How to Edit Security Policies & Apply them to Security Groups with PowerNSX

In the previous post found here, we discussed how to create security policies with PowerNSX. In this post, I’ll demonstrate how to edit existing security policy firewall rules and then apply security policies to security groups with PowerNSX.

The video above demonstrates the cmdlets discussed in this post.

Disclaimer: The code shown in the video is not included in the PowerNSX module. There is still work to be done as I need to write Pester tests for these cmdlets to ensure everything works as expected and doesn’t break anything else. That said, all code has been used in a production environment without issue.

  • Edit-NsxSecurityPolicyFwRule:
    • Edit existing Security Policy firewall rules
      • Parameters: SecurityPolicy, FirewallRule, ExecutionOrder, ReturnObjectIdOnly
  • Add-NsxApplySpToSg:
    • Apply security policy to security group(s)
      • Parameters: SecurityPolicy, SecurityGroup[], ReturnObjectIdOnly

That's it! This is a short and sweet post. Stay tuned for the last post in this series, where we’ll discuss how to remove NSX security policy objects using PowerNSX:

  1. Remove a specific NSX security policy rule (Remove-NsxSecurityPolicyFwRule)
  2. Remove a security group(s) from an NSX security policy rule (Remove-NsxSgFromSpFwRule)
  3. Remove a service from an NSX security policy rule (Remove-NsxServiceFromSPFwRule)
  4. Remove an applied security policy from a security group(s) (Remove-NsxApplySpFromSg)
  5. Remove entire NSX security policy (a native PowerNSX cmdlet: Remove-NsxSecurityPolicy)

As well as how to properly decommission NSX Security Groups in order to prevent sync issues.

All code used in this demo can be found in my Github repository here.

 
