I have been testing and validating PowerNSX lately when making the some new cmdlets. These cmdlets have been related to Security Tags. I am a person who wants to ensure I work on a clean environment each time to make sure I get the results I expect and not have spurious results because of a dirty environment.

Here I can see I need to clean up the Security Tags ST-T1-* because I need to re-test the script! I could click each one or issue get-nsxsecuritytag “ST-T1-CONFIDENTIAL” | Remove-NsxSecurityTag -confirm:$false for each tag. That is slow and not idea.

get-nsxsecuritytag | ft name

name
----
Anthony
ST-T1-CONFIDENTIAL
ST-T1-PROTECTED
ST-T1-3TA-DB
ST-T1-TOPSECRET
ST-T1-3TA-APP
ST-T1-NEWAPP-FLAT
ST-T1-SECRET
ST-T1-3TA-WEB
ST.Web
ST.App
ST.Db
ST.Bookstore
VULNERABILITY_MGMT.VulnerabilityFound.threat=high
ANTI_VIRUS.VirusFound.threat=low
ANTI_VIRUS.VirusFound.threat=medium
IDS_IPS.threat=high
DATA_SECURITY.violationsFound
IDS_IPS.threat=low
AntiVirus.virusFound
VULNERABILITY_MGMT.VulnerabilityFound.threat=low
VULNERABILITY_MGMT.VulnerabilityFound.threat=medium
IDS_IPS.threat=medium
ANTI_VIRUS.VirusFound.threat=high

Here we can see a number of default and additional Security Tags. Get-NsxSecurityTag will reveal all know tags. I am piping the name field to format table for easy reading.

Now for a bit of fun. I am using the where is command. What the first pipe is doing is getting the objects from get-nsxsecurity tag. The second pipe is taking the objects from the first pipe and is looking for any match of “ST-T” in the name field. It is then outputting it to a table.

get-nsxsecuritytag | ? {$_.name -match ("ST-T")} | ft name

name
----
ST-T1-CONFIDENTIAL
ST-T1-PROTECTED
ST-T1-3TA-DB
ST-T1-TOPSECRET
ST-T1-3TA-APP
ST-T1-NEWAPP-FLAT
ST-T1-SECRET
ST-T1-3TA-WEB

The reason I run this is to ensure what I am matching by the -match command in the name field is what I am expected. I am performing a destructive action and it is better to check before than have the “resume generating transaction’ occur.

Happy that I am matching exactly what I want it to it is time to pipe the match to Remove-NsxSecurityTag.

get-nsxsecuritytag | ? {$_.name -match ("ST-T")} | Remove-NsxSecurityTag -confirm:$false

This will take all objects retrieved then found matching ST-T and push them through the Remove-NsxSecurityTag command. This will delete them without prompt because I am using -confirm:$false.

Now to run the previous command to get Security Tags matching on name “ST-T”

get-nsxsecuritytag | ? {$_.name -match ("ST-T")} | ft name

No output! Jobs done. You can create a number of these. The scripts that I make and put on this site I am endeavouring to have the relevant tear down! I do this for all sorts of network constructs – Switches, Routers, Edges, Security Groups. Software networking baby – this can be done in your environment now without physical network changes! Wee!