VMware vShield PowerShell Module

A while back I was asked if we could automate some areas of vShield, VMware’s security suite of products. I was asked to do this for a demo which was to be used at VMworld; having never touched vShield before, I was thrown into the world of security at the deep end. The first thing I found on my quest was the vShield API: there is a great document by VMware which explains the vShield proprietary Web-RPC API (based on a REST API) and all the calls you would ever need to make to work with the vShield products.

Now that I had the API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a proprietary Web-RPC based RESTful API. I know PowerShell v3 will include cmdlets for this, but I didn’t want to wait or add a dependency on something which wasn’t available yet.

With this completed, the rest of the advanced functions were easily created; it was just a case of sending the correct parameters and the correct URL to my function and my results would be returned.
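
A generic GET/PUT/POST/DELETE helper of the kind described above could look like the following on PowerShell v2. This is an added example, not the module's own code: the names `Invoke-VShieldRest` and `PinnedCertPolicy`, the XML content type, HTTP Basic authentication and the placeholder URL and thumbprint are assumptions. Instead of switching certificate validation off for the whole session, it accepts a self-signed vShield Manager certificate only when its thumbprint matches a value you have verified.

```powershell
# Added example: names, content type, Basic auth and placeholders are assumptions.
Add-Type -TypeDefinition @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCertPolicy {
    static string pinned;
    // Accept a normally valid certificate, or one whose thumbprint equals the pin.
    static bool Check(object s, X509Certificate c, X509Chain ch, SslPolicyErrors e) {
        if (e == SslPolicyErrors.None) { return true; }
        return c != null && String.Equals(new X509Certificate2(c).Thumbprint,
                                          pinned, StringComparison.OrdinalIgnoreCase);
    }
    public static void Enable(string thumbprint) {
        pinned = thumbprint.Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Check);
    }
}
'@

function Invoke-VShieldRest {
    param(
        [Parameter(Mandatory=$true)][string]$Uri,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
        [ValidateSet('GET','PUT','POST','DELETE')][string]$Method = 'GET',
        [string]$Body
    )
    $request = [System.Net.WebRequest]::Create($Uri)
    $request.Method = $Method
    $request.ContentType = 'application/xml'
    # Basic auth header built from the credential (assumed auth scheme).
    $net  = $Credential.GetNetworkCredential()
    $pair = [Text.Encoding]::UTF8.GetBytes(('{0}:{1}' -f $net.UserName, $net.Password))
    $request.Headers.Add('Authorization', 'Basic ' + [Convert]::ToBase64String($pair))
    if ($Body) {
        $bytes  = [Text.Encoding]::UTF8.GetBytes($Body)
        $stream = $request.GetRequestStream()
        try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Close() }
    }
    $response = $request.GetResponse()   # throws on TLS failure or HTTP error status
    try {
        (New-Object System.IO.StreamReader($response.GetResponseStream())).ReadToEnd()
    } finally { $response.Close() }
}

# [PinnedCertPolicy]::Enable('<THUMBPRINT-YOU-VERIFIED-OUT-OF-BAND>')
# Invoke-VShieldRest -Uri 'https://<vshield-manager>/<api-path>' -Credential (Get-Credential)
```

The validation callback is process-wide, so it applies to every HTTPS request made from the same PowerShell session.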

So why would we want to do this?

Automation is a powerful tool. With automation we can not only make our lives as administrators easier and less cumbersome, but also enable products to do things automagically that they never could do before.

I will add more and more posts for this module to show you what I mean, but first things first: I just wanted to get the module out here and available for feedback and general usage.

Don’t forget my other posts around automating vShield here:

Requirements

  • PowerShell v2
  • PowerCLI (Latest Version)
  • vShield Module (See Downloads area on this page)
  • vShield Manager 5.0
  • vCenter

Download

You can download the module here and contribute changes via GitHub here.

Install and Usage

The below video will take you through the install and give you enough to get started:

Feedback

If there is anything you have ever wanted to automate with vShield but didn’t know how, then please let me know; the cmdlets are easily adjusted.

31 thoughts on “VMware vShield PowerShell Module”

  1. Pingback: vCloud API and PowerCLI – Import/Export vShield Edge FW Rules – user's Blog!

  2. Pingback: VMware vShield PowerShell Module – Phasmid LLC

  3. Pingback: vCloud API and PowerCLI – Import/Export vShield Edge FW Rules | Dave's Notepad

  4. Larry Van Brunt

    Been looking through the commands – is there one to export the App firewall rules?

  5. Jon

    Hi Alan,

    The get-vshieldsecuritygroup cmdlet appears to only return Security Groups that are set at the Datacenter level and not those that can be defined lower down the hierarchy (e.g. at the Port Group level). Is it possible to achieve this?

    Thanks,
    Jon

  6. Josh

    Thanks for updating the download link. It does seem that the module is significantly different from and smaller than the version demonstrated in your video. For example it is missing the ‘Get-vShieldCommand’ function. Is this by design? Thanks!

  7. Sunl I B

    Could you please share the commands / PowerCLI script to install vShield Edge Installation. We need to automate the vShield Edge Installation on Port Group.

  8. Shishir

    Hi Alan,

    Could you help me understand how do I query the version of vShield Server? Thanks in advance.

  9. Shishir

    Alan, I could do it using “[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}”.

  10. Shishir

    Hi Alan, I’m new to PowerCLI/PowerShell. I installed the vShield module and I’m trying to connect to the vShield server but I’m getting an SSL/TLS trust relationship exception. Could you please let me know how I will be able to make it ignore the certificate authentication?

  11. Pingback: Exploring the vCloud Networking & Security API Using Ruby | virtuallyGhetto

  12. Eduard

    Hi Alan, great article!
    I’m not confident about the vShield Manager backup solution because it doesn’t allow backup/restore of a specific vShield Edge/App configuration.
    Imagine one network admin incorrectly modifies one vShield Edge firewall rule and another network admin modifies another vShield Edge. If we have to do a restore, both configurations are restored…
    I’m looking for a PowerCLI script that allows export/import of vShield Edge / App configuration. Could you help me?

    Thanks in advance!

    EFD

  13. Sergio

    Hi Alan, great stuff. What about pre and post backup scripts disabling and enabling rate limits on vShield Edges? It would be helpful when you have (like me) to do an application level backup of some customer’s VMs behind an Edge on vCloud where a rate limit is set.

    thanks

    Sergio

  14. Aaron Gore

    Hello Alan! Amazing stuff here! I also am interested in automating vShield Edge. Were you able to get something together for Jason D. back in Jan, and if so would you mind sharing?

    Thanks a million,
    Aaron

  15. Pingback: vCloud Director: Regaining your Edge (Redeploying from a command line) | SOSTech

  16. Pingback: vCloud Director: Regaining your Edge (Redeploying from a command line) | SOS tech

  17. Alex

    I would give my eye teeth for the ability to export vSE firewall rules from one appliance, and import them to another…

  18. Pingback: IT Secure Site » Blog Archive » vShield Automation

  19. Jason Dinsdale

    Oh, and I’m afraid I’m using vShield 4.1 (build 310451) … hopefully the REST APIs are compatible between v41 & v5 of vShield for Edge?

    JD

  20. Jason Dinsdale

    Alan,

    Great work once again … and very timely for me. I’m in the middle of setting up ~110 vShield Edge appliances with NAT rules (we’re not using App or Endpoint just yet) and setting these up manually is driving me insane! I dream of automation. Can your PowerShell modules be tweaked to assist?

    Yours optimistically….

    JD
