Summarizing NSX Security Policy Firewall Rules
I've been working with one of my customers to implement the NSX Distributed Firewall via Security Policies instead of hand-crafted rules. For auditing and reporting purposes, we needed to be able to display all of the policies that have been created and the DFW rules within each one. Ideally, we'd need to be able to generate this report on demand, with real-time data... and since the NSX GUI doesn't make that easily visible, I figured that I should put together a script to do it for me!
Enter the summarize-NSXSecurityPolicy.ps1 script. This script uses PowerNSX to get all of the defined Security Policies in the environment, then builds a table with one row per DFW Rule. Each row contains several columns, including one for the policy that defines the rule, so we can easily filter the table to show what's going on with specific policies or we can easily search it to find a policy that involves specific traffic. That latter use case is almost certainly more important, as it will help us to reduce (or even eliminate!) policy creep by helping our operators to find and use existing policies rather than creating redundant ones.
To use the script, you need to have the PowerNSX module imported and an active connection to your NSX Server (via the Connect-NSXServer cmdlet). With those things in place, you can just fire off the script and it'll give you back a table with the summary. Now, a table sitting in your PowerShell console is probably not going to do you any good at all, so you'll probably want to either store the script results in a variable ($policies = summarize-NSXSecurityPolicy.ps1) or just save it directly to a file (summarize-NSXSecurityPolicy.ps1 | export-csv myPolicies.csv). Really, you can treat that table however you want, it's your data after all!
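As an added illustration of the approach described above (this is not the author's summarize-NSXSecurityPolicy.ps1), the following PowerShell walks the Security Policies returned by PowerNSX's Get-NsxSecurityPolicy and emits one object per firewall-category rule. It assumes an active Connect-NsxServer session; the element names under actionsByCategory (action, applications, secondarySecurityGroup, isEnabled, direction) are assumed from the NSX securityPolicy XML schema and should be checked against your NSX version.

```powershell
# Added example, not the author's script. Assumes an active PowerNSX session
# (Connect-NsxServer) and that Get-NsxSecurityPolicy returns the NSX
# securityPolicy XML objects; the element names below are assumed from the
# NSX securityPolicy schema.
function Get-SecurityPolicyRuleSummary {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the policy name, e.g. "Web-Tier*"
        [string]$PolicyName = '*'
    )
    $policies = Get-NsxSecurityPolicy | Where-Object { $_.name -like $PolicyName }
    foreach ($policy in $policies) {
        # Only the "firewall" category holds DFW rules; the other categories
        # carry guest- or network-introspection actions, which we skip here.
        $fwActions = $policy.actionsByCategory |
            Where-Object { $_.category -eq 'firewall' } |
            ForEach-Object { $_.action }
        foreach ($rule in $fwActions) {
            # Missing <applications> or <secondarySecurityGroup> means "any".
            $services = ($rule.applications.application | ForEach-Object { $_.name }) -join ';'
            $peers    = ($rule.secondarySecurityGroup  | ForEach-Object { $_.name }) -join ';'
            [pscustomobject]@{
                Policy     = $policy.name
                PolicyId   = $policy.objectId
                Precedence = $policy.precedence
                Rule       = $rule.name
                Enabled    = $rule.isEnabled
                Action     = $rule.action      # allow / block / reject
                Direction  = $rule.direction   # inbound / outbound / intra
                Services   = if ($services) { $services } else { 'any' }
                PeerGroups = if ($peers)    { $peers }    else { 'any' }
            }
        }
    }
}

# Usage: show every rule on the console, then export only block rules for audit.
Get-SecurityPolicyRuleSummary | Format-Table -AutoSize
Get-SecurityPolicyRuleSummary |
    Where-Object { $_.Action -eq 'block' } |
    Export-Csv -Path .\dfw-block-rules.csv -NoTypeInformation
```

Filtering the same table on Services or PeerGroups is how an operator checks for an existing policy that already covers a flow before creating a new one.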