Last active
July 9, 2021 18:57
Example of how to change segment discovery, QoS, and security profiles en masse.
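# Change Segment Profiles
# Connection settings and the names of the profiles every selected segment is remapped to.

# Prompts interactively for the NSX Manager account used by every request in this script.
$Credential = Get-Credential

# TLS certificate validation stays ON by default. Every request sends $Credential
# with Basic authentication, so skipping validation would expose the NSX Manager
# password to anyone able to intercept the connection. Set this to $true only as a
# deliberate, temporary choice (for example an isolated lab whose manager still has
# a self-signed certificate); the better fix is to trust the manager's CA on this machine.
$skipcertcheck = $false
$AuthMethod = "Basic"      # plain ASCII quotes; the typographic quotes are easy to break when copying
$NSXMgr = "IPorDNSName"    # placeholder: replace with the NSX Manager IP address or DNS name
$policyapi = "/policy/api/v1"
$base_url = ("https://" + $NSXMgr + $policyapi)

# Change these to the display names of the profiles you want to remap all your segments to.
$TargetIPDPName = "default-ip-discovery-profile"
$TargetMacDPName = "default-mac-discovery-profile"
$TargetQoSDPName = "" # This doesn't typically exist unless created, so it is left empty and the QoS step is skipped.
$TargetSGName = "default-spoofguard-profile"
$targetSecName = "default-segment-security-profile"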
# Arguments shared by every read-only list request in this section.
$ListRequest = @{
    Method               = 'GET'
    Credential           = $Credential
    SkipCertificateCheck = $skipcertcheck
    Authentication       = $AuthMethod
}

# Fetch the segment list that the update loop walks through.
$SegmentEndPoint = "/infra/segments"
$Segments = Invoke-RestMethod -Uri "$base_url$SegmentEndPoint" @ListRequest
# NOTE(review): only the first response is read here; if the API pages long
# lists, later segments or profiles would be silently missed - confirm.

# Review which segments came back before modifying anything, to make sure only
# the intended segments are in scope.
$Segments.results | Select-Object -Property id, display_name

# Profile catalogues: IP discovery, MAC discovery, QoS, SpoofGuard, segment security.
$IPDPs  = Invoke-RestMethod -Uri "$base_url/infra/ip-discovery-profiles" @ListRequest
$MacDPs = Invoke-RestMethod -Uri "$base_url/infra/mac-discovery-profiles" @ListRequest
$QoSPs  = Invoke-RestMethod -Uri "$base_url/infra/qos-profiles" @ListRequest
$SGPs   = Invoke-RestMethod -Uri "$base_url/infra/spoofguard-profiles" @ListRequest
$SecPs  = Invoke-RestMethod -Uri "$base_url/infra/segment-security-profiles" @ListRequest
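# Resolve each target profile name to the matching profile object returned by the API.
$TargetIPDP  = $IPDPs.results  | Where-Object { $_.display_name -eq $TargetIPDPName }
$TargetMacDP = $MacDPs.results | Where-Object { $_.display_name -eq $TargetMacDPName }
$TargetQoSP  = $QoSPs.results  | Where-Object { $_.display_name -eq $TargetQoSDPName }
$TargetSGP   = $SGPs.results   | Where-Object { $_.display_name -eq $TargetSGName }
$TargetSecP  = $SecPs.results  | Where-Object { $_.display_name -eq $TargetSecName }

# Fail closed before any segment is touched: a mistyped or ambiguous profile name
# would otherwise put an empty or garbled path into the binding-map bodies, which
# could leave segments without the intended SpoofGuard / segment security profile.
$RequiredProfiles = @(
    @{ Kind = 'IP discovery';     Name = $TargetIPDPName;  Profile = $TargetIPDP },
    @{ Kind = 'MAC discovery';    Name = $TargetMacDPName; Profile = $TargetMacDP },
    @{ Kind = 'SpoofGuard';       Name = $TargetSGName;    Profile = $TargetSGP },
    @{ Kind = 'segment security'; Name = $TargetSecName;   Profile = $TargetSecP }
)
foreach ($Required in $RequiredProfiles) {
    # A lookup that matched nothing leaves $null in the variable; drop it before counting.
    $Found = @($Required.Profile | Where-Object { $null -ne $_ })
    if ($Found.Count -ne 1 -or [string]::IsNullOrEmpty($Found[0].path)) {
        throw ("Expected exactly one {0} profile named '{1}' with a path, found {2}. No segments were changed." -f $Required.Kind, $Required.Name, $Found.Count)
    }
}

# QoS is optional: an empty name means "leave QoS alone". A non-empty name that
# matched nothing is most likely a typo, so say so instead of skipping silently.
if (-not [string]::IsNullOrEmpty($TargetQoSDPName) -and $null -eq $TargetQoSP) {
    Write-Warning ("QoS profile '{0}' was not found; QoS bindings will be left unchanged." -f $TargetQoSDPName)
}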
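# Applies the target discovery, QoS (optional) and security profiles to each
# selected segment, creating a binding map where none exists and patching
# existing maps whose profile paths differ from the targets.
#
# The Where-Object filter on the Foreach limits the run to segments whose
# display_name matches "HCX-Uplink". -match is a regular-expression match, so it
# also selects names that merely contain that text; review the segment list
# first. Remove the filter to work against everything in $Segments.results.

# Arguments shared by the GET and PATCH requests inside the loop.
$NsxGet = @{
    Method               = 'GET'
    Credential           = $Credential
    SkipCertificateCheck = $skipcertcheck
    Authentication       = $AuthMethod
}
$NsxPatch = @{
    Method               = 'PATCH'
    Credential           = $Credential
    SkipCertificateCheck = $skipcertcheck
    Authentication       = $AuthMethod
    ContentType          = 'application/json'
}

# Request bodies do not depend on the segment, so build them once. ConvertTo-Json
# handles escaping instead of hand-concatenated JSON. The [string] casts keep an
# unresolved profile as an empty string, so confirm the target profiles resolved
# before running: the path is written into the binding map as-is.
$DiscoveryBody = [ordered]@{
    resource_type              = "SegmentDiscoveryProfileBindingMap"
    mac_discovery_profile_path = [string]$TargetMacDP.path
    ip_discovery_profile_path  = [string]$TargetIPDP.path
} | ConvertTo-Json -Compress
$QoSBody = [ordered]@{
    resource_type    = "SegmentQoSProfileBindingMap"
    qos_profile_path = [string]$TargetQoSP.path
} | ConvertTo-Json -Compress
$SecurityBody = [ordered]@{
    resource_type                 = "SegmentSecurityProfileBindingMap"
    segment_security_profile_path = [string]$TargetSecP.path
    spoofguard_profile_path       = [string]$TargetSGP.path
} | ConvertTo-Json -Compress

Foreach ($Segment in ($Segments.results | Where-Object { $_.display_name -match "HCX-Uplink" }))
{
    $SegmentUrl = $base_url + $SegmentEndPoint + "/" + $Segment.id

    # Discovery profiles: create the binding map if the segment has none,
    # otherwise patch any map whose IP or MAC discovery path differs.
    $endpoint = "/segment-discovery-profile-binding-maps"
    $Binding = Invoke-RestMethod -Uri ($SegmentUrl + $endpoint) @NsxGet
    If ($Binding.result_count -eq 0) {
        $MapGuid = New-Guid
        Invoke-RestMethod -Uri ($SegmentUrl + $endpoint + "/" + $MapGuid.Guid) -Body $DiscoveryBody @NsxPatch
    }
    Else {
        # Else (not a second If): with no existing map there is no results.path,
        # and a second PATCH would be sent to the bare API base URL.
        Foreach ($Map in $Binding.results) {
            If ($Map.ip_discovery_profile_path -ne $TargetIPDP.path -or $Map.mac_discovery_profile_path -ne $TargetMacDP.path) {
                Invoke-RestMethod -Uri ($base_url + $Map.path) -Body $DiscoveryBody @NsxPatch
            }
        }
    }

    # QoS profile: only handled when a target QoS profile was found, otherwise skipped.
    $endpoint = "/segment-qos-profile-binding-maps"
    If ($null -ne $TargetQoSP) {
        $Binding = Invoke-RestMethod -Uri ($SegmentUrl + $endpoint) @NsxGet
        If ($Binding.result_count -eq 0) {
            $MapGuid = New-Guid
            Invoke-RestMethod -Uri ($SegmentUrl + $endpoint + "/" + $MapGuid.Guid) -Body $QoSBody @NsxPatch
        }
        Else {
            Foreach ($Map in $Binding.results) {
                # Compare against $TargetQoSP; the undefined $TargetQoS used before
                # made this test true for every bound segment.
                If ($Map.qos_profile_path -ne $TargetQoSP.path) {
                    Invoke-RestMethod -Uri ($base_url + $Map.path) -Body $QoSBody @NsxPatch
                }
            }
        }
    }

    # SpoofGuard and segment security profiles: create the binding map if the
    # segment has none, otherwise patch any map whose paths differ.
    $endpoint = "/segment-security-profile-binding-maps"
    $Binding = Invoke-RestMethod -Uri ($SegmentUrl + $endpoint) @NsxGet
    If ($Binding.result_count -eq 0) {
        $MapGuid = New-Guid
        Invoke-RestMethod -Uri ($SegmentUrl + $endpoint + "/" + $MapGuid.Guid) -Body $SecurityBody @NsxPatch
    }
    Else {
        Foreach ($Map in $Binding.results) {
            If ($Map.spoofguard_profile_path -ne $TargetSGP.path -or $Map.segment_security_profile_path -ne $TargetSecP.path) {
                Invoke-RestMethod -Uri ($base_url + $Map.path) -Body $SecurityBody @NsxPatch
            }
        }
    }
}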