    catch{
        Write-Output "SSH session to $esxFQDN failed"
    }
    # Put SSH back the way it was before the script ran
    if(-not $sshStatus.Running){
        Stop-VMHostService -HostService $sshStatus -Confirm:$false
    }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
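Since the original post says some of the 400 hosts already carry the rule and others do not, the following added PowerShell example (not part of LucD's script or the thread) audits the host list for the ruleset defined by the XML's <id> element and reports which hosts still need the file pushed; it assumes Connect-VIServer has already been run against every vCenter involved and that the host list is D:\ESX\ESXhostName.txt.

```powershell
# Added example, not from the thread: audit connected ESXi hosts for the
# 'concast backport' ruleset and list the hosts that still lack it.
# Assumes Connect-VIServer was run against every vCenter owning a listed host.
$rulesetName = 'concast backport'        # the <id> element of the service in the XML
$hostFile    = 'D:\ESX\ESXhostName.txt'  # host list from the post (.txt extension assumed)

function Test-FirewallRuleset {
    param(
        [Parameter(Mandatory)][string]$VMHostName,
        [Parameter(Mandatory)][string]$Ruleset
    )
    $vmhost = Get-VMHost -Name $VMHostName -ErrorAction Stop
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    # Re-read the XML files in /etc/vmware/firewall so a just-copied file is seen
    $esxcli.network.firewall.refresh.Invoke() | Out-Null
    $rule = $esxcli.network.firewall.ruleset.list.Invoke() |
        Where-Object { $_.Name -eq $Ruleset }
    # esxcli returns Enabled as the string 'true'/'false'; [bool]'false' would be $true
    [pscustomobject]@{
        VMHost  = $vmhost.Name
        Present = [bool]$rule
        Enabled = ("$($rule.Enabled)" -eq 'true')
        Error   = $null
    }
}

$report = foreach ($name in Get-Content -Path $hostFile) {
    try {
        Test-FirewallRuleset -VMHostName $name -Ruleset $rulesetName
    }
    catch {
        # Typical causes: host is not in any connected vCenter, or the esxcli call failed
        [pscustomobject]@{
            VMHost = $name; Present = $false; Enabled = $false
            Error  = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
# Hosts that still need the XML pushed; feed this list back into the copy script
$report | Where-Object { -not $_.Present } | Select-Object -ExpandProperty VMHost
```

Running the same check after the copy script gives an independent confirmation that the rule is loaded, rather than relying on the cmdlet not raising an error.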

LucD (Leadership)

You moved the opening curly brace of the script block after -Process to a new line; that will not work.

Copy my snippet, that was correct.


Vimal348 (Enthusiast)

I just copy-pasted your script as it is now.

This is what I am getting:
[screenshot]

LucD (Leadership)

Is PowerCLI installed?


LucD (Leadership)

And it seems you didn't do a Connect-VIServer before running the script.


Vimal348 (Enthusiast)

Also I ran the below command and got this result:

if(-not (Get-Module VMware.VimAutomation.Core)){
   Import-Module VMware.VimAutomation.Core -ErrorAction SilentlyContinue
}
if(-not (Get-Module VMware.VimAutomation.Vds)){
   Import-Module VMware.VimAutomation.Vds -ErrorAction SilentlyContinue
}

[screenshot]

Yes, I see PowerCLI on my system:

[screenshot]

Vimal348 (Enthusiast)

Can you please tell me where I can put that Connect-VIServer command?

I just copy-pasted your command.

LucD (Leadership)

What version of PowerCLI is that?

Looks old.

Can you try to upgrade?

See Welcome PowerCLI to the PowerShell Gallery – Install Process Updates


Vimal348 (Enthusiast)

Thank you for that.

I have installed the new version of PowerCLI:
[screenshot]

But I am not sure how to open it: [screenshot]

Unable to search for it.

I believe it is included in PowerShell and cannot be opened separately.

Anyway, since you helped me install the latest version, how do I get that script to work?

[screenshot]

LucD (Leadership)

That is correct, start a PowerShell session.

Then do a Connect-VIServer to your vCenter.

When completed, run the script.


Vimal348 (Enthusiast)

Ok. But like I mentioned earlier, the ESX hosts in that txt file are sitting in different vCenters.

In this case do I need to connect to all the vCenters one by one?

Your first script is perfect: it is pulling all the ESX hosts from that txt file, connecting with their root credentials and then updating the firewall XML file in that location.

My new query was how to start/stop SSH from the script and get information on whether the XML file was copied or not.

Is this possible without connecting to the vCenter?

LucD (Leadership)

Yes, you will need to connect to all vCenters.

No, to stop/start the SSH server the script needs the Connect-VIServer and the PowerCLI cmdlets.


Vimal348 (Enthusiast)

Thank you very much. That's really helpful information.

I tried connecting to the vCenter and ran the script, and it ran, but the file didn't copy. I think SSH didn't start.

[screenshot]

LucD (Leadership)

SSH was started and stopped as you can see in the Running property.

There could be other reasons the SCP didn't work.

You would need to check the logs on the ESXi node.


Vimal348 (Enthusiast)

I am able to copy the file using your first script after starting SSH.

But I am unable to copy it using the second script. So do you think we have to adjust the script?

LucD (Leadership)

The 2nd script starts/stops SSH as well (see the changed Running status).

With the 1st script, you don't need PowerCLI, with the 2nd script you do need PowerCLI.

I can't really debug the issues in your environment from where I'm sitting.


Vimal348 (Enthusiast)

I got the fix from your first script.

I changed the first -AcceptKey value to $true and it worked.

[screenshot]

Now I changed the ESX host password to an incorrect password and tried again. The file is not copied, but I am getting the message that it is copied. Also seeing that the SSH session to the host failed in both cases.

[screenshot]
