New-NsxFirewallRule
NAME
New-NsxFirewallRule
SYNOPSIS
Creates a new NSX Distributed Firewall Rule.
SYNTAX
New-NsxFirewallRule -Section <XmlElement> -Name <String> -Action <String> [-Direction <String>] [-Source
<Object[]>] [-NegateSource] [-Destination <Object[]>] [-NegateDestination] [-Service <Object[]>] [-Comment
<String>] [-Disabled] [-EnableLogging] [-AppliedTo <Object[]>] [-ApplyToDfw] [-ApplyToAllEdges] [-RuleType
<String>] [-Position <String>] [-anchorId <String>] [-Tag <String>] [-ScopeId <String>] [-ReturnRule] [-Connection
<PSObject>] [<CommonParameters>]
DESCRIPTION
An NSX Distributed Firewall Rule defines a typical 5-tuple rule and is
enforced on each hypervisor at the point where the VM's NIC connects to the
portgroup or logical switch.
Additionally, the 'applied to' field gives flexibility over where (VMs,
networks, hosts, etc.) the rule is actually enforced.
This cmdlet creates the specified NSX Distributed Firewall Rule. The section
in which to create the rule is mandatory.
PARAMETERS
-Section <XmlElement>
Section in which the new rule should be created
Required? true
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-Name <String>
Name of the new rule
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Action <String>
Action of the rule - allow, deny or reject.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Direction <String>
Direction of traffic to hit the rule - in, out or inout (Default inout)
Required? false
Position? named
Default value inout
Accept pipeline input? false
Accept wildcard characters? false
-Source <Object[]>
Source(s) of traffic to hit the rule. IPv4/IPv6 members are specified as strings; any other member as the
appropriate VI or PowerNSX object.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NegateSource [<SwitchParameter>]
Negate the list of sources hit by the rule
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Destination <Object[]>
Destination(s) of traffic to hit the rule. IPv4/IPv6 members are specified as strings; any other member as the
appropriate VI or PowerNSX object.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NegateDestination [<SwitchParameter>]
Negate the list of destinations hit by the rule
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Service <Object[]>
Service(s) of traffic to hit the rule, specified as PowerNSX service objects (for example, the output of
Get-NsxService, as in the examples below).
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Comment <String>
Comment string for the new rule
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Disabled [<SwitchParameter>]
Rule is created as disabled
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-EnableLogging [<SwitchParameter>]
Rule logging is enabled
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-AppliedTo <Object[]>
Specific Object(s) to which the rule will be applied.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ApplyToDfw [<SwitchParameter>]
Enable application of the rule to 'DISTRIBUTED_FIREWALL' (i.e. to all vNICs present on NSX-prepared
hypervisors; this does NOT include NSX Edges).
Required? false
Position? named
Default value True
Accept pipeline input? false
Accept wildcard characters? false
-ApplyToAllEdges [<SwitchParameter>]
Enable application of the rule to all NSX edges
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-RuleType <String>
Rule type
Required? false
Position? named
Default value layer3sections
Accept pipeline input? false
Accept wildcard characters? false
-Position <String>
Create the new rule at the specified position of the section: Top or Bottom (Default - Top), or Before or After an existing rule identified by -anchorId (see examples 5 and 6).
Required? false
Position? named
Default value Top
Accept pipeline input? false
Accept wildcard characters? false
-anchorId <String>
ID of an existing rule to use as an anchor for the new rule.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Tag <String>
Tag to be configured on the new rule. Tag is an arbitrary string attached to the rule that does not affect
application of the rule, but is included in logged output of rule hits if logging is enabled for the rule.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ScopeId <String>
Scope of the created rule.
Required? false
Position? named
Default value globalroot-0
Accept pipeline input? false
Accept wildcard characters? false
-ReturnRule [<SwitchParameter>]
Specifies that New-NsxFirewallRule will return the actual rule that was created rather than the deprecated
behaviour of returning the complete containing section.
This option exists so that existing scripts that use this function can be easily updated to set it to $false
and continue working (for now!).
This option is deprecated and will be removed in a future version.
Required? false
Position? named
Default value True
Accept pipeline input? false
Accept wildcard characters? false
-Connection <PSObject>
PowerNSX Connection object
Required? false
Position? named
Default value $defaultNSXConnection
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS>Get-NsxFirewallSection TestSection |
    New-NsxFirewallRule -Name TestRule -Source $LS1 -Destination $LS1 `
    -Action allow -Service (Get-NsxService HTTP) -AppliedTo $LS1 `
    -EnableLogging -Comment "Testing Rule Creation"
Add a new Layer 3 rule to the section called TestSection. By default, the
rule will be inserted at the top of the section.
-------------------------- EXAMPLE 2 --------------------------
PS>Get-NsxFirewallSection TestL2Section |
    New-NsxFirewallRule -Name TestRule -Source $VM1 -Destination $VM1 `
    -Action allow -AppliedTo $VM1 -EnableLogging `
    -Comment "Testing L2 Rule Creation"
Add a new Layer 2 rule to the section called TestL2Section. By default, the
rule will be inserted at the top of the section.
-------------------------- EXAMPLE 3 --------------------------
PS>Get-NsxFirewallSection TestSection |
    New-NsxFirewallRule -Name TestRule -Source $LS1 -Destination $LS1 `
    -Action allow -Service (Get-NsxService HTTP) -AppliedTo $LS1 `
    -EnableLogging -Comment "Testing creating a disabled rule" `
    -Disabled
Add a new Layer 3 rule, created in the disabled state, to the section called
TestSection.
-------------------------- EXAMPLE 4 --------------------------
PS>Get-NsxFirewallSection TestSection |
    New-NsxFirewallRule -Name TestRule -Source $LS1 -Destination $LS1 `
    -Action allow -Service (Get-NsxService HTTP) -AppliedTo $LS1 `
    -EnableLogging -Comment "Testing creating a rule at the bottom of the section" `
    -Position bottom
Add a new Layer 3 rule to the bottom of the section called TestSection.
-------------------------- EXAMPLE 5 --------------------------
PS>Get-NsxFirewallSection TestSection |
    New-NsxFirewallRule -Name TestRule -Source $LS1 -Destination $LS1 `
    -Action allow -Service (Get-NsxService HTTP) -AppliedTo $LS1 `
    -EnableLogging -Comment "Testing creating a rule before an existing rule" `
    -Position before -anchorId 1024
Add a new Layer 3 rule immediately before rule id 1024 in the section called
TestSection.
-------------------------- EXAMPLE 6 --------------------------
PS>Get-NsxFirewallSection TestSection |
    New-NsxFirewallRule -Name TestRule -Source $LS1 -Destination $LS1 `
    -Action allow -Service (Get-NsxService HTTP) -AppliedTo $LS1 `
    -EnableLogging -Comment "Testing creating a rule after an existing rule" `
    -Position after -anchorId 1024
Add a new Layer 3 rule immediately after rule id 1024 in the section called
TestSection.
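An added end-to-end example (not from this help page or the PowerNSX project's own samples) showing how -AppliedTo, -Position, -EnableLogging, -Tag and the returned rule XML combine into a small allow-list policy with a logged catch-all deny. It assumes the PowerNSX cmdlets Connect-NsxServer, New-NsxFirewallSection and Get-NsxSecurityGroup exist as named, that a predefined NSX service called HTTPS is present, and that the server and object names are constructed for this example.

```powershell
# Added example (not PowerNSX's own code). Assumed cmdlets not on the help page:
# Connect-NsxServer, New-NsxFirewallSection, Get-NsxSecurityGroup. Names below
# (vcenter.example.internal, SG-WebTier, SG-LoadBalancers) are constructed.
Connect-NsxServer -vCenterServer vcenter.example.internal -Credential (Get-Credential)

$webSg   = Get-NsxSecurityGroup -Name 'SG-WebTier'
$lbSg    = Get-NsxSecurityGroup -Name 'SG-LoadBalancers'
$section = New-NsxFirewallSection -Name 'WebTier-Policy'

# Rule 1: only the load balancers may reach the web tier, and only on HTTPS.
# -AppliedTo scopes enforcement to the web VMs' vNICs rather than every
# NSX-prepared host (the -ApplyToDfw default). HTTPS is assumed to be a
# predefined NSX service, like the HTTP service used in the page's examples.
$allowHttps = $section | New-NsxFirewallRule -Name 'LB-to-Web-HTTPS' `
    -Source $lbSg -Destination $webSg -Service (Get-NsxService HTTPS) `
    -Action allow -Direction in -AppliedTo $webSg -Tag 'web-allow' `
    -Comment 'Load balancer to web tier, TLS only'

# Rule 2: anything else inbound to the web tier is denied and logged. The
# -Tag string is echoed in the hit logs, so a SIEM can key on it. -Position
# bottom keeps this rule below anything later inserted at the default top.
$denyAll = $section | New-NsxFirewallRule -Name 'Web-Default-Deny' `
    -Destination $webSg -Action deny -Direction in -AppliedTo $webSg `
    -Position bottom -EnableLogging -Tag 'web-deny' `
    -Comment 'Catch-all deny; log hits for detection'

# Post-creation checks on the rule XML that -ReturnRule (default True) hands
# back: the catch-all must be enabled and logged, and must sit after the
# allow rule, or the allow rule is shadowed and legitimate traffic drops.
if ($denyAll.logged -ne 'true' -or $denyAll.disabled -ne 'false') {
    throw "Catch-all deny rule $($denyAll.id) is not enabled with logging"
}
$ruleIds = @((Get-NsxFirewallSection 'WebTier-Policy').rule | ForEach-Object { $_.id })
if ([array]::IndexOf($ruleIds, $allowHttps.id) -gt [array]::IndexOf($ruleIds, $denyAll.id)) {
    throw 'Allow rule is ordered after the catch-all deny; it would never match'
}
```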
RELATED LINKS