Create a Distributed Firewall Policy
You can create a distributed firewall policy for an NSX server system by using the Invoke-PatchSecurityPolicyForDomain cmdlet.
Prerequisites
Verify that you are connected to an NSX server system.
Procedure
- Create lookup object variables.
  $serviceList = @("SSH", "HTTP")
  $sourceGroups = @("ANY")
  $destinationGroups = @("MyGroupName")
  # Names for the rule and policy created in later steps (placeholder values; choose your own).
  $ruleName = "MyRuleName"
  $policyName = "MyPolicyName"
- Look up groups and services.
  # Resolve service display names to NSX policy paths.
  $allServices = Invoke-ListServicesForTenant
  $servicePathList = @()
  foreach ($serv in $serviceList) {
      $s = $allServices.Results | where {$_.DisplayName -eq $serv}
      $servicePathList += $s.Path
  }

  # Resolve source group display names to paths; "ANY" is passed through as-is.
  $allGroups = Invoke-ListGroupForDomain -DomainId default
  $sourceGroupList = @()
  foreach ($gp in $sourceGroups) {
      if ($gp -eq "ANY") {
          $sourceGroupList += "ANY"
      } else {
          $g = $allGroups.Results | where {$_.DisplayName -eq $gp}
          $sourceGroupList += $g.Path
      }
  }

  # Resolve destination group display names the same way.
  $destinationGroupList = @()
  foreach ($gp in $destinationGroups) {
      if ($gp -eq "ANY") {
          $destinationGroupList += "ANY"
      } else {
          $g = $allGroups.Results | where {$_.DisplayName -eq $gp}
          $destinationGroupList += $g.Path
      }
  }
- Prepare the input for the policy rule.
  $rule = Initialize-Rule -DisplayName $ruleName -Id $ruleName -SourceGroups $sourceGroupList -DestinationGroups $destinationGroupList -Services $servicePathList -Action "ALLOW"
- Prepare the input for the security policy.
  $securityPolicy = Initialize-SecurityPolicy -DisplayName $policyName -Rules @($rule)
- Invoke the operation.
  Invoke-PatchSecurityPolicyForDomain -DomainId default -SecurityPolicyId $policyName -SecurityPolicy $securityPolicy
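The procedure above, consolidated into one function as an added example (not code from the VMware documentation or the PowerCLI module). It resolves names to paths strictly, so a mistyped group or service name fails instead of putting $null into a rule, and follows the allow rule with an explicit DROP rule for the same destinations. It assumes the cmdlets used on this page, an existing NSX connection, and that Initialize-Rule exposes the API's sequence_number field as -SequenceNumber; the function names and sample values are this example's own.

```powershell
function Resolve-NsxPath {
    # Map display names to policy paths; "ANY" passes through. Throws when a
    # name matches zero or several objects, rather than silently widening the rule.
    param([object[]]$Catalog, [string[]]$Names)
    $paths = @()
    foreach ($name in $Names) {
        if ($name -eq "ANY") { $paths += "ANY"; continue }
        $match = @($Catalog | Where-Object { $_.DisplayName -eq $name })
        if ($match.Count -ne 1) {
            throw "Expected exactly one object named '$name', found $($match.Count)"
        }
        $paths += $match[0].Path
    }
    return $paths
}

function New-DfwAllowPolicyWithDefaultDrop {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string[]]$Services,
        [Parameter(Mandatory)][string[]]$SourceGroups,
        [Parameter(Mandatory)][string[]]$DestinationGroups,
        [string]$DomainId = "default"
    )
    $allServices = (Invoke-ListServicesForTenant).Results
    $allGroups   = (Invoke-ListGroupForDomain -DomainId $DomainId).Results

    $svcPaths = Resolve-NsxPath -Catalog $allServices -Names $Services
    $srcPaths = Resolve-NsxPath -Catalog $allGroups   -Names $SourceGroups
    $dstPaths = Resolve-NsxPath -Catalog $allGroups   -Names $DestinationGroups

    # Allow only the listed services from the listed sources (evaluated first).
    $allowRule = Initialize-Rule -DisplayName "$PolicyName-allow" -Id "$PolicyName-allow" `
        -SequenceNumber 10 -SourceGroups $srcPaths -DestinationGroups $dstPaths `
        -Services $svcPaths -Action "ALLOW"
    # Explicit default-deny toward the same destinations (evaluated second), so
    # traffic not matched above does not fall through to a broader policy.
    $dropRule = Initialize-Rule -DisplayName "$PolicyName-drop" -Id "$PolicyName-drop" `
        -SequenceNumber 20 -SourceGroups @("ANY") -DestinationGroups $dstPaths `
        -Services @("ANY") -Action "DROP"

    $policy = Initialize-SecurityPolicy -DisplayName $PolicyName -Rules @($allowRule, $dropRule)
    Invoke-PatchSecurityPolicyForDomain -DomainId $DomainId -SecurityPolicyId $PolicyName -SecurityPolicy $policy
}

# Constructed sample invocation; the names are placeholders for your environment.
New-DfwAllowPolicyWithDefaultDrop -PolicyName "web-tier-policy" -Services @("SSH", "HTTP") `
    -SourceGroups @("ANY") -DestinationGroups @("MyGroupName")
```

Review the resulting policy in the NSX Manager UI before relying on it: the DROP rule blocks everything else to those destinations, including management traffic if the destination group is too broad.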