Modify ESXi Firewall
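# Restrict the ESXi firewall rulesets listed in $Services on every host of
# $clusterName to the IP allow-list held in $csv (a CSV with an
# "AllowedIpAddress" column). Requires an existing Connect-VIServer session
# and the Get-EsxCli (v1 object model) cmdlet from PowerCLI.
$Services    = 'faultTolerance', 'fdm', 'dhcp'
$clusterName = 'VSAN-Cluster'
$csv         = Import-Csv "C:\scripts\allowedipmaster.csv"

# Drop blank rows before anything else: an empty string would otherwise be
# handed to allowedip.add() and counted by Compare-Object as a real entry.
$Master = @($csv | Where-Object { -not [string]::IsNullOrWhiteSpace($_.AllowedIpAddress) })

# Refuse to run with an empty master list. Switching a ruleset to
# "restrict to allowed IPs" with no IPs would cut off every client, and
# Compare-Object rejects an empty -ReferenceObject anyway.
if ($Master.Count -eq 0) {
    throw "No AllowedIpAddress entries found in C:\scripts\allowedipmaster.csv; nothing to apply."
}

$VIHosts = (Get-Cluster -Name $clusterName | Get-VMHost)

foreach ($VIHost in $VIHosts) {
    $esxcli = Get-EsxCli -VMHost $VIHost

    # -------- Disable ESXi Firewall --------
    # From here until the finally block the host firewall is off, so keep
    # the section short and always re-enable it, even if an esxcli call
    # throws part-way through.
    $FirewallDisable = $esxcli.network.firewall.set($null, $false)
    Write-Host -ForegroundColor Yellow "Firewall disabled on host: $VIHost returned: $FirewallDisable"
    Start-Sleep -Seconds 2

    try {
        # --------- (Optional - The next 2 lines would Grab Host Services that are not Set to All --------
        #$modServices = $esxcli.network.firewall.ruleset.allowedip.list() | Where-Object{$_.AllowedIPAddresses -ne 'All'} | Select Ruleset
        #$Services = $modServices.Ruleset

        foreach ($Service in $Services) {
            # Reset per ruleset. Previously $delIP survived from the prior
            # service whenever this one had no allowed-IP list, so stale
            # addresses were removed from the wrong ruleset.
            $addIP = @()
            $delIP = @()

            # -------- Remove Allow All From Service --------
            $AllowOpt = $esxcli.network.firewall.ruleset.allowedip.list($Service)
            if ($AllowOpt.AllowedIPAddresses -eq 'All') {
                # set(allowedall, enabled, rulesetid): allowedall=false turns on IP restriction
                $ServiceResult = $esxcli.network.firewall.ruleset.set($false, $true, $Service)
                Write-Host -ForegroundColor Yellow "Removing allow all from service: $Service returned: $ServiceResult on host: $VIHost"
                Start-Sleep -Milliseconds 100
            }
            else {
                Write-Host -ForegroundColor Gray "$Service on $VIHost Already Set to Restrict to Allowed IP Addresses"
            }
            Start-Sleep -Seconds 2

            # Current allow-list for this ruleset, shaped as objects with an
            # AllowedIPAddress property so Compare-Object can match on it.
            $ServiceIPlist = @($esxcli.network.firewall.ruleset.allowedip.list() |
                Where-Object ruleset -eq $Service |
                Select-Object -ExpandProperty AllowedIpAddresses |
                Select-Object @{N = 'AllowedIPAddress'; E = { $_ } })

            if ($ServiceIPlist.Count -eq 0) {
                Write-Host "Allowed IP Addresses do not exist on $VIHost for $Service"
                # Keep the row objects, not the bare strings: the add loop
                # below reads .AllowedIpAddress, and on a string array that
                # expansion is $null, so the original assignment
                # ($csv.AllowedIpAddress) silently added nothing.
                $addIP = $Master | Select-Object AllowedIpAddress
            }
            else {
                Write-Host -ForegroundColor Cyan "Comparing Allowed IP Addresses on $VIHost for $Service Against the Masterlist"
                $IPAddressDiff = Compare-Object -ReferenceObject $Master -DifferenceObject $ServiceIPlist -Property AllowedIpAddress
                # '<=' only in the master list -> add; '=>' only on the host -> remove
                $addIP = $IPAddressDiff | Where-Object { $_.SideIndicator -eq '<=' } | Select-Object AllowedIPAddress
                $delIP = $IPAddressDiff | Where-Object { $_.SideIndicator -eq '=>' } | Select-Object AllowedIPAddress
            }

            # -------- Add Allowed IP to Service --------
            foreach ($IPAddress in $addIP.AllowedIpAddress) {
                $AddResult = $esxcli.network.firewall.ruleset.allowedip.add($IPAddress, $Service)
                Write-Host -ForegroundColor DarkCyan "Adding $IPAddress to Allowed list for service: $Service returned: $AddResult on host: $VIHost"
                Start-Sleep -Milliseconds 500
            }

            # -------- Remove Allowed IP from Service --------
            foreach ($IPAddress in $delIP.AllowedIpAddress) {
                $DelResult = $esxcli.network.firewall.ruleset.allowedip.remove($IPAddress, $Service)
                Write-Host -ForegroundColor DarkGray "Removing $IPAddress from Allowed list for service: $Service returned: $DelResult on host: $VIHost"
                Start-Sleep -Milliseconds 500
            }
        }
    }
    finally {
        # -------- Enable ESXi Firewall --------
        # Runs on both the normal and the error path so a host is never
        # left with its firewall disabled.
        Write-Host -ForegroundColor Gray 'Sleeping 5 seconds'
        Start-Sleep -Seconds 5
        $FirewallEnable = $esxcli.network.firewall.set($null, $true)
        Write-Host -ForegroundColor DarkYellow "$VIHost Firewall Restricted Returned: $firewallEnable"
        Start-Sleep -Seconds 1
        $Refresh = $esxcli.network.firewall.refresh()
        Write-Host -ForegroundColor DarkYellow "$VIHost Firewall Refreshed Returned: $Refresh"
        Write-Host 'Sleeping 2 seconds'
        Start-Sleep -Seconds 2
    }
}

Write-Host -ForegroundColor Green "Script Complete, ESXi host firewall on Cluster: $ClusterName are Set to Restrict IPs"
Disconnect-VIServer * -Force -Confirm:$false
Remove-Variable * -Force -ErrorAction SilentlyContinue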