Documenting the NSX-v DFW with PowerNSX

Documenting firewall configuration is challenging at the best of times: in most enterprise networks there are tens of thousands of lines of ACLs that have been added organically over time across any number of firewalls. The documentation of that policy is normally the actual configuration you see on the console in front of you, which is fine, but depending on the vendor it may be difficult to extract that data into a more usable format.

The Distributed Firewall in NSX-v presents the same challenge: the configuration exists in NSX Manager and is viewed via the vSphere Web Client, but an export of the policy is available in XML format only. That is a problem, because ideally I want the policy in a format I can use in tools such as MS Excel.

I could always document the policy manually, but that would be monotonous and I’d rather be playing basketball on my weekends 😉 So when I started looking into a mechanism to create the documentation, I originally thought about using Python to make a REST call to the NSX-v API, grab the data and then spit it out into an Excel workbook using an existing Excel/Python module. However, at around the same time, Nick Bradford had just released PowerNSX, a PowerShell module for working with NSX-v, so I figured why not give that a go and pick up some PowerShell chops at the same time.

If you head over to my GitHub repository, you can find the script along with some instructions on how to run it, but for the curious, here’s a link to the sample Excel Workbook that gets created (keep in mind your workbook would most likely be much more verbose).
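To show the approach in working code, here is an added example of flattening the DFW rule table with PowerNSX. It is not the script from my GitHub repository, and it writes a CSV with Export-Csv rather than an Excel workbook so that it runs with nothing but PowerNSX installed; the vCenter host name is a placeholder, and the column layout and the `ReviewFlag` column (which marks allow rules with no source, destination or service restriction, the rules a policy review normally looks at first) are my own choices. Each referenced object is written as `name (object-id)`, for example `Web-Tier (securitygroup-12)`, so the spreadsheet also carries the value needed for API calls or central CLI commands.

```powershell
# Added example, not the author's script: flatten the NSX-v DFW into one row
# per rule for review in Excel or any CSV-aware tool.
# Assumes the PowerNSX module is installed; the vCenter name is a placeholder
# and Connect-NsxServer will prompt for credentials.
Import-Module PowerNSX
Connect-NsxServer -vCenterServer 'vcenter.example.local'

# Render the objects referenced by a rule (sources, destinations, services,
# appliedTo) as "name (object-id)"; a rule field with no objects means "any".
# Raw protocol/port services in the rule XML have no name or value, so those
# are rendered as "protocol/port" instead.
function Format-NsxRuleObject {
    param($Object)
    if (-not $Object) { return 'any' }
    ($Object | ForEach-Object {
        if ($_.name) { "$($_.name) ($($_.value))" }
        else         { "$($_.protocolName)/$($_.destinationPort)" }
    }) -join '; '
}

$rows = Get-NsxFirewallSection | ForEach-Object {
    $section = $_
    $section | Get-NsxFirewallRule | ForEach-Object {
        $src = Format-NsxRuleObject $_.sources.source
        $dst = Format-NsxRuleObject $_.destinations.destination
        $svc = Format-NsxRuleObject $_.services.service
        [pscustomobject]@{
            Section     = $section.name
            RuleId      = $_.id
            RuleName    = $_.name
            Disabled    = $_.disabled
            Source      = $src
            Destination = $dst
            Service     = $svc
            AppliedTo   = Format-NsxRuleObject $_.appliedToList.appliedTo
            Action      = $_.action
            Logged      = $_.logged
            # Review aid (my addition): an allow rule restricted on nothing at all
            ReviewFlag  = $(if ($_.action -eq 'allow' -and $src -eq 'any' -and
                               $dst -eq 'any' -and $svc -eq 'any') { 'any-any allow' } else { '' })
        }
    }
}

$rows | Export-Csv -Path '.\nsx-dfw-rules.csv' -NoTypeInformation
# Quick on-screen summary of the rules worth a second look
$rows | Where-Object ReviewFlag | Format-Table Section, RuleId, RuleName, Action -AutoSize
```

Open the CSV in Excel and filter on the `Section` or `ReviewFlag` columns; because the object ids are in the sheet, a row can be taken straight to the API or central CLI without looking the object up in the Web Client first.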

Where to find more information on PowerNSX

The PowerNSX GitHub Repository should be your first port of call for more information, but I also recommend checking out Anthony Burke’s Blog.

Screen Grab of Sample Excel Workbook

Please download the latest sample Excel Workbook for an up-to-date preview.

4 thoughts on “Documenting the NSX-v DFW with PowerNSX”

  1. Looks very useful. One thing I’d like to see added to future versions is the inclusion of the object value (i.e., ipset-12). Having that information in the table makes it easier to quickly make API calls or run central CLI commands as you have the needed information in the spreadsheet.

  2. This is a fantastic idea and this capability is very much needed in NSX, where it is not possible to easily review all rules with a “show access-list” command. However, after reading through your script comments/remarks, I have a few questions.

    Will the script …

    1.) Document VMs which are statically added to a security group? If not, why?

    2.) Document firewall rules which were defined using service composer? If not, why?

    Thanks and keep up the good work!

  3. Hi Iain,

    Thanks, yes that was precisely the idea 🙂

    1. Statically added VMs are not documented yet; I will try and add this functionality in the near future.
    2. If Service Composer is used to create policy and that security policy is applied to a security group, then a new section is created in the DFW Rule table, which means it is documented by the script. However, the security policy on its own in Service Composer is not documented.

    If you have any ideas that you would like added to the script, please visit the Github page and add it to the issues page and I’ll be able to track my progress against it.

    Thanks 🙂
