I have been testing and validating PowerNSX lately while making some new cmdlets. These cmdlets are related to Security Tags. I am a person who wants to work on a clean environment each time, to make sure I get the results I expect and not spurious results because of a dirty environment.
Here I can see I need to clean up the Security Tags ST-T1-* because I need to re-test the script! I could click each one or issue get-nsxsecuritytag "ST-T1-CONFIDENTIAL" | Remove-NsxSecurityTag -confirm:$false for each tag. That is slow and not ideal.
get-nsxsecuritytag | ft name

name
----
Anthony
ST-T1-CONFIDENTIAL
ST-T1-PROTECTED
ST-T1-3TA-DB
ST-T1-TOPSECRET
ST-T1-3TA-APP
ST-T1-NEWAPP-FLAT
ST-T1-SECRET
ST-T1-3TA-WEB
ST.Web
ST.App
ST.Db
ST.Bookstore
VULNERABILITY_MGMT.VulnerabilityFound.threat=high
ANTI_VIRUS.VirusFound.threat=low
ANTI_VIRUS.VirusFound.threat=medium
IDS_IPS.threat=high
DATA_SECURITY.violationsFound
IDS_IPS.threat=low
AntiVirus.virusFound
VULNERABILITY_MGMT.VulnerabilityFound.threat=low
VULNERABILITY_MGMT.VulnerabilityFound.threat=medium
IDS_IPS.threat=medium
ANTI_VIRUS.VirusFound.threat=high
Here we can see a number of default and additional Security Tags. Get-NsxSecurityTag will reveal all known tags. I am piping the name field to Format-Table (ft) for easy reading.
Now for a bit of fun. I am using Where-Object (the ? alias). The first stage of the pipeline gets the objects from Get-NsxSecurityTag. The second stage takes those objects and looks for any match of "ST-T" in the name field. The result is then output as a table.
get-nsxsecuritytag | ? {$_.name -match ("ST-T")} | ft name

name
----
ST-T1-CONFIDENTIAL
ST-T1-PROTECTED
ST-T1-3TA-DB
ST-T1-TOPSECRET
ST-T1-3TA-APP
ST-T1-NEWAPP-FLAT
ST-T1-SECRET
ST-T1-3TA-WEB
The reason I run this is to ensure that what the -match operator matches in the name field is what I expect. I am performing a destructive action and it is better to check beforehand than have the "resume generating transaction" occur.
Happy that I am matching exactly what I want, it is time to pipe the match to Remove-NsxSecurityTag.
get-nsxsecuritytag | ? {$_.name -match ("ST-T")} | Remove-NsxSecurityTag -confirm:$false
This will take all objects retrieved then found matching ST-T and push them through the Remove-NsxSecurityTag command. This will delete them without prompt because I am using -confirm:$false.
Now to run the previous command again to get Security Tags whose name matches "ST-T":
get-nsxsecuritytag | ? {$_.name -match ("ST-T")} | ft name
No output! Job's done. You can create a number of these. For the scripts that I make and put on this site, I am endeavouring to have the relevant teardown! I do this for all sorts of network constructs: Switches, Routers, Edges, Security Groups. Software networking, baby! This can be done in your environment now without physical network changes! Wee!
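The preview step above matters because -match is an unanchored, case-insensitive regular expression, so "ST-T" selects any tag whose name merely contains that text. The following is an added example, not code from the post or from PowerNSX: Select-TagsForTeardown and Remove-TeardownTag are hypothetical helpers, and the tags PROD-LIST-TIER1 and st-test are constructed sample data. It anchors and escapes the prefix, previews by default, and re-queries after deletion.

```powershell
# Added example, not PowerNSX code. Select-TagsForTeardown and
# Remove-TeardownTag are hypothetical helpers.
function Select-TagsForTeardown {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Tag,
        [Parameter(Mandatory)] [string] $Prefix
    )
    # -match is an unanchored, case-insensitive regex, so "ST-T" hits any name
    # that merely contains it. Escape the prefix (tag names such as ST.Web
    # contain regex metacharacters), anchor it, and compare case-sensitively.
    $pattern = '^' + [regex]::Escape($Prefix)
    $Tag | Where-Object { $_.name -cmatch $pattern }
}

function Remove-TeardownTag {
    param([Parameter(Mandatory)] [string] $Prefix, [switch] $Commit)
    $doomed = @(Select-TagsForTeardown -Tag @(Get-NsxSecurityTag) -Prefix $Prefix)
    if (-not $Commit) { return $doomed.name }        # default: preview only
    $doomed | Remove-NsxSecurityTag -Confirm:$false
    # Re-query, as the post does, and warn if anything survived.
    $left = @(Select-TagsForTeardown -Tag @(Get-NsxSecurityTag) -Prefix $Prefix)
    if ($left.Count -gt 0) { Write-Warning "Still present: $($left.name -join ', ')" }
}

# Offline comparison on constructed data: names from the listing above plus two
# constructed tags (PROD-LIST-TIER1, st-test) that are not part of the test set.
$sample = 'Anthony', 'ST-T1-CONFIDENTIAL', 'ST-T1-3TA-DB', 'ST.Web',
          'PROD-LIST-TIER1', 'st-test', 'IDS_IPS.threat=high' |
    ForEach-Object { [pscustomobject]@{ name = $_ } }

$loose  = @($sample | Where-Object { $_.name -match 'ST-T' })
$strict = @(Select-TagsForTeardown -Tag $sample -Prefix 'ST-T1-')
"loose  (-match 'ST-T'): $($loose.name -join ', ')"
"strict (^ST-T1-)      : $($strict.name -join ', ')"

# With a PowerNSX session connected:
#   Remove-TeardownTag -Prefix 'ST-T1-'            # lists what would go
#   Remove-TeardownTag -Prefix 'ST-T1-' -Commit    # deletes, then re-checks
```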
When will the securitytag cmdlets be included in PowerNSX?
Check branch – Dev. It is in there.
There is a large update inbound very shortly!
Thanks. Do you know when the update will be released?
Have a look at the dev branch. There are a lot of new things in there for now.
-anthony