Remove-NsxSecurityPolicyRuleGroup
NAME Remove-NsxSecurityPolicyRuleGroup
SYNOPSIS
Modifies the configuration of an existing Security Policy Firewall or
Network Introspection Rule to remove a source or destination group.
Note: If the group to be removed is the last one defined, then the source or
destination of the rule becomes ANY.
SYNTAX
Remove-NsxSecurityPolicyRuleGroup [-Rule] <XmlElement> [-SecurityGroup] <XmlElement[]> [-NoConfirm]
[-NoConfirmOnLastGroupRemoval] [[-Connection] <PSObject>] [<CommonParameters>]
DESCRIPTION
A security policy is a policy construct that can define one or more rules in
several different categories, that can then be applied to an arbitrary
number of Security Groups in order to enforce the defined policy.
The three categories of rules that can be included in a Security Policy are:
- Guest Introspection - data security, anti-virus, and vulnerability
management and rules based on third party Guest Introspection capability.
- Firewall rules - creates appropriate distributed firewall rules when
the policy is applied to a security group.
- Network introspection services - Third-party firewall, IPS/IDS etc.
Remove-NsxSecurityPolicyRuleGroup modifies the configuration of an existing
Security Policy Firewall or Network Introspection Rule to remove a source or
destination group.
Note:
Whether the group is removed from the source or destination of a rule is a
function of its configured direction.
It is only meaningful to modify the source groups of a rule whose direction
is 'inbound' (Destination = 'Policies Security Group'), or the destination
groups of a rule whose direction is 'outbound' (Source = 'Policies Security
Group'), and it is never meaningful to modify the source or destination
groups of a rule whose direction is 'intra' (Source and Destination =
'Policies Security Group').
You can use Set-NsxSecurityPolicyRule to change the direction of a rule if
necessary.
Refer to Get-Help documentation in New-NsxSecurityPolicyFirewallRuleSpec for
more information on direction as it relates to 'Policies Security Group'.
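Adding a security group to an existing rule whose current source/destination
is 'any' makes the rule MORE restrictive in what traffic it applies to than
it currently is, but adding subsequent groups to a rule whose current source
or destination already specifies a group makes it LESS restrictive.
Removal works the other way: removing one of several groups makes the rule
MORE restrictive, while removing the last group sets the source or
destination to ANY, so the rule applies to more traffic than before.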
As Dale would say... 'Think about it Kohei!'
PARAMETERS
-Rule <XmlElement>
Security Policy Rule to reconfigure
Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-SecurityGroup <XmlElement[]>
Group(s) to be removed from the source or destination of the specified rule. Depends on the currently configured
direction of the rule.
Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
-NoConfirm [<SwitchParameter>]
Disable confirmation prompt
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-NoConfirmOnLastGroupRemoval [<SwitchParameter>]
Disable confirmation prompt for removal of last group - effectively converting rule to match ANY in the
configured source or destination.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Connection <PSObject>
PowerNSX Connection object
Required? false
Position? 3
Default value $defaultNSXConnection
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>$grp = New-NsxSecurityGroup MySpecialServers -IncludeMember (Get-VM specialvm*)
Get-NsxSecurityPolicy SecPol01 | Get-NsxSecurityPolicyRule -RuleType Firewall -Name AdminSsh |
Add-NsxSecurityPolicyRuleGroup -Group $grp
Creates a new group called MySpecialServers with static membership of any vm whose name starts with the string
'specialvm' and adds it to the source or destination of the Firewall rule AdminSsh within the Security Policy
SecPol01
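The last-group caveat from the SYNOPSIS note, as an added example that is not part of the PowerNSX help text: a pre-check that classifies what removing one or more groups would do to a rule before Remove-NsxSecurityPolicyRuleGroup is called. The helper name Get-GroupRemovalImpact, the sample XML, and the assumed rule layout (a direction child plus secondarySecurityGroup/objectId children) are assumptions made for illustration.

```powershell
# Added example; Get-GroupRemovalImpact is a hypothetical helper, not a PowerNSX cmdlet.
# Assumption: the rule XmlElement carries <direction> and one
# <secondarySecurityGroup><objectId/></secondarySecurityGroup> child per configured group.
function Get-GroupRemovalImpact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Xml.XmlElement] $Rule,
        [Parameter(Mandatory)] [string[]] $GroupId
    )
    # 'intra' rules use the policy's own group on both sides; nothing to remove.
    if ($Rule.direction -eq 'intra') { return 'NotApplicable' }

    # Object IDs of the groups currently configured on the rule.
    $current = @($Rule.SelectNodes('secondarySecurityGroup/objectId') |
        ForEach-Object { $_.InnerText })
    # Subset of those groups that the caller wants to remove.
    $hit = @($current | Where-Object { $GroupId -contains $_ })

    if ($hit.Count -eq 0) { return 'NoChange' }                 # none of the groups is on the rule
    if ($hit.Count -eq $current.Count) { return 'BecomesAny' }  # last group(s) would be removed
    return 'StillScoped'                                        # rule stays limited to named groups
}

# Constructed sample rule (not captured from a real NSX Manager).
[xml]$doc = @'
<action>
  <name>AdminSsh</name>
  <direction>inbound</direction>
  <secondarySecurityGroup><objectId>securitygroup-10</objectId></secondarySecurityGroup>
  <secondarySecurityGroup><objectId>securitygroup-11</objectId></secondarySecurityGroup>
</action>
'@
$rule = $doc.DocumentElement

Get-GroupRemovalImpact -Rule $rule -GroupId 'securitygroup-10'
Get-GroupRemovalImpact -Rule $rule -GroupId 'securitygroup-10', 'securitygroup-11'
Get-GroupRemovalImpact -Rule $rule -GroupId 'securitygroup-99'

# Against a live NSX Manager ($grp.objectId is assumed to hold the group's ID):
# if ((Get-GroupRemovalImpact -Rule $rule -GroupId $grp.objectId) -eq 'StillScoped') {
#     $rule | Remove-NsxSecurityPolicyRuleGroup -SecurityGroup $grp -NoConfirm
# }
```

Because -NoConfirmOnLastGroupRemoval is a separate switch, passing only -NoConfirm in automation leaves the cmdlet's own last-group prompt in place as a second check.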
RELATED LINKS