Automating distributed firewall rule deployment with PowerNSX

NSX blogposts

As part of a microsegmentation project, we're also doing the full implementation of the DFW ruleset to isolate and categorize application tiers and inter-tier traffic. Implementing these rules manually would be very labour-intensive, and the risk of manual errors is always lurking, so the obvious approach is to automate it. Fortunately the security model lends itself to a minimal number of rules and consistent rulesets.

A few of the scripts used are posted below as a simple reference. These are samples only, meant as inspiration: one could write an entire script that parses a pre-existing CSV or JSON file for a fully automated deployment, but for now this is my quick and dirty way to get a full DFW deployment done in seconds with PowerNSX.

# Script 1: create the four DTAP security tags, then one security group per
# tag with that tag as its (dynamic) member. Assumes an existing Connect-NsxServer
# session. Note: PowerShell does not allow a trailing comma in an array literal.
$secTags = @(
    "DTAP:Develop",
    "DTAP:Test",
    "DTAP:Acceptance",
    "DTAP:Production"
)

$secTags | ForEach-Object { New-NsxSecurityTag -Name $_ }

$secGroups = @(
    "DTAP:Develop",
    "DTAP:Test",
    "DTAP:Acceptance",
    "DTAP:Production"
)

$secGroups | ForEach-Object {
    $secTag   = Get-NsxSecurityTag -Name $_
    $secGroup = New-NsxSecurityGroup -Name $_
    # Only attach the membership if the matching tag was actually found;
    # New-NsxSecurityGroup returns the group object, so it can be piped directly.
    if ($secTag) {
        $secGroup | Add-NsxSecurityGroupMember -Member $secTag
    }
}


# Script 2: for every DTAP group, two logged reject rules in the "DTAP Rules"
# section (which must already exist, e.g. via New-NsxFirewallSection):
# one for traffic leaving the group to anything outside it, and one for
# traffic entering the group from anything outside it.
$secGroups = @(
    "DTAP:Develop",
    "DTAP:Test",
    "DTAP:Acceptance",
    "DTAP:Production"
)

$secGroups | ForEach-Object {
    $secGroup = Get-NsxSecurityGroup -Name $_
    Get-NsxFirewallSection "DTAP Rules" | New-NsxFirewallRule -Name "Deny all from $_ to NOT $_" -Source $secGroup -Destination $secGroup -NegateDestination -Action reject -EnableLogging -Tag $_
    Get-NsxFirewallSection "DTAP Rules" | New-NsxFirewallRule -Name "Deny all from NOT $_ to $_" -Source $secGroup -Destination $secGroup -NegateSource -Action reject -EnableLogging -Tag $_
}

Future improvements: creating firewall rules, security groups and their members from a JSON object.
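As an added illustration of that JSON-driven approach (example code written for this page, not part of the original post or of PowerNSX itself), the script below reads a constructed JSON definition and re-creates the same tags, groups and reject rules, skipping objects that already exist so it can be re-run safely. It assumes an existing Connect-NsxServer session and the PowerNSX cmdlets already used above plus New-NsxFirewallSection.

```powershell
$definition = @'
{
  "tags":   ["DTAP:Develop", "DTAP:Production"],
  "groups": [
    { "name": "DTAP:Develop",    "tags": ["DTAP:Develop"] },
    { "name": "DTAP:Production", "tags": ["DTAP:Production"] }
  ],
  "section": "DTAP Rules",
  "rules": [
    { "name": "Deny all from DTAP:Production to NOT DTAP:Production",
      "source": "DTAP:Production", "destination": "DTAP:Production",
      "negateDestination": true, "action": "reject", "log": true, "tag": "DTAP:Production" },
    { "name": "Deny all from NOT DTAP:Production to DTAP:Production",
      "source": "DTAP:Production", "destination": "DTAP:Production",
      "negateSource": true, "action": "reject", "log": true, "tag": "DTAP:Production" }
  ]
}
'@ | ConvertFrom-Json   # constructed sample; in practice: Get-Content rules.json -Raw

# Security tags: create only when missing, so re-running the script is safe.
foreach ($tagName in $definition.tags) {
    if (-not (Get-NsxSecurityTag -Name $tagName)) { New-NsxSecurityTag -Name $tagName | Out-Null }
}
# Security groups: create when missing, then add each listed tag as a member.
foreach ($g in $definition.groups) {
    $group = Get-NsxSecurityGroup -Name $g.name
    if (-not $group) { $group = New-NsxSecurityGroup -Name $g.name }
    foreach ($tagName in $g.tags) {
        $tag = Get-NsxSecurityTag -Name $tagName
        if ($tag) { $group | Add-NsxSecurityGroupMember -Member $tag | Out-Null }
    }
}
# Firewall section: the scripts above assume "DTAP Rules" exists; create it if not.
$section = Get-NsxFirewallSection -Name $definition.section
if (-not $section) { $section = New-NsxFirewallSection -Name $definition.section }

# Rules: build the parameter set from JSON; Negate* and EnableLogging are switches,
# so they are only added when the rule definition sets them to true.
foreach ($r in $definition.rules) {
    $params = @{
        Name        = $r.name
        Source      = Get-NsxSecurityGroup -Name $r.source
        Destination = Get-NsxSecurityGroup -Name $r.destination
        Action      = $r.action
        Tag         = $r.tag
    }
    if ($r.negateSource)      { $params.NegateSource      = $true }
    if ($r.negateDestination) { $params.NegateDestination = $true }
    if ($r.log)               { $params.EnableLogging     = $true }
    $section | New-NsxFirewallRule @params
}
```

Rules are not de-duplicated here; if the script is run twice, check the section for an existing rule of the same name first, otherwise the DFW will contain duplicate logged reject rules.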