New-NsxSecurityPolicy
NAME New-NsxSecurityPolicy
SYNOPSIS
Create a new NSX Security Policy.
SYNTAX
New-NsxSecurityPolicy [-Name] <String> [[-Description] <String>] [[-FirewallRuleSpec] <XmlElement[]>]
[[-GuestIntrospectionSpec] <XmlElement[]>] [[-NetworkIntrospectionSpec] <XmlElement[]>] [-ReturnObjectIdOnly]
[[-Precedence] <Int32>] [[-Connection] <PSObject>] [<CommonParameters>]
DESCRIPTION
A security policy is a policy construct that defines one or more rules in
several different categories; the policy can then be applied to an arbitrary
number of Security Groups in order to enforce the defined rules on their members.
The three categories of rules that can be included in a Security Policy are:
- Guest Introspection - data security, anti-virus, and vulnerability
management rules based on third-party Guest Introspection capability.
- Firewall rules - creates the appropriate distributed firewall rules when
the policy is applied to a security group.
- Network introspection services - third-party firewall, IPS/IDS etc.
New-NsxSecurityPolicy enables creation of a security policy that includes
rules from any of the three categories.
For Network Introspection, and some Guest Introspection rules, the
appropriate service definition and service policies must already be defined
within NSX before the policy can reference them.
PARAMETERS
-Name <String>
The name of the newly created policy
Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Description <String>
The description of the newly created policy
Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
-FirewallRuleSpec <XmlElement[]>
Security Policy Firewall Rule Spec as created by New-NsxSecurityPolicyFirewallRuleSpec
Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? false
-GuestIntrospectionSpec <XmlElement[]>
Guest Introspection Rule Spec as created by New-NsxSecurityPolicyGuestIntrospectionSpec
Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NetworkIntrospectionSpec <XmlElement[]>
Network Introspection Rule Spec as created by New-NsxSecurityPolicyNetworkIntrospectionSpec
Required? false
Position? 5
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ReturnObjectIdOnly [<SwitchParameter>]
Return only the objectId of the newly created policy (avoids an additional GET to the API to retrieve the newly
created object)
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Precedence <Int32>
Manually define the precedence number of the newly created policy. This defaults to the highest currently
in-use precedence + 1000 (like the UI)
Required? false
Position? 6
Default value 0
Accept pipeline input? false
Accept wildcard characters? false
-Connection <PSObject>
PowerNSX Connection object
Required? false
Position? 7
Default value $defaultNSXConnection
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-NsxSecurityPolicy -Name EmptyPolicy
Creates an empty Security Policy with no rules.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>$sg1 = Get-NsxSecurityGroup "All Management Servers"
PS C:\> $http = Get-NsxService -Localonly | Where { $_.name -eq 'HTTP' }
PS C:\> $https = Get-NsxService -Localonly | Where { $_.name -eq 'HTTPS' }
PS C:\> $ssh = Get-NsxService -Localonly | Where { $_.name -eq 'SSH' }
PS C:\> $inboundwebrule = New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow Inbound Web" `
-Description "Allow inbound web traffic" `
-Service $http,$https -Source Any -EnableLogging -Action allow
PS C:\> $inboundsshrule = New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow SSH from Management" `
-Description "Allow inbound ssh traffic from management servers" `
-Service $ssh -Source $sg1 -EnableLogging -Action allow
PS C:\> New-NsxSecurityPolicy -Name WebServers -Description "Generic Web Server Policy" `
-FirewallRuleSpec $inboundwebrule, $inboundsshrule
Creates a security policy called WebServers that defines two firewall rules.
The specific steps to accomplish this are as follows:
- Retrieves an existing security group that represents management servers
from which SSH traffic will originate.
- Retrieves existing NSX services defining HTTP, HTTPS and SSH and stores
them in appropriate variables.
- Creates two FirewallRule Specs that use the group and services collected
above and stores them in appropriate variables.
- Creates a Security Policy using the two precreated firewall rule specs.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>$ServiceDefinition = Get-NsxServiceDefinition -Name "MyThirdPartyFirewall"
PS C:\> $ServicePolicy = $ServiceDefinition | Get-NsxServiceProfile "FirewallProfile"
PS C:\> $https = Get-NsxService -Localonly | Where { $_.name -eq 'HTTPS' }
PS C:\> $RedirectRule = New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "MyThirdPartyRedirectRule" `
-ServiceProfile $ServicePolicy -Service $https -Source Any
PS C:\> New-NsxSecurityPolicy -Name HTTPSRedirect -Description "Redirect HTTPS to ThirdParty Firewall" `
-NetworkIntrospectionSpec $RedirectRule
Creates a security policy called HTTPSRedirect that defines a single
network introspection rule to redirect traffic to a third-party firewall
service.
The specific steps to accomplish this are as follows:
- Retrieves an existing Service Policy that is defined as part of the third
party firewall production integration with NSX.
- Retrieves an existing NSX service defining HTTPS and stores it in an
appropriate variable.
- Creates a Network Introspection rule spec that uses the policy collected
above, that matches HTTPS traffic from any source and stores it in an
appropriate variable.
- Creates a Security Policy using the precreated network introspection rule
spec.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>$ServiceDefinition = Get-NsxServiceDefinition -Name "MyThirdPartyEndpoint"
PS C:\> $ServicePolicy = $ServiceDefinition | Get-NsxServiceProfile "Profile1"
PS C:\> $EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-ServiceDefinition $ServiceDefinition -ServiceProfile $ServicePolicy
PS C:\> New-NsxSecurityPolicy -Name ThirdPartyEndpoint -Description "Apply ThirdParty Introspection" `
-GuestIntrospectionSpec $EndpointRule
Creates a security policy called ThirdPartyEndpoint that defines a single
guest introspection rule to apply.
The specific steps to accomplish this are as follows:
- Retrieves an existing Service Policy that is defined as part of the third
party endpoint integration with NSX.
- Creates a Guest Introspection rule spec that uses the policy collected
above and stores it in an appropriate variable.
- Creates a Security Policy using the precreated guest introspection rule
spec.
-------------------------- EXAMPLE 5 --------------------------
PS C:\>$EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-Servicetype AntiVirus
PS C:\> New-NsxSecurityPolicy -Name AntiVirusEndpoint -Description "Antivirus Endpoint" `
-GuestIntrospectionSpec $EndpointRule
Creates a security policy called AntiVirusEndpoint that defines a single
AntiVirus guest introspection rule to apply.
The specific steps to accomplish this are as follows:
- Creates a Guest Introspection AntiVirus rule spec and stores it in an
appropriate variable.
- Creates a Security Policy using the precreated guest introspection rule
spec.
-------------------------- EXAMPLE 6 --------------------------
PS C:\>$EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-Servicetype FileIntegrityMonitoring
PS C:\> New-NsxSecurityPolicy -Name FileIntegrityEndpoint -Description "FileIntegrity Endpoint" `
-GuestIntrospectionSpec $EndpointRule
Creates a security policy called FileIntegrityEndpoint that defines a single
FileIntegrity guest introspection rule to apply.
The specific steps to accomplish this are as follows:
- Creates a Guest Introspection FileIntegrity rule spec and stores it in an
appropriate variable.
- Creates a Security Policy using the precreated guest introspection rule
spec.
-------------------------- EXAMPLE 7 --------------------------
PS C:\>$EndpointRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "MyThirdPartyEndpointRule" `
-Servicetype VulnerabilityManagement
PS C:\> New-NsxSecurityPolicy -Name VulnerabilityMgmtEndpoint -Description "VulnMgmt Endpoint" `
-GuestIntrospectionSpec $EndpointRule
Creates a security policy called VulnerabilityMgmtEndpoint that defines a single
VulnerabilityManagement guest introspection rule to apply.
The specific steps to accomplish this are as follows:
- Creates a Guest Introspection VulnerabilityManagement rule spec and stores it in an
appropriate variable.
- Creates a Security Policy using the precreated guest introspection rule
spec.
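Added example (not part of the PowerNSX help text): one policy that combines two rule categories, a logged HTTPS allow rule and an AntiVirus guest introspection rule, sets an explicit precedence, takes only the objectId back and then re-reads the policy to confirm what was created before applying it. It assumes an open PowerNSX session ($defaultNSXConnection) and that Get-NsxSecurityPolicy -objectId and New-NsxSecurityPolicyAssignment are available PowerNSX cmdlets; neither is described on this page.

```powershell
# Added example; assumes an existing PowerNSX connection ($defaultNSXConnection).

# Firewall category: allow inbound HTTPS from anywhere, logged so that hits are
# visible in the distributed firewall logs.
$https = Get-NsxService -Localonly | Where-Object { $_.name -eq 'HTTPS' }
$webRule = New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow Inbound HTTPS" `
    -Description "Logged inbound HTTPS" `
    -Service $https -Source Any -EnableLogging -Action allow

# Guest Introspection category: AntiVirus, exactly as in EXAMPLE 5 above.
$avRule = New-NsxSecurityPolicyGuestIntrospectionSpec -Name "AntiVirus" `
    -Servicetype AntiVirus

# Explicit precedence instead of the default (highest in use + 1000).
# The value is constructed for this example; choose one that places the policy
# where you want it relative to the policies already present.
$precedence = 5000

# -ReturnObjectIdOnly skips the follow-up GET, so only the objectId comes back.
$policyId = New-NsxSecurityPolicy -Name "WebTier" `
    -Description "Logged HTTPS allow plus AntiVirus introspection" `
    -FirewallRuleSpec $webRule -GuestIntrospectionSpec $avRule `
    -Precedence $precedence -ReturnObjectIdOnly

# Fetch the created object explicitly and verify it before using it.
# Get-NsxSecurityPolicy -objectId is assumed to exist (not documented on this page).
$policy = Get-NsxSecurityPolicy -objectId $policyId
if (-not $policy) { throw "Policy $policyId was not returned by NSX" }
# The precedence element name is assumed from the NSX securityPolicy XML.
if ([int]$policy.precedence -ne $precedence) {
    throw "Policy $policyId has precedence $($policy.precedence), expected $precedence"
}

# Apply the verified policy to an existing security group.
# New-NsxSecurityPolicyAssignment is assumed to exist (not documented on this page).
$sg = Get-NsxSecurityGroup "Web Servers"
New-NsxSecurityPolicyAssignment -SecurityPolicy $policy -SecurityGroup $sg
```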
RELATED LINKS