tonysangha / powernsx-dfw2excel
Export the NSX for vSphere Distributed Firewall to MS Excel
License: MIT License
Perform validation that NSX is returning content with status code 200, otherwise skip worksheet population.
invoke-nsxwebrequest : Invoke-NsxWebRequest : The NSX API response received indicates a failure. 400 : Bad Request : Response Body:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Would you like to continue collection of VM IP Addresses (Default: N) Y/N?: : n
WARNING: Collection of IP Addresses Disabled
Retrieving Services configured in NSX-v.
Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary: 'Horizon 6 Connection Server to vCenter server communication' Key being added: 'Horizon 6 Connection Server to vCenter Server communication'"
At C:\temp\PowerNSX-DFW2Excel\DFW2Excel.ps1:540 char:9
$service_links.Add($svc.name, $row)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
True
Retrieving Service Groups configured in NSX-v.
True
Retrieving MACSETS configured in NSX-v.
True
Retrieving IPSETS configured in NSX-v.
True
Retrieving Security Groups configured in NSX-v.
True
Retrieving Security Tags configured in NSX-v.
True
Retrieving VMs in DFW Exclusion List
True
Retrieving DFW Layer 3 FW Rules
True
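The duplicate-key exception in the transcript above and the status-code check asked for in the issue title come down to the same requirement: one failed API call or one odd record should not abort the whole export. The following is an added example, not code from DFW2Excel or PowerNSX. It uses constructed sample objects that stand in for what Get-NsxService returns; the `name` property is the one the script itself reads at the quoted line, while `objectId` and the collector wrapper are assumptions made for the example.

```powershell
# Added example (not part of DFW2Excel): tolerate duplicate service names and
# failed collection steps instead of terminating the run.

# Constructed sample input standing in for Get-NsxService output. The two
# Horizon entries differ only in the case of "server", which is exactly the
# pair that made $service_links.Add() throw in the transcript.
$sampleServices = @(
    [pscustomobject]@{ name = 'HTTPS'; objectId = 'application-1' },
    [pscustomobject]@{ name = 'Horizon 6 Connection Server to vCenter server communication'; objectId = 'application-2' },
    [pscustomobject]@{ name = 'Horizon 6 Connection Server to vCenter Server communication'; objectId = 'application-3' }
)

function Invoke-CollectionStep {
    # Runs one collection step; on any error (for example a 400/403 from the NSX
    # API) it reports failure so the caller can skip that worksheet.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [scriptblock] $Collector
    )
    try {
        $data = & $Collector
        [pscustomobject]@{ Name = $Name; Succeeded = $true; Data = $data }
    } catch {
        Write-Warning "$Name collection failed; worksheet will not be populated: $($_.Exception.Message)"
        [pscustomobject]@{ Name = $Name; Succeeded = $false; Data = $null }
    }
}

function New-ServiceLinkTable {
    # Maps service name -> worksheet row. PowerShell hashtables (including
    # [ordered]) compare keys case-insensitively, so a duplicate must be
    # detected with Contains() before Add() is called.
    param(
        [Parameter(Mandatory)] [object[]] $Services,
        [int] $FirstRow = 2
    )
    $links = [ordered]@{}
    $duplicates = [System.Collections.Generic.List[string]]::new()
    $row = $FirstRow
    foreach ($svc in $Services) {
        if ($links.Contains($svc.name)) {
            # Keep the first occurrence; record the clash instead of throwing.
            $duplicates.Add("$($svc.name) [$($svc.objectId)]")
            Write-Warning "Duplicate service name skipped for linking: $($svc.name) [$($svc.objectId)]"
        } else {
            $links.Add($svc.name, $row)
        }
        $row++   # every service still occupies a worksheet row
    }
    [pscustomobject]@{ Links = $links; Duplicates = $duplicates }
}

# Successful step: build the link table and report what was skipped.
$services = Invoke-CollectionStep -Name 'Services' -Collector { $sampleServices }
if ($services.Succeeded) {
    $table = New-ServiceLinkTable -Services $services.Data
    "Rows linked: $($table.Links.Count); duplicates skipped: $($table.Duplicates.Count)"
}

# Failing step (constructed): the error is reported and the worksheet skipped.
$groups = Invoke-CollectionStep -Name 'Service Groups' -Collector { throw '400 : Bad Request' }
if (-not $groups.Succeeded) { "Skipping Service Groups worksheet" }
```

As the transcript shows, NSX does not enforce unique service names, so a name-keyed table will always have this failure mode. Keying the link table by `objectId` (which is unique) and looking the name up separately removes the collision entirely; a case-sensitive dictionary (`New-Object System.Collections.Hashtable` without a comparer) would also keep both entries, but any rule that references the service by name would still be ambiguous.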
Currently when you run the script, in the Security Groups tab, the MOID/Name of VMs in each SG is automatically listed. This is okay for small environments but in large environments with 1000s of VMs this can become really huge.
Is it possible to make this translation optional just like VM_addressing?
Is it possible to add an area in the Security Groups tab which lists how many VMs are becoming part of a SG and how many IPs it's translating into? This can be really useful when looking at large environments and identifying where the large groups are.
For ex:
Name     ID                Translated VMs   Translated IPs
=====    ==                ==============   ==============
SG.App1  securitygroup-11  50               105
https://x.x.x.x/api/2.0/services/securitygroup/securitygroup-11/translation/virtualmachines
https://x.x.x.x/api/2.0/services/securitygroup/securitygroup-11/translation/ipaddresses
If security tags are configured and do not have a VM assignment, the script raises an exception and does not continue.
Resolution:
Place an if statement to check that the variable is not null.
$tag_assign = $ST | Get-NsxSecurityTagAssignment
# $null on the left so the comparison is not turned into an array filter when several assignments come back
if ($null -ne $tag_assign) {...}
Populate Excluded field with true or false values
Document IPSETS/MACSETS and other static inclusions/exclusions of security groups
It does not appear you can use the Auditor role to run this. We run scripts with a user that has Read only to vCenter, and Auditor to NSX.
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r
Name RetrievingType DeclaringType Value
VMIPAddress VirtualMachine VirtualMachine Summary.Guest.IPAddress
Unable to retrieve role details from NSX. Invoke-NsxRestMethod : The NSX API response received indicates a failure.
403 : Forbidden : Response Body:
throw "Unable to retrieve role details from NSX. $_"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Need to place error handling into the script in the event certain parameters are not found
I am new to PowerNSX. I followed the instructions to connect to vCenter and NSX using SSO credentials as below.
PS /> Connect-NsxServer -vCenterServer vc-01a.corp.local
Entered the SSO credentials and can retrieve a range of different information from PowerCLI. But I tried documenting DFW rules and it throws the following error.
Hi Tony,
First, great product! Keep up the great work :)
Issue: I get this error every time I run .\DFW2Excel.ps1
When I looked at the code (I'm not sure where 'admin' is coming from):
$nsx_mgr = Read-Host "`nIP or FQDN of NSX Manager? "
Connect-NSXServer $nsx_mgr -Credential admin
but if I change the code to this it works great for me...
$nsxManagerCred = Get-Credential -Message "NSX Manager Credential" -UserName "admin"
$vCenterCred = Get-Credential -Message "vCenter Credential" -UserName "administrator@"
Connect-NsxServer -Server $nsx_mgr -Credential $nsxManagerCred -VICred $vCenterCred -ViWarningAction "Ignore"
Please check if the above code makes sense to you and feel free to change your code. :)
Following is the detailed error:
IP or FQDN of NSX Manager? : 192.168.110.42
Connect-NsxServer : Cannot process argument transformation on parameter 'Credential'. Cannot convert the "admin" value of type "System.String" to type
"System.Management.Automation.PSCredential".
At C:\temp\PowerNSX-DFW2Excel\DFW2Excel.ps1:743 char:40
+ Connect-NSXServer $nsx_mgr -Credential admin
+ CategoryInfo : InvalidData: (:) [Connect-NsxServer], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Connect-NsxServer
The variable '$defaultNSXConnection' cannot be retrieved because it has not been set.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:5543 char:41
+ [PSCustomObject]$Connection=$defaultNSXConnection
+ CategoryInfo : InvalidOperation: (defaultNSXConnection:String) [], RuntimeException
+ FullyQualifiedErrorId : VariableIsUndefined
Create a hyperlink from a service in a service group to the service definition in the services worksheet
Security Tag worksheet with VM membership
When a service in NSX is defined with multiple ports, they are separated by a comma. This data is being treated as a single number in Excel, rather than text.
Suggestion: set the column that contains the service ports to Text, or place each port/value on a different line within the same cell (helps in readability)
I was using the script today with a customer and the workflow was such that they had rules to allow ports in and out of cloud env. When a new request comes in, they have to find out if the requested port is already part of the service group configured in the existing rule or they need to add a new one.
When using DFW2Excel, we can click on the Layer 3 Firewall --> click on Service Group. It takes us to the Service_Group and lists the Service Members. Now if you have a number of Service Members then you see a list of names but no numbers. You then need to click on each Service Member to find the actual port number.
I was thinking, if we could add a column next to service member with the numerical number of the port, it would make it much more consumable.
Not sure if it's possible but from a customer workflow perspective they would really appreciate it.
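The two requests above (keep port lists as text so Excel does not read "80,443" as a number, and show each service group member's ports next to its name) can be met with one transformation step before anything is written to the worksheet. The following is an added example, not code from DFW2Excel or PowerNSX; the service and service-group objects are constructed, and their `protocol`, `port` and `members` property names are assumptions made for the example rather than the fields PowerNSX returns.

```powershell
# Added example (not part of DFW2Excel): flatten a service group into one row
# per member service, carrying its protocol and port list as a string.

# Constructed sample standing in for Get-NsxService output, keyed by objectId.
$sampleServicesById = @{
    'application-1' = [pscustomobject]@{ name = 'HTTPS';       protocol = 'TCP'; port = '443' }
    'application-2' = [pscustomobject]@{ name = 'Horizon-Web'; protocol = 'TCP'; port = '80,443,8443' }
    'application-3' = [pscustomobject]@{ name = 'DNS';         protocol = 'UDP'; port = '53' }
}

# Constructed sample service group; 'application-9' is deliberately unresolved
# so the missing-member path is exercised.
$sampleGroup = [pscustomobject]@{
    name    = 'Horizon-Edge'
    members = @('application-2', 'application-3', 'application-9')
}

function Expand-ServiceGroupPorts {
    # Emits one row per member with the ports of the referenced service.
    # Ports are kept as [string] so a later worksheet write cannot coerce
    # "80,443,8443" into a number; -OnePortPerLine puts each port on its own
    # line inside the cell, as suggested in the issue.
    param(
        [Parameter(Mandatory)] [object] $Group,
        [Parameter(Mandatory)] [hashtable] $ServicesById,
        [switch] $OnePortPerLine
    )
    foreach ($id in $Group.members) {
        $svc = $ServicesById[$id]
        if ($null -eq $svc) {
            # Report the gap instead of throwing so the rest of the sheet is still written.
            [pscustomobject]@{ Group = $Group.name; Member = $id; Protocol = ''; Ports = '(service not found)' }
            continue
        }
        $ports = [string]$svc.port
        if ($OnePortPerLine) { $ports = ($ports -split ',') -join "`n" }
        [pscustomobject]@{
            Group    = $Group.name
            Member   = $svc.name
            Protocol = $svc.protocol
            Ports    = $ports
        }
    }
}

$rows = Expand-ServiceGroupPorts -Group $sampleGroup -ServicesById $sampleServicesById
$rows | Format-Table -AutoSize

# When writing with the Excel COM object, setting the Ports column to the Text
# format before assigning values stops Excel re-interpreting the cell contents
# (assumed usage of the COM API; $worksheet and the column index are placeholders):
#   $worksheet.Columns.Item(4).NumberFormat = '@'
```

Keeping the port list as a string end to end is the important part: once a value like `80,443` has been stored as a number (or a date), the original text cannot be recovered from the workbook, so the conversion has to be prevented at write time rather than fixed afterwards.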
When I tried to get DFW Rules to Excel the following errors occurred
Get-NSXSecurityGroupEffectiveMembers : The term 'Get-NSXSecurityGroupEffectiveMembers' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\hakkurth\Downloads\NSX-PowerOps-master-80a8d3cff9b44c9e921166480e9251d4247abb10\PowerNSX-DFW2Excel\DFW2Excel.ps1:439 char:30
$members = $member | Get-NSXSecurityGroupEffectiveMembers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using PowerCLI, list first IPv4 Address associated to the virtual machine.
Command is:
Get-VM | Select Name, @{N="IP Address";E={@($_.guest.IPAddress[0])}}
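A guest's `IPAddress` list can begin with an IPv6 or a 169.254 link-local address, so the element at index 0 is not always the IPv4 address the worksheet is meant to show. The following is an added example, not code from DFW2Excel; it filters the list explicitly and uses a constructed address list in place of the PowerCLI `$vm.Guest.IPAddress` value so it runs without a vCenter connection.

```powershell
# Added example (not part of DFW2Excel): return the first routable IPv4
# address from a guest address list, skipping IPv6 and link-local entries.

# Constructed sample standing in for $vm.Guest.IPAddress as reported by PowerCLI.
$sampleGuestAddresses = @(
    'fe80::250:56ff:fe9a:1c2d',   # IPv6 link-local, usually listed first
    '169.254.10.5',               # IPv4 link-local (APIPA), not useful for rules
    '10.20.30.40',
    '10.20.30.41'
)

function Get-FirstIPv4Address {
    param(
        [AllowNull()] [AllowEmptyCollection()] [string[]] $Addresses,
        [switch] $IncludeLinkLocal
    )
    foreach ($text in @($Addresses)) {
        $ip = $null
        # Parse rather than regex-match so malformed strings are rejected.
        if (-not [System.Net.IPAddress]::TryParse($text, [ref]$ip)) { continue }
        if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }
        if (-not $IncludeLinkLocal -and $text -like '169.254.*') { continue }
        return $text
    }
    # No IPv4 address present (VM powered off, no VMware Tools, IPv6-only guest).
    return $null
}

Get-FirstIPv4Address -Addresses $sampleGuestAddresses
Get-FirstIPv4Address -Addresses @('fe80::1')   # returns nothing
```

With a live PowerCLI session the same function slots into the calculated property from the issue: `Get-VM | Select-Object Name, @{N='IP Address'; E={ Get-FirstIPv4Address -Addresses $_.Guest.IPAddress }}`. Returning `$null` rather than throwing keeps one tools-less VM from stopping the address collection for the whole inventory.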