New-NsxSecurityPolicyFirewallRuleSpec
NAME New-NsxSecurityPolicyFirewallRuleSpec
SYNOPSIS
Creates a Security Policy Firewall Rule spec appropriate for use in
New-NsxSecurityPolicy or Add-NsxSecurityPolicyRule.
SYNTAX
New-NsxSecurityPolicyFirewallRuleSpec -Name <String> [-Description <String>] [-Disabled] [-Source <Object[]>]
[-Destination <Object[]>] [-Service <Object[]>] [-EnableLogging] [-Action <String>] [<CommonParameters>]
New-NsxSecurityPolicyFirewallRuleSpec -Name <String> [-Description <String>] [-Disabled] [-SecurityGroup
<Object[]>] -Direction <String> [-Service <Object[]>] [-EnableLogging] [-Action <String>] [<CommonParameters>]
DESCRIPTION
This cmdlet does not communicate with the NSX API. It only constructs the
XML element that defines a single firewall rule, for subsequent use with the
New-NsxSecurityPolicy and Add-NsxSecurityPolicyRule cmdlets. Nothing is
created on NSX Manager until the spec is passed to one of those cmdlets.
It can operate in one of two modes.
Mode 1 will be familiar to NSX administrators who know the concept of the
'Policies Security Group' (the Security Group the policy is applied to) and
the role it plays when defining a Security Policy Firewall Rule. It requires
both a source and a destination for the rule, at least one of which (and
possibly both) must be PoliciesSecurityGroup. The other can be 'Any' or a
specific Security Group.
Mode 2 reflects the way the API represents the firewall rule, and is arguably
clearer than the way Security Policy rules are modelled in the UI. It
requires a direction (Inbound, Outbound or Intra). For Inbound and Outbound,
a specific Security Group may be given as the remote end of the rule; if no
Security Group is specified, the remote end is 'Any'. Intra rules are always
PoliciesSecurityGroup to PoliciesSecurityGroup.
The two modes produce identical rules. Users familiar with the NSX UI and
its concepts should use Mode 1.
PARAMETERS
-Name <String>
Name of the newly created firewall rule
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Description <String>
Description of the newly created firewall rule
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Disabled [<SwitchParameter>]
Specify -disabled to create a rule as disabled. Rules default to enabled.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-SecurityGroup <Object[]>
Security Group that defines the remote end of the rule: the source for -Direction Inbound, the destination
for -Direction Outbound. If omitted, the remote end is 'Any'. Not used for -Direction Intra.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Direction <String>
Direction that dictates whether the specified Security Group is the source or the destination of the rule.
Inbound: Security Group is the source, destination is the Policies Security Group. Outbound: Security Group
is the destination, source is the Policies Security Group. Intra: both source and destination are the
Policies Security Group.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Source <Object[]>
Source of the rule. Can be 'Any', 'PoliciesSecurityGroup', or a valid PowerNSX securitygroup object. At
least one of source or destination MUST be 'PoliciesSecurityGroup'. Defaults to 'PoliciesSecurityGroup'
Required? false
Position? named
Default value PoliciesSecurityGroup
Accept pipeline input? false
Accept wildcard characters? false
-Destination <Object[]>
Destination of the rule. Can be 'Any', 'PoliciesSecurityGroup', or a valid PowerNSX securitygroup object. At
least one of source or destination MUST be 'PoliciesSecurityGroup'. Defaults to 'PoliciesSecurityGroup'
Required? false
Position? named
Default value PoliciesSecurityGroup
Accept pipeline input? false
Accept wildcard characters? false
-Service <Object[]>
Service defined by the rule. Defaults to 'any'. Can be any valid PowerNSX Service object.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-EnableLogging [<SwitchParameter>]
Enable logging. Defaults to disabled.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Action <String>
Rule action. Defaults to Allow
Required? false
Position? named
Default value Allow
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow All" `
-Description "Allow all inbound traffic" `
-Source Any -Action allow
Defines an enabled rule allowing traffic sourced from "Any" to
"Policies Security Group". -Source must be given explicitly: without it,
Source defaults to "Policies Security Group" and the rule would only match
intra-group traffic.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>$sg1 = Get-NsxSecurityGroup "SG App Servers"
PS C:\> $http = Get-NsxService HTTP
PS C:\> $https = Get-NsxService HTTPS
PS C:\> New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow Web to Demo VM" `
-Description "Allow inbound web traffic" `
-Service $http,$https -Source $sg1 -EnableLogging -Action allow
Defines an enabled rule allowing traffic sourced from Security Group "SG App
Servers" to "Policies Security Group" on port 80/443 with logging enabled.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>$sg1 = Get-NsxSecurityGroup "SG App Servers"
PS C:\> $http = Get-NsxService HTTP
PS C:\> $https = Get-NsxService HTTPS
PS C:\> New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow Web to Demo VM" `
-Description "Allow Inbound Web traffic" `
-Service $http,$https `
-SecurityGroup $sg1 `
-Direction Inbound -EnableLogging -Action allow
Defines an enabled rule allowing traffic sourced from Security Group "SG App
Servers" to "Policies Security Group" on port 80/443 with logging enabled.
This results in an identical rule to Example 2, expressed in Mode 2.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow All Intra Group Traffic" `
-Description "Allow all traffic within PSG" `
-Action allow
Defines an enabled rule allowing traffic sourced from "Policies Security
Group" to "Policies Security Group". Source and Destination default to
"Policies Security Group"; logging is off because -EnableLogging was not given.
-------------------------- EXAMPLE 5 --------------------------
PS C:\>New-NsxSecurityPolicyFirewallRuleSpec -Name "Allow All Intra Group Traffic" `
-Description "Allow all traffic within PSG" `
-Direction Intra -Action allow
Defines an enabled rule allowing traffic sourced from "Policies Security
Group" to "Policies Security Group". -SecurityGroup is not used for Intra
rules; logging is off because -EnableLogging was not given. This results in
an identical rule to Example 4, expressed in Mode 2.
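The following is an added example, not part of the PowerNSX help, showing how the two modes fit together in a complete least-privilege policy: specific allows first, then explicit logged catch-all blocks in both directions, with the generated XML checked before anything is sent to NSX Manager. It assumes an existing Connect-NsxServer session, Security Groups named "SG Load Balancers", "SG DB Servers" and "SG Web Servers", a built-in MySQL service object, the 'block' value for -Action (mirroring the UI's Allow/Block choice), and the New-NsxSecurityPolicy -FirewallRuleSpec and New-NsxSecurityPolicyAssignment cmdlet parameters; all of these are assumptions to verify with Get-Help in your PowerNSX version.

```powershell
# Added example (not PowerNSX's own help code). Assumes an active Connect-NsxServer
# session and the named Security Groups / services below exist in this NSX Manager.
$lb  = Get-NsxSecurityGroup "SG Load Balancers"   # assumed to exist
$db  = Get-NsxSecurityGroup "SG DB Servers"       # assumed to exist
$web = Get-NsxSecurityGroup "SG Web Servers"      # assumed to exist; policy target
$http  = Get-NsxService HTTP
$https = Get-NsxService HTTPS
$mysql = Get-NsxService MySQL                     # assumption: default MySQL service object

# Mode 1 (UI model): web traffic from the load balancers into the policy's group.
$inWeb = New-NsxSecurityPolicyFirewallRuleSpec -Name "In: LB to PSG web" `
    -Source $lb -Destination PoliciesSecurityGroup -Service $http,$https `
    -EnableLogging -Action allow

# Mode 2 (API model): the same rule expressed as direction + remote Security Group.
$inWeb2 = New-NsxSecurityPolicyFirewallRuleSpec -Name "In: LB to PSG web" `
    -Direction Inbound -SecurityGroup $lb -Service $http,$https `
    -EnableLogging -Action allow

# Outbound from the policy's group to the DB servers, restricted to the DB service only.
$outDb = New-NsxSecurityPolicyFirewallRuleSpec -Name "Out: PSG to DB" `
    -Direction Outbound -SecurityGroup $db -Service $mysql -Action allow

# Explicit, logged catch-all blocks so the policy is deny-by-default in both
# directions instead of relying on whatever the DFW default rule happens to be.
# 'block' is assumed to be the non-allow -Action value.
$inDeny = New-NsxSecurityPolicyFirewallRuleSpec -Name "In: deny rest" `
    -Source Any -Destination PoliciesSecurityGroup -EnableLogging -Action block
$outDeny = New-NsxSecurityPolicyFirewallRuleSpec -Name "Out: deny rest" `
    -Direction Outbound -EnableLogging -Action block   # no -SecurityGroup => 'Any'

# The specs are XML elements and nothing has touched NSX Manager yet, so review
# them here. Check that the Mode 1 and Mode 2 forms of the web rule agree, then
# dump every spec that will be sent.
if ($inWeb.OuterXml -ne $inWeb2.OuterXml) {
    Write-Warning "Mode 1 and Mode 2 specs differ:`n$($inWeb.OuterXml)`n$($inWeb2.OuterXml)"
}
$inWeb, $outDb, $inDeny, $outDeny | ForEach-Object { $_.OuterXml }

# Rule order is the evaluation order: specific allows first, catch-all blocks last.
# -FirewallRuleSpec on New-NsxSecurityPolicy is an assumption; check Get-Help.
$policy = New-NsxSecurityPolicy -Name "Web Tier" `
    -Description "Least-privilege web tier policy" `
    -FirewallRuleSpec $inWeb, $outDb, $inDeny, $outDeny

# Apply the policy to the web servers; this is the point at which "Policies
# Security Group" in every rule above resolves to $web. Cmdlet name assumed.
New-NsxSecurityPolicyAssignment -SecurityPolicy $policy -SecurityGroup $web
```

The ordering matters for the same reason it does in any firewall: if the "deny rest" specs were listed first, the allows behind them would never match. Dumping the OuterXml before calling New-NsxSecurityPolicy is the cheapest place to catch a swapped source/destination or a forgotten -Source Any, since the spec cmdlet itself never validates against the manager.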
RELATED LINKS