Hi,
Is there a quicker way to add hundreds of firewall rules to an edge gateway other than via the vCD web GUI, which is quite limited? I'm either looking for a command-line PowerCLI-type script or another way to simplify or at least speed up the process.
Any suggestions greatly welcomed.
thanks,
Hi,
REST API would be perfect, please go through https://www.vmware.com/pdf/vshield_55_api.pdf (page no: 75)
Thanks, I can see that would be a good option; however, our environment is managed by vCloud Director, so any changes made directly using vShield Manager are not retained, as vCD will overwrite them. Can you advise if there is a different API set or tools using PowerCLI that can administer this process via vCloud?
Hi,
Good point. In that case you can use the vCloud API to perform the task.
It would be a good start with network administration, page 169: http://pubs.vmware.com/vcd-55/topic/com.vmware.ICbase/PDF/vcd_55_api_guide.pdf
Thanks for the reference. I'm not much of a developer, so it would seem a steep curve to work out how to programmatically get that to work via the API; I don't really know where to begin with it, to be honest.
I found this whilst looking around for scripts/tools:
https://github.com/gds-operations/vcloud-edge_gateway
Do you think it might do the trick?
cheers
Hi,
To be very honest, you don't need to be a good developer to start with the API. Whenever you get time, try to go through Exploring the vCloud REST API Part 1 | VMware vSphere Blog - VMware Blogs. Once you log in to the solution it is a very easy task.
I'm unsure about the link that you provided, because I never tried that till now.
thanks for the links, I'll check that out!
I know this is an older post, but I have modified the scripts referenced below to load any number of Edge Gateway NAT rules at one time. See below: I'm using PowerCLI 5.8 with the below snapins. I've attached a sample CSV.
param(
    [Parameter(Mandatory = $true, Position = 0)][string]$te # this is the org name
)

#region Module/Snapin/Dot Sourcing
# Load snapins related to VMware
$snapinList = @( 'VMware.VimAutomation.Core', 'VMware.VimAutomation.Vds', 'VMware.VimAutomation.License', 'VMware.DeployAutomation', 'VMware.ImageBuilder', 'VMware.VimAutomation.Cloud')
foreach ($snapin in $snapinList)
{
    if (!(Get-PSSnapin $snapin -ErrorAction:SilentlyContinue))
    {
        Add-PSSnapin $snapin
    }
}
#endregion Module/Snapin/Dot Sourcing

# Placeholders; prefer -Credential (Get-Credential) over a password written into the script
Connect-CIServer -Server 10.1.0.34 -User '[USERNAME]' -Password '[Password]'
$EdgeGateway = 'EdgeGW-' + $te
$extNet = Get-ExternalNetwork | Where-Object {$_.Name -eq 'vCD-ExternalNetwork'}

Function New-GatewayRule
{
    param
    (
        [System.Object]
        $EdgeGateway,
        [System.Object]
        $ExternalNetwork
    )
    # CSV values are written straight into XML, so escape them to keep the document well-formed
    function ConvertTo-XmlText ([string]$Value) { [System.Security.SecurityElement]::Escape($Value) }

    $Edgeview = Search-Cloud -QueryType EdgeGateway -Name $EdgeGateway | Get-CIView
    if (!$Edgeview)
    {
        Write-Warning -Message "Edge Gateway with name $EdgeGateway not found"
        return
    }
    $URI = ($Edgeview.Href + '/action/configureServices')
    # WebClient used to POST the new service configuration
    $wc = New-Object -TypeName System.Net.WebClient
    # Add Authorization headers
    $wc.Headers.Add('x-vcloud-authorization', $Edgeview.Client.SessionKey)
    $wc.Headers.Add('Content-Type', 'application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml')
    $wc.Headers.Add('Accept', 'application/*+xml;version=5.1')
    # Second WebClient used to GET the current edge configuration
    $webclient = New-Object -TypeName System.Net.WebClient
    $webclient.Headers.Add('x-vcloud-authorization', $Edgeview.Client.SessionKey)
    $webclient.Headers.Add('Accept', $Edgeview.Type + ';version=5.1')
    [xml]$EGWConfXML = $webclient.DownloadString($Edgeview.Href)
    [xml]$OriginalXML = $EGWConfXML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.NatService.OuterXml
    # Next free rule id (numeric sort, since the XML values are strings); the CSV ID column overrides it below
    $NewID = [int]($OriginalXML.NatService.NatRule |
        Sort-Object -Property {[int]$_.Id} |
        Select-Object -Property Id -Last 1).Id + 1
    If ($NewID -eq 1)
    {
        $NewID = 65537
    }
    $netName = ConvertTo-XmlText $ExternalNetwork.Name
    $netHref = ConvertTo-XmlText $ExternalNetwork.Href
    $strXML = ''
    $csv = Import-Csv -Path '[Path to CSV]'
    # DNAT rules: traffic arriving at OriginIP+Octet on SourcePort is sent to translatedIP on DestPort
    foreach ($line in $csv | Where-Object {$_.Type -ne 'SNAT'})
    {
        $NewID = ConvertTo-XmlText $line.ID
        $OriginalIP = ConvertTo-XmlText ($line.OriginIP + $line.Octet)
        $OriginalPort = ConvertTo-XmlText $line.SourcePort
        $TranslatedIP = ConvertTo-XmlText $line.translatedIP
        $TranslatedPort = ConvertTo-XmlText $line.DestPort
        $Protocol = ConvertTo-XmlText $line.Protocol
        $strXML += '<NatRule>
        <RuleType>DNAT</RuleType>
        <IsEnabled>true</IsEnabled>
        <Id>' + $NewID + '</Id>
        <GatewayNatRule>
            <Interface type="application/vnd.vmware.admin.network+xml" name="' + $netName + '" href="' + $netHref + '"/>
            <OriginalIp>' + $OriginalIP + '</OriginalIp>
            <OriginalPort>' + $OriginalPort + '</OriginalPort>
            <TranslatedIp>' + $TranslatedIP + '</TranslatedIp>
            <TranslatedPort>' + $TranslatedPort + '</TranslatedPort>
            <Protocol>' + $Protocol + '</Protocol>
        </GatewayNatRule>
    </NatRule>'
    }
    # SNAT rules: traffic from translatedIP leaves as OriginIP+Octet (ports are not part of an SNAT rule)
    foreach ($line in $csv | Where-Object {$_.Type -eq 'SNAT'})
    {
        $NewID = ConvertTo-XmlText $line.ID
        $OriginalIP = ConvertTo-XmlText $line.translatedIP
        $TranslatedIP = ConvertTo-XmlText ($line.OriginIP + $line.Octet)
        $strXML += '<NatRule>
        <RuleType>SNAT</RuleType>
        <IsEnabled>true</IsEnabled>
        <Id>' + $NewID + '</Id>
        <GatewayNatRule>
            <Interface type="application/vnd.vmware.admin.network+xml" name="' + $netName + '" href="' + $netHref + '"/>
            <OriginalIp>' + $OriginalIP + '</OriginalIp>
            <TranslatedIp>' + $TranslatedIP + '</TranslatedIp>
        </GatewayNatRule>
    </NatRule>'
    }
    # Rebuild the NatService: existing rules first, then the new ones from the CSV
    $GoXML = '<?xml version="1.0" encoding="UTF-8"?>
<EdgeGatewayServiceConfiguration xmlns="http://www.vmware.com/vcloud/v1.5" >
    <NatService>
        <IsEnabled>true</IsEnabled>'
    $OriginalXML.NatService.NatRule | ForEach-Object -Process {
        $GoXML += $_.OuterXml
    }
    $GoXML += $strXML
    $GoXML += '</NatService>
</EdgeGatewayServiceConfiguration>'
    # The declaration says UTF-8, so encode the body as UTF-8 (ASCII would mangle non-ASCII names)
    [byte[]]$byteArray = [System.Text.Encoding]::UTF8.GetBytes($GoXML)
    # The response is the Task document for the configureServices action
    $UploadData = $wc.UploadData($URI, 'POST', $byteArray)
}
New-GatewayRule -EdgeGateway $EdgeGateway -ExternalNetwork $extNet
Also, I just realized you were talking about firewall rules. I have a script for that as well.
# Replaces all rules for a given vShield with the ones from a CSV file.
# CSV header is: Num,Descr,Proto,SrcIP,SrcPort,DstIP,DstPortRange,Policy,Direction,isEnabled,EnableLogging
# Note: SrcPort can be -1 (for any), any or a port number. DstPortRange can be any or a port number range (ex: 22-26)
param (
    [parameter(Mandatory = $true, HelpMessage = "vCD Server")][alias("-server", "s")][ValidateNotNullOrEmpty()][string[]]$CIServer,
    [parameter(Mandatory = $true, HelpMessage = "Org")][alias("-vOrg", "o")][ValidateNotNullOrEmpty()][string]$orgName,
    [parameter(Mandatory = $true, HelpMessage = "OrgNet")][alias("-orgNet", "n")][ValidateNotNullOrEmpty()][string]$orgNet,
    [parameter(Mandatory = $true, HelpMessage = "CSV Path")][alias("-file", "f")][ValidateNotNullOrEmpty()][string]$csvFile
)

# Add in the VI Toolkit
if ( (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin VMware.VimAutomation.Core
}
if ( (Get-PSSnapin -Name VMware.VimAutomation.Cloud -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin VMware.VimAutomation.Cloud
}
# Needed for the MessageBox used in the error handler below
Add-Type -AssemblyName System.Windows.Forms

try {
    # Placeholders; prefer -Credential (Get-Credential) over a password stored in the script.
    # -ErrorAction Stop makes a failed connection reach the catch block.
    Connect-CIServer -Server $CIServer -User '[username]' -Password '[password]' -ErrorAction Stop | Out-Null
} catch {
    Write-Error ("Could not connect to " + $CIServer + ": " + $_.Exception.Message)
    Exit
}

# Search EdgeGW
try {
    $myOrgNet = Get-Org -Name $orgName | Get-OrgNetwork -Name $orgNet -ErrorAction Stop
    $edgeHREF = $myOrgNet.ExtensionData.EdgeGateway.Href
    $edgeView = Search-Cloud -QueryType EdgeGateway -ErrorAction Stop | Get-CIView | Where-Object {$_.Href -eq $edgeHREF}
    if (-not $edgeView) { throw "No Edge Gateway found for org network '$orgNet'" }
} catch {
    [System.Windows.Forms.MessageBox]::Show("Exception: " + $_.Exception.Message + " - Failed item:" + $_.Exception.ItemName, "Error.", 0, [System.Windows.Forms.MessageBoxIcon]::Exclamation)
    Exit
}

# Item to Configure Services (shown for reference before it is replaced)
$edgeView.Configuration.EdgeGatewayServiceConfiguration
$fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
$fwService.FirewallRule = @()

# Build each rule as an object and then append it, in Num order. Rule order matters on a firewall,
# and this no longer requires Num to be a gap-free, zero-based index into the FirewallRule array.
Import-Csv -Path $csvFile | Sort-Object { $_.Num -as [int] } | ForEach-Object {
    $rule = New-Object vmware.vimautomation.cloud.views.firewallrule
    $rule.Description = $_.Descr
    $rule.Protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
    switch ($_.Proto)
    {
        "tcp" { $rule.Protocols.Tcp = $true }
        "udp" { $rule.Protocols.Udp = $true }
        "any" { $rule.Protocols.Any = $true }
        default { $rule.Protocols.Any = $true }
    }
    $rule.SourceIp = $_.SrcIP
    if ($_.SrcPort -eq "any") { $srcPort = "-1" } else { $srcPort = $_.SrcPort }
    $rule.SourcePort = $srcPort
    $rule.DestinationIp = $_.DstIP
    $rule.DestinationPortRange = $_.DstPortRange
    $rule.Policy = $_.Policy
    $rule.IsEnabled = [System.Convert]::ToBoolean($_.isEnabled)
    $rule.EnableLogging = [System.Convert]::ToBoolean($_.EnableLogging)
    $fwService.FirewallRule += $rule
}

# Configure Edge (this replaces the whole firewall rule set on the edge)
$edgeView.ConfigureServices($fwService)
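As an added example (not part of this thread or of the scripts posted above): the replace script discards every firewall rule currently on the edge, so before running it a practitioner would want a backup of the existing rule set and a sanity check of the CSV that is about to be applied. The script below writes the edge's current rules to a CSV in the same column layout the replace script reads, and validates a candidate CSV for address, port and policy syntax, duplicate Num values, and wide-open allow rules. It assumes an existing Connect-CIServer session with the Cloud snapin loaded; the parameter names and the property path Configuration.EdgeGatewayServiceConfiguration.FirewallService are assumptions modelled on the views used in the posts above.

```powershell
# Added example, not from this thread. Assumes an existing Connect-CIServer session.
# The -Edge/-BackupCsv/-CandidateCsv parameters and the FirewallService property path are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Edge,
    [Parameter(Mandatory = $true)][string]$BackupCsv,
    [string]$CandidateCsv
)

# Accepts 'any', a single address, a CIDR block (a.b.c.d/nn) or an a.b.c.d-e.f.g.h range.
function Test-AddressSpec ([string]$Spec) {
    if ($Spec -eq 'any') { return $true }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Spec, [ref]$ip)) { return $true }
    if ($Spec -match '^([^/]+)/(\d{1,2})$') {
        return ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and [int]$Matches[2] -le 32)
    }
    if ($Spec -match '^([^-]+)-([^-]+)$') {
        return ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and [System.Net.IPAddress]::TryParse($Matches[2], [ref]$ip))
    }
    return $false
}

# Accepts 'any', -1, a single port or a lo-hi range within 1-65535.
function Test-PortSpec ([string]$Spec) {
    if ($Spec -eq 'any' -or $Spec -eq '-1') { return $true }
    if ($Spec -match '^(\d{1,5})(?:-(\d{1,5}))?$') {
        $lo = [int]$Matches[1]
        $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
        return ($lo -ge 1 -and $hi -le 65535 -and $lo -le $hi)
    }
    return $false
}

# Returns the problems found in a CSV; an empty list means it is safe to hand to the replace script.
function Test-FirewallRuleCsv ([string]$Path) {
    $problems = New-Object System.Collections.Generic.List[string]
    $seen = @{}
    foreach ($row in (Import-Csv -Path $Path)) {
        $tag = "Num=$($row.Num)"
        if ($seen.ContainsKey($row.Num)) { $problems.Add("$tag is duplicated") } else { $seen[$row.Num] = $true }
        if (-not (Test-AddressSpec $row.SrcIP)) { $problems.Add("$tag SrcIP '$($row.SrcIP)' is not an address, CIDR, range or any") }
        if (-not (Test-AddressSpec $row.DstIP)) { $problems.Add("$tag DstIP '$($row.DstIP)' is not an address, CIDR, range or any") }
        if (-not (Test-PortSpec $row.SrcPort)) { $problems.Add("$tag SrcPort '$($row.SrcPort)' is invalid") }
        if (-not (Test-PortSpec $row.DstPortRange)) { $problems.Add("$tag DstPortRange '$($row.DstPortRange)' is invalid") }
        if (@('allow', 'drop') -notcontains $row.Policy) { $problems.Add("$tag Policy '$($row.Policy)' must be allow or drop") }
        if (@('tcp', 'udp', 'any') -notcontains $row.Proto) { $problems.Add("$tag Proto '$($row.Proto)' falls through to 'any' in the replace script") }
        # A wide-open allow is occasionally intended, but it should never reach the edge unnoticed.
        if ($row.Policy -eq 'allow' -and $row.SrcIP -eq 'any' -and $row.DstIP -eq 'any' -and $row.DstPortRange -eq 'any') {
            $problems.Add("$tag allows any source to any destination on any port; confirm this is intended")
        }
    }
    return ,$problems
}

# Writes the edge's current rules to CSV (order preserved via Num) so the replace can be rolled back.
function Export-EdgeFirewallRules ([string]$EdgeName, [string]$Path) {
    $edgeView = Search-Cloud -QueryType EdgeGateway -Name $EdgeName -ErrorAction Stop | Get-CIView
    if (-not $edgeView) { throw "Edge Gateway '$EdgeName' not found" }
    $fw = $edgeView.Configuration.EdgeGatewayServiceConfiguration.FirewallService
    $num = 0
    $rows = foreach ($r in @($fw.FirewallRule)) {
        # The replace script only distinguishes tcp, udp and any, so map back to those three
        $proto = if ($r.Protocols.Tcp) { 'tcp' } elseif ($r.Protocols.Udp) { 'udp' } else { 'any' }
        [pscustomobject]@{
            Num = $num; Descr = $r.Description; Proto = $proto
            SrcIP = $r.SourceIp; SrcPort = $r.SourcePort
            DstIP = $r.DestinationIp; DstPortRange = $r.DestinationPortRange
            Policy = $r.Policy; Direction = ''
            isEnabled = $r.IsEnabled; EnableLogging = $r.EnableLogging
        }
        $num++
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return "$EdgeName has default action '$($fw.DefaultAction)'; $num rule(s) saved to $Path"
}

Export-EdgeFirewallRules -EdgeName $Edge -Path $BackupCsv
if ($CandidateCsv) {
    $issues = Test-FirewallRuleCsv -Path $CandidateCsv
    if ($issues.Count -gt 0) {
        $issues | ForEach-Object { Write-Warning $_ }
        exit 1
    }
    "No problems found in $CandidateCsv; the previous rule set is in $BackupCsv"
}
```

Saved as a .ps1, it is run with -Edge (the edge gateway name), -BackupCsv (where the current rules are written) and optionally -CandidateCsv (the file the replace script is about to load); a non-zero exit means the candidate should be corrected first. The backup CSV can be fed straight back into the replace script to restore the previous rule set, and the default action it reports is worth noting because the replace script hard-codes "drop".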