Add firewall rules to a vApp Network with PowerCli 5.1


I am trying to add firewall rules to a vApp Network in vCloud Director 5.1 with PowerCli 5.1. This script appears to update, with no errors, but a refresh of the firewall setting reveals no change.

Connect-CIServer -Server server.domain.local -Org org01 -User administrator -Password xxxxxx -WarningAction SilentlyContinue
$vAppNet = Get-CIVApp 111 | Get-CIVAppNetwork vApp_Network
$vApp = Get-CIVApp 111
$networkConfigSection = (Get-CIVApp 111).ExtensionData.GetNetworkConfigSection()
$fwService = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
$fwService.FirewallRule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
$fwService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
$fwService.FirewallRule[0].IsEnabled = $true
$fwService.FirewallRule[0].Description = "TS from TSG"
$fwService.FirewallRule[0].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
$fwService.FirewallRule[0].Protocols.Tcp = $true
$fwService.FirewallRule[0].Policy = "allow"
$fwService.FirewallRule[0].Port = "3389"
$fwService.FirewallRule[0].DestinationIp = "Any"
$fwService.FirewallRule[0].SourcePort = "3389"
$fwService.FirewallRule[0].SourceIp = "192.168.1.81-192.168.1.89"
$fwService.FirewallRule[0].Direction = "in"
# the service is appended to the Get-CIVAppNetwork object's copy of the configuration ...
$vAppNet.ExtensionData.Configuration.Features += $fwService
# ... while the update sends the separately fetched $networkConfigSection
$networkConfigSection.UpdateServerData()

When I run $vAppNet.extensiondata.configuration.features to check whether it was added, I see it in the 3rd section below, after the NAT entry...

PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI for Tenants> $vAppNet.extensiondata.configuration.features

DefaultAction    : drop
LogDefaultAction : False
FirewallRule     :
IsEnabled        : True
AnyAttr          :
VCloudExtension  :

NatType         : ipTranslation
Policy          : allowTrafficIn
NatRule         :
ExternalIp      :
IsEnabled       : True
AnyAttr         :
VCloudExtension :

DefaultAction    : drop
LogDefaultAction : False
FirewallRule     : {, }
IsEnabled        : True
AnyAttr          :
VCloudExtension  :

Changing the script a little produces an error during the update.

Connect-CIServer -Server server.domain.local -Org org01 -User administrator -Password xxxxxx -WarningAction SilentlyContinue
$vAppNet = Get-CIVAppNetwork vApp_Network
$vApp = Get-CIVApp 111
$networkConfigSection = (Get-CIVApp 111).ExtensionData.GetNetworkConfigSection()
$vAppNetwork = $networkConfigSection.NetworkConfig | where {$_.NetworkName -eq "vApp_Network"}
$fwService = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $false
# two rules are created, but only FirewallRule[0] is populated below
$fwService.FirewallRule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
$fwService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
$fwService.FirewallRule[0].IsEnabled = $false
$fwService.FirewallRule[0].Description = "TS from TSG"
$fwService.FirewallRule[0].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
$fwService.FirewallRule[0].Protocols.Tcp = $true
$fwService.FirewallRule[0].Policy = "allow"
$fwService.FirewallRule[0].Port = "3389"
$fwService.FirewallRule[0].DestinationIp = "Any"
$fwService.FirewallRule[0].SourcePort = "3389"
$fwService.FirewallRule[0].SourceIp = "192.168.1.81-192.168.1.89"
$fwService.FirewallRule[0].Direction = "in"
# drop any existing FirewallService, then add the new one
$vAppNetwork.Configuration.Features = $vAppNetwork.Configuration.Features | where {!($_ -is [VMware.VimAutomation.Cloud.Views.FirewallService])}
$vAppNetwork.Configuration.Features += $fwService
$networkConfigSection.UpdateServerData()

Error

Exception calling "UpdateServerData" with "0" argument(s): "Bad request - Unexpected JAXB Exception - cvc-complex-type.2.4.b: The content of element 'FirewallRule' is not complete. One of '{"xxxx://xxx.vmware.com/vcloud/v1.5":VCloudExtension, "xxxx://xxx.vmware.com/vcloud/v1.5":Id, "xxxx://xxx.vmware.com/vcloud/v1.5":IsEnabled, "xxx://xxxx.vmware.com/vcloud/v1.5":MatchOnTranslate, "xxxx://www.vmware.com/vcloud/v1.5":Description, "xxxx://xxx.vmware.com/vcloud/v1.5":Policy, "xxxx://xxx.vmware.com/vcloud/v1.5":Protocols, "xxxx://xxx.vmware.com/vcloud/v1.5":IcmpSubType, "http://xxx.vmware.com/vcloud/v1.5":Port, "xxxx://xxx.vmware.com/vcloud/v1.5":DestinationPortRange, "xxxx://xxx.vmware.com/vcloud/v1.5":DestinationIp, "xxxx://xxx.vmware.com/vcloud/v1.5":DestinationVm}' is expected."
At line:1 char:39
+ $networkConfigSection.UpdateServerData <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

I have not been able to figure out how to update successfully. Please, any help would be greatly appreciated.

1 answer

user2679698

I found the answer, here it is for anyone else who needs it.

$vAppNet = Get-CIVApp 111 | Get-CIVAppNetwork vApp_Network
$vApp = Get-CIVApp 111
$networkConfigSection = (Get-CIVApp 111).ExtensionData.GetNetworkConfigSection()
# work on the NetworkConfig entry inside the section that UpdateServerData() sends back
$vAppNetwork = $networkConfigSection.NetworkConfig | where {$_.NetworkName -eq "vApp_Network"}

$fwService = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
# every rule in the array must be fully populated before the update
$fwService.FirewallRule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
$fwService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule

# First rule
$fwService.FirewallRule[0].IsEnabled = $true
$fwService.FirewallRule[0].Description = "Allow all outgoing traffic"
$fwService.FirewallRule[0].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
$fwService.FirewallRule[0].Protocols.Any = $true
$fwService.FirewallRule[0].Policy = "allow"
$fwService.FirewallRule[0].DestinationIp = "external"
$fwService.FirewallRule[0].SourceIp = "internal"

# Second rule
$fwService.FirewallRule[1].IsEnabled = $true
$fwService.FirewallRule[1].Description = "TS from TSG"
$fwService.FirewallRule[1].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
$fwService.FirewallRule[1].Protocols.Tcp = $true
$fwService.FirewallRule[1].Policy = "allow"
$fwService.FirewallRule[1].Port = "3389"
$fwService.FirewallRule[1].DestinationIp = "Any"
$fwService.FirewallRule[1].SourcePort = "3389"
$fwService.FirewallRule[1].SourceIp = "192.168.1.81-192.168.1.89"

# replace any existing FirewallService rather than appending a second one, then push the section
$vAppNetwork.Configuration.Features = $vAppNetwork.Configuration.Features | where {!($_ -is [VMware.VimAutomation.Cloud.Views.FirewallService])}
$vAppNetwork.Configuration.Features += $fwService
$networkConfigSection.UpdateServerData()
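The same procedure as the answer above, generalised into reusable functions and with the check a practitioner wants after the silent no-op the question ran into: a read-back of the NetworkConfigSection from the server that verifies the firewall is enabled, defaults to drop and carries every rule that was sent. This is an added example, not code from the question or the answer. The server, org, vApp and network names are placeholders, the password is taken from Get-Credential instead of the command line, the default-drop is logged, and SourcePort is intentionally left unset because RDP clients connect from ephemeral source ports; a rule with SourcePort 3389 would match almost no real session. The Direction values "in" and "out" follow the vCloud 5.1 API.

```powershell
# Added example (not from the original post). Names below are placeholders.
param(
    [string]$Server      = 'vcd.example.local',
    [string]$Org         = 'org01',
    [string]$VAppName    = '111',
    [string]$NetworkName = 'vApp_Network'
)

# Rules as plain hashtables so each field is validated before any API object is built.
$RuleSpecs = @(
    @{ Description = 'Allow all outgoing traffic'; Policy = 'allow'; Protocol = 'Any'
       DestinationIp = 'external'; SourceIp = 'internal'; Direction = 'out' },
    @{ Description = 'RDP from management hosts'; Policy = 'allow'; Protocol = 'Tcp'
       Port = '3389'; DestinationIp = 'Any'; SourceIp = '192.168.1.81-192.168.1.89'; Direction = 'in' }
)

function New-VAppFirewallRule {
    param([hashtable]$Spec)
    # Every rule sent to vCloud must be fully populated; an empty placeholder rule is
    # what produces the "content of element 'FirewallRule' is not complete" error.
    foreach ($key in 'Description', 'Policy', 'Protocol', 'DestinationIp', 'SourceIp', 'Direction') {
        if (-not $Spec[$key]) { throw "Rule '$($Spec['Description'])' is missing '$key'" }
    }
    $rule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
    $rule.IsEnabled   = $true
    $rule.Description = $Spec['Description']
    $rule.Policy      = $Spec['Policy']
    $rule.Protocols   = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
    switch ($Spec['Protocol']) {
        'Any'   { $rule.Protocols.Any = $true }
        'Tcp'   { $rule.Protocols.Tcp = $true }
        'Udp'   { $rule.Protocols.Udp = $true }
        default { throw "Unsupported protocol '$_' in rule '$($Spec['Description'])'" }
    }
    if ($Spec['Port']) { $rule.Port = $Spec['Port'] }   # destination port; source port left as any
    $rule.DestinationIp = $Spec['DestinationIp']
    $rule.SourceIp      = $Spec['SourceIp']
    $rule.Direction     = $Spec['Direction']
    return $rule
}

function Set-VAppFirewall {
    param($VApp, [string]$NetworkName, [hashtable[]]$Rules)
    # Edit the NetworkConfig entry inside the very section that UpdateServerData() sends.
    # Editing a Get-CIVAppNetwork object's copy and then updating a separately fetched
    # section succeeds without an error and changes nothing on the server.
    $section = $VApp.ExtensionData.GetNetworkConfigSection()
    $netCfg  = $section.NetworkConfig | Where-Object { $_.NetworkName -eq $NetworkName }
    if (-not $netCfg) { throw "vApp network '$NetworkName' not found on vApp '$($VApp.Name)'" }

    $fw = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
    $fw.IsEnabled        = $true
    $fw.DefaultAction    = 'drop'
    $fw.LogDefaultAction = $true      # record what the default drop discards
    $fw.FirewallRule     = @($Rules | ForEach-Object { New-VAppFirewallRule -Spec $_ })

    # Replace any existing FirewallService instead of appending a second one.
    $kept = @($netCfg.Configuration.Features |
              Where-Object { -not ($_ -is [VMware.VimAutomation.Cloud.Views.FirewallService]) })
    $netCfg.Configuration.Features = $kept + $fw
    $section.UpdateServerData()
}

function Test-VAppFirewall {
    param($VApp, [string]$NetworkName, [hashtable[]]$Rules)
    # Re-read from the server rather than trusting the local objects.
    $section = $VApp.ExtensionData.GetNetworkConfigSection()
    $netCfg  = $section.NetworkConfig | Where-Object { $_.NetworkName -eq $NetworkName }
    $fw = @($netCfg.Configuration.Features |
            Where-Object { $_ -is [VMware.VimAutomation.Cloud.Views.FirewallService] })
    if ($fw.Count -ne 1) { Write-Warning "expected one FirewallService, found $($fw.Count)"; return $false }
    if (-not $fw[0].IsEnabled) { Write-Warning 'firewall is disabled'; return $false }
    if ($fw[0].DefaultAction -ne 'drop') { Write-Warning "default action is '$($fw[0].DefaultAction)'"; return $false }
    $expected = @($Rules | ForEach-Object { $_['Description'] })
    $actual   = @($fw[0].FirewallRule | ForEach-Object { $_.Description })
    $missing  = @($expected | Where-Object { $actual -notcontains $_ })
    if ($missing.Count -gt 0) { Write-Warning "rules not on server: $($missing -join ', ')"; return $false }
    return $true
}

# Prompt for the password instead of passing it on the command line, where it
# ends up in shell history and process listings.
Connect-CIServer -Server $Server -Org $Org -Credential (Get-Credential) | Out-Null
$vapp = Get-CIVApp -Name $VAppName
Set-VAppFirewall -VApp $vapp -NetworkName $NetworkName -Rules $RuleSpecs
if (-not (Test-VAppFirewall -VApp $vapp -NetworkName $NetworkName -Rules $RuleSpecs)) {
    throw 'Firewall update did not take effect; check which NetworkConfigSection was updated.'
}
```

Run it from a PowerCLI for Tenants session with the PowerCLI Cloud snap-in loaded. The read-back in Test-VAppFirewall is the important part: UpdateServerData() returns without error when it is called on a section that was never modified, so only a fresh GetNetworkConfigSection() proves the rules are really on the server.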