Hi.
Any help is appreciated here.
Goal:
Enable the SSH firewall rule so that SSH is allowed from certain IPs only.
$VMHost=Get-VMHost -Name xxx
$esxcli = Get-Esxcli -VMHost $VMHost -V2
$rule = @{
enabled = $true
allowedall = $false
rulesetid = 'sshServer'
}
$esxcli.network.firewall.ruleset.set.Invoke($rule)
# ## Everything up to here is OK
## Add the allowed IP list ## the call below gives an error
$rule = @{
enabled = $true
allowedip = 'xxx'
rulesetid = 'sshServer'
}
$esxcli.network.firewall.ruleset.set.Invoke($rule)
LucD, the above is part of your code from another thread, but I could not apply it with more tuning.
thanks
I'm not sure where you got that code from, but that is not the command to add an IP address.
It should be something like this
$rule = @{
enabled = $true
allowedall = $false
rulesetid = 'sshServer'
}
$esxcli.network.firewall.ruleset.set.Invoke($rule)
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.1'
}
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Can you share the error?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Only the last line gives an error:
$esxcli.network.firewall.ruleset.set.Invoke($rule)
Index (zero based) must be greater than or equal to zero and less than the size of the argument list.
At line:1 char:1
+ $esxcli.network.firewall.ruleset.set.Invoke($rule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], FormatException
+ FullyQualifiedErrorId : System.FormatException
LucD, thanks, it works for a single IP.
I get the error below when I tried to use a comma-separated list of IPs. Any suggestions, please?
Message: EsxCLI.CLIFault.summary;
InnerText: Invalid IP Address StringEsxCLI.CLIFault.summary
At line:1 char:1
+ $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], MethodFault
+ FullyQualifiedErrorId : VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.MethodFault
How did you assign the multiple IP addresses to the variable $ip?
The command only allows a single or a range of IP addresses.
For multiple single IP addresses, you have to call the method for each IP address.
This is for a range.
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.1/24'
}
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD That helped thanks
Hi,
For me it is working for only one IP.
How can I add multiple IPs?
Thanks
By repeating the call for each IP address.
That is done exactly the same as with the esxcli command itself, see Manage the ESXi Firewall (vmware.com)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
Many thanks for your help.
How can I apply this to the entire cluster/vCenter in one go?
Thanks
Uday
Just use a Foreach-Object loop
$rule = @{
enabled = $true
allowedall = $false
rulesetid = 'sshServer'
}
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.1'
}
Get-Cluster | Get-VMHost |
ForEach-Object -Process {
$esxcli = Get-Esxcli -VMHost $_ -V2   # -V2 is required for the hashtable/Invoke() syntax used below
$esxcli.network.firewall.ruleset.set.Invoke($rule)
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
}
Leave out the Get-Cluster if you want to do this for all ESXi nodes.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
In the command below, how can I allow multiple IP addresses in one go?
$cluster = "<clusterName>"
$ip = "192.168.1.1"
foreach($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort Name)){
write-host "Configuring SSH on host: $($vmHost.Name)" -fore Yellow
if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Policy -ne "on"){
Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
Get-VMHostService -VMHost $vmHost | where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy "On" -Confirm:$false -ea 1 | Out-null
}
if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Running -ne $true){
Write-Host "Starting SSH service on $($vmHost.Name)"
Start-VMHostService -HostService (Get-VMHost $vmHost | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"}) | Out-null
}
# V1 esxcli interface (no -V2): the calls below pass positional arguments
$esxcli = Get-EsxCli -VMHost $vmHost
if($esxcli -ne $null){
if(($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -eq "All"){
Write-Host "Changing the sshServer firewall configuration"
$esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
$esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
$esxcli.network.firewall.refresh()
}
}
if(($vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"}).Value -ne "1"){
Write-Host "Suppress the SSH warning message"
$vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"} | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-null
}
}
Thanks
Like I said earlier, by calling the add multiple times, once for each IP address
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
I tried, but no luck.
When I add multiple IPs, the command is not working.
Thanks
Any errors?
How did you call the add multiple times?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
I am using it like below.
$rule = @{
enabled = $true
allowedall = $false
rulesetid = 'sshServer'
}
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.1'
}
}
$ip = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.2'
}
ForEach-Object -Process {
$esxcli = Get-Esxcli -VMHost $_
$esxcli.network.firewall.ruleset.set.Invoke($rule)
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
}
Thanks
That will never work.
Try perhaps like this
$rule = @{
enabled = $true
allowedall = $false
rulesetid = 'sshServer'
}
$ip1 = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.1'
}
$ip2 = @{
rulesetid = 'sshServer'
ipaddress = '192.168.1.2'
}
Get-VMHost |
ForEach-Object -Process {
$esxcli = Get-EsxCli -VMHost $_ -V2
$esxcli.network.firewall.ruleset.set.Invoke($rule)
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip1)
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip2)
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
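Putting the two answers above together (one allowedip.add call per address or range, and a loop over the hosts of a cluster), here is an added example that is not LucD's code or part of the original thread. It assumes an open vCenter session, the V2 esxcli interface, a placeholder cluster name 'Prod-Cluster' and a constructed list of sources; the ruleset is restricted first, then the current allowed list is read so that only missing entries are added and the final state is reported per host.

```powershell
# Added example (not LucD's code): restrict the ESXi sshServer ruleset to a list of
# sources on every host of one cluster. Assumes Connect-VIServer has already been run.
$clusterName    = 'Prod-Cluster'          # assumption: replace with your cluster name
$allowedSources = @(                      # constructed sample: single IPs and a CIDR range
    '192.168.1.1',
    '192.168.1.2',
    '10.0.100.0/24'
)
$rulesetId = 'sshServer'

Get-Cluster -Name $clusterName | Get-VMHost | Sort-Object Name | ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $_ -V2

    # Enable the ruleset and switch off "allow from all", exactly as in the thread.
    $esxcli.network.firewall.ruleset.set.Invoke(@{
        rulesetid  = $rulesetId
        enabled    = $true
        allowedall = $false
    })

    # With allowedall off, list returns the explicit entries instead of "All",
    # so we can skip addresses that are already present (add fails on duplicates).
    $current = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $rulesetId })
    $present = @($current.AllowedIPAddresses)

    # One add call per entry: the command takes a single IP or a single range.
    foreach ($src in $allowedSources) {
        if ($present -contains $src) { continue }
        $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{
            rulesetid = $rulesetId
            ipaddress = $src
        })
    }
    $esxcli.network.firewall.refresh.Invoke()

    # Verify the result on this host: the ruleset must no longer report "All".
    $after = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = $rulesetId })
    [pscustomobject]@{
        VMHost     = $_.Name
        AllowedIPs = (@($after.AllowedIPAddresses) -join ', ')
        Restricted = (@($after.AllowedIPAddresses) -notcontains 'All')
    }
}
```

Drop the Get-Cluster stage to run it against every host in the vCenter; a host whose Restricted column is false still accepts SSH from anywhere and should be inspected.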
Hi,
Thanks for your comment.
Could you please add your comment on the below command also?
$vi_server = "vcsa.everythingshouldbevirtual.local" # Set to your vCenter hostname|IP
$vcuser = "vcenteruser" # Set to your vCenter username to connect
$vcpass = "vcenterpassword" # Set to your vCenter username password to connect
$ip = "10.0.101.122" # Set IP to your management station if you are locking down the firewall
Connect-VIServer -Server $vi_server -User $vcuser -Password $vcpass
# Setup variable to use in script for all hosts in vCenter
$vmhosts = @(Get-VMHost)
foreach ($vmhost in $vmhosts) {
write-host "Configuring SSH on host: $($vmHost.Name)" -fore Yellow
if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Policy -ne "on"){
Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
Get-VMHostService -VMHost $vmHost | where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy "On" -Confirm:$false -ea 1 | Out-null
}
if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Running -ne $true){
Write-Host "Starting SSH service on $($vmHost.Name)"
Start-VMHostService -HostService (Get-VMHost $vmHost | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"}) | Out-null
}
$esxcli = Get-EsxCli -VMHost $vmhost
if($esxcli -ne $null){
# Uncomment below to set firewall to allow only from a certain IP
if(($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -eq "All"){
#Write-Host "Changing the sshServer firewall configuration"
#$esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
#$esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
#$esxcli.network.firewall.refresh()
#}
# End Uncomment
# Comment out below if using the above to set firewall to a specific IP
#if(($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -ne "All"){
Write-Host "Changing the sshServer firewall configuration"
$esxcli.network.firewall.ruleset.set($true, $true, "sshServer")
$esxcli.network.firewall.refresh()
}
# End Comment
if(($vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"}).Value -ne "1"){
Write-Host "Suppress the SSH warning message"
$vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"} | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-null
}
}
} # end foreach ($vmhost in $vmhosts)
# Disconnect from vCenter
Disconnect-VIServer * -Confirm:$false
Hi,
Thanks for your support.
How can I apply this to a specific cluster?
Thanks