Showing posts from 2019

Discovering NSX IPSets that Contain an IP Address

As you can tell by the kinds of posts that I've been making recently, I've had the chance to do a fair amount of work with NSX!  Within NSX, you can define IPSets to allow you to control the way non-NSX objects (such as physical devices) can interact with your VMs.  If you need to figure out which existing IPSet contains a given IP Address, you can run an easy VRNI query (ipset where ip address = <IP Address>)... but you don't always have access to VRNI!  So, I put together a PowerNSX script to check on it for me!

Using this script is pretty simple: get-appliedNSXIPsets -ipAddr <IP Address in Question>.  It will return a table with three columns (NSXSecurityGroup, NSXIPSet, and IPAddress) and one row per unique Security Group / IPSet combination.  The script understands IPSets that list multiple objects, but only if they are whole subnets (defined with CIDR notation) or individual IP Addresses.  The script does not support ranges of IP Addresses (like 192.168.1…

Useful VRNI Queries

I've been working with a large customer for a while, and one of the things that we've done here is to thoroughly integrate vRealize Network Insight into their environment.  I'm not sure that I can go back to using just plain vCenter after this, because vRNI gives me such a cool perspective on the environment!  As I've worked on various situations, I've found myself using a few queries over and over again, so I figured that I'd share some of my favorites!
Queries for Troubleshooting Network Communications Between VMs

Flows where VM = <VM Name>
Flows where Firewall Action = Deny
Flows where Security Tag = <Security Tag Name>
VM <VM Name> to VM <Other VM Name>

These queries (and permutations thereof) are incredibly useful when troubleshooting communication issues between VMs.  Depending on how precisely the application owner can describe their issue, I might use any one (or combination) of these.
For example, if an application owner tells me th…

Summarizing NSX Security Policy Firewall Rules

I've been working with one of my customers to implement the NSX Distributed Firewall via Security Policies instead of hand-crafted rules.  For auditing and reporting purposes, we needed to be able to display all of the policies that have been created and the DFW rules within each one.  Ideally, we'd need to be able to generate this report on demand, with real-time data... and since the NSX GUI doesn't make that easily visible, I figured that I should put together a script to do it for me!

Enter the summarize-NSXSecurityPolicy.ps1 script.  This script uses PowerNSX to get all of the defined Security Policies in the environment, then builds a table with one row per DFW Rule.  Each row contains several columns, including one for the policy that defines the rule, so we can easily filter the table to show what's going on with specific policies or we can easily search it to find a policy that involves specific traffic.  That latter use case is almost certainly more important,…

Speeding Up Scripts: Sorting and Selecting Unique

I often find myself working with large collections of objects, and one challenge that frequently comes up is to distill that collection to a set of unique items.  For example, I'm working on a project that involves analyzing a lot of network flow data that I receive with parameters for Source, Destination, Protocol, and Port.  For a part of this project, I need to create a bunch of computer objects, with parameters for InboundTCPPorts, InboundUDPPorts, InboundOtherPorts, OutboundTCPPorts, OutboundUDPPorts, and OutboundOtherPorts. 

To make these computer objects, I need to start by getting all of the unique computers from my input data's Source and Destination fields.  That's pretty simple.  I start by combining the source and destination fields into a single array:

$computers = $data.source + $data.destination

That gives me a single list of all computers that are involved in these network flows, but that list is going to have a ton of duplication in it (since each computer…

Changing your Windows Password in Nested RDP Sessions

Due to some strict security requirements, I often find myself working inside of an RDP session that's nested inside of another RDP session (that is occasionally nested inside of a Virtual Desktop).  Generally speaking, this works really well... except for when I need to change my password.  When you're buried that deeply in nested RDP sessions, neither ctrl-alt-del nor ctrl-alt-end are going to do the trick for you.  Fortunately, Serge Pavlov, deep in the comments of a technet article, had the solution!  I'm mostly writing about it here to make it easier for me to find it again when I need to go through this process 30 days from now ;)

In a PowerShell window, run this command: (New-Object -COM Shell.Application).WindowsSecurity()
That'll open the Windows Security Center (the same thing that pops up when you hit ctrl-alt-del normally).  From there, you can just click "change password" and be on your merry way!  I like this because, since it's initiated fro…

PowerNSX and Security Group Membership Exclusions

Hey everyone - I've been helping a customer implement their NSX Distributed Firewall recently.  I'm not a big fan of the GUI, but I can do just about everything that I need to do through PowerNSX, which I've found much faster and easier to manage... until I started working with Security Group membership exclusions.

NSX follows a fairly sophisticated process for determining what objects are members of a given Security Group.  First, it checks the rules in that Security Group's Dynamic Membership section and adds all of the specified objects to the list (this can be a computationally expensive process, so you probably don't want to use a lot of dynamic membership rules).  Next, it checks the list in that Security Group's Static Include section and adds all of the specified objects to the list (this is a cheaper operation and should be the go-to group membership method).  Finally, it checks the list in the Exclude section and removes those objects from the list.  …

Using PowerVRNI to Register Applications

One of my customers wants to use VRNI to better understand their environment.  They've been fairly disciplined about putting VMs into folders based on the application that the VM serves.  Unfortunately, they've been a little too good about putting the VMs in folders, as each application is broken up into several subfolders.  This causes a bit of a problem when we want to use VRNI to analyze an application's traffic, as the query flows where folder like *application* certainly works based on the VM folder... but it only looks at the immediate folder for the VM, rather than the whole path.  Since we had everything broken up into subfolders, that query doesn't do us much good here.

So, I put together a quick script that can scrape a vCenter inventory to register VRNI applications for each folder that it finds.  Those applications are named based on the absolute path of the VM folder, so that you can run queries like flows where application like *application* to find all n…