tonysangha / powernsx-dfw2excel Goto Github PK

I was using the script today with a customer and the workflow was such that they had rules to allow ports in and out of cloud env. When a new request comes in, they have to find out if the requested port is already part of the service group configured in the existing rule or they need to add a new one.

When using the DFW2Excel, we can click on the Layer 3 Firewall --> Click on Service Group. It takes us to the Service_Group and list the Service Members. Now if you have a number of Service Members then you see a list of names but no numbers. You then need to click on each Service Member to find the actual port number.

I was thinking, if we could add a column next to service member with the numerical number of the port, it would make it much consumable.

Not sure if its possible but from customer workflow perspective they would really appreciate it.

It does not appear you can use the Auditor role to run this. We run scripts with a user that has Read only to vCenter, and Auditor to NSX.

[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): r

Name RetrievingType DeclaringType Value

VMIPAddress VirtualMachine VirtualMachine Summary.Guest.IPAddress
Unable to retrieve role details from NSX. Invoke-NsxRestMethod : The NSX API response received indicates a failure.
403 : Forbidden : Response Body:

•         throw "Unable to retrieve role details from NSX.  $_"
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : OperationStopped: (Unable to retri...leName>:String) [], RuntimeException
  • FullyQualifiedErrorId : Unable to retrieve role details from NSX. Invoke-NsxRestMethod : The NSX API response r
    eceived indicates a failure. 403 : Forbidden : Response Body:
    
    User is not authorized to access object globalroot-0 and feature urm.object_access_control, please
    check object access scope and feature permissions for the user.
    254co
    re-services

Need to place error handling into script in the event certain parameters are not found

Hi Tony,

First, great product! Keep up the great work :)

Issue: I get this error every time I run .\DFW2Excel.ps1
When I looked at the code (I'm not sure where's 'admin' coming from):

$nsx_mgr = Read-Host "`nIP or FQDN of NSX Manager? "
Connect-NSXServer $nsx_mgr -Credential admin

but if I change the code to this it works great for me...

$nsxManagerCred = Get-Credential -Message "NSX Manager Credentail" -UserName "admin"
$vCenterCred = Get-Credential -Message "vCenter Credentail" -UserName "administrator@"
Connect-NsxServer -Server $nsx_mgr -Credential $nsxManagerCred -VICred $vCenterCred -ViWarningAction "Ignore"

please check if above code make sense to you and feel free to change your code. :)

Following is the detailed error:

IP or FQDN of NSX Manager? : 192.168.110.42
Connect-NsxServer : Cannot process argument transformation on parameter 'Credential'. Cannot convert the "admin" value of type "System.String" to type
"System.Management.Automation.PSCredential".
At C:\temp\PowerNSX-DFW2Excel\DFW2Excel.ps1:743 char:40

• Connect-NSXServer $nsx_mgr -Credential admin

+ CategoryInfo          : InvalidData: (:) [Connect-NsxServer], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Connect-NsxServer

The variable '$defaultNSXConnection' cannot be retrieved because it has not been set.
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\PowerNSX\PowerNSX.psm1:5543 char:41

•         [PSCustomObject]$Connection=$defaultNSXConnection
  

+ CategoryInfo          : InvalidOperation: (defaultNSXConnection:String) [], RuntimeException
+ FullyQualifiedErrorId : VariableIsUndefined

invoke-nsxwebrequest : Invoke-NsxWebRequest : The NSX API response received indicates a failure. 400 : Bad Request : Response Body:

• ... $response = invoke-nsxwebrequest -method "get" -uri $URI -connection ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidResult: (Invoke-NsxWebRequest:String) [Invoke-NsxWebRequest], InternalNsxApiException
  • FullyQualifiedErrorId : NsxAPIFailureResult,Invoke-NsxWebRequest

When I tried to get DFW Rules to Excel following errors occured

Get-NSXSecurityGroupEffectiveMembers : The term 'Get-NSXSecurityGroupEffectiveMembers' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or
if a path was included, verify that the path is correct and try again.
At C:\Users\hakkurth\Downloads\NSX-PowerOps-master-80a8d3cff9b44c9e921166480e9251d4247abb10\PowerNSX-DFW2Excel\DFW2Excel.ps1:439 char:30

•     $members = $member | Get-NSXSecurityGroupEffectiveMembers
  

•                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : ObjectNotFound: (Get-NSXSecurityGroupEffectiveMembers:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Currently when you run the script, in the Security Groups tab, the MOID/Name of VMs in each SG is automatically listed. This is okay for small environments but in large environments with 1000s of VMs this can become really huge.

Is it possible to make this translation optional just like VM_addressing?

Create a hyperlink from a service in a service group to the service definition in the services worksheet

Populate Excluded field with true or false values

Get-NSXSecurityGroupEffectiveMembers is not the correct command. The correct one is Get-NSXSecurityGroupEffectiveMember without the 's' at the end.

Security Tag worksheet with VM membership

When a service in NSX is defined with multiple ports, they are separated by a comma. This data is being treated as a single number in Excel, rather than text.

Suggestion: set the column that contains the service ports to Text, or place each port/value on a different line within the same cell (helps in readability)

I am new to powernsx , I followed the instruction to connect to vcenter and nsx using sso credentials as below.
PS /> Connect-NsxServer -vCenterServer vc-01a.corp.local

Entered the SSO credential's and can retrieve the range of different information from powercli. But I tried documenting DFW rules and it throws the following error.

Does anyone knows what's going or what I am doing wrong.

Document IPSETS/MACSETS and other static inclusions/exclusions of security groups

Would you like to continue collection of VM IP Addresses (Default: N) Y/N?: : n
WARNING: Collection of IP Addresses Disabled

Retrieving Services configured in NSX-v.
Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary: 'Horizon 6 Connection Server to vCenter server communication' Key being added: 'Horizon 6 Connection Server to vCenter Server
communication'"
At C:\temp\PowerNSX-DFW2Excel\DFW2Excel.ps1:540 char:9

•     $service_links.Add($svc.name, $row)
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : ArgumentException

True

Retrieving Service Groups configured in NSX-v.
True

Retrieving MACSETS configured in NSX-v.
True

Retrieving IPSETS configured in NSX-v.
True

Retrieving Security Groups configured in NSX-v.
True

Retrieving Security Tags configured in NSX-v.
True

Retrieving VMs in DFW Exclusion List
True

Retrieving DFW Layer 3 FW Rules
True

If security tags are configured and do not have a VM assignment, the script raises an exceptions and does not continue.

Resolution:

Place if statement to check if the variable is not null.

$tag_assign = $ST | Get-NsxSecurityTagAssignment
if ($tag_assign -ne $null){...}

Using PowerCLI, list first IPv4 Address associated to the virtual machine.

Command is:

Get-VM | Select Name, @{N="IP Address";E={@($_.guest.IPAddress[0])}}

Perform validation that NSX is returning content with status code 200, otherwise skip worksheet population.

Is it possible to add an area in the Security Groups tab which lists how many VMs are becoming part of a SG and how many IPs its translating into? This can be really useful when looking at large environments and identifying where the large groups are.

For ex:

Name. ID Translated VMs Translated IPs
===== == =============. ============
SG.App1 securitygroup-11 50 105

https://x.x.x.x/api/2.0/services/securitygroup/securitygroup-11/translation/virtualmachines

https://x.x.x.x/api/2.0/services/securitygroup/securitygroup-11/translation/ipaddresses