VMware Cloud Community
DHatt
Contributor

VMware host firewall rulesetid that contains a space.

Another question on running a PowerCLI script to change the firewall settings on a VMware Host.

When I run the script below and the "rulesetid" does not contain any spaces, it runs just fine.

However, if the rulesetid has a space I get the following error message:

Message: EsxCLI.CLIFault.summary;
InnerText: Invalid Ruleset Id.EsxCLI.CLIFault.summary
At line:1 char:1
+ $ESXcli.network.firewall.ruleset.set.Invoke($arguments1)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], MethodFault
    + FullyQualifiedErrorId : VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.MethodFault

The output for the hash table is:

Name                           Value
----                           -----
allowedall                     False
rulesetid                      SSH Client

I have also set the $Security.Name variable in quotes ($Security.'Name' and $Security."Name"), which resulted in the rulesetid being in quotes ("SSH Client").

foreach ($Security in $SecurityProfile1) {

    $arguments1 = @{
        "rulesetid"  = $Security.Name
        "allowedall" = $Security.Allowed
    }

    $ESXcli.network.firewall.ruleset.set.Invoke($arguments1)
    # $arguments2 is not defined in the posted snippet
    $ESXcli.network.firewall.ruleset.allowedip.add.Invoke($arguments2)
}

Any suggestions, etc. would be greatly appreciated.

Thanks.


Accepted Solutions
LucD
Leadership

The name you're seeing in the Web Client and via Get-VMHostFirewallException is not the rulesetid but the Summary field.

The rulesetid that you need in $esxcli.network.firewall.ruleset.set is in fact the Name field coming from $esxcli.network.firewall.ruleset.list.

For the 'SSH Client' that rulesetid is in fact sshClient.

I would suggest you update your CSV with the real rulesetid.

In fact, you can create a table for that:

$esxName = 'MyEsx'

Get-VMHost -Name $esxName |
    Get-VMHostFirewallException |
    Select Name, @{N = 'rulesetid'; E = {$_.Extensiondata.Key}}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
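
The lookup described in this answer, applied to the CSV-driven loop from the question so that display names such as 'SSH Client' are resolved to their rulesetid before esxcli is called. This is an added example, not code posted in the thread; it assumes an already connected PowerCLI session and reuses the thread's `MyEsx` host and `C:\Test.csv` (columns Name, Allowed), while `$idByLabel` and `$knownIds` are illustrative names.

```powershell
# Added example (not from the thread). Assumes Connect-VIServer has already been run.
$esxName = 'MyEsx'                       # host name used in the thread
$vmHost  = Get-VMHost -Name $esxName
$esxcli  = Get-EsxCli -VMHost $vmHost -V2

# Display name -> rulesetid lookup, e.g. 'SSH Client' -> 'sshClient'.
$idByLabel = @{}
Get-VMHostFirewallException -VMHost $vmHost | ForEach-Object {
    $idByLabel[$_.Name] = $_.ExtensionData.Key
}

# Ids as the host reports them; the Name field of this list is the rulesetid.
$knownIds = $esxcli.network.firewall.ruleset.list.Invoke() |
    Select-Object -ExpandProperty Name

foreach ($row in Import-Csv -Path 'C:\Test.csv') {
    # Accept either a display name or a value that is already a rulesetid.
    $id = if ($idByLabel.ContainsKey($row.Name)) { $idByLabel[$row.Name] } else { $row.Name }

    # Refuse anything the host does not know instead of letting esxcli fault mid-run.
    if ($knownIds -notcontains $id) {
        Write-Warning "Skipping '$($row.Name)': no matching rulesetid on $esxName"
        continue
    }

    # Import-Csv returns strings, and [bool]'False' evaluates to $true in PowerShell,
    # so parse the text explicitly before it decides whether all IPs are allowed.
    $allowedAll = [bool]::Parse($row.Allowed)

    $result = $esxcli.network.firewall.ruleset.set.Invoke(@{
        rulesetid  = $id
        allowedall = $allowedAll
    })
    "{0,-30} -> {1,-25} allowedall={2} result={3}" -f $row.Name, $id, $allowedAll, $result
}
```

Rows whose Name matches neither a display name nor a rulesetid are skipped with a warning, so a typo in the CSV cannot silently leave a ruleset in its previous state without being noticed.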

LucD
Leadership

Can you give a bit more context?

Did you add the new rules directly into the services.xml on the ESXi node?

Where is the content of $SecurityProfile1 coming from? Is that something you read in from a file?

And is there a specific reason you need a blank in the new FW rule?


DHatt
Contributor

No, I did not add the rules to the services.xml file on the ESXi node.

The content for $SecurityProfile1 is coming from a .csv file which has the headers "Name" for the rulesetid and "Allowed" for the allowedall values. The PowerCLI line in the script is: $SecurityProfile1 = Import-Csv -Path 'C:\Test.csv'

If you are asking about a space between SSH and Client, the space is present in the name when seen in vSphere Web Client and when I pull the firewall information with PowerCLI using Get-VMHostFirewallException -VMHost <VMHostName>.

DHatt
Contributor

Worked like a charm!!!!!

Thanks!
