Automation

  • 1.  problem with script

    Posted Jun 02, 2011 07:32 AM

    For some reason this is only working on port groups on vswitch0.

    Foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
        $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem
        Foreach ($pg in $NetworkSystem.Networkconfig.PortGroup){
            If($pg.spec.Name -like "VM*"){
                Write $pg.spec.Name
                $pg.spec.policy.security.allowPromiscuous=$true
                $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
            }
        }
    }

    The rest get this error:

    Property 'allowPromiscuous' cannot be found on this object; make sure it exists
    and is settable.
    At H:\Scripts\pg-security-test1.ps1:44 char:37
    +             $pgspec.policy.security. <<<< allowPromiscuous=$true
        + CategoryInfo          : InvalidOperation: (allowPromiscuous:String) [],
       RuntimeException
        + FullyQualifiedErrorId : PropertyNotFound



  • 2.  RE: problem with script

    Posted Jun 02, 2011 11:14 AM

    In the error message it says "$pgspec.policy.security" instead of "$pg.spec.policy.security".

    Is the dot after $pg really missing or is that a copy/paste problem?



  • 3.  RE: problem with script

    Posted Jun 02, 2011 01:58 PM

    It is just a copy/paste problem.

    Property 'allowPromiscuous' cannot be found on this object; make sure it exists
    and is settable.
    At H:\Scripts\pg-security-test2.ps1:9 char:34
    +         $pg.spec.policy.security. <<<< allowPromiscuous=$true
        + CategoryInfo          : InvalidOperation: (allowPromiscuous:String) [],
       RuntimeException
        + FullyQualifiedErrorId : PropertyNotFound



  • 4.  RE: problem with script

    Posted Jun 02, 2011 02:44 PM

    I get the same error message when I run the script against a portgroup that has no NICs assigned.

    With the following adaptation you can avoid this situation:

    foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
        $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem
        foreach ($pg in $NetworkSystem.Networkconfig.PortGroup){
            if($pg.spec.policy.NicTeaming -and
                ($pg.spec.policy.NicTeaming.NicOrder.ActiveNic -or
                $pg.spec.policy.NicTeaming.NicOrder.StandbyNic) -and
                $pg.spec.Name -like "VM*"){
                Write $pg.spec.Name
                $pg.spec.policy.security.allowPromiscuous=$true
                $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
            }
        }
    }


  • 5.  RE: problem with script

    Posted Jun 02, 2011 03:41 PM

    Thanks LucD, but some of my vswitches/port groups don't have an associated NIC. However, this isn't matching anything, even the ones that do.



  • 6.  RE: problem with script

    Posted Jun 02, 2011 04:45 PM

    Apparently the properties I'm testing against are only filled in in the ComputedPolicy property.

    Try this variant on the script.

    foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
        $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem
        foreach ($pg in $vh01.Config.Network.Portgroup){
            if($pg.ComputedPolicy.NicTeaming -and
                ($pg.ComputedPolicy.NicTeaming.NicOrder.ActiveNic -or
                $pg.ComputedPolicy.NicTeaming.NicOrder.StandbyNic) -and
                $pg.spec.Name -like "VM*"){
                Write $pg.spec.Name
                $pg.spec.policy.security.allowPromiscuous=$true
                $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
            }
        }
    }


  • 7.  RE: problem with script

    Posted Jun 02, 2011 04:59 PM

    That works on the ones that have nics associated with them but not the ones that don't.



  • 8.  RE: problem with script

    Posted Jun 02, 2011 05:48 PM

    That is exactly what the script is supposed to do.

    If there are no NICs, the Security property in the HostPortgroupSpec object is $null and the script is not able to change the setting.

    You can of course create the HostPortgroupSpec or HostNetworkSecurityPolicy object from scratch (with the New-Object cmdlet).

    And then call the UpdatePortgroup method with the object you created and populated.

    Let me know if you need any assistance with that.



  • 9.  RE: problem with script

    Posted Jun 02, 2011 06:11 PM

    My skills are limited and I'll look up how to do this but if you could throw me a bone it would be much appreciated. :smileyhappy:



  • 10.  RE: problem with script
    Best Answer

    Posted Jun 02, 2011 07:25 PM

    Try this.

    The script checks the conditions when the Security is $null and in that case it will create the object instead of using the copy from the portgroup.

    foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
        $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem
        foreach ($pg in $vh01.Config.Network.Portgroup){
            if($pg.spec.Name -like "VM*"){
                if($pg.ComputedPolicy.NicTeaming -and
                    ($pg.ComputedPolicy.NicTeaming.NicOrder.ActiveNic -or
                    $pg.ComputedPolicy.NicTeaming.NicOrder.StandbyNic)){
                    # NICs present: change the Security object copied from the portgroup
                    Write $pg.spec.Name
                    $pg.spec.policy.security.allowPromiscuous=$true
                    $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
                }
                else{
                    # No NICs: create the Security object from scratch and populate it
                    Write $pg.spec.Name
                    $pg.spec.policy.security = New-Object VMware.Vim.HostNetworkSecurityPolicy
                    $pg.spec.policy.security.allowPromiscuous=$true
                    $pg.spec.policy.security.ForgedTransmits=$true
                    $pg.spec.policy.security.MacChanges=$true
                    $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
                }
            }
        }
    }

    Note that the other 2 security properties are also set in case the object is created from scratch.
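
A read-only check to run after a bulk change like the one above, added here as an example and not part of the original thread: it lists, per port group, the effective value of each of the three security settings and whether the port group sets it itself. It assumes an existing Connect-VIServer session, and it treats a `$null` value under `Spec.Policy.Security` as "no value set on the port group, so the vSwitch's applies"; the function name `Get-PortGroupSecurityReport` and its parameters are hypothetical.

```powershell
# Added example (not from the thread): audit the port group security policy.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
# Function and parameter names are hypothetical.
function Get-PortGroupSecurityReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$HostName,            # same value the thread passes to -Filter
        [string]$NamePattern = "*"    # -like pattern, e.g. "VM*"
    )

    $settings = "AllowPromiscuous", "ForgedTransmits", "MacChanges"

    foreach ($vh in (Get-View -ViewType HostSystem -Filter @{"Name" = $HostName})) {
        foreach ($pg in $vh.Config.Network.Portgroup) {
            if ($pg.Spec.Name -notlike $NamePattern) { continue }

            # Spec.Policy.Security holds only what is set on the port group
            # itself and can be $null; ComputedPolicy.Security holds the
            # values that are actually in effect.
            $own = $pg.Spec.Policy.Security
            $effective = $pg.ComputedPolicy.Security

            foreach ($setting in $settings) {
                $ownValue = if ($own) { $own.$setting } else { $null }
                $source = if ($null -ne $ownValue) { "port group" } else { "vSwitch" }

                [pscustomobject]@{
                    Host      = $vh.Name
                    VSwitch   = $pg.Spec.VswitchName
                    PortGroup = $pg.Spec.Name
                    Setting   = $setting
                    Effective = $effective.$setting
                    SetOn     = $source
                }
            }
        }
    }
}

# Usage: show every setting on the "VM*" port groups that is currently accepting.
# Get-PortGroupSecurityReport -HostName "esx1.domain.com" -NamePattern "VM*" |
#     Where-Object { $_.Effective } |
#     Format-Table -AutoSize
```

Rows with `SetOn` equal to "port group" are the ones a script such as the one above has written; the rest still follow their vSwitch.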



  • 11.  RE: problem with script

    Posted Jun 02, 2011 07:57 PM

    That's it. Thank you!