#PowerShell script to configure the NSX-V Distributed Firewall per VMware Validated Design guidance
#Created by Brian O'Connell
#VMware ISBU Solutions Architecture
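### User Variables ###
# Target vCenter Server details
$vCenterServer = "sfo01m01vc01.rainpole.local"
$vCenterServerUser = "administrator@vsphere.local"
# NOTE(review): the vCenter and NSX passwords below are stored in plaintext and
# handed to Connect-VIServer / Connect-NSXServer as command-line arguments in
# Connect-Server. Prefer prompting for them (Get-Credential or
# Read-Host -AsSecureString) or reading them from a secret store instead of
# committing them next to the rest of the configuration.
$vCenterServerPassword = "VMw@re1!"
# Target NSX Manager details (the NSX user name is fixed to "admin" in Connect-Server)
$NSXServer = "sfo01m01nsx01.rainpole.local"
$NSXAdminPassword = "VMw@re1!"
# VM Name of vCenter to exclude from the DFW. e.g. "sfo01m01vc01"
$vCenterToExclude = "sfo01m01vc01"
# Every *IPs value below is a single comma-separated string; it is passed as-is to
# New-NsxIpSet -IPAddress when the IP Sets are created.
# Comma separated list of Platform Services Controller IPs. e.g. "192.168.110.61,192.168.110.63"
$PSCIPs = "192.168.110.61,192.168.110.63"
# Comma separated list of vCenter Server IPs. e.g. "192.168.110.62,192.168.110.64"
$VCIPs = "192.168.110.62,192.168.110.64"
# Comma separated list of vRealize Automation Appliance IPs. e.g. "192.168.11.50,192.168.11.51,192.168.11.52"
$vRAIPs = "192.168.11.50,192.168.11.51,192.168.11.52"
# Comma separated list of vRealize Automation IaaS Web, Manager & DEM instance IPs. e.g. "192.168.11.54,192.168.11.55,192.168.11.57,192.168.11.58,192.168.11.60,192.168.11.61"
# NOTE(review): CreateNSXIpSets must read this exact variable name ($vRAIaaSIPs).
$vRAIaaSIPs = "192.168.11.54,192.168.11.55,192.168.11.57,192.168.11.58,192.168.11.60,192.168.11.61"
# Comma separated list of vRealize Automation IaaS Proxy Agent IPs. e.g. "192.168.31.52,192.168.31.53"
$vRAProxyIPs = "192.168.31.52,192.168.31.53"
# vRealize Business Server IP. e.g. "192.168.11.66"
$vRBIPs = "192.168.11.66"
# Comma separated list of vRealize Business Collector IPs. e.g. "192.168.31.54"
$vRBCIPs = "192.168.31.54"
# Comma separated list of vRealize Operations Manager Analytics cluster node IPs. e.g. "192.168.11.31,192.168.11.32,192.168.11.33"
$vROPsIPs = "192.168.11.31,192.168.11.32,192.168.11.33"
# Comma separated list of vRealize Operations Manager Remote Collector node IPs. e.g. "192.168.31.31,192.168.31.32"
$vROPsCIPs = "192.168.31.31,192.168.31.32"
# Comma separated list of vRealize Log Insight node IPs including forwarders. e.g. "192.168.31.11,192.168.31.12,192.168.31.13"
$vRLIIPs = "192.168.31.11,192.168.31.12,192.168.31.13"
# Comma separated list of vRealize Lifecycle Manager node IPs. e.g. "192.168.11.20"
$vRSLCMIPs = "192.168.11.20"
# Region Specific Site Recovery Manager IP. e.g. "192.168.110.124"
$SRMIPs = "192.168.110.124"
# Region Specific vSphere Replication IP. e.g. "192.168.110.123"
$vRIPs = "192.168.110.123"
# Region Specific Update Manager Download Service IP. e.g. "192.168.110.67"
$UMDSIPs = "192.168.110.67"
# Comma separated list of Management-VLAN_Subnets, Management-VXLAN_Subnets. e.g. "192.168.110.0/24,192.168.11.0/24,192.168.31.0/24"
# Used as the source of the broad "Allow SDDC to any" rule, so keep it limited to
# the management networks.
$SDDCIPs = "192.168.110.0/24,192.168.11.0/24,192.168.31.0/24"
# Comma separated list of Administrator Subnets. e.g. "192.168.110.0/24"
# Source for every "... to admins" rule (SSH, RDP, HTTPS, VAMI, ...).
$AdminsIPs = "192.168.110.0/24"
### DO NOT MODIFY ANYTHING BELOW THIS LINE UNLESS YOU REQUIRE CUSTOM NAMES FOR IP SETS & SECURITY GROUPS ###
# Display names of the IP Sets (one per *IPs value above).
$IpSetPSCName = "Platform Services Controller Instances"
$IpSetVCName = "vCenter Server Instances"
$IPSetvRAName = "vRealize Automation Appliances"
$IPSetvRAIaaSName = "vRealize Automation Windows"
$IPSetvRAProxyName = "vRealize Automation Proxy Agents"
$IPSetvRBName = "vRealize Business Server"
$IPSetvRBCName = "vRealize Business Data Collector"
$IPSetvROPsName = "vRealize Operations Manager"
$IPSetvROPsCName = "vRealize Operations Manager Remote Collectors"
$IPSetvRLIName = "vRealize Log Insight"
$IPSetvRSLCMName = "vRealize Suite Lifecycle Manager"
$IPSetSRMName = "Site Recovery Manager"
$IPSetvRName = "vSphere Replication"
$IPSetUMDSName = "Update Manager Download Service"
$IPSetSDDCName = "SDDC"
$IPSetAdminsName = "Administrators"
# Names of the two nested Security Groups that aggregate the per-product groups.
$WindowsServersSGName = "Windows Servers"
$VMwareAppliancesSGName = "VMware Appliances"
# DFW section that receives all rules below.
$NSXFirewallSectionName = "VMware Management Services"
# Rule names, in the order the rules are created.
$Rule1Name = "Allow vRA Portal to end users"
$Rule2Name = "Allow vRA Console Proxy to end users"
$Rule3Name = "Allow SDDC to any"
$Rule4Name = "Allow PSC to admins"
$Rule5Name = "Allow SSH to admins"
$Rule6Name = "Allow RDP to admins"
$Rule7Name = "Allow Orchestrator to admins"
$Rule8Name = "Allow vRB Data Collector to admins"
$Rule9Name = "Allow vROPs to admins"
$Rule10Name = "Allow vRLI to admins"
$Rule11Name = "Allow vRSLCM to admins"
$Rule12Name = "Allow VAMI to admins"
$Rule13Name = "Allow VMware VADP Solution to admins"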
### DO NOT MODIFY ANYTHING BELOW THIS LINE ###
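Function Get-PowerCli {
    # Ensure a VMware PowerCLI module is available, installing it from the
    # PowerShell Gallery when none is found.
    # Uses Get-Module -ListAvailable like Get-PowerNSX so both checks look at
    # installed modules the same way; the wildcard keeps matching any VMware.*
    # module, as the original check did.
    Write-Host "Checking if PowerCli is installed" -ForegroundColor Cyan
    if (Get-Module -ListAvailable -Name *VMware*) {
        Write-Host "PowerCli is installed" -ForegroundColor Green
    }
    else {
        Write-Host "PowerCli is not installed" -ForegroundColor Red
        Write-Host "Attempting Install" -ForegroundColor Cyan
        # Installs for all users by default and therefore may need an elevated session.
        Find-Module -Name VMware.PowerCLI | Install-Module
    }
}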
Function Get-PowerNSX {
    # Ensure the PowerNSX module is installed; install it from the gallery otherwise.
    Write-Host "Checking if PowerNSX is installed" -ForegroundColor Cyan
    $installed = Get-Module -ListAvailable -Name PowerNSX
    if (-not $installed) {
        Write-Host "PowerNSX is not installed" -ForegroundColor Red
        Write-Host "Attempting Install" -ForegroundColor Cyan
        Find-Module PowerNSX | Install-Module
        return
    }
    Write-Host "PowerNSX is installed" -ForegroundColor Green
}
Function Connect-Server {
    # Open the vCenter and NSX Manager sessions the rest of the script relies on.
    # Credentials come from the script-level user variables; the NSX user is
    # always "admin".
    $viArgs = @{
        Server   = $vCenterServer
        User     = $vCenterServerUser
        Password = $vCenterServerPassword
    }
    Write-Host "Connecting to $vCenterServer" -ForegroundColor Cyan
    Connect-VIServer @viArgs | Out-Null

    $nsxArgs = @{
        Server   = $NSXServer
        User     = "admin"
        Password = $NSXAdminPassword
    }
    Write-Host "Connecting to $NSXServer" -ForegroundColor Cyan
    Connect-NSXServer @nsxArgs | Out-Null
}
#Add VMs to the DFW Exclusion List
Function ExcludeVM {
    # Put the vCenter VM named in $vCenterToExclude on the DFW exclusion list.
    Write-Host "Adding $vCenterToExclude to the DFW Exclusions List" -ForegroundColor Cyan
    $vm = Get-VM $vCenterToExclude
    $vm | Add-NsxFirewallExclusionListMember | Out-Null
    Write-Host "Done" -ForegroundColor Green
}
#Create IP Sets
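Function CreateNSXIpSets {
    # Create one universal IP Set per management component, named after the
    # $IpSet*Name / $IPSet*Name variables and populated from the matching *IPs value.
    # [ordered] keeps creation in the listed order (a plain hashtable enumerates
    # its keys in an unspecified order).
    # Fix: the IaaS entry previously read the undefined $IPSetvRAIaaIPs, so the
    # "vRealize Automation Windows" IP Set was created without its addresses;
    # the user variable is $vRAIaaSIPs.
    $IPSetHash = [ordered]@{
        $IpSetPSCName      = $PSCIPs
        $IpSetVCName       = $VCIPs
        $IPSetvRAName      = $vRAIPs
        $IPSetvRAIaaSName  = $vRAIaaSIPs
        $IPSetvRAProxyName = $vRAProxyIPs
        $IPSetvRBName      = $vRBIPs
        $IPSetvRBCName     = $vRBCIPs
        $IPSetvROPsName    = $vROPsIPs
        $IPSetvROPsCName   = $vROPsCIPs
        $IPSetvRLIName     = $vRLIIPs
        $IPSetvRSLCMName   = $vRSLCMIPs
        $IPSetSRMName      = $SRMIPs
        $IPSetvRName       = $vRIPs
        $IPSetUMDSName     = $UMDSIPs
        $IPSetSDDCName     = $SDDCIPs
        $IPSetAdminsName   = $AdminsIPs
    }
    foreach ($key in $IPSetHash.Keys) {
        $value = $IPSetHash[$key]
        Write-Host "Creating IP Set $key" -ForegroundColor Cyan
        New-NsxIpSet -Name $key -Universal -IPAddress $value | Out-Null
        Write-Host "Done" -ForegroundColor Green
    }
}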
# Create Security Groups
Function CreateNSXSecurityGroups {
    # Create a universal Security Group per IP Set (same name, IP Set as its
    # member), then two nested groups that contain the per-product groups.

    # Adds each named Security Group in $Members to the nested group $GroupName.
    Function Add-NestedMembers {
        param([string]$GroupName, [string[]]$Members)
        foreach ($memberName in $Members) {
            $parent = Get-NSXSecurityGroup $GroupName
            $child  = Get-NsxSecurityGroup $memberName
            Add-NSXSecurityGroupMember -SecurityGroup $parent -Member $child | Out-Null
        }
    }

    $IPSets = @(
        $IpSetPSCName, $IpSetVCName, $IPSetvRAName, $IPSetvRAIaaSName,
        $IPSetvRAProxyName, $IPSetvRBName, $IPSetvRBCName, $IPSetvROPsName,
        $IPSetvROPsCName, $IPSetvRLIName, $IPSetvRSLCMName, $IPSetSRMName,
        $IPSetvRName, $IPSetUMDSName, $IPSetSDDCName, $IPSetAdminsName
    )
    foreach ($IPSet in $IPSets) {
        $ipSetObject = Get-NsxIpSet $IPSet
        $IPSetName   = $ipSetObject | Select-Object -ExpandProperty Name
        Write-Host "Creating Security Group $IPSetName" -ForegroundColor Cyan
        New-NsxSecurityGroup $IPSetName -Universal -IncludeMember (Get-NsxIpSet $IPSet) | Out-Null
        Write-Host "Done" -ForegroundColor Green
    }

    # Nested Security Group: Windows Servers (SRM, vRA IaaS, vRA Proxy Agents)
    Write-Host "Creating Security Group $WindowsServersSGName" -ForegroundColor Cyan
    New-NsxSecurityGroup $WindowsServersSGName -Universal | Out-Null
    Add-NestedMembers -GroupName $WindowsServersSGName -Members @($IPSetSRMName, $IPSetvRAIaaSName, $IPSetvRAProxyName)
    Write-Host "Done" -ForegroundColor Green

    # Nested Security Group: VMware Appliances (all Linux-based appliance groups)
    Write-Host "Creating Security Group $VMwareAppliancesSGName" -ForegroundColor Cyan
    New-NsxSecurityGroup $VMwareAppliancesSGName -Universal | Out-Null
    Add-NestedMembers -GroupName $VMwareAppliancesSGName -Members @(
        $IpSetPSCName, $IpSetVCName, $IPSetvRName, $IPSetvRAName, $IPSetvRBName,
        $IPSetvRBCName, $IPSetvROPsName, $IPSetvROPsCName, $IPSetvRSLCMName, $IPSetvRLIName
    )
    Write-Host "Done" -ForegroundColor Green
}
# Create Firewall Section
Function CreateNSXFirewallSection {
    # Create the universal DFW section that receives every rule of this script.
    # The new section object is written to the pipeline (not suppressed).
    $sectionArgs = @{ Name = $NSXFirewallSectionName; Universal = $true }
    New-NsxFirewallSection @sectionArgs
}
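#######################################
# Return the universal DFW rule called $Name.
# Get-NsxFirewallRule -Name matches by name only, so the managedBy filter keeps
# the universal copy if a locally managed rule shares the name.
#######################################
Function Get-VVDUniversalFirewallRule {
    param([Parameter(Mandatory = $true)][string]$Name)
    Get-NsxFirewallRule -Name $Name | Where-Object { $_.managedBy -eq "universalroot-0" }
}

#######################################
# Create one "allow" rule in $NSXFirewallSectionName and attach its members.
# Arguments:
#   Name         - rule name (one of the $Rule<N>Name values)
#   Service      - NSX service object(s) the rule matches; omitted => any service
#   Sources      - Security Group names added as rule sources (may be empty => any)
#   Destinations - Security Group names added as rule destinations (may be empty => any)
# Outputs: progress to the console; the created rule itself is not returned.
#######################################
Function New-VVDFirewallRule {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        $Service = $null,
        [string[]]$Sources = @(),
        [string[]]$Destinations = @()
    )
    Write-Host "Creating DFW Rule: $Name" -ForegroundColor Cyan
    $ruleArgs = @{ Name = $Name; Action = "allow" }
    # Bind -Service only when one was supplied; without it the rule matches any service.
    # ($null on the left keeps the comparison scalar when $Service is an array.)
    if ($null -ne $Service) { $ruleArgs['Service'] = $Service }
    Get-NsxFirewallSection $NSXFirewallSectionName | New-NsxFirewallRule @ruleArgs | Out-Null
    foreach ($source in $Sources) {
        Get-VVDUniversalFirewallRule -Name $Name |
            Add-NsxFirewallRuleMember -MemberType Source (Get-NSXSecurityGroup $source) | Out-Null
    }
    foreach ($destination in $Destinations) {
        Get-VVDUniversalFirewallRule -Name $Name |
            Add-NsxFirewallRuleMember -MemberType Destination (Get-NSXSecurityGroup $destination) | Out-Null
    }
    Write-Host "Done" -ForegroundColor Green
}

Function Create-NSXFirewallRules {
    # Create the thirteen management-services rules in the section named by
    # $NSXFirewallSectionName, in the same order as the $Rule<N>Name variables.
    # Expects Connect-Server to have run and the section to exist.

    # Built-in services, filtered to the universal copy so a same-named local
    # service is not picked up.
    $SSH   = Get-NsxService SSH   | Where-Object { $_.isUniversal -eq $true }
    $HTTP  = Get-NsxService HTTP  | Where-Object { $_.isUniversal -eq $true }
    $HTTPS = Get-NsxService HTTPS | Where-Object { $_.isUniversal -eq $true }
    $RDP   = Get-NsxService RDP   | Where-Object { $_.isUniversal -eq $true }
    $HTTPALL = @($HTTP, $HTTPS)

    # Custom universal services for the management ports the design needs.
    # NOTE(review): New-NsxService is not idempotent here; rerunning this step
    # with the services already present will try to create duplicates. The
    # services are looked up again after creation, filtered to universal, so the
    # rules reference exactly the objects created with -Universal.
    New-NsxService -Name 'TCP8444' -Universal -Protocol tcp -Port 8444 | Out-Null
    New-NsxService -Name 'TCP5480' -Universal -Protocol tcp -Port 5480 | Out-Null
    New-NsxService -Name 'TCP8543' -Universal -Protocol tcp -Port 8543 | Out-Null
    New-NsxService -Name 'TCP8283-8281' -Universal -Protocol tcp -Port '8283,8281' | Out-Null
    $TCP8444      = Get-NsxService 'TCP8444'      | Where-Object { $_.isUniversal -eq $true }
    $TCP5480      = Get-NsxService 'TCP5480'      | Where-Object { $_.isUniversal -eq $true }
    $TCP8543      = Get-NsxService 'TCP8543'      | Where-Object { $_.isUniversal -eq $true }
    $TCP8283_8281 = Get-NsxService 'TCP8283-8281' | Where-Object { $_.isUniversal -eq $true }

    # One entry per rule; keys match New-VVDFirewallRule's parameters. Order is
    # the order the rules are created in the section.
    $rules = @(
        # End-user facing: vRA portal over HTTP/HTTPS, any source
        @{ Name = $Rule1Name;  Service = $HTTPALL;      Destinations = @($IPSetvRAName, $IPSetvRAIaaSName, $IPSetvRBName) }
        # End-user facing: vRA console proxy, any source
        @{ Name = $Rule2Name;  Service = $TCP8444;      Destinations = @($IPSetvRAName) }
        # Source-only rule: any destination and any service for the SDDC management networks
        @{ Name = $Rule3Name;                           Sources = @($IPSetSDDCName) }
        @{ Name = $Rule4Name;  Service = $HTTPS;        Sources = @($IPSetAdminsName); Destinations = @($IpSetPSCName) }
        @{ Name = $Rule5Name;  Service = $SSH;          Sources = @($IPSetAdminsName); Destinations = @($VMwareAppliancesSGName, $IPSetUMDSName) }
        @{ Name = $Rule6Name;  Service = $RDP;          Sources = @($IPSetAdminsName); Destinations = @($WindowsServersSGName) }
        @{ Name = $Rule7Name;  Service = $TCP8283_8281; Sources = @($IPSetAdminsName); Destinations = @($IPSetvRAName) }
        @{ Name = $Rule8Name;  Service = $HTTPALL;      Sources = @($IPSetAdminsName); Destinations = @($IPSetvRBCName) }
        @{ Name = $Rule9Name;  Service = $HTTPALL;      Sources = @($IPSetAdminsName); Destinations = @($IPSetvROPsName, $IPSetvROPsCName) }
        @{ Name = $Rule10Name; Service = $HTTPALL;      Sources = @($IPSetAdminsName); Destinations = @($IPSetvRLIName) }
        @{ Name = $Rule11Name; Service = $HTTPS;        Sources = @($IPSetAdminsName); Destinations = @($IPSetvRSLCMName) }
        @{ Name = $Rule12Name; Service = $TCP5480;      Sources = @($IPSetAdminsName); Destinations = @($VMwareAppliancesSGName) }
        @{ Name = $Rule13Name; Service = $TCP8543;      Sources = @($IPSetAdminsName); Destinations = @($VMwareAppliancesSGName) }
    )
    foreach ($rule in $rules) {
        New-VVDFirewallRule @rule
    }
}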
Function anyKey
{
    # Block until a key is pressed (without echoing it), then redraw the menu.
    Write-Host -NoNewline -Object 'Press any key to return to the main menu...' -ForegroundColor Cyan
    $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown') | Out-Null
    Menu
}
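Function Menu
{
    # Interactive main menu. Redraws until the user chooses Q.
    # Fixes: the prompt offered "Q" but only the undocumented "3" quit, so Q fell
    # into the invalid-option branch; the loop condition ($Menu -ne '') ended the
    # loop on any non-empty input, so the invalid-option message was never shown;
    # option 2 never created the DFW section the rules are added to.
    $errout = ''
    Do
    {
        Clear-Host
        Write-Host -Object 'Please choose an option'
        Write-Host -Object '**********************'
        Write-Host -Object 'Configure VVD NSX Distributed Firewall' -ForegroundColor Cyan
        Write-Host -Object '**********************'
        Write-Host -Object ''
        Write-Host -Object '1. Create DFW exclusions, IP Sets & Security Groups'
        Write-Host -Object ''
        Write-Host -Object '2. Create DFW Rules'
        Write-Host -Object ''
        Write-Host -Object 'Q. Quit'
        Write-Host -Object $errout
        $choice = Read-Host -Prompt '(1-2, Q)'
        # switch compares case-insensitively by default, so 'q' also matches 'Q'.
        switch ($choice)
        {
            1
            {
                Get-PowerCli
                Get-PowerNSX
                Connect-Server
                ExcludeVM
                CreateNSXIpSets
                CreateNSXSecurityGroups
                anyKey
            }
            2
            {
                Get-PowerCli
                Get-PowerNSX
                Connect-Server
                # The rules are created inside this section, so it must exist first.
                # NOTE(review): rerunning option 2 creates the section again — confirm
                # whether New-NsxFirewallSection tolerates an existing name.
                CreateNSXFirewallSection | Out-Null
                Create-NSXFirewallRules
                anyKey
            }
            'Q'
            {
                Exit
            }
            default
            {
                $errout = 'Invalid option please try again........Try 1-2 or Q only'
            }
        }
    }
    until ($choice -eq 'Q')
}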
# Entry point: start the interactive menu.
Menu