There are times when an administrator will need to determine if a specific address, or set of addresses, is covered by a firewall rule. This can occur when provisioning a new workload or troubleshooting connectivity. Example 8-AB below demonstrates finding a specific address in the destination parameter of Get-NsxFirewallRule.
Find Address used in a Distributed Firewall Rule
PS /> Get-NsxFirewallRule -Destination "192.168.103.100" | select name

name
----
Internet Access
Default Rule NDP
Default Rule DHCP
Default Rule
The IP address has been detected in the destination field of four rules. The destination of the Internet Access rule is an IPSet containing the three RFC 1918 subnets, which is why that rule matches. The rules returned for -Destination "192.168.103.100" are those whose destination covers the address through an explicitly defined IP address, an IP range, or a VM object.
It is also possible to use the parameter -Source or -Both alongside -Destination to further control or scope this lookup. These parameters can take input from a string such as an IP address or subnet, and can even handle a Virtual Machine object or vNIC.
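To show the kind of matching the lookup above performs, here is an added Python example (not PowerNSX code) that checks an address against a constructed rule set whose members are explicit IPs, a-b ranges, CIDR subnets standing in for the RFC 1918 IPSet, or "any"; treating "any" as a match and reading "both" as a hit in either field are assumptions, not documented cmdlet behaviour.

```python
import ipaddress

# Constructed rules mirroring the post's output: "Internet Access" carries the
# three RFC 1918 subnets; the default rules are assumed to match "any".
RULES = [
    {"name": "Internet Access", "source": ["any"],
     "destination": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    {"name": "Default Rule NDP", "source": ["any"], "destination": ["any"]},
    {"name": "Default Rule DHCP", "source": ["any"], "destination": ["any"]},
    {"name": "Default Rule", "source": ["any"], "destination": ["any"]},
    {"name": "Web to DB", "source": ["192.168.103.10-192.168.103.20"],
     "destination": ["192.168.104.5"]},
]


def member_covers(member, addr):
    """True if one rule member (IP, CIDR subnet, a-b range or 'any') covers addr."""
    if member.lower() == "any":          # assumption: 'any' matches every address
        return True
    if "-" in member:                    # explicit IP range "first-last"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in member.split("-", 1))
        return lo <= addr <= hi
    # A bare IP parses as a /32 network, so IPs and subnets share one path
    return addr in ipaddress.ip_network(member, strict=False)


def find_rules(address, field="destination", rules=RULES):
    """Map rule name -> members that cover the address in the chosen field.

    field is 'source', 'destination' or 'both'; 'both' (assumed semantics)
    reports a rule when either field covers the address.
    """
    addr = ipaddress.ip_address(address)
    fields = ("source", "destination") if field == "both" else (field,)
    hits = {}
    for rule in rules:
        matched = [m for f in fields for m in rule[f] if member_covers(m, addr)]
        if matched:
            hits[rule["name"]] = matched
    return hits


if __name__ == "__main__":
    for name, members in find_rules("192.168.103.100").items():
        print(f"{name}: matched via {', '.join(members)}")
```

The report shows not just which rules matched but which member caused the match, so a broad IPSet hit is distinguishable from an explicit address.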
This is one of many feature enhancements in the upcoming v3 release of PowerNSX. If you cannot wait for the v3 release, the master development branch includes this feature along with a raft of new functionality.
Visit the GitHub repo to get started.