Powershell to clear allowed IP list and allow all IPs

Powershell to clear allowed IP list and allow all IPs

I found a few posts on setting specific IPs that are allowed through the ESXi Firewall for services such as SSH and Web Access for instance. What I lacked was a way to manipulate those when I realized I'd made a typo. I had inconsistent settings starting to develop and I wanted to script a way to reset to a blank page again!

The script below achieves that. I've also come up with an audit script to verify any rogue servers that have different settings from the default for two services sshServer and webAccess, the ones I was interested in. With lockdown mode it's probably a bit overkill but we get admins leaving things in an unconfigured way and having some extra insurance was desired.

If you have 80-100 hosts, this can save a lot of time picking through the gui!

This script removes the two subnets and returns the firewall to allow all IPs:

$Services = "webAccess","sshServer"
$remoteIP1 = "192.168.1.0/24"
$remoteIP2 = "10.1.1.0/24"
foreach($esx in Get-VMHost){
    $esxcli = Get-EsxCli -VMHost $esx
    foreach($service in $services){
        $esxcli.network.firewall.ruleset.allowedip.remove($remoteIP1,$service)
$esxcli.network.firewall.ruleset.allowedip.remove($remoteIP2,$service)
        }
    }
foreach($esx in Get-VMHost){
    $esxcli = Get-EsxCli -VMHost $esx
    foreach($service in $services){
        $esxcli.network.firewall.ruleset.set($true,$true,$service)
        }
    }

This scripts audits for these two services to sohow if they allow all IPs and reports any deviation:

$Services = "webAccess","sshServer"
foreach($esx in Get-VMHost){
    $esxcli = Get-EsxCli -VMHost $esx
$esx       
$esxcli.network.firewall.ruleset.allowedip.list('sshServer')
        $esxcli.network.firewall.ruleset.allowedip.list('webAccess')
    }

That should give you the name of the host that still lists IPs and doesn't list {All}:

Name                 ConnectionState PowerState NumCpu CpuUsageMhz CpuTotalMhz   MemoryUsageGB   MemoryTotalGB Version
----                 --------------- ---------- ------ ----------- -----------   -------------   ------------- -------
labesx01            ... Connected       PoweredOn      32         291       95760          12.188         255.654   6.7.0

AllowedIPAddresses : {All}
Ruleset            : sshServer


AllowedIPAddresses : {All}
Ruleset            : webAccess

vRealize Operations - %CSTP View

vRealize Operations - %CSTP View

I was asked to check a cluster to ensure the %CSTP value was looking ok. I didn't fancy logging in with putty onto 40 ESXi Hosts and wondered about an easier way. We had an older version of vRealize Operations Manager in play but I could see any articles on Google about creating a custom report or view specifically for this value. It had been a few months since I played with this product so this post is a refresher for myself in case I need to do this anywhere else in the future! It also might be useful for someone else at some point!

Prior to version 7.5 I wasn't really a fan. Since then they've really improved the built in views and reports and made it a much better product. That said, coming back to it after a period of time requires patience to figure out where everything is. The key thing we need is a view that selects a host and grabs the %CSTP value. Then we can use this is a dashboard or report for multiple hosts.

I'm using the Hands On Labs below - any of the "What's new in vROPS" will work fine for you if you want to try this. There are only two hosts and limited historical data due to the frozen nature of the lab itself but it should allow you to see some information before you try it in Production!

Start by selecting Dashboards and Views from the left

Select a New View and give it a name

 We want a trend as we want to see more than a single average value. Note: Increase the maximum plot lines to more than the potential number of hosts you may want to run this against. 25 is the default. I updated mine to 50 just in case.

Subjects is going to be found under the vCenter Adapter

Find and select Host System in the list

Under Data, select CPU and Select Co-Stop (ms)

Drag it over to the right hand side

DeSelect the Trend of the historical data and Forecast options. I'm just investigating specific incidents in the past

Select time settings and choose the period of time you want to show - 7 days is the default

Click Save

You now have your new view. 

I have a specific cluster I need to keep an eye on so a Dashboard with a fixed target would make life easier than having to keep selecting the same cluster all the time. 

Under Actions, choose Create Dashboard

Toggle the button down the bottom right to select "Views" and drag the Trend View into the main dashboard

Click on the pencil icon on the top right of the widget view to edit it. Change Self Provider to On and select the Cluster you want to report on. Select the %CSTP View on the right and Click Save. 

Now you will see each host in the cluster and the %CSTP value over the last week with a different colour for each Host. You can hover over the graph to pick out any host that is experiencing high %CSTP to identify it. 

The same view can also be used in a report that can be exported to PDF or CSV as follows:

Go to the Report View

Create a New Report

Select the View you created earlier and drag it over to the right

Accept all the remaining defaults

When you execute the report you can choose where to focus it. Sect vSphere Host and Clusters to be shown the Datacenter views so you can choose a specific cluster or host. 

You will get a PDF report like this:

If you have a lot of hosts it will make the legend disappear off page. I would scope the report more carefully than the dashboard which is more interactive. 

That's it! Hope this helps someone else out there!