
vCloud API and PowerCLI - Import/Export vShield Edge FW Rules

There have been a few occasions where I’ve needed either to bulk-upload firewall rules to a vShield Edge or to keep the rulesets on two vShield Edges in sync with each other (e.g. for DR purposes). There are a few examples online of doing this against vShield Manager (see Alan Renouf’s vShield modules), but I needed to do it via the vCloud API. If I configured rules via the vShield API, vCloud Director would have no knowledge of the changes and they would be overwritten the next time an update was made through vCloud Director. I also wanted a solution that tenants/customers could use, so it had to go through the vCloud API.

What follows is the result of conversations/inspiration from the VMTN forums (specifically this thread), lots of reading of the vCloud API spec and copious amounts of trial and error. I’m by no means a programmer, so I apologise if my code offends anyone, but it did the job for me and hopefully it can help someone else.

Run the scripts from a PowerCLI session that is already logged on to the vCloud Director instance you want to work with (i.e. run Connect-CIServer -Server <url> first).

Export Script

Run the script passing the following parameters:
• -file or -f = The CSV file to export rules to
• -edge or -e = The Edge Gateway name

As an example:
./export-vse-fw-rules.ps1 -f myfwrules.csv -e "My vShield Edge"

Import Script

Usage for the import script is the same as for the export script. You can specify a different vShield Edge to import the rules to, or connect to a different vCloud Director instance first. If you just want to import a set of rules (perhaps the vShield Edge is replacing another firewall), you can make up your own CSV file in the same format and use this script to import it.

Run the script passing the following parameters:
• -file or -f = The CSV file containing the rules to import
• -edge or -e = The Edge Gateway name

As an example:
./import-vse-fw-rules.ps1 -f myfwrules.csv -e "My vShield Edge"
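As an added example that is not the post’s own scripts, here is a pair of PowerCLI functions that do the same round trip through the vCloud API: export an Edge Gateway’s firewall rules to a CSV, and push a CSV back with the edge view’s ConfigureServices method, so vCloud Director stays the source of truth. It assumes an existing Connect-CIServer session, PowerShell 3 or later, and that your PowerCLI version exposes the vCloud API 5.1 object layout named in the comments (EdgeGateway view > Configuration > EdgeGatewayServiceConfiguration > NetworkService, the FirewallService, FirewallRule and FirewallRuleTypeProtocols view types, and ConfigureServices). Those names and the CSV column layout are my assumptions, not the author’s format, so check them with Get-Member on your own installation before relying on this.

```powershell
# Added example, not the post's scripts. Round-trips Edge Gateway firewall rules through a
# CSV via the vCloud views PowerCLI exposes. Assumption: the view layout follows the vCloud
# API 5.1 schema. Check on your version with:
#   (Search-Cloud -QueryType EdgeGateway -Name 'X' | Get-CIView).Configuration | Get-Member

function Get-EdgeFirewallContext {
    param([Parameter(Mandatory=$true)][string]$EdgeName)
    # Edge names are not globally unique for a provider admin; refuse anything but one match
    # so rules never land on the wrong edge.
    $edges = @(Search-Cloud -QueryType EdgeGateway -Name $EdgeName | Get-CIView)
    if ($edges.Count -ne 1) { throw "Expected one Edge Gateway named '$EdgeName', found $($edges.Count)" }
    $services = $edges[0].Configuration.EdgeGatewayServiceConfiguration
    $fw = @($services.NetworkService | Where-Object {
        $_ -is [VMware.VimAutomation.Cloud.Views.FirewallService] })
    if ($fw.Count -ne 1) { throw "No (or more than one) FirewallService on '$EdgeName'; enable the firewall in vCD first" }
    return @{ Edge = $edges[0]; Services = $services; Firewall = $fw[0] }
}

function ConvertTo-Bool([string]$Text, [bool]$Default) {
    # Blank CSV cells map to a stated default rather than throwing on [bool]::Parse('').
    if ([string]::IsNullOrWhiteSpace($Text)) { return $Default }
    return [System.Convert]::ToBoolean($Text)
}

function Export-EdgeFirewallRules {
    param([Parameter(Mandatory=$true)][string]$EdgeName,
          [Parameter(Mandatory=$true)][string]$File)
    $ctx = Get-EdgeFirewallContext -EdgeName $EdgeName
    $rows = foreach ($rule in @($ctx.Firewall.FirewallRule)) {
        # Flatten the Protocols sub-object into one column: 'any', or 'tcp+udp' style.
        $p = @()
        if ($rule.Protocols.Any) { $p = @('any') }
        else {
            if ($rule.Protocols.Tcp)  { $p += 'tcp' }
            if ($rule.Protocols.Udp)  { $p += 'udp' }
            if ($rule.Protocols.Icmp) { $p += 'icmp' }
        }
        New-Object PSObject -Property ([ordered]@{
            Description     = $rule.Description
            IsEnabled       = $rule.IsEnabled
            Policy          = $rule.Policy              # 'allow' or 'drop'
            Protocol        = ($p -join '+')
            SourceIp        = $rule.SourceIp            # IP, CIDR, range, 'Any', 'internal', 'external'
            SourcePort      = $rule.SourcePortRange
            DestinationIp   = $rule.DestinationIp
            DestinationPort = $rule.DestinationPortRange
            EnableLogging   = $rule.EnableLogging
        })
    }
    $rows | Export-Csv -Path $File -NoTypeInformation -Encoding UTF8
    # The default action is per service, not per rule, so it is reported rather than exported.
    Write-Host ("Exported {0} rule(s) from '{1}' (default action: {2})" -f @($rows).Count, $EdgeName, $ctx.Firewall.DefaultAction)
}

function Import-EdgeFirewallRules {
    param([Parameter(Mandatory=$true)][string]$EdgeName,
          [Parameter(Mandatory=$true)][string]$File)
    $rows = @(Import-Csv -Path $File)
    if ($rows.Count -eq 0) { throw "No rules in '$File'; refusing to push an empty ruleset" }
    $ctx = Get-EdgeFirewallContext -EdgeName $EdgeName
    $rules = foreach ($row in $rows) {
        if (@('allow','drop') -notcontains $row.Policy) { throw "Rule '$($row.Description)': Policy must be allow or drop" }
        $rule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
        $rule.Description = $row.Description
        $rule.IsEnabled   = ConvertTo-Bool $row.IsEnabled $true
        $rule.Policy      = $row.Policy
        $rule.Protocols   = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
        foreach ($proto in ($row.Protocol -split '\+')) {
            switch ($proto.Trim().ToLower()) {
                'any'   { $rule.Protocols.Any  = $true }
                'tcp'   { $rule.Protocols.Tcp  = $true }
                'udp'   { $rule.Protocols.Udp  = $true }
                'icmp'  { $rule.Protocols.Icmp = $true }
                default { throw "Rule '$($row.Description)': unknown protocol '$proto'" }
            }
        }
        $rule.SourceIp             = $row.SourceIp
        $rule.SourcePortRange      = $row.SourcePort
        $rule.DestinationIp        = $row.DestinationIp
        $rule.DestinationPortRange = $row.DestinationPort
        $rule.EnableLogging        = ConvertTo-Bool $row.EnableLogging $false
        $rule
    }
    # ConfigureServices posts the whole service configuration back, so the firewall ruleset
    # becomes exactly the CSV (in CSV order, which is the evaluation order). NAT, DHCP, VPN
    # etc. are carried over unchanged because we reuse the edge's own configuration object.
    $ctx.Firewall.FirewallRule = [VMware.VimAutomation.Cloud.Views.FirewallRule[]]$rules
    $ctx.Edge.ConfigureServices($ctx.Services)
    Write-Host ("Pushed {0} rule(s) to '{1}'" -f @($rules).Count, $EdgeName)
}

# Usage, after Connect-CIServer -Server vcd.example.com (hostname is illustrative):
#   Export-EdgeFirewallRules -EdgeName 'My vShield Edge' -File .\myfwrules.csv
#   Import-EdgeFirewallRules -EdgeName 'DR vShield Edge' -File .\myfwrules.csv
```

Two things to check before using this in anger: the import replaces the target edge’s entire ruleset with the CSV contents, so export the target first and keep that file as your rollback, and the firewall’s default action (allow or drop) is a property of the service rather than of any rule, so it is not carried in the CSV and must match on both edges if you are keeping a DR pair in sync. Rule IDs are deliberately left out as well; vCloud Director assigns them on ConfigureServices.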

This post is licensed under CC BY 4.0 by the author.