
New-NsxSecurityPolicyNetworkIntrospectionSpec

Sat Jan 18, 2020 9:19 pm

NAME New-NsxSecurityPolicyNetworkIntrospectionSpec



SYNOPSIS

Creates a Security Policy Network Introspection Rule spec appropriate for use
in New-NsxSecurityPolicy or Add-NsxSecurityPolicyRule.





SYNTAX

New-NsxSecurityPolicyNetworkIntrospectionSpec -Name <String> [-Description <String>] [-Disabled] [-Source

<Object[]>] [-Destination <Object[]>] [-Service <Object[]>] -ServiceProfile <XmlElement> [-EnableLogging]

[-DisableRedirection] [<CommonParameters>]



New-NsxSecurityPolicyNetworkIntrospectionSpec -Name <String> [-Description <String>] [-Disabled] [-SecurityGroup

<Object[]>] -Direction <String> [-Service <Object[]>] -ServiceProfile <XmlElement> [-EnableLogging]

[-DisableRedirection] [<CommonParameters>]





DESCRIPTION

This cmdlet does not actually communicate with the NSX API, but merely

constructs the appropriate XML element to define a single rule

that can subsequently be used in the New-NsxSecurityPolicy and

Add-NsxSecurityPolicyRule cmdlets.



It can operate in one of two modes.



Mode 1 will be familiar to typical NSX administrators who know the concept of
the 'Policies Security Group' and the role it plays when defining a Security
Policy Firewall Rule. It requires specification of both the source and the
destination of the rule, at least one of which (and potentially both) must be
the Policies Security Group. The other can be 'Any' or a specific Security
Group.



Mode 2 reflects the way the API represents the rule definition, and is
arguably clearer than the way Security Policy Rules are modeled in the UI. It
requires specification of a direction (inbound, outbound or intra); for the
inbound and outbound directions, a specific Security Group may also be
specified. If no Security Group is specified, the source/destination is
'Any'.



The two modes are equivalent in operation. Users familiar with the NSX UI

and related concepts should use Mode 1.
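The following is an added example (not part of the PowerNSX help text) showing the same rule built in both modes, compared offline before anything is sent to NSX Manager, and then attached to a new Security Policy. It assumes an existing Connect-NsxServer session, a security group named "SG App Servers" and a service profile named "Example Service Profile" (placeholder names), and that New-NsxSecurityPolicy takes the spec via a -NetworkIntrospectionSpec parameter (assumed name).

```powershell
# Added example, not part of the PowerNSX help text. Assumes an NSX connection
# already established with Connect-NsxServer, an existing security group named
# "SG App Servers" and a service profile named "Example Service Profile"
# (both names are placeholders), and that New-NsxSecurityPolicy accepts the
# resulting spec via -NetworkIntrospectionSpec (assumed parameter name).
$sg      = Get-NsxSecurityGroup "SG App Servers"
$profile = Get-NsxServiceProfile -Name "Example Service Profile"
$https   = Get-NsxService HTTPS

# Mode 1: explicit source and destination. The destination is the Policies
# Security Group, so this inspects HTTPS traffic arriving from SG App Servers.
$mode1 = New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Inspect Inbound HTTPS" `
    -Description "Redirect inbound HTTPS from app servers to the service profile" `
    -Source $sg -Destination "PoliciesSecurityGroup" `
    -Service $https -ServiceProfile $profile -EnableLogging

# Mode 2: the same rule expressed as the API models it (direction + security group).
$mode2 = New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Inspect Inbound HTTPS" `
    -Description "Redirect inbound HTTPS from app servers to the service profile" `
    -SecurityGroup $sg -Direction inbound `
    -Service $https -ServiceProfile $profile -EnableLogging

# The cmdlet only builds XML, so both specs can be reviewed before anything is
# published. Confirm the two modes agree and stop on any difference rather than
# creating a policy whose rule has not been reviewed.
if ($mode1.OuterXml -ne $mode2.OuterXml) {
    Write-Host "Mode 1 spec:`n$($mode1.OuterXml)"
    Write-Host "Mode 2 spec:`n$($mode2.OuterXml)"
    throw "Mode 1 and Mode 2 specs differ; review before creating the policy."
}

# Only now create the Security Policy that carries the introspection rule.
New-NsxSecurityPolicy -Name "Web Inspection Policy" `
    -Description "Steers inbound HTTPS through the network introspection service" `
    -NetworkIntrospectionSpec $mode1
```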





PARAMETERS

-Name <String>

Name of the newly created network introspection rule



Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-Description <String>

Description of the newly created network introspection rule



Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-Disabled [<SwitchParameter>]

Specify -disabled to create a rule as disabled. Rules default to enabled.



Required? false

Position? named

Default value False

Accept pipeline input? false

Accept wildcard characters? false



-SecurityGroup <Object[]>

Security Group that defines the source or destination of the rule (depending on -Direction). Security Group

is mandatory if direction is Inbound or Outbound.



Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-Direction <String>

Direction that dictates whether the specified Security Group is the source or the destination of the rule.
Inbound: the Security Group defines the source. Outbound: the Security Group defines the destination.



Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-Source <Object[]>

Source of the rule. Can be 'Any', 'PoliciesSecurityGroup', or a valid PowerNSX securitygroup object. At

least one of source or destination MUST be 'PoliciesSecurityGroup'. Defaults to 'PoliciesSecurityGroup'



Required? false

Position? named

Default value PoliciesSecurityGroup

Accept pipeline input? false

Accept wildcard characters? false



-Destination <Object[]>

Destination of the rule. Can be 'Any', 'PoliciesSecurityGroup', or a valid PowerNSX securitygroup object. At

least one of source or destination MUST be 'PoliciesSecurityGroup'. Defaults to 'PoliciesSecurityGroup'



Required? false

Position? named

Default value PoliciesSecurityGroup

Accept pipeline input? false

Accept wildcard characters? false



-Service <Object[]>

Service defined by the rule. Defaults to 'any'. Can be any valid PowerNSX Service object.



Required? false

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-ServiceProfile <XmlElement>

Service Profile object as retrieved using Get-NsxServiceProfile (as defined in Service Profile section of a

specific Service Definition in the NSX UI).



Required? true

Position? named

Default value

Accept pipeline input? false

Accept wildcard characters? false



-EnableLogging [<SwitchParameter>]

Enable logging. Defaults to disabled.



Required? false

Position? named

Default value False

Accept pipeline input? false

Accept wildcard characters? false



-DisableRedirection [<SwitchParameter>]

Disable redirection for this rule. Defaults to $false (Rule is created with redirection enabled).



Required? false

Position? named

Default value False

Accept pipeline input? false

Accept wildcard characters? false



<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).



INPUTS



OUTPUTS



-------------------------- EXAMPLE 1 --------------------------



PS C:\> $profile = Get-NsxServiceProfile -Name "Example Service Profile"

PS C:\> New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Allow All" `
-Description "Allow all inbound traffic" `
-Source Any -ServiceProfile $profile



Defines an enabled rule allowing traffic sourced from "Any" to

"Policies Security Group".









-------------------------- EXAMPLE 2 --------------------------



PS C:\> $sg1 = Get-NsxSecurityGroup "SG App Servers"

PS C:\> $http = Get-NsxService HTTP
PS C:\> $https = Get-NsxService HTTPS
PS C:\> $profile = Get-NsxServiceProfile -Name "Example Service Profile"

PS C:\> New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Allow Web to Demo VM" `
-Description "Allow inbound web traffic" `
-Service $http,$https -Source $sg1 -ServiceProfile $profile -EnableLogging



Defines an enabled rule allowing traffic sourced from Security Group "SG App

Servers" to "Policies Security Group" on port 80/443 with logging enabled.









-------------------------- EXAMPLE 3 --------------------------



PS C:\> $sg1 = Get-NsxSecurityGroup "SG App Servers"

PS C:\> $http = Get-NsxService HTTP
PS C:\> $https = Get-NsxService HTTPS
PS C:\> $profile = Get-NsxServiceProfile -Name "Example Service Profile"

PS C:\> New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Allow Web to Demo VM" `
-Description "Allow Inbound Web traffic" `
-Service $http,$https `
-SecurityGroup $sg1 `
-Direction inbound -ServiceProfile $profile -EnableLogging



Defines an enabled rule allowing traffic sourced from Security Group "SG App

Servers" to "Policies Security Group" on port 80/443 with logging enabled.



This results in an identical rule to Example 2.









-------------------------- EXAMPLE 4 --------------------------



PS C:\> $profile = Get-NsxServiceProfile -Name "Example Service Profile"

PS C:\> New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Allow All Intra Group Traffic" `
-Description "Allow all traffic within PSG" `
-ServiceProfile $profile -EnableLogging



Defines an enabled rule allowing traffic sourced from "Policies Security

Group" to "Policies Security Group" with logging enabled. Source and

Destination default to "Policies Security Group".









-------------------------- EXAMPLE 5 --------------------------



PS C:\> $profile = Get-NsxServiceProfile -Name "Example Service Profile"

PS C:\> New-NsxSecurityPolicyNetworkIntrospectionSpec -Name "Allow All Intra Group Traffic" `
-Description "Allow all traffic within PSG" `
-Direction Intra -ServiceProfile $profile -EnableLogging



Defines an enabled rule allowing traffic sourced from "Policies Security

Group" to "Policies Security Group" with logging enabled. Security Group

defaults to 'Any'.











RELATED LINKS