VMware Cloud Community
SCharchouf
Hot Shot

Review the host firewall rules for all incoming connections.

I would like to create a script that can help me get, from the vSphere Client (select the ESXi host), the properties of each enabled firewall service and review the incoming rules where the connection is allowed from "All" IPs.

The environment is very large, and as a first step we need to identify the configuration and then find a way, via script, to set the correct configuration.

Any idea?

Accepted Solution
LucD
Leadership

Something like this perhaps?

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # esxcli V2 interface for the current host
    $esxcli = Get-EsxCli -VMHost $esx -V2
    # every firewall rule, with the enabled state of the ruleset it belongs to
    $esxcli.network.firewall.ruleset.rule.list.Invoke() |
    Select @{N='VMHost';E={$esx.Name}},RuleSet,
    @{N='Enabled';E={$esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid="$($_.Ruleset)"}).Enabled}},
    Direction,Protocol,PortBegin,PortEnd,PortType
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

Thank you :)

Can I add the AllowedIP Addresses information after PortType?

LucD
Leadership

Sure, try like this:

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $esx -V2
    $esxcli.network.firewall.ruleset.rule.list.Invoke() |
    select @{N = 'VMHost'; E = { $esx.Name } }, RuleSet,
    @{N = 'Enabled'; E = { $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = "$($_.Ruleset)" }).Enabled } },
    Direction, Protocol, PortBegin, PortEnd, PortType,
    @{N = 'AllowedIP'; E = { ($esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid = "$($_.Ruleset)" })).AllowedIPAddresses -join '|' } }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

sjoshi25
Contributor

Thanks for sharing. This script works for me.

Can we modify this script to export these results to a CSV file?

LucD
Leadership

Just add the Export-Csv after the last curly brace.

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $esx -V2
    $esxcli.network.firewall.ruleset.rule.list.Invoke() |
    select @{N = 'VMHost'; E = { $esx.Name } }, RuleSet,
    @{N = 'Enabled'; E = { $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = "$($_.Ruleset)" }).Enabled } },
    Direction, Protocol, PortBegin, PortEnd, PortType,
    @{N = 'AllowedIP'; E = { ($esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid = "$($_.Ruleset)" })).AllowedIPAddresses -join '|' } }
} | Export-Csv -Path .\report.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
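As an added example (not LucD's code and not from the thread), the same esxcli calls narrowed to the original question: report only enabled rulesets with an inbound rule that still accept connections from all IPs, and then restrict a reviewed ruleset to an admin-supplied allow-list. Assumed: PowerCLI is already connected, the V2 parameter names rulesetid, ipaddress and allowedall, and that AllowedIPAddresses contains the literal 'All' when a ruleset allows every source; the function names, host name and CIDR are placeholders.

```powershell
# Added example, not code from the thread. Requires a connected PowerCLI session.
# Lists enabled rulesets that have an inbound rule and still allow all source IPs.
function Get-OpenInboundRuleset {
    param([string[]]$VMHostName = '*')

    Get-VMHost -Name $VMHostName -PipelineVariable esx | ForEach-Object -Process {
        $esxcli = Get-EsxCli -VMHost $esx -V2

        # Build lookup tables once per host instead of calling esxcli once per rule.
        $enabled = @{}
        $esxcli.network.firewall.ruleset.list.Invoke() |
            ForEach-Object { $enabled[$_.Name] = ([string]$_.Enabled -eq 'true') }

        $allowed = @{}
        $esxcli.network.firewall.ruleset.allowedip.list.Invoke() |
            ForEach-Object { $allowed[$_.Ruleset] = @($_.AllowedIPAddresses) }

        $esxcli.network.firewall.ruleset.rule.list.Invoke() |
            Where-Object { $_.Direction -eq 'Inbound' -and $enabled[$_.Ruleset] -and
                           ($allowed[$_.Ruleset] -contains 'All') } |
            Select-Object @{N = 'VMHost'; E = { $esx.Name } }, Ruleset, Protocol, PortType, PortBegin, PortEnd,
                          @{N = 'AllowedIP'; E = { $allowed[$_.Ruleset] -join '|' } }
    }
}

# Remediation for one reviewed ruleset: replace "all IPs" with an explicit allow-list.
# $AllowedCidr is the admin's own list (for example the management subnet). Supports -WhatIf.
function Set-RulesetAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMHostName,
        [Parameter(Mandatory)][string]$RulesetId,
        [Parameter(Mandatory)][string[]]$AllowedCidr
    )
    $esxcli = Get-EsxCli -VMHost (Get-VMHost -Name $VMHostName) -V2
    if ($PSCmdlet.ShouldProcess("$VMHostName/$RulesetId", "restrict to $($AllowedCidr -join ',')")) {
        # Add the allow-list entries first so management access is never cut off,
        # then turn off allowed-all for the ruleset.
        foreach ($cidr in $AllowedCidr) {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $RulesetId; ipaddress = $cidr })
        }
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $RulesetId; allowedall = $false })
    }
}

# Review first (CSV for the large environment), then remediate per ruleset after review.
Get-OpenInboundRuleset | Export-Csv -Path .\open-inbound.csv -NoTypeInformation -UseCulture
# Set-RulesetAllowList -VMHostName 'esx01.example.local' -RulesetId 'sshServer' -AllowedCidr '10.0.0.0/24' -WhatIf
```

Run the report before any change and keep the existing allow-list entries in mind: allowedip add only appends, so a ruleset that already had entries keeps them.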
