Jon_Drake
Contributor
Contributor

PowerCLI to modify firewall policy for allowed ip's

Jump to solution

I need to change the ESXi firewall setting from Allow connections from any IP address to a list of networks.

Using the get-esxcli cmdlet I can set the ip's to use.

(Get-VMHost $esxhost )
$esxcli = Get-EsxCli -VMHost $esxhost

$esxcli.network.firewall.ruleset.allowedip.add("172.16.29.0/24", "sshServer")

The issue I have is that to run the above, I first need to go into vcenter and manually change the firewall setting from all ip's to only these ip's.

When I set my $esxcli and run: $esxcli.network.firewall.ruleset.set

this is the output:

TypeNameOfValue     : VMware.VimAutomation.ViCore.Util10Ps.EsxCliExtensionMethod

OverloadDefinitions : {boolean set(boolean allowedall, boolean enabled, string rulesetid)}

MemberType          : CodeMethod

Value               : boolean set(boolean allowedall, boolean enabled, string rulesetid)

Name                : set

IsInstance          : True

I think its possible to change the allowed all to disabled, but I can't figure out what they mean by this set(boolean allowedall, boolean enabled, string rulesetid).  I understand that the string rulesetid is sshServer, but what do they mean with boolean allowedall ?

Has anyone ever done this before ?

Tags (1)
0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership

You pass a Boolean value ($true or $false) and for allowedall this means

  • $true : all IP addresses are allowed
  • $false : only the IP addresses in the IP list are allowed

See the esxcli network Commands documentation for the meaning of these parameters.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
11 Replies
LucD
Leadership
Leadership

You pass a Boolean value ($true or $false) and for allowedall this means

  • $true : all IP addresses are allowed
  • $false : only the IP addresses in the IP list are allowed

See the esxcli network Commands documentation for the meaning of these parameters.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
MRoushdy
Hot Shot
Hot Shot

Could you please give me more info? .. I couldn't figure out (nor my search returned a useful) the correct syntax to disable the "allowedall"

I tried this:

$esxcli.network.firewall.ruleset.allowed-all.set($false)

it returns a "non-value" error.

Thanks,

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
LucD
Leadership
Leadership

When you use the V2 switch on the Get-EsxCli cmdlet, you could do

$esx = Get-VMHost -Name MyEsx

$esxcli = Get-Esxcli -VMHost $esx -V2

$arguments = @{

    rulesetid = 'sshServer'

    enabled = $true

    allowedall = $false

}

$esxcli.network.firewall.ruleset.set.Invoke($arguments)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
MRoushdy
Hot Shot
Hot Shot

I used this:

$esx = Get-VMHost -Name <Myhost>
$esxcli = Get-Esxcli -VMHost $esx -V2

$arguments = @{

    rulesetid = 'syslog'

    allowedall = $false

}

$esxcli.network.firewall.ruleset.set.Invoke($arguments)

$esxcli.network.firewall.ruleset.allowedip.add("10.10.23.171", "syslog")

but I get this error

Cannot find an overload for "Set" and the argument count: "1".
At C:\Users\u981021\Documents\Commands\allowedip.ps1:12 char:1
+ $esxcli.network.firewall.ruleset.set.Invoke($arguments)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

Cannot find an overload for "add" and the argument count: "2".
At C:\username\Documents\Commands\allowedip.ps1:15 char:1
+ $esxcli.network.firewall.ruleset.allowedip.add("10.10.23.171", "syslo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
MRoushdy
Hot Shot
Hot Shot

The option was disabled, but it fails to add IPs, I tried this, is it incorrect?

$esx = Get-VMHost -Name HOST
$esxcli = Get-Esxcli -VMHost $esx -V2

$arguments = @{
rulesetid = 'syslog'
allowedall = $false
allowedip = "10.10.23.171"
}

$esxcli.network.firewall.ruleset.set.Invoke($arguments)

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
LucD
Leadership
Leadership

You can add allowed IP addresses like this

$esx = Get-VMHost -Name HOST

$esxcli = Get-Esxcli -VMHost $esx -V2

$arguments = @{

    rulesetid = 'syslog'

    ipaddress = '10.10.23.171'

}

$esxcli.network.firewall.ruleset.allowedip.add.Invoke($arguments)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
MRoushdy
Hot Shot
Hot Shot

Thank you!

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
nicholas1982
Hot Shot
Hot Shot

Luc, I'm now trying ESXCLI -V2 as it may solve another issue i'm having but when i specify an IP in the $argument i get the following error

$esx = Get-VMHost -Name vesxi01*

$esxcli = Get-Esxcli -VMHost $esx -V2

$arguments = @{

    rulesetid = 'sshServer'

    enabled = $true

    allowedall = $false

    allowedip = '192.168.1.157'

}

----------------------Result of running command here-------------------------------

$esxcli.network.firewall.ruleset.set.Invoke($arguments)

PS C:\scripts\hostfw> $esx = Get-VMHost -Name vesxi01*

PS C:\scripts\hostfw> $esxcli = Get-Esxcli -VMHost $esx -V2

PS C:\scripts\hostfw> $arguments = @{

    rulesetid = 'sshServer'

    enabled = $true

    allowedall = $false

    allowedip = '192.168.1.157'

}

PS C:\scripts\hostfw> $arguments

Name                           Value                                                                                                                                 

----                           -----                                                                                                                                 

rulesetid                      sshServer                                                                                                                             

allowedip                      192.168.1.157                                                                                                                         

allowedall                     False                                                                                                                                 

enabled                        True                                                                                                                                  

PS C:\scripts\hostfw> $esxcli.network.firewall.ruleset.set.Invoke($arguments)

Index (zero based) must be greater than or equal to zero and less than the size of the argument list.

At line:1 char:1

+ $esxcli.network.firewall.ruleset.set.Invoke($arguments)

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : OperationStopped: (:) [], FormatException

    + FullyQualifiedErrorId : System.FormatException

Nicholas VCP6
0 Kudos
markdjones82
Expert
Expert

Is there a way to take an existing host and save an argument list out so I can add it to a script?   IE something that can create the argument list for me with the hashtable?

http://www.twitter.com/markdjones82 | http://nutzandbolts.wordpress.com
0 Kudos
LucD
Leadership
Leadership

All the V2 functions, except the ones without parameters, have a CreateArgs() method that will generate a hash table.

For example

args.jpg


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
markdjones82
Expert
Expert

LUC,

  But does it actually export values?

IE I want to make a static list from this list that I can put in a script and then loop through and set all of them:

PowerCLI C:\> $esxcli.network.firewall.ruleset.list.Invoke()

Enabled Name

------- ----

true    sshServer

false   sshClient

false   nfsClient

false   nfs41Client

true    dhcp

true    dns

true    snmp

true    ntpClient

true    CIMHttpServer

true    CIMHttpsServer

true    CIMSLP

false   iSCSI

true    vpxHeartbeats

true    updateManager

true    faultTolerance

true    webAccess

true    vMotion

true    vSphereClient

true    activeDirectoryAll

true    NFC

true    HBR

false   ftpClient

false   httpClient

false   gdbserver

false   DVFilter

true    DHCPv6

true    DVSSync

true    syslog

true    WOL

false   vSPC

false   remoteSerialPort

false   rdt

false   cmmds

false   vsanvp

true    rabbitmqproxy

false   ipfam

false   vvold

true    iofiltervp

false   esxupdate

false   vsanEncryption

false   pvrdma

false   vsanhealth-multicasttest

http://www.twitter.com/markdjones82 | http://nutzandbolts.wordpress.com
0 Kudos