Scripting – Resetting NSX-v objects

On various engagements I am involved with, I often need to produce some code to add or delete objects from NSX-v. These objects in general are things like IP Sets, MAC Sets, Security Groups, Security Tags, Services, Service Groups, Security Policies and even deleting the FW rulebase itself.

Until recently I was doing this manually as I was dealing with relatively small numbers of objects, however on a previous engagement I was working on a script to import up to 33,000 objects and when testing the script in a dev environment, we needed a way to go through and delete everything we had just imported and set it back to “defaults”.

So the following script was born which essentially “resets” the different NSX-v components to their defaults.

The script is hosted on my GitHub site as I am constantly developing this one.

WARNING: This script is dangerous and has the potential to delete items you may not want deleted. Only use this script in a dev/test environment unless you are 100% sure what you are doing.

To view the options for the script, you can use the following command:

The following are some examples on various objects that can be deleted:

Deleting IP Sets

This will delete all IP Sets configured in NSX-v (excluding hidden/system required objects):

Deleting Services

This will delete all NSX-v services (excluding default configured services):

Deleting Security Groups

This will delete all security groups configured in NSX-v (excluding hidden/system required objects):

Deleting Service Groups

This will delete all NSX-v service groups (excluding default configured services):

Deleting MAC Sets

This will delete all MAC Sets configured in NSX-v (except  hidden/system required objects):

Deleting Security Policies (Service Composer)

This will delete all Service Composer Security Policies configured in NSX-v (except all the hidden/system required objects):

Deleting Security Tags

This will delete all Security Tags configured in NSX-v (except all the hidden/system required objects):

Deleting Firewall Rules

This will delete all firewall rules configured and reset the rulebase to the default rules:

Deleting multiple object types

You can use multiple options to delete multiple object types in the one command like the example below:

Hidden Option (–force)

There are often times where you would like to remove all the default configured services and service groups from NSX-v. Whether it’s because you don’t like what’s configured, or you will be importing your own via some other means, and the default ones will be irrelevant. The command below will delete the services and service groups configured during a default installation, only leaving the following list of service objects as they are required when resetting the firewall rules back to defaults.

  • DHCP-Client
  • DHCP-Server
  • IPv6-ICMP Neighbor Advertisement
  • IPv6-ICMP Neighbor Solicitation




Leave a Reply