From 25cfffa14f343f799fc236d6e1108297aaea0c49 Mon Sep 17 00:00:00 2001 From: William Lam Date: Wed, 2 Jan 2019 10:07:40 -0800 Subject: [PATCH 1/2] Adding "Get" functions for Distribugted FW rules --- Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 | 282 +++++++++++++++++-- 1 file changed, 266 insertions(+), 16 deletions(-) diff --git a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 index 5a30156..426a357 100644 --- a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 +++ b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 @@ -126,7 +126,8 @@ Function Get-NSXTSegment { } $results } else { - Write-Error "Failed to retrieve NSX-T Segments" + Write-Error "Error in retrieving NSX-T Segments" + Write-Error "Return code: " $requests.StatusCode } } } @@ -198,8 +199,8 @@ Function New-NSXTSegment { Write-Host "Succesfully created new NSX-T Segment $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id } else { - Write-Error "Failed to create new NSX-T Segment" - + Write-Error "Error in creating new NSX-T Segment" + Write-Error "Return code: " $requests.StatusCode } } } @@ -249,8 +250,8 @@ Function Remove-NSXTSegment { if($requests.StatusCode -eq 200) { Write-Host "Succesfully removed NSX-T Segment $Name" } else { - Write-Error "Failed to remove NSX-T Segments" - + Write-Error "Error in removing NSX-T Segments" + Write-Error "Return code: " $requests.StatusCode } } } @@ -321,7 +322,11 @@ Function Get-NSXTFirewall { Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$sourceGroupURL`n" } try { - $requests = Invoke-WebRequest -Uri $sourceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $sourceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $sourceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } } catch { Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" break @@ -343,7 +348,11 @@ Function Get-NSXTFirewall { Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$destionationGroupURL`n" } try { - $requests = Invoke-WebRequest -Uri $destionationGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $destionationGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $destionationGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } } catch { Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" break @@ -365,7 +374,11 @@ Function Get-NSXTFirewall { Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$serviceGroupURL`n" } try { - $requests = Invoke-WebRequest -Uri $serviceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $serviceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $serviceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } } catch { Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" break @@ -389,7 +402,8 @@ Function Get-NSXTFirewall { $results } else { - Write-Error "Failed to retrieve NSX-T Firewall Rules" + Write-Error "Error in retrieving NSX-T Firewall Rules" + Write-Error "Return code: " $requests.StatusCode } } } @@ -487,7 +501,8 @@ Function New-NSXTFirewall { Write-Host "Succesfully created new NSX-T Firewall Rule $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id } else { - Write-Error "Failed to create new NSX-T Firewall Rule" + Write-Error "Error in creating new NSX-T Firewall Rule" + Write-Error "Return code: " $requests.StatusCode } } } @@ -538,7 +553,8 @@ Function Remove-NSXTFirewall { if($requests.StatusCode -eq 200) { Write-Host "Succesfully removed NSX-T Firewall Rule $Name" } else { - Write-Error "Failed to create new NSX-T Firewall Rule" + Write-Error "Error in creating new NSX-T Firewall Rule" + Write-Error "Return code: " $requests.StatusCode } } } @@ -622,7 +638,8 @@ Function Get-NSXTGroup { } $results } else { - Write-Error "Failed to retrieve NSX-T Groups" + Write-Error "Error in retrieving NSX-T Groups" + Write-Error "Return code: " $requests.StatusCode } } } @@ -687,7 +704,8 @@ Function New-NSXTGroup { Write-Host "Succesfully created new NSX-T Group $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id } else { - Write-Error "Failed to create new NSX-T Group" + Write-Error "Error in creating new NSX-T Group" + Write-Error "Return code: " $requests.StatusCode } } } @@ -738,7 +756,8 @@ Function Remove-NSXTGroup { if($requests.StatusCode -eq 200) { Write-Host "Succesfully removed NSX-T Group $Name" } else { - Write-Error "Failed to create new NSX-T Group" + Write-Error "Error in creating new NSX-T Group" + Write-Error "Return code: " $requests.StatusCode } } } @@ -812,7 +831,8 @@ Function Get-NSXTService { } $results } else { - Write-Error "Failed to retrieve NSX-T Services" + Write-Error "Error in retrieving NSX-T Services" + Write-Error "Return code: " $requests.StatusCode } } } @@ -881,7 +901,237 @@ Function New-NSXTService { Write-Host "Succesfully created new NSX-T Service $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id } else { - Write-Error "Failed to create new NSX-T Service" + Write-Error "Error in creating new NSX-T Service" + Write-Error "Return code: " $requests.StatusCode + } + } +} + +Function Get-NSXTDistFirewallSection { +<# + .NOTES + =========================================================================== + Created by: William Lam + Date: 12/31/2018 + Organization: VMware + Blog: http://www.virtuallyghetto.com + Twitter: @lamw + =========================================================================== + + .SYNOPSIS + Returns all NSX-T Distributed Firewall Groups + .DESCRIPTION + This cmdlet retrieves all NSX-T Distributed Firewall Sections + .EXAMPLE + Get-NSXTDistFirewallSection + .EXAMPLE + Get-NSXTDistFirewallSection -Name "App Section 1" + .EXAMPLE + et-NSXTDistFirewallSection -Category Emergency +#> + param( + [Parameter(Mandatory=$false)][String]$Name, + [Parameter(Mandatory=$false)][ValidateSet("Emergency","Infrastructure","Environment","Application")][String]$Category, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + $method = "GET" + $distFirewallGroupURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/cgw/communication-maps" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$distFirewallGroupURL`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $distFirewallGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $distFirewallGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } + + if($requests.StatusCode -eq 200) { + $groups = ($requests.Content | ConvertFrom-Json).results + + if ($PSBoundParameters.ContainsKey("Name")){ + $groups = $groups | where {$_.display_name -eq $Name} + } + + if ($PSBoundParameters.ContainsKey("Category")){ + $groups = $groups | where {$_.category -eq $Category} + } + + $results = @() + foreach ($group in $groups | Sort-Object -Property category) { + $tmp = [pscustomobject] @{ + Id = $group.id; + Section = $group.display_name; + Category = $group.category; + Precedence = $group.precedence; + } + $results+=$tmp + } + $results + + } else { + Write-Error "Error in retrieving NSX-T Distributed Firewall Sections" + Write-Error "Return code: " $requests.StatusCode + } + } +} + +Function Get-NSXTDistFirewall { +<# + .NOTES + =========================================================================== + Created by: William Lam + Date: 09/11/2018 + Organization: VMware + Blog: http://www.virtuallyghetto.com + Twitter: @lamw + =========================================================================== + + .SYNOPSIS + Returns all NSX-T Distributed Firewall Rules for a given Section + .DESCRIPTION + This cmdlet retrieves all NSX-T Distributed Firewall Rules for a given Section + .EXAMPLE + Get-NSXTDistFirewall -Name "App Section 1" +#> + param( + [Parameter(Mandatory=$true)][String]$Name, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + try { + $distGroupId = (Get-NSXTDistFirewallSection -Name $Name).Id + } + catch { + Write-Host -ForegroundColor Red "`nUnable to find NSX-T Distributed Firewall Group named $Name`n" + break + } + + $method = "GET" + $distFirewallURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/cgw/communication-maps/$distGroupId" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$distFirewallURL`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $distFirewallURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $distFirewallURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + Write-Host -ForegroundColor Red "`nFailed to retrieve Distributed Firewall Rules`n" + break + } + + if($requests.StatusCode -eq 200) { + $rules = ($requests.Content | ConvertFrom-Json).communication_entries + + $results = @() + foreach ($rule in $rules | Sort-Object -Property sequence_number) { + $sourceGroups = $rule.source_groups + $source = @() + foreach ($sourceGroup in $sourceGroups) { + if($sourceGroup -eq "ANY") { + $source += $sourceGroup + break + } else { + $sourceGroupURL = $global:nsxtProxyConnection.Server + "/policy/api/v1" + $sourceGroup + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$sourceGroupURL`n" + } + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $sourceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $sourceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + Write-Host -ForegroundColor Red "`nFailed to retrieve Source Group Rule mappings`n" + break + } + $group = ($requests.Content | ConvertFrom-Json) + $source += $group.display_name + } + } + + $destinationGroups = $rule.destination_groups + $destination = @() + foreach ($destinationGroup in $destinationGroups) { + if($destinationGroup -eq "ANY") { + $destination += $destinationGroup + break + } else { + $destionationGroupURL = $global:nsxtProxyConnection.Server + "/policy/api/v1" + $destinationGroup + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$destionationGroupURL`n" + } + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $destionationGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $destionationGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + Write-Host -ForegroundColor Red "`nFailed to retireve Destination Group Rule mappings`n" + break + } + $group = ($requests.Content | ConvertFrom-Json) + $destination += $group.display_name + } + } + + $serviceGroups = $rule.services + $service = @() + foreach ($serviceGroup in $serviceGroups) { + if($serviceGroup -eq "ANY") { + $service += $serviceGroup + break + } else { + $serviceGroupURL = $global:nsxtProxyConnection.Server + "/policy/api/v1" + $serviceGroup + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$serviceGroupURL`n" + } + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $serviceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $serviceGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + Write-Host -ForegroundColor Red "`nFailed to retrieve Services Rule mappings`n" + break + } + $group = ($requests.Content | ConvertFrom-Json) + $service += $group.display_name + } + } + + $tmp = [pscustomobject] @{ + SequenceNumber = $rule.sequence_number; + Name = $rule.display_name; + ID = $rule.id; + Source = $source; + Destination = $destination; + Services = $service; + Action = $rule.action; + } + $results+=$tmp + } + $results + } else { + Write-Error "Error in retrieving NSX-T Distributed Firewall Rules" + Write-Error "Return code: " $requests.StatusCode } } } \ No newline at end of file From 5571a8900a4d39c5a8739e6f3a13276a05fe0734 Mon Sep 17 00:00:00 2001 From: William Lam Date: Thu, 3 Jan 2019 12:21:50 -0800 Subject: [PATCH 2/2] Added {New,Remove}-NSXTDisFirewall functions --- Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 | 411 ++++++++++++++----- 1 file changed, 319 insertions(+), 92 deletions(-) diff --git a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 index 426a357..ef83777 100644 --- a/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 +++ b/Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1 @@ -96,8 +96,14 @@ Function Get-NSXTSegment { $requests = Invoke-WebRequest -Uri $segmentsURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Segments" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { @@ -125,9 +131,6 @@ Function Get-NSXTSegment { $results+=$tmp } $results - } else { - Write-Error "Error in retrieving NSX-T Segments" - Write-Error "Return code: " $requests.StatusCode } } } @@ -191,16 +194,19 @@ Function New-NSXTSegment { $requests = Invoke-WebRequest -Uri $newSegmentsURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Segment" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { Write-Host "Succesfully created new NSX-T Segment $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id - } else { - Write-Error "Error in creating new NSX-T Segment" - Write-Error "Return code: " $requests.StatusCode } } } @@ -243,15 +249,18 @@ Function Remove-NSXTSegment { $requests = Invoke-WebRequest -Uri $deleteSegmentsURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in removing NSX-T Segments" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { Write-Host "Succesfully removed NSX-T Segment $Name" - } else { - Write-Error "Error in removing NSX-T Segments" - Write-Error "Return code: " $requests.StatusCode } } } @@ -297,8 +306,14 @@ Function Get-NSXTFirewall { $requests = Invoke-WebRequest -Uri $edgeFirewallURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Firewall Rules" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { @@ -401,9 +416,6 @@ Function Get-NSXTFirewall { } $results - } else { - Write-Error "Error in retrieving NSX-T Firewall Rules" - Write-Error "Return code: " $requests.StatusCode } } } @@ -424,15 +436,14 @@ Function New-NSXTFirewall { .DESCRIPTION This cmdlet creates a new NSX-T Firewall Rule on MGW or CGW .EXAMPLE - New-NSXTFirewall -GatewayType MGW -Name TEST -Id TEST -SourceGroupId ESXI -DestinationGroupId ANY -Service ANY -Logged $true -SequenceNumber 7 -Action ALLOW + New-NSXTFirewall -GatewayType MGW -Name TEST -SourceGroup @("ANY") -DestinationGroup @("ESXI") -Service ANY -Logged $true -SequenceNumber 0 -Action ALLOW #> Param ( [Parameter(Mandatory=$True)]$Name, [Parameter(Mandatory=$true)][ValidateSet("MGW","CGW")][String]$GatewayType, - [Parameter(Mandatory=$True)]$Id, [Parameter(Mandatory=$True)]$SequenceNumber, - [Parameter(Mandatory=$True)]$SourceGroupId, - [Parameter(Mandatory=$True)]$DestinationGroupId, + [Parameter(Mandatory=$True)]$SourceGroup, + [Parameter(Mandatory=$True)]$DestinationGroup, [Parameter(Mandatory=$True)]$Service, [Parameter(Mandatory=$True)][ValidateSet("ALLOW","DENY")]$Action, [Parameter(Mandatory=$false)][Boolean]$Logged=$false, @@ -441,34 +452,43 @@ Function New-NSXTFirewall { If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { - if($DestinationGroupId -eq "ANY") { - $destinationGroups = $DestinationGroupId - } else { - $destinationGroups = "/infra/domains/$($GatewayType.toLower())/groups/$DestinationGroupId" + $generatedId = (New-Guid).Guid + + $destinationGroups = @() + foreach ($group in $DestinationGroup) { + if($group -eq "ANY") { + $destinationGroups = @("ANY") + } else { + $tmp = (Get-NSXTGroup -GatewayType $GatewayType -Name $group).Path + $destinationGroups+= $tmp + } } $sourceGroups = @() - foreach ($group in $SourceGroupId) { - $tmp = "/infra/domains/$($GatewayType.toLower())/groups/$group" - $sourceGroups+= $tmp + foreach ($group in $SourceGroup) { + if($group -eq "ANY") { + $sourceGroups = @("ANY") + } else { + $tmp = (Get-NSXTGroup -GatewayType $GatewayType -Name $group).Path + $sourceGroups+= $tmp + } } $services = @() foreach ($serviceName in $Service) { - if($serviceName -eq "ANY") { - $tmp = "ANY" + if($group -eq "ANY") { + $services = @("ANY") } else { $tmp = "/infra/services/$serviceName" + $services+=$tmp } - $services+=$tmp } $payload = @{ display_name = $Name; resource_type = "CommunicationEntry"; - id = $Id; sequence_number = $SequenceNumber; - destination_groups = @($destinationGroups); + destination_groups = $destinationGroups; source_groups = $sourceGroups; logged = $Logged; scope = @("/infra/labels/$($GatewayType.toLower())"); @@ -479,7 +499,7 @@ Function New-NSXTFirewall { $body = $payload | ConvertTo-Json -depth 5 $method = "PUT" - $newFirewallURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/$($GatewayType.toLower())/gateway-policies/default/rules/$Id" + $newFirewallURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/$($GatewayType.toLower())/gateway-policies/default/rules/$generatedId" if($Troubleshoot) { Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$newFirewallURL`n" @@ -493,16 +513,19 @@ Function New-NSXTFirewall { $requests = Invoke-WebRequest -Uri $newFirewallURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Firewall Rule" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { Write-Host "Succesfully created new NSX-T Firewall Rule $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id - } else { - Write-Error "Error in creating new NSX-T Firewall Rule" - Write-Error "Return code: " $requests.StatusCode } } } @@ -546,15 +569,18 @@ Function Remove-NSXTFirewall { $requests = Invoke-WebRequest -Uri $deleteGgroupURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Firewall Rule" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { - Write-Host "Succesfully removed NSX-T Firewall Rule $Name" - } else { - Write-Error "Error in creating new NSX-T Firewall Rule" - Write-Error "Return code: " $requests.StatusCode + Write-Host "Succesfully removed NSX-T Firewall Rule" } } } @@ -600,8 +626,14 @@ Function Get-NSXTGroup { $requests = Invoke-WebRequest -Uri $edgeFirewallGroupsURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Groups" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { @@ -633,13 +665,11 @@ Function Get-NSXTGroup { ID = $group.id; Type = $groupType; Members = $members; + Path = $group.path; } $results+=$tmp } $results - } else { - Write-Error "Error in retrieving NSX-T Groups" - Write-Error "Return code: " $requests.StatusCode } } } @@ -682,7 +712,8 @@ Function New-NSXTGroup { $body = $payload | ConvertTo-Json -depth 5 $method = "PUT" - $newGroupURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/$($GatewayType.toLower())/groups/$Name" + $generatedId = (New-Guid).Guid + $newGroupURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/$($GatewayType.toLower())/groups/$generatedId" if($Troubleshoot) { Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$newGroupURL`n" @@ -696,16 +727,19 @@ Function New-NSXTGroup { $requests = Invoke-WebRequest -Uri $newGroupURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Group" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { Write-Host "Succesfully created new NSX-T Group $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id - } else { - Write-Error "Error in creating new NSX-T Group" - Write-Error "Return code: " $requests.StatusCode } } } @@ -749,15 +783,18 @@ Function Remove-NSXTGroup { $requests = Invoke-WebRequest -Uri $deleteGgroupURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Group" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { Write-Host "Succesfully removed NSX-T Group $Name" - } else { - Write-Error "Error in creating new NSX-T Group" - Write-Error "Return code: " $requests.StatusCode } } } @@ -802,8 +839,14 @@ Function Get-NSXTService { $requests = Invoke-WebRequest -Uri $serviceGroupsURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Services" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { @@ -830,9 +873,6 @@ Function Get-NSXTService { $results += $tmp } $results - } else { - Write-Error "Error in retrieving NSX-T Services" - Write-Error "Return code: " $requests.StatusCode } } } @@ -893,16 +933,19 @@ Function New-NSXTService { $requests = Invoke-WebRequest -Uri $newServiceURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Service" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { Write-Host "Succesfully created new NSX-T Service $Name" ($requests.Content | ConvertFrom-Json) | select display_name, id - } else { - Write-Error "Error in creating new NSX-T Service" - Write-Error "Return code: " $requests.StatusCode } } } @@ -912,7 +955,7 @@ Function Get-NSXTDistFirewallSection { .NOTES =========================================================================== Created by: William Lam - Date: 12/31/2018 + Date: 01/01/2019 Organization: VMware Blog: http://www.virtuallyghetto.com Twitter: @lamw @@ -950,8 +993,14 @@ Function Get-NSXTDistFirewallSection { $requests = Invoke-WebRequest -Uri $distFirewallGroupURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Distributed Firewall Sections" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { @@ -976,10 +1025,6 @@ Function Get-NSXTDistFirewallSection { $results+=$tmp } $results - - } else { - Write-Error "Error in retrieving NSX-T Distributed Firewall Sections" - Write-Error "Return code: " $requests.StatusCode } } } @@ -989,7 +1034,7 @@ Function Get-NSXTDistFirewall { .NOTES =========================================================================== Created by: William Lam - Date: 09/11/2018 + Date: 01/01/2019 Organization: VMware Blog: http://www.virtuallyghetto.com Twitter: @lamw @@ -1000,20 +1045,26 @@ Function Get-NSXTDistFirewall { .DESCRIPTION This cmdlet retrieves all NSX-T Distributed Firewall Rules for a given Section .EXAMPLE - Get-NSXTDistFirewall -Name "App Section 1" + Get-NSXTDistFirewall -SectionName "App Section 1" #> param( - [Parameter(Mandatory=$true)][String]$Name, + [Parameter(Mandatory=$true)][String]$SectionName, [Switch]$Troubleshoot ) If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { try { - $distGroupId = (Get-NSXTDistFirewallSection -Name $Name).Id + $distGroupId = (Get-NSXTDistFirewallSection -Name $SectionName).Id } catch { - Write-Host -ForegroundColor Red "`nUnable to find NSX-T Distributed Firewall Group named $Name`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Host -ForegroundColor Red "`nUnable to find NSX-T Distributed Firewall Section named $SectionName`n" + Write-Error "`n($_.Exception.Message)`n" + break + } } $method = "GET" @@ -1030,8 +1081,14 @@ Function Get-NSXTDistFirewall { $requests = Invoke-WebRequest -Uri $distFirewallURL -Method $method -Headers $global:nsxtProxyConnection.headers } } catch { - Write-Host -ForegroundColor Red "`nFailed to retrieve Distributed Firewall Rules`n" - break + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in retrieving NSX-T Distributed Firewall Rules" + Write-Error "`n($_.Exception.Message)`n" + break + } } if($requests.StatusCode -eq 200) { @@ -1129,9 +1186,179 @@ Function Get-NSXTDistFirewall { $results+=$tmp } $results - } else { - Write-Error "Error in retrieving NSX-T Distributed Firewall Rules" - Write-Error "Return code: " $requests.StatusCode + } + } +} + +Function New-NSXTDistFirewall { +<# + .NOTES + =========================================================================== + Created by: William Lam + Date: 01/03/2019 + Organization: VMware + Blog: http://www.virtuallyghetto.com + Twitter: @lamw + =========================================================================== + + .SYNOPSIS + Creates a new NSX-T Distribuged Firewall Rule + .DESCRIPTION + This cmdlet creates a new NSX-T Distribuged Firewall Rule + .EXAMPLE + New-NSXTDistFirewall -Name "App1 to Web1" -Section "App Section 1" ` + -SourceGroup "App Server 1" ` + -DestinationGroup "Web Server 1" ` + -Service HTTPS -Logged $true ` + -SequenceNumber 10 ` + -Action ALLOW +#> + Param ( + [Parameter(Mandatory=$True)]$Name, + [Parameter(Mandatory=$True)]$Section, + [Parameter(Mandatory=$True)]$SequenceNumber, + [Parameter(Mandatory=$True)]$SourceGroup, + [Parameter(Mandatory=$True)]$DestinationGroup, + [Parameter(Mandatory=$True)]$Service, + [Parameter(Mandatory=$True)][ValidateSet("ALLOW","DENY")]$Action, + [Parameter(Mandatory=$false)][Boolean]$Logged=$false, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + + $sectionId = (Get-NSXTDistFirewallSection -Name $Section).Id + + $destinationGroups = @() + foreach ($group in $DestinationGroup) { + if($group -eq "ANY") { + $destinationGroups = @("ANY") + } else { + $tmp = (Get-NSXTGroup -GatewayType CGW -Name $group).Path + $destinationGroups+= $tmp + } + } + + $sourceGroups = @() + foreach ($group in $SourceGroup) { + if($group -eq "ANY") { + $sourceGroups = @("ANY") + } else { + $tmp = (Get-NSXTGroup -GatewayType CGW -Name $group).Path + $sourceGroups+= $tmp + } + } + + $services = @() + foreach ($serviceName in $Service) { + if($serviceName -eq "ANY") { + $services = @("ANY") + } else { + $tmp = "/infra/services/$serviceName" + $services+=$tmp + } + } + + $payload = @{ + display_name = $Name; + sequence_number = $SequenceNumber; + destination_groups = $destinationGroups; + source_groups = $sourceGroups; + logged = $Logged; + scope = @("ANY"); + services = $services; + action = $Action; + } + + $body = $payload | ConvertTo-Json -depth 5 + + $method = "PUT" + $generatedId = (New-Guid).Guid + $newDistFirewallURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/cgw/communication-maps/$sectionId/communication-entries/$generatedId" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$newDistFirewallURL`n" + Write-Host -ForegroundColor cyan "[DEBUG]`n$body`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $newDistFirewallURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $newDistFirewallURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Distribugted Firewall Rule" + Write-Error "`n($_.Exception.Message)`n" + break + } + } + + if($requests.StatusCode -eq 200) { + Write-Host "Succesfully created new NSX-T Distributed Firewall Rule $Name" + ($requests.Content | ConvertFrom-Json) | select display_name, id + } + } +} + +Function Remove-NSXTDistFirewall { +<# + .NOTES + =========================================================================== + Created by: William Lam + Date: 01/03/2019 + Organization: VMware + Blog: http://www.virtuallyghetto.com + Twitter: @lamw + =========================================================================== + + .SYNOPSIS + Removes an NSX-T Distribugted Firewall Rule + .DESCRIPTION + This cmdlet removes an NSX-T Distribugted Firewall Rule + .EXAMPLE + Remove-NSXTFirewall -Id TEST -Troubleshoot +#> + Param ( + [Parameter(Mandatory=$True)]$Id, + [Parameter(Mandatory=$True)]$Section, + [Switch]$Troubleshoot + ) + + If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { + $sectionId = (Get-NSXTDistFirewallSection -Name $Section).Id + $dfwId = (Get-NSXTDistFirewall -SectionName $Section).Id + + $method = "DELETE" + $deleteDistFirewallURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/domains/cgw/communication-maps/$sectionId/communication-entries/$dfwId" + + if($Troubleshoot) { + Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$deleteDistFirewallURL`n" + } + + try { + if($PSVersionTable.PSEdition -eq "Core") { + $requests = Invoke-WebRequest -Uri $deleteDistFirewallURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck + } else { + $requests = Invoke-WebRequest -Uri $deleteDistFirewallURL -Method $method -Headers $global:nsxtProxyConnection.headers + } + } catch { + if($_.Exception.Response.StatusCode -eq "Unauthorized") { + Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" + break + } else { + Write-Error "Error in creating new NSX-T Firewall Rule" + Write-Error "`n($_.Exception.Message)`n" + break + } + } + + if($requests.StatusCode -eq 200) { + Write-Host "Succesfully removed NSX-T Distribugted Firewall Rule" } } } \ No newline at end of file