Manage Windows Firewall with Powershell 3

Windows Firewall is the default built-in solution for packet and connection filtering in the Windows OS family. With the introduction of the new PowerShell version, Microsoft shipped a set of commands to manage this component effectively.

Windows firewall with advanced security

Retrieve the commands

Let’s start a PowerShell console with administrative privileges and query all commands which might help us manage the firewall. My approach was to list every command whose noun contains “firewall”:

Get-Command *-*firewall*

or

Get-Command -Noun "*firewall*"

Both output the following commands:

Copy-NetFirewallRule
Disable-NetFirewallRule
Enable-NetFirewallRule
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
New-NetFirewallRule
Remove-NetFirewallRule
Rename-NetFirewallRule
Set-NetFirewallAddressFilter
Set-NetFirewallApplicationFilter
Set-NetFirewallInterfaceFilter
Set-NetFirewallInterfaceTypeFilter
Set-NetFirewallPortFilter
Set-NetFirewallProfile
Set-NetFirewallRule
Set-NetFirewallSecurityFilter
Set-NetFirewallServiceFilter
Set-NetFirewallSetting
Show-NetFirewallRule

Commands to manage the firewall

Working with profiles

To get information about profiles, use Get-NetFirewallProfile:

Get-NetFirewallProfile | fl *

Note: fl is an alias for Format-List, which displays the information in list view; the star includes every property.

Use the Name parameter to specify a profile name; wildcard characters are allowed here.

Get-NetFirewallProfile -name private

Get-NetFirewallProfile

To modify settings, use the Set pair of this command: Set-NetFirewallProfile.

To enable or disable the firewall for a profile, first specify the name, then set the Enabled parameter to false or true (as strings) respectively.

Set-NetFirewallProfile -name domain -Enabled "false"

Enable/Disable firewall profile

To work with multiple profiles, use a wildcard in the name. For example, to turn the firewall off in all profiles:

Set-NetFirewallProfile -name * -Enabled "false"

If you want to configure something in all profiles, use the All switch and omit the Name parameter.

Set-NetFirewallProfile -All -Enabled "true"

To modify the default behavior when a connection does not match any rule, use the DefaultInboundAction and DefaultOutboundAction parameters. Specify Block or Allow as the value.

Set-NetFirewallProfile -name domain -DefaultInboundAction Block -DefaultOutboundAction Block

DefaultInboundAction and DefaultOutboundAction parameters

You can also exclude interfaces from a profile; just specify the interface’s name after DisabledInterfaceAliases.

Set-NetFirewallProfile -name domain -DisabledInterfaceAliases Ethernet

Protected network connections

To reset this back to the original state, where all interfaces are protected, use the NotConfigured string.

Set-NetFirewallProfile -name domain -DisabledInterfaceAliases NotConfigured

The options under “Specify settings that control Windows Firewall behavior” can be modified with the following command:

Set-NetFirewallProfile -name domain -AllowUnicastResponseToMulticast false -NotifyOnListen false

The parameters mean:

  • NotifyOnListen: whether to display a notification
  • AllowUnicastResponseToMulticast: whether unicast responses to multicast or broadcast traffic are allowed

Display notification, allow unicast response

Manage the logfile

Managing the logfile is quite useful, for instance to change the default location of the logfile, the logging behavior or the file size.

Default log settings

LogFileName is a self-explanatory option: just specify the path with the filename at the end (don’t forget to create the folder and configure permissions for the firewall service account, otherwise nothing will be written).

Set-NetFirewallProfile -name domain -LogFileName "D:\FWLOG\domain.log"

Logfile path and filename

To configure a bigger file size, specified in kilobytes:

Set-NetFirewallProfile -name domain -LogMaxSizeKilobytes 10240

And to enable logging of dropped packets and successful connections:

Set-NetFirewallProfile -name domain -LogAllowed true -LogBlocked true

File size and log options
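Putting the profile and logging settings together, here is an added example (not from the original post) that applies one baseline to all three profiles and then reads the result back. It assumes an elevated PowerShell 3 session on Windows 8 / Server 2012 and that D:\FWLOG is an acceptable log location on this host.

```powershell
# Added example: hardened baseline for every profile, with per-profile logs.
# Assumes an elevated session and that D:\FWLOG may be used for the log files.
$LogDir = 'D:\FWLOG'

# The firewall service (MpsSvc) writes the log itself, so the folder must exist
# and grant that service account modify rights, or no log file will appear.
if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}
icacls $LogDir /grant 'NT SERVICE\MpsSvc:(OI)(CI)M' | Out-Null

foreach ($ProfileName in 'Domain', 'Private', 'Public') {
    Set-NetFirewallProfile -Name $ProfileName `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -NotifyOnListen False `
        -AllowUnicastResponseToMulticast False `
        -LogFileName (Join-Path $LogDir "$ProfileName.log") `
        -LogMaxSizeKilobytes 32767 `
        -LogAllowed True `
        -LogBlocked True
}

# Verify: every profile should now be enabled, block unmatched inbound
# traffic and log both allowed and blocked connections to its own file.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogFileName, LogAllowed, LogBlocked |
    Format-Table -AutoSize
```

32767 KB is the largest value the firewall accepts for the log size; the separate file per profile makes it easy to tell which profile dropped a packet when reading the logs later.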

Working with individual rules

To query the rules, use the Get-NetFirewallRule command. This dumps all firewall rules on the system. To count them, pipe the output to Measure-Object:

Get-NetFirewallRule | measure

Count firewall rules

You can filter them by group, name, action, profile, current status, etc. For example, to list all enabled blocking rules, use this command:

Get-NetFirewallRule -Enabled true -Action block

To list rules with a specific name, use the DisplayName parameter; wildcards are permitted.

Get-NetFirewallRule -DisplayName "*IE*"

Another important task is to create or manipulate rules in the firewall.

  • New-NetFirewallRule: to create new rules
  • Set-NetFirewallRule: to manipulate existing rules

Let’s create a new rule based on the Program rule type (see the selection in the GUI).

New firewall rule

To specify a program, use the Program parameter, and specify the full path and filename.

-Program "C:\Program Files\Internet Explorer\iexplore.exe"

Firewall rule for a specific program

Control the behavior with the Action parameter; the possible values are Block and Allow.

-Action Block

Firewall action

Select profiles with the Profile parameter. To select all, use Any; otherwise the strings Domain, Private and Public are acceptable. Separate them with commas if you submit several but not all of them.

-Profile Domain, Private

Specify firewall profiles

Finally, submit a name and description with the DisplayName and Description parameters.

-DisplayName "Block IE" -Description "Demonstration"

Firewall rule name and description

The last thing, but a very important one, is to specify the direction; in the GUI this happens when you right-click the appropriate Inbound or Outbound Rules container. Use the Direction parameter with Inbound or Outbound as a string value:

-Direction Outbound

Now, let’s put these together to create a rule matching the screenshots above:

New-NetFirewallRule -Program "C:\Program Files\Internet Explorer\iexplore.exe" -Action Block -Profile Domain, Private -DisplayName "Block IE" -Description "Demonstration" -Direction Outbound

New-NetFirewallRule

To work with the Scope tab, use the RemoteAddress and LocalAddress parameters. Specify an individual address, a range (see the example) or a subnet as a string. Any is the keyword to set it back to the “Any IP address” option.

Set-NetFirewallRule -DisplayName "block ie" -RemoteAddress "192.168.1.1-192.168.1.10" -LocalAddress "192.168.1.101"

Firewall rule scope

Settings related to the Protocols and Ports tab can be configured using the Protocol, LocalPort and RemotePort parameters. Example:

Set-NetFirewallRule -DisplayName "block ie" -Protocol TCP -RemotePort 80

Firewall rule protocol and ports
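The rule, scope and port steps above combined into one script, as an added example that is not from the original post. It creates the “Block IE” rule only if it does not already exist, applies the scope and port settings, and then reads every part of the rule back through the Get-NetFirewall*Filter commands listed at the start of the article; it assumes an elevated PowerShell 3 session.

```powershell
# Added example: idempotent creation of the demo rule, then verification of
# each of its settings through the associated filter objects.
$RuleName = 'Block IE'

# Get-NetFirewallRule reports an error when the name does not exist, so probe
# quietly first and only create the rule when it is missing.
$Rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $Rule) {
    $Rule = New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Demonstration' `
        -Program 'C:\Program Files\Internet Explorer\iexplore.exe' `
        -Direction Outbound `
        -Action Block `
        -Profile Domain, Private
}

# Scope and protocol/port settings are stored on separate filter objects;
# Set-NetFirewallRule updates them in one go.
Set-NetFirewallRule -DisplayName $RuleName `
    -RemoteAddress '192.168.1.1-192.168.1.10' `
    -LocalAddress '192.168.1.101' `
    -Protocol TCP `
    -RemotePort 80

# Re-read the rule and pipe it to the matching Get-*Filter command for each
# tab of the GUI: program, scope, and protocols/ports.
$Rule = Get-NetFirewallRule -DisplayName $RuleName
$Rule | Select-Object DisplayName, Enabled, Direction, Action, Profile
$Rule | Get-NetFirewallApplicationFilter | Select-Object Program
$Rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
$Rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort
```

The same pipeline pattern works for any rule on the system, which makes it a quick way to audit what an existing allow rule actually permits rather than trusting its display name.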

Conclusion

I think managing Windows Firewall with PowerShell 3 is very straightforward. If you get stuck, don’t forget to check the help with Get-Help <yourcommandhere> -Full.

For a start, I recommend the Show-Command cmdlet, which helps in exploring the functions.

Show-Command Get-NetFirewallRule

Show-Command

13 thoughts on “Manage Windows Firewall with Powershell 3”

  1. Dear Sir,

    Some commands are not working and showing red error. Do we need to import PowerShell NetSecurity module by using the following command?

    Import-Module NetSecurity

    Thanks a lot for the wonderful tutorials

    Chennai MCSE

    1. Hi Chennai,
      it depends on what the red error is 🙂 You need to start the PS window as an administrator; you don’t need to import anything on Windows 8 or Server 2012. If you can get the firewall commands and you can use some of them, the module is not the issue.

  2. Dear Sir,

    Working perfect now. 😀 As you said, no need to import any PowerShell module.

    I have deleted the partition and re-installed Windows Server 2012.

    Not sure what happened that day. 😀

    Thanks a lot for your kind help,

    Chennai MCSE

  3. Hey man, and thanks for the tutorial 🙂 I got a little issue when I’m trying to enable/disable firewall rules on specific profiles.

    Example (pseudo of what I’m trying to do):
    Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -Profile Public -Enabled False
    Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -Profile Private -Enabled False
    Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -Profile Domain -Enabled True

    In the example above I’m trying to enable the Domain profile, and disable the Private/Public profile. The problem however is that each of these commands affects all of the profiles.

    Do you have any suggestions on how to do this?

    Cheers,
    Simen
