Port Group Network Security Policy Action

by Steve | July 2nd, 2009

I have done some posts on using PowerShell actions in vWire and have generally shared scripts that give basic functionality, such as starting and stopping a virtual machine, and scripts that help gather more information, such as returning the contents of a log file. Today's script is designed to address and resolve the Port Group Network Security Policy alert. This alert is enabled by default in vWire and fires when a port group does not have a fully hardened network security policy, that is, when any one of the three security options is set to Accept: promiscuous mode, forged transmits, or MAC address changes. Each of these is a mechanism a compromised or malicious guest can use to sniff other guests' traffic or to spoof its source MAC address, so the hardened value for all three is Reject.

This script has been posted on the vWire contributed content area of the website, and you can download the script here to import into your vWire environment. Below you will also find the code used in the script:

foreach ($vmhost in (Get-VMHost $input)) {
    # One Get-View per host is enough; the vSwitch loop only needs the host's spec objects.
    $hostview = $vmhost | Get-View
    $ns = Get-View -Id $hostview.ConfigManager.NetworkSystem
    foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost) {
        $vsConfig = $hostview.Config.Network.Vswitch | Where-Object { $_.Name -eq $vswitch.Name }
        $vsSpec = $vsConfig.Spec
        # Set all three security options to Reject, then apply the spec with a single reconfigure.
        $vsSpec.Policy.Security.AllowPromiscuous = $False
        $vsSpec.Policy.Security.ForgedTransmits  = $False
        $vsSpec.Policy.Security.MacChanges       = $False
        # UpdateVirtualSwitch returns nothing, so the status line is written after the call
        # rather than piped out of it (piping a void call into % prints nothing).
        $ns.UpdateVirtualSwitch($vswitch.Name, $vsSpec)
        "Updated vSwitch '" + $vswitch.Name + "' on host '" + $vmhost.Name + "': promiscuous mode, forged transmits and MAC address changes set to Reject"
    }
}

Make sure to take note of the use of the $input variable above to help you in writing your own scripts. This is the piped information from the vWire server. This script is written as a host script, so the host name is what is piped in from vWire, and I am using two foreach loops to get all the VMware ESX hosts and all the vSwitch names. One caveat worth knowing: the script sets the policy on each vSwitch, which is the policy every port group on that switch inherits by default. A port group that has its own security policy override keeps that override, so if the alert still fires after running this, check the port group's own settings (HostNetworkSystem.UpdatePortGroup is the call that changes those).
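The following is an added example written for this page, not the script from the post or any vWire-supplied code. It goes one step beyond the script above: it audits the three security settings on every standard vSwitch and on every port group that overrides the vSwitch policy, reports what it finds, and (unless -AuditOnly is given) sets them to Reject. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the $HostName parameter stands in for the host name that vWire pipes in as $input, and the function name Set-HardenedNetworkSecurityPolicy is an invented one.

```powershell
# Added example, not the post's script or vWire's own code. Audit and, unless -AuditOnly is
# given, harden the network security policy on every standard vSwitch and on every port group
# that overrides it. Assumes PowerCLI is loaded and Connect-VIServer has already been run.
# $HostName stands in for the host name vWire pipes in as $input.
function Set-HardenedNetworkSecurityPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [switch]$AuditOnly
    )

    # Returns the names of the settings that are set to Accept on a HostNetworkSecurityPolicy.
    # On a port group, $null means "inherit from the vSwitch", which is not a violation here.
    function Get-EnabledSettings($sec) {
        $enabled = @()
        if ($sec.AllowPromiscuous) { $enabled += 'AllowPromiscuous' }
        if ($sec.ForgedTransmits)  { $enabled += 'ForgedTransmits' }
        if ($sec.MacChanges)       { $enabled += 'MacChanges' }
        return $enabled
    }

    $action = if ($AuditOnly) { 'reported' } else { 'set to Reject' }

    foreach ($vmhost in Get-VMHost -Name $HostName) {
        $hostView = Get-View -Id $vmhost.Id
        $ns = Get-View -Id $hostView.ConfigManager.NetworkSystem

        # 1. vSwitch-level policy: the default that every port group on the switch inherits.
        foreach ($vs in $hostView.Config.Network.Vswitch) {
            $spec = $vs.Spec
            $enabled = Get-EnabledSettings $spec.Policy.Security
            if (-not $enabled) { continue }   # already fully hardened
            if (-not $AuditOnly) {
                $spec.Policy.Security.AllowPromiscuous = $false
                $spec.Policy.Security.ForgedTransmits  = $false
                $spec.Policy.Security.MacChanges       = $false
                # One reconfigure per switch; UpdateVirtualSwitch returns nothing, so report afterwards.
                $ns.UpdateVirtualSwitch($vs.Name, $spec)
            }
            New-Object PSObject -Property @{
                Host    = $vmhost.Name
                Object  = "vSwitch $($vs.Name)"
                Enabled = ($enabled -join ',')
                Action  = $action
            }
        }

        # 2. Port-group overrides: a port group with its own Security block ignores the vSwitch
        #    setting, so hardening the switch alone leaves that port group exposed.
        foreach ($pg in $hostView.Config.Network.Portgroup) {
            $spec = $pg.Spec
            if ($null -eq $spec.Policy.Security) { continue }   # nothing overridden, inherits vSwitch
            $enabled = Get-EnabledSettings $spec.Policy.Security
            if (-not $enabled) { continue }
            if (-not $AuditOnly) {
                $spec.Policy.Security.AllowPromiscuous = $false
                $spec.Policy.Security.ForgedTransmits  = $false
                $spec.Policy.Security.MacChanges       = $false
                # Port groups are reconfigured by name with their own (read-back) spec.
                $ns.UpdatePortGroup($spec.Name, $spec)
            }
            New-Object PSObject -Property @{
                Host    = $vmhost.Name
                Object  = "PortGroup $($spec.Name) (vSwitch $($spec.VswitchName))"
                Enabled = ($enabled -join ',')
                Action  = $action
            }
        }
    }
}

# Usage (assumed host name): audit first, then apply once the report looks right.
# Set-HardenedNetworkSecurityPolicy -HostName 'esx01.example.com' -AuditOnly | Format-Table -AutoSize
# Set-HardenedNetworkSecurityPolicy -HostName 'esx01.example.com' | Format-Table -AutoSize
```

The function emits one object per switch or port group it touched, so the output can be piped to Format-Table or Export-Csv as a change record. Running with -AuditOnly first matters in practice: a port group may have promiscuous mode enabled on purpose (an IDS sensor or a nested-ESX lab), and the audit shows exactly which objects the hardening run would change before it changes them.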

Until next time, happy scripting!!!



This entry was posted on Thursday, July 2nd, 2009 at 12:34 pm and is filed under Virtual Tech.
