Modify ESXi Firewall
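# Restrict the listed ESXi firewall rulesets on every host of a cluster to the
# IP addresses in a master CSV (column: AllowedIpAddress): drop "allow all",
# then add missing entries and remove extras so each host matches the list.
# Assumes an existing PowerCLI session (Connect-VIServer) whose user may change
# host firewall settings, and the esxcli v1 object model returned by Get-EsxCli.
$Services    = 'faultTolerance','fdm','dhcp'
$clusterName = 'VSAN-Cluster'
$csvPath     = "C:\scripts\allowedipmaster.csv"

# Validate the master list BEFORE touching any host. With a missing or empty
# list the per-service loop would still remove "allow all" and then add nothing,
# leaving the ruleset with no allowed sources, i.e. the service (fdm is vSphere
# HA) blocked on every host in the cluster.
$csv = @(Import-Csv -Path $csvPath -ErrorAction Stop)
if ($csv.Count -eq 0 -or -not ($csv[0].PSObject.Properties.Name -contains 'AllowedIpAddress')) {
    throw "Master list '$csvPath' is empty or has no 'AllowedIpAddress' column; no host was modified."
}

$VIHosts = Get-Cluster -Name $clusterName | Get-VMHost
foreach ($VIHost in $VIHosts) {
    $esxcli = Get-EsxCli -VMHost $VIHost
    # -------- Disable ESXi Firewall --------
    # The host firewall is fully open from this call until the finally block
    # re-enables it; keep the work in between short and never leave it off on
    # an error path. Whether disabling is needed at all (adding the allowed IPs
    # before dropping "allow all" may avoid it) should be confirmed against
    # esxcli behaviour — the original order is kept here.
    $FirewallDisable = $esxcli.network.firewall.set($null, $false)
    Write-Host -ForegroundColor Yellow "Firewall disabled on host: $VIHost returned: $FirewallDisable"
    Start-Sleep -Seconds 2
    # --------- (Optional - The next 2 lines would Grab Host Services that are not Set to All --------
    #$modServices = $esxcli.network.firewall.ruleset.allowedip.list() | Where-Object{$_.AllowedIPAddresses -ne 'All'} | Select Ruleset
    #$Services = $modServices.Ruleset
    try {
        foreach ($Service in $Services) {
            # Reset per-service state: otherwise a diff computed for the previous
            # service (or host) is replayed against this one whenever the
            # "no allowed IPs yet" branch below does not set $delIP.
            $addIP = $null
            $delIP = $null
            # -------- Remove Allow All From Service --------
            $AllowOpt = $esxcli.network.firewall.ruleset.allowedip.list($Service)
            if ($AllowOpt.AllowedIPAddresses -eq 'All') {
                # ruleset.set(allowedall, enabled, rulesetid): keep the ruleset
                # enabled but stop accepting from any source.
                $ServiceResult = $esxcli.network.firewall.ruleset.set($false, $true, $Service)
                Write-Host -ForegroundColor Yellow "Removing allow all from service: $Service returned: $ServiceResult on host: $VIHost"
                Start-Sleep -Milliseconds 100
            }
            else {
                Write-Host -ForegroundColor Gray "$Service on $VIHost Already Set to Restrict to Allowed IP Addresses"
            }
            Start-Sleep -Seconds 2
            # Current allowed IPs for this ruleset, reshaped to the CSV column name
            # so Compare-Object can diff both sides on the same property.
            $ServiceIPlist = $esxcli.network.firewall.ruleset.allowedip.list() |
                Where-Object { $_.Ruleset -eq $Service } |
                Select-Object -ExpandProperty AllowedIpAddresses |
                Select-Object @{N = 'AllowedIPAddress'; E = { $_ }}
            if (-not $ServiceIPlist) {
                Write-Output "Allowed IP Addresses do not exist on $VIHost for $Service"
                # Nothing to diff: every master-list row is missing. Keep the row
                # objects (not the bare strings) so the add loop below can read
                # .AllowedIpAddress from them; with plain strings it reads nothing
                # and no address would ever be added to an empty list.
                $addIP = $csv
            }
            else {
                Write-Host -ForegroundColor Cyan "Comparing Allowed IP Addresses on $VIHost for $Service Against the Masterlist"
                $IPAddressDiff = Compare-Object -ReferenceObject $csv -DifferenceObject $ServiceIPlist -Property AllowedIpAddress
                # '<=' = only in the master list -> add; '=>' = only on the host -> remove.
                $addIP = $IPAddressDiff | Where-Object { $_.SideIndicator -eq '<=' } | Select-Object AllowedIPAddress
                $delIP = $IPAddressDiff | Where-Object { $_.SideIndicator -eq '=>' } | Select-Object AllowedIPAddress
            }
            # -------- Add Allowed IP to Service --------
            foreach ($IPAddress in $addIP.AllowedIpAddress) {
                $AddResult = $esxcli.network.firewall.ruleset.allowedip.add($IPAddress, $Service)
                Write-Host -ForegroundColor DarkCyan "Adding $IPAddress to Allowed list for service: $Service returned: $AddResult on host: $VIHost"
                Start-Sleep -Milliseconds 500
            }
            # -------- Remove Allowed IP from Service --------
            foreach ($IPAddress in $delIP.AllowedIpAddress) {
                $DelResult = $esxcli.network.firewall.ruleset.allowedip.remove($IPAddress, $Service)
                Write-Host -ForegroundColor DarkGray "Removing $IPAddress from Allowed list for service: $Service returned: $DelResult on host: $VIHost"
                Start-Sleep -Milliseconds 500
            }
        }
    }
    finally {
        # -------- Enable ESXi Firewall --------
        # Runs on every exit path (terminating error, Ctrl+C) so a host is never
        # left with its firewall disabled because the loop above was cut short.
        Write-Host -ForegroundColor Gray 'Sleeping 5 seconds'
        Start-Sleep -Seconds 5
        $FirewallEnable = $esxcli.network.firewall.set($null, $true)
        Write-Host -ForegroundColor DarkYellow "$VIHost Firewall Restricted Returned: $FirewallEnable"
        if ($FirewallEnable -ne $true) {
            # Loud rather than silent: an unfirewalled host is the worst outcome here.
            # NOTE(review): assumes the v1 setter returns $true on success — confirm.
            Write-Warning "Firewall on $VIHost may still be DISABLED (set returned '$FirewallEnable'); verify manually."
        }
        Start-Sleep -Seconds 1
        $Refresh = $esxcli.network.firewall.refresh()
        Write-Host -ForegroundColor DarkYellow "$VIHost Firewall Refreshed Returned: $Refresh"
        Write-Host 'Sleeping 2 seconds'
        Start-Sleep -Seconds 2
    }
}
Write-Host -ForegroundColor Green "Script Complete, ESXi host firewall on Cluster: $clusterName are Set to Restrict IPs"
Disconnect-VIServer * -Force -Confirm:$false
Remove-Variable * -Force -ErrorAction SilentlyContinue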