Going to start working on this script, but if anyone knows of one, I would be interested. Trying to create a script that changes the vSwitch security settings "MAC Address Changes" and "Forged Transmits" to "Reject" for all vSwitches on the host. I'd like the script to look to a csv file with a list of ESX servers, so the script should authenticate directly to the ESX server. Thank you.
Have a look at my script in How to set network security of "AllowPromiscuous","MacChanges" and "ForgedTransmits"
It shows how to change the settings for portgroups, but vSwitches follow the same principle.
Just use the UpdateVirtualSwitch method instead.
How do you intend to provide the input in the CSV?
The name of the switch and the host and then the desired security settings?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks. The security setting is static (Reject/False), so that can be a detail within the script, but I intend on simply providing a csv file with a list of host names. Also, the vSwitch names will not be in the csv as those as well can be covered in the script logic (change setting on all vSwitches).
Thanks
Try something like this
Import-Csv "C:\esxnames.csv" -UseCulture | %{
    # Look up the host's NetworkSystem managed object
    $esx = Get-View -ViewType HostSystem -Filter @{"Name"=$_.Name}
    $NetworkSystem = Get-View $esx.ConfigManager.NetworkSystem
    foreach ($sw in $NetworkSystem.Networkconfig.Vswitch){
        # $false corresponds to "Reject" in the vSphere Client
        $swspec = $sw.spec
        $swspec.policy.security.AllowPromiscuous=$false
        $swspec.policy.security.ForgedTransmits=$false
        $swspec.policy.security.MacChanges=$false
        $NetworkSystem.UpdateVirtualSwitch($sw.name,$swspec)
    }
}
It assumes your CSV file looks like this
Name
host1
host2
host3
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you.
Is there any way you can integrate a portion that prompts for the ESX root password and then adjust the script to login locally to each ESX server to perform the changes?
I am thinking code like this:
write-host "Enter the root password"
$rootpassword = Read-Host
connect-viserver $esx -user root -password $rootpassword
Sure, try something like this
Import-Csv "C:\esxnames.csv" -UseCulture | %{
    $rootpassword = Read-Host -AsSecureString -Prompt ("Enter the root password for " + $_.Name)
    # -Password expects a plain string, so wrap the SecureString in a PSCredential instead
    $cred = New-Object System.Management.Automation.PSCredential("root", $rootpassword)
    Connect-VIServer $_.Name -Credential $cred
    $esx = Get-View -ViewType HostSystem -Filter @{"Name"=$_.Name}
    $NetworkSystem = Get-View $esx.ConfigManager.NetworkSystem
    foreach ($sw in $NetworkSystem.Networkconfig.Vswitch){
        $swspec = $sw.spec
        $swspec.policy.security.AllowPromiscuous=$false
        $swspec.policy.security.ForgedTransmits=$false
        $swspec.policy.security.MacChanges=$false
        $NetworkSystem.UpdateVirtualSwitch($sw.name,$swspec)
    }
    Disconnect-VIServer -Server $_.Name -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Can't wait until all of our ESX servers are upgraded past 3.5. Then I can upgrade our PowerCLI version. Looks like 4.0 / U1 PowerCLI doesn't have import-csv - http://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/.
The Import-Csv cmdlet doesn't belong to PowerCLI, it is a standard PowerShell cmdlet.
Are you sure you don't have it?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
NM. That isn't the problem. The cmdlet populates fine from console. When I run the script it quickly returns back to the prompt. Trying to look through now to see what the problem is.
I was only testing with one server name, located in the first line of the csv file. Got that part. Last one on this. Any way to have it use the password provided for all the servers and not prompt on each server for root password?
Yes, you need a header line in the CSV file
Move the prompt outside the loop, something like this
$rootpassword = Read-Host -AsSecureString -Prompt "Enter the root password"
# -Password expects a plain string, so wrap the SecureString in a PSCredential once and reuse it
$cred = New-Object System.Management.Automation.PSCredential("root", $rootpassword)
Import-Csv "C:\esxnames.csv" -UseCulture | %{
    Connect-VIServer $_.Name -Credential $cred
    $esx = Get-View -ViewType HostSystem -Filter @{"Name"=$_.Name}
    $NetworkSystem = Get-View $esx.ConfigManager.NetworkSystem
    foreach ($sw in $NetworkSystem.Networkconfig.Vswitch){
        $swspec = $sw.spec
        $swspec.policy.security.AllowPromiscuous=$false
        $swspec.policy.security.ForgedTransmits=$false
        $swspec.policy.security.MacChanges=$false
        $NetworkSystem.UpdateVirtualSwitch($sw.name,$swspec)
    }
    Disconnect-VIServer -Server $_.Name -Confirm:$false
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Perfect. Thanks again.
Thanks, I modified this and used it to address the VMware Security Hardening Guide for 2 of the recommendations. I included the ability to exclude specified port groups from being modified to address VMs that use MSCS for example. I also save the original settings to a CSV file.
# Inputs (placeholders, adjust to your environment)
$cluster     = "<cluster name>"
$excludedPGs = @("<MSCS portgroup name>")   # portgroups that must keep their current settings
$output_file = "C:\vSwitchSecurity-before.csv"
$report      = @()

$ObjAllHosts = Get-Cluster -Name $cluster | Get-VMHost | sort Name
$ObjAllHosts | %{
    $esx = Get-View -ViewType HostSystem -Filter @{"Name"=$_.Name}
    $NetworkSystem = Get-View $esx.ConfigManager.NetworkSystem
    foreach ($sw in $NetworkSystem.Networkconfig.Vswitch){
        $swspec = $sw.spec
        #Save original settings
        $row = "" | Select Host, vSwitch, PG, ForgedTransmits, MacChanges
        $row.Host = $esx.Name
        $row.vSwitch = $sw.Name
        $row.PG = "default"
        $row.ForgedTransmits = $swspec.policy.security.ForgedTransmits
        $row.MacChanges = $swspec.policy.security.MacChanges
        $report += $row
        $swspec.policy.security.ForgedTransmits=$false
        $swspec.policy.security.MacChanges=$false
        #Import new settings
        $NetworkSystem.UpdateVirtualSwitch($sw.name,$swspec)
    }
    foreach ($pg in $NetworkSystem.Networkconfig.PortGroup){
        if($excludedPGs -notcontains $pg.Spec.Name){
            $pgspec = $pg.spec
            #Save original settings
            $row = "" | Select Host, vSwitch, PG, ForgedTransmits, MacChanges
            $row.Host = $esx.Name
            $row.vSwitch = $pgspec.VswitchName   # the portgroup's own vSwitch, not the last one from the loop above
            $row.PG = $pgspec.Name
            $row.ForgedTransmits = $pgspec.policy.security.ForgedTransmits
            $row.MacChanges = $pgspec.policy.security.MacChanges
            $report += $row
            $pgspec.policy.security.ForgedTransmits=$false
            $pgspec.policy.security.MacChanges=$false
            #Import new settings
            $NetworkSystem.UpdatePortgroup($pgspec.name,$pgspec)
        }
    }
}
$report | Export-Csv $output_file -NoTypeInformation
Invoke-Item $output_file
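A read-only companion to the hardening script above, added here as an example and not code from the thread: it reports the effective security policy of every vSwitch and portgroup on the connected hosts, so you can verify the result (or audit before changing anything). It assumes Connect-VIServer has already been run, and that a $null field on a portgroup policy means the value is inherited from its vSwitch, so the inherited value is resolved before the row is judged compliant.

```powershell
# Resolve a portgroup setting: $null means "inherit from the parent vSwitch"
function Get-EffectiveSetting ($own, $inherited) {
    if ($own -ne $null) { $own } else { $inherited }
}

function Get-VSwitchSecurityReport {
    param([string[]]$ExcludedPortGroups = @())   # e.g. MSCS portgroups (placeholder names)
    $report = @()
    foreach ($esx in Get-View -ViewType HostSystem -Property Name,ConfigManager.NetworkSystem) {
        $netSys = Get-View $esx.ConfigManager.NetworkSystem -Property NetworkConfig
        $parentPolicy = @{}
        foreach ($sw in $netSys.NetworkConfig.Vswitch) {
            $sec = $sw.Spec.Policy.Security
            $parentPolicy[$sw.Name] = $sec
            $report += New-Object PSObject -Property @{
                Host = $esx.Name; vSwitch = $sw.Name; PortGroup = "(vSwitch default)"
                AllowPromiscuous = [bool]$sec.AllowPromiscuous
                ForgedTransmits  = [bool]$sec.ForgedTransmits
                MacChanges       = [bool]$sec.MacChanges
                Inherited        = $false
            }
        }
        foreach ($pg in $netSys.NetworkConfig.PortGroup) {
            $spec = $pg.Spec
            if ($ExcludedPortGroups -contains $spec.Name) { continue }
            $parent = $parentPolicy[$spec.VswitchName]
            $own    = $spec.Policy.Security      # may be $null, or have $null fields
            $report += New-Object PSObject -Property @{
                Host = $esx.Name; vSwitch = $spec.VswitchName; PortGroup = $spec.Name
                AllowPromiscuous = [bool](Get-EffectiveSetting $own.AllowPromiscuous $parent.AllowPromiscuous)
                ForgedTransmits  = [bool](Get-EffectiveSetting $own.ForgedTransmits  $parent.ForgedTransmits)
                MacChanges       = [bool](Get-EffectiveSetting $own.MacChanges       $parent.MacChanges)
                # $true when at least one field is taken from the vSwitch
                Inherited        = (($own.AllowPromiscuous -eq $null) -or ($own.ForgedTransmits -eq $null) -or ($own.MacChanges -eq $null))
            }
        }
    }
    # Compliant = all three settings are Reject ($false); fixed column order for Export-Csv
    $report | Select-Object Host, vSwitch, PortGroup, AllowPromiscuous, ForgedTransmits, MacChanges, Inherited,
        @{N="Compliant"; E={ -not ($_.AllowPromiscuous -or $_.ForgedTransmits -or $_.MacChanges) }}
}

# Usage: show only the objects that still accept promiscuous mode, MAC changes or forged transmits
Get-VSwitchSecurityReport -ExcludedPortGroups @("<MSCS portgroup name>") |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Pipe the full report to Export-Csv to keep a before/after record alongside the one the hardening script writes.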
I have tried this script, but I am getting the following error:
[Error Start]
Import-Csv : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its
properties do not match any of the parameters that take pipeline input.
At C:\Users\abcd\Documents\vSwitchSeucrityConfig.ps1:2 char:1
+ Import-Csv "C:\Users\abcd\Documents\HostNames.csv" -UseCulture | %{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (VMware.Vim.VirtualMachine:PSObject) [Import-Csv], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.ImportCsvCommand
[Error End]
Can anyone help me?
I would need to see the complete script you are using.
Can you attach it?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference