There are times when an administrator needs to determine whether a specific address or set of addresses is covered by a firewall rule. This can occur when provisioning a new workload or troubleshooting connectivity. Example 8-AB below demonstrates finding a specific address in the destination parameter of
Find Address used in a Distributed Firewall Rule
PS /> Get-NsxFirewallRule -Destination "192.168.103.100" | select name

name
----
Internet Access
Default Rule NDP
Default Rule DHCP
Default Rule
The IP address has been detected in the destination field of four rules. The firewall rule Internet Access uses an IPSet that has three subnets defined from RFC1918. The rules returned for -Destination "192.168.103.100" are those where the address is found within explicitly defined IP addresses, IP ranges, or VM objects.
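The containment check behind such a match (single address, range, or subnet such as the RFC1918 blocks) can be reproduced offline. This is an added example, not PowerNSX code or code from the original post; the function names and the rule objects are hypothetical and constructed, and it handles IPv4 only.

```powershell
# Added example: IPv4 only, runs offline, uses no PowerNSX cmdlets.
# All function names and rule objects here are hypothetical / constructed.
function ConvertTo-AddressNumber {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address.Trim()).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only: $Address" }
    # Int64 arithmetic sidesteps signed 32-bit overflow for addresses >= 128.0.0.0
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-AddressInSpec {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Spec)
    $ip = ConvertTo-AddressNumber -Address $Address
    if ($Spec -match '^(.+)/(\d+)$') {                 # CIDR subnet
        $net = $Matches[1]; $prefix = [int]$Matches[2]
        if ($prefix -gt 32) { throw "Invalid prefix length in '$Spec'" }
        $size  = [long][math]::Pow(2, 32 - $prefix)    # addresses in the subnet
        $base  = ConvertTo-AddressNumber -Address $net
        $start = $base - ($base % $size)               # clear any host bits
        return ($ip -ge $start -and $ip -le ($start + $size - 1))
    }
    if ($Spec -match '^(.+)-(.+)$') {                  # inclusive range "a-b"
        $loText = $Matches[1]; $hiText = $Matches[2]
        $lo = ConvertTo-AddressNumber -Address $loText
        $hi = ConvertTo-AddressNumber -Address $hiText
        return ($ip -ge $lo -and $ip -le $hi)
    }
    return ($ip -eq (ConvertTo-AddressNumber -Address $Spec))   # single address
}

function Find-RuleByDestination {
    param([Parameter(Mandatory)]$Rules, [Parameter(Mandatory)][string]$Address)
    foreach ($rule in $Rules) {
        # Keep every destination entry that contains the address
        $hits = @($rule.Destination | Where-Object { Test-AddressInSpec -Address $Address -Spec $_ })
        if ($hits.Count -gt 0) { [pscustomobject]@{ Name = $rule.Name; MatchedOn = $hits -join ', ' } }
    }
}

# Constructed rules; 'Internet Access' is modelled as the three RFC1918 blocks
$sampleRules = @(
    [pscustomobject]@{ Name = 'Internet Access';   Destination = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') }
    [pscustomobject]@{ Name = 'Web Tier (sample)'; Destination = @('192.168.103.10-192.168.103.50') }
    [pscustomobject]@{ Name = 'DB Host (sample)';  Destination = @('192.168.104.20') }
)
Find-RuleByDestination -Rules $sampleRules -Address '192.168.103.100'
```

Of the constructed rules, only the one whose destination includes 192.168.0.0/16 is returned; the range and single-host entries do not cover 192.168.103.100.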
It is also possible to use the parameter -Destination to further control or scope this lookup. These parameters can take input from a string such as an IP address or subnet and even handle a Virtual Machine object or vNIC.
This is one of many feature enhancements in the upcoming v3 release of PowerNSX. The master development branch includes this feature along with a raft of new functionality if you cannot wait for the
Visit the GitHub repo to get started.