VMware vShield PowerShell Module

A while back I was asked whether we could automate some areas of vShield, VMware's security suite of products. This was for a demo to be used at VMworld, and having never touched vShield before, I was thrown into the world of security at the deep end. The first thing I found on my quest was the vShield API: there is a great document by VMware which explains the vShield proprietary Web-RPC API (based on a REST API) and all the calls you would ever need to make to work with the vShield products.

Now that I had the API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a proprietary Web-RPC based RESTful API. I know PowerShell v3 will include cmdlets for this, but I didn’t want to wait or add a dependency on something which wasn’t available yet.

With this completed, the rest of the advanced functions were easily created: it was just a case of sending the correct parameters and the correct URL to my function, and my results would be returned.

So why would we want to do this?

Automation is a powerful tool. With automation we can not only make our lives as administrators easier and less cumbersome, but also enable products to do things automagically that they never could do before.

I will add more and more posts for this module to show you what I mean, but first things first: I just wanted to get the module out here and available for feedback and general usage.

Don’t forget my other posts around automating vShield here:

Requirements

  • PowerShell v2
  • PowerCLI (Latest Version)
  • vShield Module (See Downloads area on this page)
  • vShield Manager 5.0
  • vCenter

Download

You can download the module here and contribute changes via GitHub here.

Install and Usage

The below video will take you through the install and give you enough to get started:

Feedback

If there is anything you have ever wanted to automate with vShield but didn’t know how, then please let me know; the cmdlets are easily adjusted.

31 thoughts on “VMware vShield PowerShell Module”

  1. Hi Alan,

    The get-vshieldsecuritygroup cmdlet appears to only return Security Groups that are set at the Datacenter level and not those that can be defined lower down the hierarchy (e.g. at the Port Group level). Is it possible to achieve this?

    Thanks,
    Jon

  2. Thanks for updating the download link. It does seem that the module is significantly different from and smaller than the version demonstrated in your video. For example it is missing the ‘Get-vShieldCommand’ function. Is this by design? Thanks!

  3. Could you please share the commands / PowerCLI script to install vShield Edge Installation. We need to automate the vShield Edge Installation on Port Group.

  4. Hi Alan, I’m new to PowerCLI/PowerShell. I installed the vShield module and I’m trying to connect to the vShield server but I’m getting an SSL/TLS trust relationship exception. Could you please let me know how I will be able to make it ignore the certificate authentication?

    1. Alan, I could do it using “[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}”.
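
One way to handle the certificate error discussed in the comment above without accepting every certificate for every HTTPS request in the session, written as a generic GET/PUT/POST/DELETE helper of the kind the post describes. This is an added example, not code from the module or from the commenters; the function name, its parameters, basic authentication and the XML content type are assumptions.

```powershell
# Added example: function and parameter names are hypothetical, not from the module.
function Invoke-PinnedRestRequest {
    param(
        [Parameter(Mandatory=$true)][string]$Uri,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory=$true)][string]$Thumbprint,   # SHA-1 thumbprint recorded from the appliance
        [ValidateSet('GET','PUT','POST','DELETE')][string]$Method = 'GET',
        [string]$Body
    )
    # Normalise the pinned thumbprint: drop spaces/colons, upper-case, insist on 40 hex digits.
    $pinned = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($pinned.Length -ne 40) { throw 'Thumbprint must be a 40-digit SHA-1 hex string.' }

    # Accept a certificate Windows already trusts, or exactly the pinned one; reject all others.
    $check = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }
        return ($certificate.GetCertHashString() -eq $pinned)
    }.GetNewClosure()

    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    try {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $check
        $request = [System.Net.WebRequest]::Create($Uri)
        $request.Method = $Method
        $request.ContentType = 'application/xml'            # assumption: XML request bodies
        # Assumption: HTTP basic authentication.
        $net  = $Credential.GetNetworkCredential()
        $pair = [Text.Encoding]::UTF8.GetBytes(('{0}:{1}' -f $net.UserName, $net.Password))
        $request.Headers.Add('Authorization', 'Basic ' + [Convert]::ToBase64String($pair))
        if ($Body) {
            $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
            $request.ContentLength = $bytes.Length
            $stream = $request.GetRequestStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Close()
        }
        $response = $request.GetResponse()
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        try { return $reader.ReadToEnd() }
        finally { $reader.Close(); $response.Close() }
    }
    finally {
        # Restore whatever validation was in place so other HTTPS calls in the session are unaffected.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
    }
}
```

Record the thumbprint from the vShield Manager certificate through a channel you trust, then pass it as `-Thumbprint` together with the API URL and a credential.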

  5. Hi Alan, great article!
    I’m not confident about the vShield Manager backup solution because it doesn’t allow backup/restore of a specific vShield Edge/App configuration.
    Imagine one network admin incorrectly modifies one vShield Edge firewall rule and another network admin modifies another vShield Edge. If we have to do a restore, both configurations are restored…
    I’m looking for a PowerCLI script that allows export/import of vShield Edge / App configuration. Could you help me?

    Thanks in advance!

    EFD

  6. Hi Alan, great stuff. What about pre and post backup scripts disabling and enabling rate limits on vShield Edges? It would be helpful when you have (like me) to do an application level backup of some customer’s VMs behind an Edge on vCloud where a rate limit is set.

    thanks

    Sergio

  7. I would give my eye teeth for the ability to export vSE firewall rules from one appliance, and import them to another…

  8. Oh, and I’m afraid I’m using vShield 4.1 (build 310451) … hopefully the REST APIs are compatible between v41 & v5 of vShield for Edge?

    JD

  9. Alan,

    Great work once again … and very timely for me. I’m in the middle of setting up ~110 vShield Edge appliances with NAT rules (we’re not using App or Endpoint just yet) and setting these up manually is driving me insane! I dream of automation. Can your PowerShell modules be tweaked to assist?

    Yours optimistically….

    JD

      1. Hello Alan! Amazing stuff here! I also am interested in automating vShield Edge. Were you able to get something together for Jason D. back in Jan, and if so would you mind sharing?

        Thanks a million,
        Aaron
