Add-NsxSecurityPolicyRule
NAME Add-NsxSecurityPolicyRule
SYNOPSIS
Adds a new NSX Security Policy Rule to an existing policy.
SYNTAX
Add-NsxSecurityPolicyRule [-SecurityPolicy] <XmlElement> [[-FirewallRuleSpec] <XmlElement[]>]
[[-GuestIntrospectionSpec] <XmlElement[]>] [[-NetworkIntrospectionSpec] <XmlElement[]>] [[-Connection] <PSObject>]
[<CommonParameters>]
DESCRIPTION
A security policy is a policy construct that can define one or more rules in
several different categories, that can then be applied to an arbitrary
number of Security Groups in order to enforce the defined policy.
The three categories of rules that can be included in a Security Policy are:
- Guest Introspection - data security, anti-virus, and vulnerability
management and rules based on third party Guest Introspection capability.
- Firewall rules - creates appropriate distributed firewall rules when
the policy is applied to a security group.
- Network introspection services - third-party firewall, IPS/IDS etc.
Add-NsxSecurityPolicyRule allows the addition of a new rule to an existing
security policy.
For Network Introspection, and some Guest Introspection rules, the
appropriate service definition and service policies must already be defined
within NSX to allow this.
PARAMETERS
-SecurityPolicy <XmlElement>
Security Policy to retrieve rules from.
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-FirewallRuleSpec <XmlElement[]>
Security Policy Firewall Rule Spec as created by New-NsxSecurityPolicyFirewallRuleSpec
Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
-GuestIntrospectionSpec <XmlElement[]>
Guest Introspection Rule Spec as created by New-NsxSecurityPolicyGuestIntrospectionSpec
Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NetworkIntrospectionSpec <XmlElement[]>
Network Introspection Rule Spec as created by New-NsxSecurityPolicyNetworkIntrospectionSpec
Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Connection <PSObject>
PowerNSX Connection object
Required? false
Position? 5
Default value $defaultNSXConnection
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\> $sg1 = Get-NsxSecurityGroup "All Management Servers"
PS C:\> $http = Get-NsxService -Localonly | Where { $_.name -eq 'HTTP' }
PS C:\> $https = Get-NsxService -Localonly | Where { $_.name -eq 'HTTPS' }
PS C:\> $ssh = Get-NsxService -Localonly | Where { $_.name -eq 'SSH' }
PS C:\> $inboundwebrule = New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow Inbound Web" `
-Description "Allow inbound web traffic" `
-Service $http,$https -Source Any -EnableLogging -Action allow
PS C:\> $inboundsshrule = New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow SSH from Management" `
-Description "Allow inbound ssh traffic from management servers" `
-Service $ssh -Source $sg1 -EnableLogging -Action allow
PS C:\> Get-NsxSecurityPolicy -Name WebServers | Add-NsxSecurityPolicyRule `
-FirewallRuleSpec $inboundwebrule, $inboundsshrule
Gets a security policy called WebServers and adds two firewall rules to it.
The specific steps to accomplish this are as follows:
- Retrieves an existing security group that represents management servers
from which SSH traffic will originate.
- Retrieves existing NSX services defining HTTP, HTTPS and SSH and stores
them in appropriate variables.
- Creates two FirewallRule Specs that use the group and services collected
above and stores them in appropriate variables.
- Retrieves a Security Policy using its name and adds the two precreated
firewall rules.
-------------------------- EXAMPLE 2 --------------------------
PS C:\> $ServiceDefinition = Get-NsxServiceDefinition -Name "MyThirdPartyFirewall"
PS C:\> $ServicePolicy = $ServiceDefinition | Get-NsxServiceProfile "FirewallProfile"
PS C:\> $https = Get-NsxService -Localonly | Where { $_.name -eq 'HTTPS' }
PS C:\> $RedirectRule = New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "MyThirdPartyRedirectRule" `
-ServiceProfile $ServicePolicy -Service $https -Source Any
PS C:\> Get-NsxSecurityPolicy -Name ThirdPartyRedirect | Add-NsxSecurityPolicyRule `
-NetworkIntrospectionSpec $RedirectRule
Retrieves a security policy called ThirdPartyRedirect and adds a single
network introspection rule to redirect traffic to a third-party firewall
service.
The specific steps to accomplish this are as follows:
- Retrieves an existing Service Policy that is defined as part of the
third-party firewall product integration with NSX.
- Retrieves an existing NSX service defining HTTPS and stores it in an
appropriate variable.
- Creates a Network Introspection rule spec that uses the policy collected
above, that matches HTTPS traffic from any source and stores it in an
appropriate variable.
- Retrieves a Security Policy using its name and adds the precreated network
introspection rule.
-------------------------- EXAMPLE 3 --------------------------
PS C:\> $ServiceDefinition = Get-NsxServiceDefinition -Name "MyThirdPartyEndpoint"
PS C:\> $ServicePolicy = $ServiceDefinition | Get-NsxServiceProfile "Profile1"
PS C:\> $EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-ServiceDefinition $ServiceDefinition -ServiceProfile $ServicePolicy
PS C:\> Get-NsxSecurityPolicy -Name ThirdPartyEndpoint | Add-NsxSecurityPolicyRule `
-GuestIntrospectionSpec $EndpointRule
Retrieves a security policy called ThirdPartyEndpoint and adds a single
guest introspection rule to it.
The specific steps to accomplish this are as follows:
- Retrieves an existing Service Policy that is defined as part of the
third-party endpoint integration with NSX.
- Creates a Guest Introspection rule spec that uses the policy collected
above and stores it in an appropriate variable.
- Retrieves a Security Policy and adds the precreated guest introspection rule.
-------------------------- EXAMPLE 4 --------------------------
PS C:\> $EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-Servicetype AntiVirus
PS C:\> Get-NsxSecurityPolicy -Name AntiVirusEndpoint | Add-NsxSecurityPolicyRule `
-GuestIntrospectionSpec $EndpointRule
Retrieves a security policy called AntiVirusEndpoint and adds a single
AntiVirus guest introspection rule to it.
The specific steps to accomplish this are as follows:
- Creates a Guest Introspection AntiVirus rule spec and stores it in an
appropriate variable.
- Retrieves a Security Policy using its name and adds the precreated guest introspection rule.
-------------------------- EXAMPLE 5 --------------------------
PS C:\> $EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-Servicetype FileIntegrityMonitoring
PS C:\> Get-NsxSecurityPolicy -Name FileIntegrityEndpoint | Add-NsxSecurityPolicyRule `
-GuestIntrospectionSpec $EndpointRule
Retrieves a security policy called FileIntegrityEndpoint and adds a single
FileIntegrity guest introspection rule to it.
The specific steps to accomplish this are as follows:
- Creates a Guest Introspection FileIntegrity rule spec and stores it in an
appropriate variable.
- Retrieves a Security Policy using its name and adds the guest introspection rule.
-------------------------- EXAMPLE 6 --------------------------
PS C:\> $EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-Servicetype VulnerabilityManagement
PS C:\> Get-NsxSecurityPolicy -Name VulnerabilityMgmtEndpoint | Add-NsxSecurityPolicyRule `
-GuestIntrospectionSpec $EndpointRule
Retrieves a security policy called VulnerabilityMgmtEndpoint and adds a single
VulnerabilityManagement guest introspection rule to it.
The specific steps to accomplish this are as follows:
- Creates a Guest Introspection VulnerabilityManagement rule spec and stores it in an
appropriate variable.
- Retrieves a Security Policy using its name and adds the precreated guest introspection rule.
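The following is an added example and not part of the PowerNSX help text: it continues Example 1 by reading the WebServers policy back after the rules are added and reviewing every firewall rule for allow rules that were created without logging. The function name Test-NsxSecurityPolicyFirewallRules is hypothetical, and it assumes the securityPolicy element returned by Get-NsxSecurityPolicy holds its rules under actionsByCategory/action with name, action, direction and logged child elements (the NSX-v securityPolicy schema); adjust those paths if your NSX version lays the XML out differently.

```powershell
function Test-NsxSecurityPolicyFirewallRules {
    [CmdletBinding()]
    param(
        # securityPolicy XmlElement as returned by Get-NsxSecurityPolicy
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Xml.XmlElement]$SecurityPolicy
    )
    process {
        # Assumption: one actionsByCategory block per category, with
        # <category>firewall</category> naming the distributed firewall block.
        $fwBlock = @($SecurityPolicy.actionsByCategory) |
            Where-Object { $_.category -eq 'firewall' }
        if (-not $fwBlock) { return }
        foreach ($rule in @($fwBlock.action)) {
            if (-not $rule) { continue }
            $logged = [string]$rule.logged -eq 'true'
            # An allow rule without logging passes traffic but leaves no trail
            # for detection or incident response, so flag it for review.
            $finding = if ($rule.action -eq 'allow' -and -not $logged) {
                'allow rule without logging'
            } else { '' }
            [pscustomobject]@{
                Policy    = $SecurityPolicy.name
                Rule      = $rule.name
                Action    = $rule.action
                Direction = $rule.direction
                Logged    = $logged
                Finding   = $finding
            }
        }
    }
}

# Usage: add the two rule specs built in Example 1, then re-read the policy
# from NSX Manager (rather than trusting the local variables) and review it.
Get-NsxSecurityPolicy -Name WebServers | Add-NsxSecurityPolicyRule `
    -FirewallRuleSpec $inboundwebrule, $inboundsshrule | Out-Null
Get-NsxSecurityPolicy -Name WebServers | Test-NsxSecurityPolicyFirewallRules |
    Format-Table Rule, Action, Direction, Logged, Finding -AutoSize
```

Because both specs in Example 1 were created with -EnableLogging, the Finding column should be empty for every row; a populated Finding points at a rule added without logging.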
RELATED LINKS