From 5c3e80bbf6e4e9272d1b13dbd2a70f1cac8b188a Mon Sep 17 00:00:00 2001
From: Markus Kraus
Date: Mon, 25 May 2020 21:41:22 +0200
Subject: [PATCH 01/14] SetSecure inlline function
---
 Scripts/Set-VMHostSecureNTP.ps1 | 90 +++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 Scripts/Set-VMHostSecureNTP.ps1
diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1
new file mode 100644
index 0000000..fb3204b
--- /dev/null
+++ b/Scripts/Set-VMHostSecureNTP.ps1
@@ -0,0 +1,90 @@
+function Set-VMHostSecureNTP {
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory=$True, ValueFromPipeline=$True, Position=0, HelpMessage = "Specifies the hosts to configure.")]
+ [ValidateNotNullorEmpty()]
+ [VMware.VimAutomation.Types.VMHost[]] $VMHost,
+ [Parameter(Mandatory=$False, ValueFromPipeline=$False, Position=1, HelpMessage = "Type of confugration")]
+ [ValidateSet("SetSecure","Secure")]
+ [String] $Type = "SetSecure",
+ [Parameter(Mandatory=$True, ValueFromPipeline=$False, Position=2, HelpMessage = "Array of NTP Serbers")]
+ [ValidateNotNullorEmpty()]
+ [Array] $NTP
+ )
+
+ begin {
+
+ function SetSecure ($MyHost) {
+ ## Get NTP Service
+ $NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"}
+ ## Stop NTP Service if running
+ if($NTPService.Running -eq $True){
+ Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null
+ }
+ ## Enable NTP Service
+ if($NTPService.Policy -ne "on"){
+ Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null
+ }
+ ## Remove all existiing NTP Servers
+ try {
+ foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) {
+ $MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false
+ }
+ }
+ catch [System.Exception] {
+ Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'."
+ }
+ ## Set New NTP Servers
+ foreach ($myNTP in $NTP) {
+ $MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null
+ }
+ ## Set Current time on Host
+ $HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem
+ $HostTimeSystem.UpdateDateTime([DateTime]::UtcNow)
+ ## Start NTP Service
+ Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null
+ ## Get NTP CLient Forewall Rule
+ $esxcli = Get-ESXCLI -VMHost $MyHost -v2
+ $esxcliargs = $esxcli.network.firewall.ruleset.rule.list.CreateArgs()
+ $esxcliargs.rulesetid = "ntpClient"
+ try {
+ $esxcli.network.firewall.ruleset.rule.list.Invoke($esxcliargs)
+ }
+ catch [System.Exception] {
+ Write-Warning "Error during Rule List. See latest errors..."
+ }
+ ## Set NTP Client Firewall Rule
+ $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs()
+ $esxcliargs.enabled = "true"
+ $esxcliargs.allowedall = "false"
+ $esxcliargs.rulesetid = "ntpClient"
+ try {
+ $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs)
+ }
+ catch [System.Exception] {
+ Write-Warning "Error during Rule Set. See latest errors..."
+ }
+ ## Set NTP Client Firewall Rule AllowedIP
+ foreach ($myNTP in $NTP) {
+ $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
+ $esxcliargs.ipaddress = $myNTP
+ $esxcliargs.rulesetid = "ntpClient"
+ try {
+ $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs)
+ }
+ catch [System.Exception] {
+ Write-Warning "Error during Rule Update. See latest errors..."
+ }
+ }
+ }
+
+ }
+
+ process {
+
+ }
+
+ end {
+
+ }
+}
\ No newline at end of file
From bd70bfb5dc8afdc606895e27e9f52414ba65cbc3 Mon Sep 17 00:00:00 2001
From: Markus Kraus
Date: Mon, 25 May 2020 21:45:13 +0200
Subject: [PATCH 02/14] processing for SetSecure
---
 Scripts/Set-VMHostSecureNTP.ps1 | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1
index fb3204b..e862fe1 100644
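Review bot: The ntpClient ruleset is flipped to `$esxcliargs.allowedall = "false"` before a single allowed address exists, and a failing `allowedip.add` (or `ruleset.set`) only produces a Write-Warning, so a host can end up with ntpd running but firewalled off from every server while the function returns normally and the caller sees success. That happens as soon as one element of `$NTP` is a DNS name rather than an IP literal: `Add-VMHostNtpServer` accepts it, but `$esxcliargs.ipaddress = $myNTP` is an IP/CIDR field on the ESXi side. Reject such input at the parameter, e.g. `[ValidateScript({ [System.Net.IPAddress]::TryParse($_, [ref]$null) })]` on `$NTP` (validation attributes run per element on array parameters), and turn the firewall catch blocks into `Write-Error` or a rethrow so automation over many hosts can detect the broken state. The `UpdateDateTime([DateTime]::UtcNow)` call pushes the management workstation's clock to the host; a one-line comment saying so would warn the next maintainer that a skewed admin machine skews every host until ntpd resyncs.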
--- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -82,6 +82,11 @@ function Set-VMHostSecureNTP { process { + if ($Type -eq "SetSecure") { + "Executing Set and Secure operation..." + $VMHost | Foreach-Object { Write-Output (SetSecure $_) } + } + } end { From 9a7dc6dd592728933ea403023a2620cbca3a6002 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Tue, 26 May 2020 22:37:26 +0200 Subject: [PATCH 03/14] Added Error Handling and Pre-Checks --- Scripts/Set-VMHostSecureNTP.ps1 | 84 ++++++++++++++++++++++++++++----- 1 file changed, 71 insertions(+), 13 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index e862fe1..1148bb1 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -15,17 +15,21 @@ function Set-VMHostSecureNTP { begin { function SetSecure ($MyHost) { - ## Get NTP Service + ## Get NTP Service + "Get NTP Service from VMHost ..." $NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"} - ## Stop NTP Service if running + ## Stop NTP Service if running + "Stop NTP Service if running ..." if($NTPService.Running -eq $True){ Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null } ## Enable NTP Service + "Enable NTP Service if disabled..." if($NTPService.Policy -ne "on"){ Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null } ## Remove all existiing NTP Servers + "Remove all existiing NTP Servers ..." try { foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) { $MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false 
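Review bot: `-Type Secure` passes the ValidateSet but has no branch in this process block, so that invocation configures nothing and exits without any error, which is the worst outcome for a hardening script. Until the Secure path exists, make the unsupported value loud with an `else { throw "Type '$Type' is not implemented." }` after the SetSecure branch. The bare `"Executing Set and Secure operation..."` is also written to the success output stream once per pipeline input, so it ends up in whatever the caller captures; `Write-Verbose` keeps the output stream for results. The enclosing function starts outside this hunk.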
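Review bot: The progress strings added here (`"Get NTP Service from VMHost ..."` and the others) are bare expressions, so they go to the success output stream and become part of what `SetSecure` returns; a caller doing `$result = Get-VMHost | Set-VMHostSecureNTP ...` receives a list of status sentences rather than anything it can test. Emit them with `Write-Verbose` (the function already has `[CmdletBinding()]`, so `-Verbose` works) or `Write-Host`, and reserve the output stream for a per-host result. SetSecure's start and end lie outside this hunk.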
@@ -35,36 +39,90 @@ function Set-VMHostSecureNTP { Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'." } ## Set New NTP Servers + "Set New NTP Servers ..." foreach ($myNTP in $NTP) { $MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null } ## Set Current time on Host + "Set Current time on VMHost ..." $HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem $HostTimeSystem.UpdateDateTime([DateTime]::UtcNow) ## Start NTP Service + "Start NTP Service ..." Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null - ## Get NTP CLient Forewall Rule + ## Get ESXCLI -V2 $esxcli = Get-ESXCLI -VMHost $MyHost -v2 - $esxcliargs = $esxcli.network.firewall.ruleset.rule.list.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" + ## Get NTP Client Firewall + "Get NTP Client Firewall ..." try { - $esxcli.network.firewall.ruleset.rule.list.Invoke($esxcliargs) + $FirewallGet = $esxcli.network.firewall.get.Invoke() } catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } - ## Set NTP Client Firewall Rule - $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() - $esxcliargs.enabled = "true" - $esxcliargs.allowedall = "false" + "`tLoded: $($FirewallGet.Loaded)" + "`tEnabled: $($FirewallGet.Enabled)" + "`tDefaultAction: $($FirewallGet.DefaultAction)" + ## Get NTP Client Firewall Rule + "Get NTP Client Firewall RuleSet ..." + $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" try { - $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) } catch [System.Exception] { - Write-Warning "Error during Rule Set. See latest errors..." + Write-Warning "Error during Rule List. See latest errors..." } + "`tEnabled: $($FirewallRuleList.Enabled)" + "Get NTP Client Firewall Rule AllowedIP ..." 
+ $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses)" + ## Remove Existing IP from firewall rule + ## BUG: If AllowedIP was enabled and is disabled now, old IPs will not be removed + "Remove Existing IP from firewall rule ..." + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { + foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + $esxcliargs.ipaddress = $IP + try { + $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + + } + + } + ## Set NTP Client Firewall Rule + "Set NTP Client Firewall Rule ..." + if ($FirewallRuleList.Enabled -ne $True -or $FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") { + $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() + if ($FirewallRuleList.Enabled -ne $True) { + $esxcliargs.enabled = "true" + } + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") { + $esxcliargs.allowedall = "false" + } + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule Set. See latest errors..." + } + } ## Set NTP Client Firewall Rule AllowedIP + ## BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added + "Set NTP Client Firewall Rule AllowedIP ..." foreach ($myNTP in $NTP) { $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $esxcliargs.ipaddress = $myNTP 
@@ -73,7 +131,7 @@ function Set-VMHostSecureNTP { $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) } catch [System.Exception] { - Write-Warning "Error during Rule Update. See latest errors..." + Write-Warning "Error during Rule AllowedIP Update. See latest errors..." } } } From 222f75a6ca9465eb975404530560692a62e3d9fb Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Wed, 27 May 2020 18:59:32 +0200 Subject: [PATCH 04/14] Workaround for duplicate IP --- Scripts/Set-VMHostSecureNTP.ps1 | 41 +++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 1148bb1..f323c31 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -121,7 +121,7 @@ function Set-VMHostSecureNTP { } } ## Set NTP Client Firewall Rule AllowedIP - ## BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added + ### BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added --> Workarund done "Set NTP Client Firewall Rule AllowedIP ..." foreach ($myNTP in $NTP) { $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() 
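Review bot: `$FirewallGet.Enabled` and `$FirewallGet.DefaultAction` are printed right after the `network.firewall.get` call but never acted on, yet everything this hunk does to the ntpClient ruleset is unenforced if the host firewall is disabled or its default action is PASS, and the function would still walk through to the end reporting the new allow list. Add a guard after the get, e.g. `if ($FirewallGet.Enabled -ne $True) { Write-Error "Firewall on '$($MyHost.Name)' is disabled; ntpClient restriction is not enforced."; return }` (assuming Enabled is a boolean, as the later `$FirewallRuleList.Enabled -ne $True` check assumes), and consider the same for DefaultAction. The unpiped `$esxcli...Invoke(...)` results in the set/remove/add calls also leak into the output stream and should get `| Out-Null` like the service calls above. SetSecure's start and end lie outside this hunk.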
@@ -131,7 +131,44 @@ function Set-VMHostSecureNTP { $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) } catch [System.Exception] { - Write-Warning "Error during Rule AllowedIP Update. See latest errors..." + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -eq "Ip address already exist.") { + + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { + foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + $esxcliargs.ipaddress = $IP + try { + $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + + } + + } + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() + $esxcliargs.ipaddress = $myNTP + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule AllowedIP Update. '$ErrorMessage' See latest errors..." + + } + + } } } } From 91cac83589168dcd130d39cc88074ce2eb518d9e Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Thu, 28 May 2020 20:38:09 +0200 Subject: [PATCH 05/14] Fix for existing configurations --- Scripts/Set-VMHostSecureNTP.ps1 | 116 ++++++++++++++------------------ 1 file changed, 50 insertions(+), 66 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index f323c31..69d420c 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 
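Review bot: The duplicate-IP recovery runs inside `foreach ($myNTP in $NTP)` and clears the entire allow list before re-adding only `$myNTP`, so with two or more servers the entry added for the first one in the previous iteration is removed again as soon as the second one reports `Ip address already exist.`; the host finishes with only the last server allowed. A duplicate is benign here, since the address already is what we want, so the catch should just skip it: `if ($ErrorMessage -ne "Ip address already exist.") { Write-Warning "Error during Rule AllowedIP Update. See latest errors..." }` and nothing else. Matching the exact esxcli message text is version-sensitive as well; a wording change turns every add into a warning, which is at least fail-loud, but deserves a comment. The enclosing function starts outside this hunk.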
@@ -1,15 +1,17 @@ function Set-VMHostSecureNTP { [CmdletBinding()] param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True, Position=0, HelpMessage = "Specifies the hosts to configure.")] + [Parameter(Mandatory=$True, ValueFromPipeline=$True, HelpMessage = "Specifies the hosts to configure.")] [ValidateNotNullorEmpty()] [VMware.VimAutomation.Types.VMHost[]] $VMHost, - [Parameter(Mandatory=$False, ValueFromPipeline=$False, Position=1, HelpMessage = "Type of confugration")] - [ValidateSet("SetSecure","Secure")] - [String] $Type = "SetSecure", - [Parameter(Mandatory=$True, ValueFromPipeline=$False, Position=2, HelpMessage = "Array of NTP Serbers")] + [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Set and Secure operation for new NTP Servers")] + [Switch] $SetSecure, + [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Array of NTP Serbers")] [ValidateNotNullorEmpty()] - [Array] $NTP + [Array] $NTP, + [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] + [Switch] $Secure + ) begin { 
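Review bot: `$Secure` is declared in the `SetSecure` parameter set, so `-Secure` still demands the mandatory `-NTP`, and because neither switch is mandatory a call such as `Get-VMHost | Set-VMHostSecureNTP -NTP 10.0.0.1` binds to the SetSecure set with `$SetSecure` false, which the process block (outside this hunk) treats as nothing to do and exits silently. Put `$Secure` in its own set, declare `[CmdletBinding(DefaultParameterSetName="SetSecure")]`, and mark both switches `Mandatory=$True` so PowerShell rejects an ambiguous invocation instead of configuring nothing. The typed `[Array] $NTP` still accepts any string; since the values feed the firewall allow list, an IP-literal validation on the parameter would catch hostnames before any host is touched.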
@@ -74,6 +76,23 @@ function Set-VMHostSecureNTP { Write-Warning "Error during Rule List. See latest errors..." } "`tEnabled: $($FirewallRuleList.Enabled)" + ## Set NTP Client Firewall Rule + "Set NTP Client Firewall Rule ..." + $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() + $esxcliargs.enabled = "true" + $esxcliargs.allowedall = "false" + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Already use allowed ip list") { + Write-Warning "Error during Rule Set. See latest errors..." + + } + + } "Get NTP Client Firewall Rule AllowedIP ..." $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" @@ -83,9 +102,8 @@ function Set-VMHostSecureNTP { catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } - "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses)" + "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" ## Remove Existing IP from firewall rule - ## BUG: If AllowedIP was enabled and is disabled now, old IPs will not be removed "Remove Existing IP from firewall rule ..." if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { 
@@ -98,30 +116,10 @@ function Set-VMHostSecureNTP { catch [System.Exception] { Write-Warning "Error during AllowedIP remove. See latest errors..." } - } } - ## Set NTP Client Firewall Rule - "Set NTP Client Firewall Rule ..." - if ($FirewallRuleList.Enabled -ne $True -or $FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") { - $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() - if ($FirewallRuleList.Enabled -ne $True) { - $esxcliargs.enabled = "true" - } - if ($FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") { - $esxcliargs.allowedall = "false" - } - $esxcliargs.rulesetid = "ntpClient" - try { - $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule Set. See latest errors..." - } - } ## Set NTP Client Firewall Rule AllowedIP - ### BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added --> Workarund done "Set NTP Client Firewall Rule AllowedIP ..." foreach ($myNTP in $NTP) { $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() 
@@ -132,55 +130,41 @@ function Set-VMHostSecureNTP { } catch [System.Exception] { $ErrorMessage = $_.Exception.Message - if ($ErrorMessage -eq "Ip address already exist.") { - - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" - try { - $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } - if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { - foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" - $esxcliargs.ipaddress = $IP - try { - $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during AllowedIP remove. See latest errors..." - } - - } - - } - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() - $esxcliargs.ipaddress = $myNTP - $esxcliargs.rulesetid = "ntpClient" - try { - $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule AllowedIP Update. '$ErrorMessage' See latest errors..." - - } - + if ($ErrorMessage -ne "Ip address already exist.") { + Write-Warning "Error during AllowedIP remove. See latest errors..." } } } + ## Get New NTP Client Firewall Rule AllowedIP + "Get New NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." 
+ } + "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + ## Get New NTP Servers + "Get New NTP Servers ..." + $NewNTPServers = $MyHost | Get-VMHostNtpServer + "`tNew NTP Servers: $($NewNTPServers -join ", ")" + } } process { - if ($Type -eq "SetSecure") { - "Executing Set and Secure operation..." + if ($SetSecure) { + "Execute Set and Secure operation for new NTP Servers ..." $VMHost | Foreach-Object { Write-Output (SetSecure $_) } } + if ($Secure) { + "Execute Secure operation for exitsting NTP Servers ..." + $VMHost | Foreach-Object { Write-Output (Secure $_) } + } } From 3a91b48f15a6b8c917ae303f0db90ec6f1d2f460 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Thu, 28 May 2020 20:45:46 +0200 Subject: [PATCH 06/14] Add Secure Operation --- Scripts/Set-VMHostSecureNTP.ps1 | 103 +++++++++++++++++++++++++++++++- 1 file changed, 102 insertions(+), 1 deletion(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 69d420c..9fa4f44 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -9,7 +9,7 @@ function Set-VMHostSecureNTP { [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Array of NTP Serbers")] [ValidateNotNullorEmpty()] [Array] $NTP, - [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] + [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="Secure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] [Switch] $Secure ) 
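Review bot: The warning in the `allowedip.add` catch still reads `Error during AllowedIP remove`, so a failed add is logged as a failed remove and sends whoever reads the log to the wrong step; change it to `Write-Warning "Error during AllowedIP add. See latest errors..."`. The new post-check only echoes the allow list; comparing it with the intended servers and warning on any gap, e.g. `$missing = $NTP | Where-Object { $FirewallRuleAllowedIPList.AllowedIPAddresses -notcontains $_ }`, would turn the printout into a real verification of the secured state. SetSecure starts outside this hunk.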
@@ -152,6 +152,107 @@ function Set-VMHostSecureNTP { "`tNew NTP Servers: $($NewNTPServers -join ", ")" } + + function Secure ($myhost) { + ## Get NTP Servers + "Get NTP Servers ..." + [Array]$CurrentNTPServers = $MyHost | Get-VMHostNtpServer + "`tNTP Servers: $($NewNTPServers -join ", ")" + ## Get NTP Client Firewall + "Get NTP Client Firewall ..." + try { + $FirewallGet = $esxcli.network.firewall.get.Invoke() + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tLoded: $($FirewallGet.Loaded)" + "`tEnabled: $($FirewallGet.Enabled)" + "`tDefaultAction: $($FirewallGet.DefaultAction)" + ## Get NTP Client Firewall Rule + "Get NTP Client Firewall RuleSet ..." + $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tEnabled: $($FirewallRuleList.Enabled)" + ## Set NTP Client Firewall Rule + "Set NTP Client Firewall Rule ..." + $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() + $esxcliargs.enabled = "true" + $esxcliargs.allowedall = "false" + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Already use allowed ip list") { + Write-Warning "Error during Rule Set. See latest errors..." + + } + + } + "Get NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." 
+ } + "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + ## Remove Existing IP from firewall rule + "Remove Existing IP from firewall rule ..." + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { + foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + $esxcliargs.ipaddress = $IP + try { + $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + } + + } + ## Set NTP Client Firewall Rule AllowedIP + "Set NTP Client Firewall Rule AllowedIP ..." + foreach ($myNTP in $CurrentNTPServers) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() + $esxcliargs.ipaddress = $myNTP + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Ip address already exist.") { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + } + } + ## Get New NTP Client Firewall Rule AllowedIP + "Get New NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + + + } } From 4af6de8e1d5b00fb9d13fe051f97c68648a4bae3 Mon Sep 17 00:00:00 2001 
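Review bot: `Secure` never creates its own esxcli handle: `$esxcli` is assigned inside `SetSecure`, whose local scope is not visible to a sibling function, so unless the caller happens to have an `$esxcli` in an outer scope every `$esxcli.network...` call here dereferences `$null`, lands in a catch block, and the host is walked through with a series of warnings and nothing secured. Add `$esxcli = Get-ESXCLI -VMHost $MyHost -v2` before the first firewall call. The echo line also prints `$NewNTPServers`, which is not defined in this function, instead of the list just collected: `"`tNTP Servers: $($CurrentNTPServers -join ", ")"`. As in the add loop of SetSecure, the warning text in the add catch says `remove`.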
From: Markus Kraus Date: Thu, 28 May 2020 20:58:53 +0200 Subject: [PATCH 07/14] Add MetaData --- Scripts/Set-VMHostSecureNTP.ps1 | 51 +++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 5 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 9fa4f44..2ad6771 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 
@@ -1,4 +1,48 @@ function Set-VMHostSecureNTP { +<# + .NOTES + =========================================================================== + Created by: Markus Kraus + =========================================================================== + Changelog: + 2020.05 ver 1.0 Base Release + =========================================================================== + External Code Sources: + - + =========================================================================== + Tested Against Environment: + vSphere Version: vSphere 6.7 U3 + PowerCLI Version: PowerCLI 11.5 + PowerShell Version: 5.1 + OS Version: Windows 10 + Keyword: ESXi, NTP, Hardening, Security, Firewall + =========================================================================== + + .DESCRIPTION + This function sets new NTP Servers on given ESXi Hosts and configures the host firewall to only accept NTP connections from this servers. + + .Example + Get-VMHost | Set-VMHostSecureNTP -Secure + + .Example + Get-VMHost | Set-VMHostSecureNTP -Type SetSecure -NTP 10.100.1.1, 192.168.2.1 + + .PARAMETER VMHost + Specifies the hosts to configure + + .PARAMETER SetSecure + Execute Set and Secure operation for new NTP Servers + + .PARAMETER NTP + Specifies a Array of NTP Servers + + .PARAMETER Secure + Execute Secure operation for exitsting NTP Servers + +#Requires PS -Version 5.1 +#Requires -Modules VMware.VimAutomation.Core, @{ModuleName="VMware.VimAutomation.Core";ModuleVersion="11.5.0.0"} +#> + [CmdletBinding()] param( [Parameter(Mandatory=$True, ValueFromPipeline=$True, HelpMessage = "Specifies the hosts to configure.")] 
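Review bot: The second `.Example` still shows `-Type SetSecure`, a parameter that was replaced by the `-SetSecure` switch, so the help documents a call that fails to bind; it should read `Get-VMHost | Set-VMHostSecureNTP -SetSecure -NTP 10.100.1.1, 192.168.2.1`. The `#Requires` lines sit inside the `<# ... #>` block, where they are comment text rather than statements and are not enforced, and `#Requires PS -Version 5.1` is not the valid form in any case; move them above the function as `#Requires -Version 5.1` and `#Requires -Modules @{ModuleName="VMware.VimAutomation.Core";ModuleVersion="11.5.0.0"}`. The description should also state that NTP servers must be given as IP literals because the ntpClient allow list is keyed on addresses, and that the function modifies the host firewall, so operators know what they are granting.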
@@ -6,7 +50,7 @@ function Set-VMHostSecureNTP { [VMware.VimAutomation.Types.VMHost[]] $VMHost, [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Set and Secure operation for new NTP Servers")] [Switch] $SetSecure, - [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Array of NTP Serbers")] + [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Specifies a Array of NTP Servers")] [ValidateNotNullorEmpty()] [Array] $NTP, [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="Secure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] @@ -268,8 +312,5 @@ function Set-VMHostSecureNTP { } } - - end { - - } + } \ No newline at end of file From 4d1436b857e7a79b5ec14138cfe5e09b07cedaf6 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Thu, 28 May 2020 21:01:09 +0200 Subject: [PATCH 08/14] Fix Var Naming --- Scripts/Set-VMHostSecureNTP.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 2ad6771..1b5464e 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -197,7 +197,7 @@ function Set-VMHostSecureNTP { } - function Secure ($myhost) { + function Secure ($MyHost) { ## Get NTP Servers "Get NTP Servers ..." [Array]$CurrentNTPServers = $MyHost | Get-VMHostNtpServer From dd4bb2f415216e993d5a89fafc39f2628ddd8fbd Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Thu, 28 May 2020 21:06:40 +0200 Subject: [PATCH 09/14] fix Typos --- Scripts/Set-VMHostSecureNTP.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 1b5464e..e6fb2b0 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 
@@ -19,7 +19,7 @@ function Set-VMHostSecureNTP { =========================================================================== .DESCRIPTION - This function sets new NTP Servers on given ESXi Hosts and configures the host firewall to only accept NTP connections from this servers. + This function sets new NTP Servers on given ESXi Hosts and configures the host firewall to only accept NTP connections from these servers. .Example Get-VMHost | Set-VMHostSecureNTP -Secure @@ -74,8 +74,8 @@ function Set-VMHostSecureNTP { if($NTPService.Policy -ne "on"){ Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null } - ## Remove all existiing NTP Servers - "Remove all existiing NTP Servers ..." + ## Remove all existing NTP Servers + "Remove all existing NTP Servers ..." try { foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) { $MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false From 91053171e738441b8021e4c95c6246a22d915d75 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Fri, 29 May 2020 19:17:01 +0200 Subject: [PATCH 10/14] Add Parameter Position --- Scripts/Set-VMHostSecureNTP.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index e6fb2b0..3b386fd 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -45,7 +45,7 @@ function Set-VMHostSecureNTP { [CmdletBinding()] param( - [Parameter(Mandatory=$True, ValueFromPipeline=$True, HelpMessage = "Specifies the hosts to configure.")] + [Parameter(Mandatory=$True, ValueFromPipeline=$True, Position=0, HelpMessage = "Specifies the hosts to configure.")] [ValidateNotNullorEmpty()] [VMware.VimAutomation.Types.VMHost[]] $VMHost, [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Set and Secure operation for new NTP Servers")] From 7ecfd1309dc5b3b81b5b7c93e6e4c4a8ae3c268a Mon Sep 17 00:00:00 2001 
From: Markus Kraus Date: Sat, 30 May 2020 20:48:19 +0200 Subject: [PATCH 11/14] ReOrg the inline function --- Scripts/Set-VMHostSecureNTP.ps1 | 109 +++----------------------------- 1 file changed, 9 insertions(+), 100 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 3b386fd..2fd2dcd 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -60,7 +60,7 @@ function Set-VMHostSecureNTP { begin { - function SetSecure ($MyHost) { + function SetNTP ($MyHost) { ## Get NTP Service "Get NTP Service from VMHost ..." $NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"} 
@@ -96,100 +96,6 @@ function Set-VMHostSecureNTP { ## Start NTP Service "Start NTP Service ..." Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null - ## Get ESXCLI -V2 - $esxcli = Get-ESXCLI -VMHost $MyHost -v2 - ## Get NTP Client Firewall - "Get NTP Client Firewall ..." - try { - $FirewallGet = $esxcli.network.firewall.get.Invoke() - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } - "`tLoded: $($FirewallGet.Loaded)" - "`tEnabled: $($FirewallGet.Enabled)" - "`tDefaultAction: $($FirewallGet.DefaultAction)" - ## Get NTP Client Firewall Rule - "Get NTP Client Firewall RuleSet ..." - $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" - try { - $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } - "`tEnabled: $($FirewallRuleList.Enabled)" - ## Set NTP Client Firewall Rule - "Set NTP Client Firewall Rule ..." - $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() - $esxcliargs.enabled = "true" - $esxcliargs.allowedall = "false" - $esxcliargs.rulesetid = "ntpClient" - try { - $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) - } - catch [System.Exception] { - $ErrorMessage = $_.Exception.Message - if ($ErrorMessage -ne "Already use allowed ip list") { - Write-Warning "Error during Rule Set. See latest errors..." - - } - - } - "Get NTP Client Firewall Rule AllowedIP ..." - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" - try { - $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." 
- } - "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" - ## Remove Existing IP from firewall rule - "Remove Existing IP from firewall rule ..." - if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { - foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" - $esxcliargs.ipaddress = $IP - try { - $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during AllowedIP remove. See latest errors..." - } - } - - } - ## Set NTP Client Firewall Rule AllowedIP - "Set NTP Client Firewall Rule AllowedIP ..." - foreach ($myNTP in $NTP) { - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() - $esxcliargs.ipaddress = $myNTP - $esxcliargs.rulesetid = "ntpClient" - try { - $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) - } - catch [System.Exception] { - $ErrorMessage = $_.Exception.Message - if ($ErrorMessage -ne "Ip address already exist.") { - Write-Warning "Error during AllowedIP remove. See latest errors..." - } - } - } - ## Get New NTP Client Firewall Rule AllowedIP - "Get New NTP Client Firewall Rule AllowedIP ..." - $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" - try { - $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } - "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" ## Get New NTP Servers "Get New NTP Servers ..." $NewNTPServers = $MyHost | Get-VMHostNtpServer 
@@ -197,11 +103,13 @@ function Set-VMHostSecureNTP { } - function Secure ($MyHost) { + function SecureNTP ($MyHost) { ## Get NTP Servers - "Get NTP Servers ..." + "Get NTP Servers to Secure ..." [Array]$CurrentNTPServers = $MyHost | Get-VMHostNtpServer - "`tNTP Servers: $($NewNTPServers -join ", ")" + "`tNTP Servers: $($CurrentNTPServers -join ", ")" + ## Get ESXCLI -V2 + $esxcli = Get-ESXCLI -VMHost $MyHost -v2 ## Get NTP Client Firewall "Get NTP Client Firewall ..." try { @@ -304,11 +212,12 @@ function Set-VMHostSecureNTP { if ($SetSecure) { "Execute Set and Secure operation for new NTP Servers ..." - $VMHost | Foreach-Object { Write-Output (SetSecure $_) } + $VMHost | Foreach-Object { Write-Output (SetNTP $_) } + $VMHost | Foreach-Object { Write-Output (SecureNTP $_) } } if ($Secure) { "Execute Secure operation for exitsting NTP Servers ..." - $VMHost | Foreach-Object { Write-Output (Secure $_) } + $VMHost | Foreach-Object { Write-Output (SecureNTP $_) } } } From 8de58854370e1a7663d9d08ceb6e58cb8bbd8ee2 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Sat, 30 May 2020 20:51:00 +0200 Subject: [PATCH 12/14] Change NTP input to type ipaddress --- Scripts/Set-VMHostSecureNTP.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 2fd2dcd..c491331 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -52,7 +52,7 @@ function Set-VMHostSecureNTP { [Switch] $SetSecure, [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Specifies a Array of NTP Servers")] [ValidateNotNullorEmpty()] - [Array] $NTP, + [ipaddress[]] $NTP, [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="Secure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] [Switch] $Secure From d2544c9418135da410670f0d5f2e89ea71c9f347 Mon Sep 17 00:00:00 2001 
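Review bot: In the SetSecure branch the hosts are now walked twice, `$VMHost | Foreach-Object { Write-Output (SetNTP $_) }` followed by a second pipeline for SecureNTP, so every host has its NTP servers replaced and ntpd started again before any host's ntpClient ruleset is narrowed to those servers, and a SetNTP failure on one host (which only emits Write-Warning) does not stop SecureNTP from running against it. Running both steps per host keeps the window between "NTP reconfigured" and "firewall restricted" as short as possible and keeps the output of the two functions grouped per host: `$VMHost | Foreach-Object { Write-Output (SetNTP $_); Write-Output (SecureNTP $_) }`. The process block this sits in starts outside the hunk.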
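Review bot: `[ipaddress[]] $NTP` now rejects hostnames at parameter binding, which matches the later allowedip firewall entries that can only hold literal addresses, but the HelpMessage on the preceding context line still reads "Specifies a Array of NTP Servers" and should say that only IP addresses are accepted, e.g. `HelpMessage = "Specifies an array of NTP server IP addresses (hostnames are not accepted)"`. The elements are now System.Net.IPAddress objects rather than strings; where they reach `Add-VMHostNtpServer -ntpserver` and `$esxcliargs.ipaddress` (outside this hunk), passing `$myNTP.IPAddressToString` makes the string conversion explicit instead of relying on the implicit ToString() of the object, which presumably works for the PowerCLI parameter but is worth confirming for the esxcli argument hashtable.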
From: Markus Kraus Date: Sat, 30 May 2020 20:59:57 +0200 Subject: [PATCH 13/14] Other loop for "Remove all existing NTP Servers" --- Scripts/Set-VMHostSecureNTP.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index c491331..773e016 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -77,8 +77,8 @@ function Set-VMHostSecureNTP { ## Remove all existing NTP Servers "Remove all existing NTP Servers ..." try { - foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) { - $MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false + $MyHost | Get-VMHostNtpServer | Foreach-Object { + Remove-VMHostNtpServer -VMHost $MyHost -NtpServer $_ -Confirm:$false } } catch [System.Exception] { From b0dcb843aa15de12bc2c4fe1c52be3e73059b471 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Sat, 30 May 2020 21:02:25 +0200 Subject: [PATCH 14/14] Fix tab alignments --- Scripts/Set-VMHostSecureNTP.ps1 | 54 ++++++++++++++++----------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 773e016..42e1885 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -114,10 +114,10 @@ function Set-VMHostSecureNTP { "Get NTP Client Firewall ..." try { $FirewallGet = $esxcli.network.firewall.get.Invoke() - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } "`tLoded: $($FirewallGet.Loaded)" "`tEnabled: $($FirewallGet.Enabled)" "`tDefaultAction: $($FirewallGet.DefaultAction)" 
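Review bot: The `try`/`catch [System.Exception]` around the new pipeline will not see ordinary failures of `Remove-VMHostNtpServer` or of the `Get-VMHostNtpServer` feeding it, because cmdlet errors are non-terminating by default and only terminating errors reach a `catch`; the Write-Warning in the catch block therefore fires only for genuine exceptions, while a failed removal is written to the error stream and the function carries on to add the new servers on top of the old ones. Adding `-ErrorAction Stop` to both cmdlets turns those failures into terminating errors the existing catch handles: `$MyHost | Get-VMHostNtpServer -ErrorAction Stop | Foreach-Object { Remove-VMHostNtpServer -VMHost $MyHost -NtpServer $_ -Confirm:$false -ErrorAction Stop }`. The same try/catch shape is used around the esxcli `.Invoke()` calls elsewhere in the file, but those are .NET method calls whose exceptions are terminating, so they are presumably unaffected. SetNTP's body continues outside the hunk.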
@@ -127,10 +127,10 @@ function Set-VMHostSecureNTP { $esxcliargs.rulesetid = "ntpClient" try { $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } "`tEnabled: $($FirewallRuleList.Enabled)" ## Set NTP Client Firewall Rule "Set NTP Client Firewall Rule ..." @@ -140,24 +140,24 @@ function Set-VMHostSecureNTP { $esxcliargs.rulesetid = "ntpClient" try { $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) - } - catch [System.Exception] { - $ErrorMessage = $_.Exception.Message - if ($ErrorMessage -ne "Already use allowed ip list") { - Write-Warning "Error during Rule Set. See latest errors..." - - } + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Already use allowed ip list") { + Write-Warning "Error during Rule Set. See latest errors..." } + + } "Get NTP Client Firewall Rule AllowedIP ..." $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" try { $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" ## Remove Existing IP from firewall rule "Remove Existing IP from firewall rule ..." 
@@ -168,10 +168,10 @@ function Set-VMHostSecureNTP { $esxcliargs.ipaddress = $IP try { $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during AllowedIP remove. See latest errors..." - } + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } } } @@ -197,10 +197,10 @@ function Set-VMHostSecureNTP { $esxcliargs.rulesetid = "ntpClient" try { $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) - } - catch [System.Exception] { - Write-Warning "Error during Rule List. See latest errors..." - } + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")"