A while back I was asked if we could automate some areas of vShield, VMware's security suite of products. I was asked to do this for a demo which was to be used at VMworld; having never touched vShield before, I was thrown into the world of security at the deep end. The first thing I found on my quest was the vShield API. There is a great document by VMware which explains the vShield proprietary Web-RPC API (based on REST) and all the calls you would ever need to make to work with the vShield products.
Now that I had the API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a proprietary Web-RPC based RESTful API. I know PowerShell v3 will include cmdlets for this, but I didn't want to wait or add a dependency on something which wasn't available as yet.
With this completed, the rest of the advanced functions were easily created; it was just a case of sending the correct parameter and the correct URL to my function, and my results would be returned.
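A generic helper of the kind described above, as an added example rather than the module's own code. It uses only .NET classes available to PowerShell v2; the function name, its parameters and the use of HTTP Basic authentication are assumptions.

```powershell
# Added illustration; Invoke-RestCall and its parameters are hypothetical names,
# not functions from the vShield module. HTTP Basic authentication is an assumption.
function Invoke-RestCall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('GET', 'PUT', 'POST', 'DELETE')]
        [string]$Method,
        [Parameter(Mandatory = $true)][Uri]$Uri,
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,
        [string]$Body,
        [string]$ContentType = 'application/xml'
    )
    # Credentials travel in a request header, so refuse anything but HTTPS.
    if ($Uri.Scheme -ne 'https') { throw "Refusing to send credentials to $Uri" }
    $request = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Uri)
    $request.Method = $Method
    $request.Accept = $ContentType
    $net   = $Credential.GetNetworkCredential()
    $pair  = '{0}:{1}' -f $net.UserName, $net.Password
    $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $request.Headers.Add('Authorization', "Basic $token")

    if ($Body) {
        if (('PUT', 'POST') -notcontains $Method) { throw "$Method takes no body" }
        $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
        $request.ContentType   = $ContentType
        $request.ContentLength = $bytes.Length
        $stream = $request.GetRequestStream()
        try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Close() }
    }

    try { $response = $request.GetResponse() }
    catch {
        # A non-2xx status surfaces as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }   # TLS or network failure: rethrow
        $response = $ex.Response
    }
    try {
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        New-Object PSObject -Property @{
            StatusCode = [int]$response.StatusCode
            Content    = $reader.ReadToEnd()
        }
    } finally { $response.Close() }
}
```

The returned object carries the HTTP status and the raw body, so a caller can cast `Content` to `[xml]` after checking `StatusCode`.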
So why would we want to do this?
Automation is a powerful tool. With automation we can not only make our lives as administrators easier and less cumbersome, but also enable products to do things automagically that they never could do before.
I will add more and more posts for this module to show you what I mean, but first things first: I just wanted to get the module out here and available for feedback and general usage.
Don’t forget my other posts around automating vShield here:
Requirements
- PowerShell v2
- PowerCLI (Latest Version)
- vShield Module (See Downloads area on this page)
- vShield Manager 5.0
- vCenter
Download
You can download the module here and contribute changes via GitHub here.
Install and Usage
The below video will take you through the install and give you enough to get started:
Feedback
If there is anything you have ever wanted to automate with vShield but didn’t know how, then please let me know; the cmdlets are easily adjusted.
Been looking through the commands – is there one to export the App firewall rules?
Is it possible to install only the vShield Endpoint without the vShield App?
Hi Alan,
The get-vshieldsecuritygroup cmdlet appears to only return Security Groups that are set at the Datacenter level and not those that can be defined lower down the hierarchy (e.g. at the Port Group level). Is it possible to achieve this?
Thanks,
Jon
Ok, updated the github project with the latest commands, must have uploaded an old version.
Hmmm, perhaps I uploaded an older version, let me take a look and update.
Thanks for updating the download link. It does seem that the module is significantly different from and smaller than the version demonstrated in your video. For example it is missing the ‘Get-vShieldCommand’ function. Is this by design? Thanks!
Done, also added to Github so we can update as a community 🙂
Module link is missing. Can you update?
It appears the download link is missing. Is this still available?
Could you please share the commands / PowerCLI script for the vShield Edge installation? We need to automate the vShield Edge installation on Port Group.
How can I edit an object library (vShield — Settings and reports — OBJECT LIBRARY)?
Hi Alan,
Could you help me understand how do I query the version of vShield Server? Thanks in advance.
Alan, I could do it using “[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}”.
Hi Alan, I’m new to PowerCLI/PowerShell. I installed the vShield module and I’m trying to connect to the vShield server but I’m getting an SSL/TLS trust relationship exception. Could you please let me know how I will be able to make it ignore the certificate authentication?
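The callback quoted in the comments above accepts any certificate from any host for the whole PowerShell session. The added example below (not from the post, the comments or the module) instead accepts an untrusted certificate only for one named host and only when its SHA-256 fingerprint matches; the class name, host name and fingerprint are placeholders.

```powershell
# Added illustration; PinnedCertValidator, the host name and the fingerprint are
# constructed placeholders, not part of the vShield module.
$source = @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator
{
    private static string pinnedHost;
    private static string pinnedSha256;

    public static void Enable(string host, string sha256Fingerprint)
    {
        pinnedHost = host;
        pinnedSha256 = sha256Fingerprint.Replace(":", "").Replace(" ", "").ToUpperInvariant();
        // The callback is process-wide: it sees every HTTPS request in this session.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;   // normal validation passed
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null || cert == null) return false;
        // The exception applies to the pinned host only; every other host must validate.
        if (!String.Equals(request.Address.Host, pinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;
        byte[] hash = SHA256.Create().ComputeHash(cert.GetRawCertData());
        return BitConverter.ToString(hash).Replace("-", "") == pinnedSha256;
    }
}
'@
Add-Type -TypeDefinition $source

# Fingerprint must be obtained out of band; both values below are placeholders.
[PinnedCertValidator]::Enable('vsm.example.local', '<SHA-256 fingerprint of the vShield Manager certificate>')
```

Replacing the self-signed certificate with one issued by a CA the client already trusts removes the need for any callback.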
Hi Alan, great article!
I’m not confident about the vShield Manager backup solution because it doesn’t allow backup/restore of a specific vShield Edge/App configuration.
Imagine one network admin incorrectly modifies one vShield Edge firewall rule and another network admin modifies another vShield Edge. If we have to do a restore, both configurations are restored…
I’m looking for a PowerCLI script that allows export/import of vShield Edge / App configuration. Could you help me?
Thanks in advance!
EFD
Hi Alan, great stuff. What about pre and post backup scripts disabling and enabling rate limits on vShield Edges? It would be helpful when you have (like me) to do an application level backup of some customer’s VMs behind an Edge on vCloud where a rate limit is set.
thanks
Sergio
Hello Alan! Amazing stuff here! I also am interested in automating vShield Edge. Were you able to get something together for Jason D. back in Jan, and if so would you mind sharing?
Thanks a million,
Aaron
Awesome. Thanks a lot!
Alex, how much are your eye teeth worth and are they in good condition?
I would give my eye teeth for the ability to export vSE firewall rules from one appliance, and import them to another…
Oh, and I’m afraid I’m using vShield 4.1 (build 310451) … hopefully the REST APIs are compatible between v41 & v5 of vShield for Edge?
JD
Absolutely, I will drop you an email for more details and then update the module.
Alan,
Great work once again … and very timely for me. I’m in the middle of setting up ~110 vShield Edge appliances with NAT rules (we’re not using App or Endpoint just yet) and setting these up manually is driving me insane! I dream of automation. Can your PowerShell modules be tweaked to assist?
Yours optimistically….
JD