VMware Cloud Community
SCharchouf
Hot Shot

Status of the host firewall settings (Allow connections from any IP address - All)

I have a big list of ESXi servers that require a lot of changes to modify the firewall policy for allowed IPs.

My idea is to create a script that can change these services and get a report of what was changed, from the old value to the new value.

For sure, the script needs to be created in a way that the ESXi hosts are added in a separate file.

Below is the list of services and their required values (CSV layout):

Service Name,Enabled,Setting,Status
ntpClient,true,allIp,true
vSphereClient,true,allIp,true
dns,true,allIp,true
HPProvider,true,allIp,true
activeDirectoryAll,true,allIp,true
WOL,true,allIp,true
nfsClient,true,allIp,false
vsanvp,true,allIp,true
esxupdate,true,allIp,true
dynamicruleset,true,allIp,true
CIMHttpsServer,true,allIp,true
cmmds,true,allIp,true
autodeploy,true,allIp,true
rabbitmqproxy,true,allIp,true
faultTolerance,true,allIp,true
snmp,true,allIp,true
CIMHttpServer,true,allIp,true
dhcp,true,allIp,true
syslog,true,allIp,true
CIMSLP,true,allIp,true
rdt,true,allIp,true
fdm,true,allIp,true
vMotion,true,allIp,true
DHCPv6,true,allIp,true
NFC,true,allIp,true
HBR,true,allIp,true
sshClient,true,allIp,true
sshServer,true,allIp,true
webAccess,true,allIp,true
vpxHeartbeats,true,allIp,true

I'm using the below script, which helps me to set the value for only one service:

$esx = Get-VMHost -Name ESXTEST
$esxcli = Get-Esxcli -VMHost $esx -V2
# One ruleset per call: enable it, but keep the allowed-IP list restricted
$arguments = @{
    rulesetid = 'sshServer'
    enabled = $true
    allowedall = $false
}
$esxcli.network.firewall.ruleset.set.Invoke($arguments)

Any ideas?

Any suggestions?

3 Replies
LucD
Leadership

You could use 2 nested foreach loops, one over all the ESXi nodes and the other one through the complete CSV.

Something like this, for example.

I assume that the 'allIp' in your CSV means 'allowedall = $true'.

Also, is there a need to test the current value first?

In this form, the script just calls the method for each service, independent of the current setting.

# CSV layout
#
# Service Name,Enabled,Setting,Status
# ntpClient,true,allIp,true
# vSphereClient,true,allIp,true

$rules = Import-Csv -Path .\services.csv -UseCulture

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $esxcli = Get-Esxcli -VMHost $esx -V2
    $rules | ForEach-Object -Process {
        $arguments = @{
            rulesetid = $_.'Service Name'
            # Import-Csv yields the string 'true'/'false'; the esxcli parameter expects a boolean
            enabled = ($_.Enabled -eq 'true')
            allowedall = $true
        }
        $esxcli.network.firewall.ruleset.set.Invoke($arguments)
    }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

The reason why I need info regarding the old parameter is just for reporting.

And regarding the script that you have shared, is it possible to have a separate file that contains the ESX info?

LucD
Leadership

Sure, try like this:

# CSV layout
#
# Service Name,Enabled,Setting,Status
# ntpClient,true,allIp,true
# vSphereClient,true,allIp,true

$rules = Import-Csv -Path .\services.csv -UseCulture

# CSV layout
#
# Name
# esx1
# esx2

$vmhost = Import-Csv -Path .\esxnames.csv -UseCulture

Get-VMHost -Name $vmHost.Name -PipelineVariable esx |
ForEach-Object -Process {
    $esxcli = Get-Esxcli -VMHost $esx -V2
    $rules | ForEach-Object -Process {
        $arguments = @{
            rulesetid = $_.'Service Name'
            # Import-Csv yields the string 'true'/'false'; the esxcli parameter expects a boolean
            enabled = ($_.Enabled -eq 'true')
            allowedall = $true
        }
        $esxcli.network.firewall.ruleset.set.Invoke($arguments)
    }
}


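An added example, not code from the thread: it takes both CSV files as in the reply above, adds the old-versus-new report the question asks for, and checks the current state before calling set so that only rulesets that actually differ are touched. It assumes an already connected PowerCLI session, the field names Ruleset and AllowedIPAddresses in the allowedip list output, and that the CSV's Status column is the intended allowedall value (true = any IP address, false = keep the configured allowed-IP list), which is an assumption about the nfsClient row.

```powershell
# Added example, not from the thread. Assumes Connect-VIServer has already been run and the two
# CSV layouts shown above. Assumption: the Status column is the desired 'allowedall' value.
$rules   = Import-Csv -Path .\services.csv      # Service Name,Enabled,Setting,Status
$vmhosts = Import-Csv -Path .\esxnames.csv      # Name

$report = foreach ($esx in Get-VMHost -Name $vmhosts.Name) {
    $esxcli = Get-EsxCli -VMHost $esx -V2

    # Snapshot the current state once per host: enabled flag and whether all IPs are allowed
    $current = @{}
    foreach ($r in $esxcli.network.firewall.ruleset.list.Invoke()) {
        $current[$r.Name] = @{ Enabled = ($r.Enabled -eq $true); AllowedAll = $false }
    }
    # Assumed field names, taken from 'esxcli network firewall ruleset allowedip list' output
    foreach ($a in $esxcli.network.firewall.ruleset.allowedip.list.Invoke()) {
        if ($current.ContainsKey($a.Ruleset)) {
            $current[$a.Ruleset].AllowedAll = ($a.AllowedIPAddresses -contains 'All')
        }
    }

    foreach ($rule in $rules) {
        $name         = $rule.'Service Name'
        $wantEnabled  = ($rule.Enabled -eq 'true')   # CSV fields are strings, not booleans
        $wantAllowAll = ($rule.Status  -eq 'true')
        $old = $current[$name]
        if ($null -eq $old) {
            Write-Warning "$($esx.Name): ruleset '$name' does not exist on this host, skipping"
            continue
        }
        $changed = ($old.Enabled -ne $wantEnabled) -or ($old.AllowedAll -ne $wantAllowAll)
        if ($changed) {
            $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
            $setArgs.rulesetid  = $name
            $setArgs.enabled    = $wantEnabled
            $setArgs.allowedall = $wantAllowAll
            $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null
        }
        # One report row per host/ruleset, including the unchanged ones
        [pscustomobject]@{
            VMHost = $esx.Name; Ruleset = $name; Changed = $changed
            OldEnabled = $old.Enabled; NewEnabled = $wantEnabled
            OldAllowedAll = $old.AllowedAll; NewAllowedAll = $wantAllowAll
        }
    }
}
$report | Export-Csv -Path .\firewall-change-report.csv -NoTypeInformation
$report | Where-Object { $_.Changed } | Format-Table -AutoSize
```

Running it a second time should report Changed = False on every row, which is a quick way to confirm the hosts now match the CSV.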