Windows Firewall is the built-in packet and connection filtering component of the Windows OS family. PowerShell 3.0, shipped with Windows 8 and Windows Server 2012, adds a set of commands (the NetSecurity module) to manage this component without touching the GUI or netsh.
Retrieve the commands
Let's start a PowerShell console with administrative privileges (the Set-*, New-* and Remove-* commands below need elevation) and query all commands that might help us manage the firewall. One approach is to list every command whose noun contains "firewall":
Get-Command *-*firewall*
or
Get-Command -Noun "*firewall*"
Both output the following functions:
Copy-NetFirewallRule
Disable-NetFirewallRule
Enable-NetFirewallRule
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
New-NetFirewallRule
Remove-NetFirewallRule
Rename-NetFirewallRule
Set-NetFirewallAddressFilter
Set-NetFirewallApplicationFilter
Set-NetFirewallInterfaceFilter
Set-NetFirewallInterfaceTypeFilter
Set-NetFirewallPortFilter
Set-NetFirewallProfile
Set-NetFirewallRule
Set-NetFirewallSecurityFilter
Set-NetFirewallServiceFilter
Set-NetFirewallSetting
Show-NetFirewallRule
Working with profiles
To get information about profiles, use Get-NetFirewallProfile
Get-NetFirewallProfile | fl *
Note: fl is an alias for Format-List, which displays an object as a property list; the star selects every property, so this shows the full configuration of each profile.
Use the Name parameter to select a single profile; wildcard characters are allowed here.
Get-NetFirewallProfile -name private
To modify settings use the Set counterpart of this command, Set-NetFirewallProfile.
To enable or disable the firewall for a profile, specify the name and set the Enabled parameter to False or True respectively.
Set-NetFirewallProfile -Name Domain -Enabled False
To work with multiple profiles, use a wildcard name. For example, turning the firewall off in all profiles:
Set-NetFirewallProfile -Name * -Enabled False
To configure something in all profiles you can also use the All switch and omit the Name parameter:
Set-NetFirewallProfile -All -Enabled True
To change what happens to a connection that matches no rule, use the DefaultInboundAction and DefaultOutboundAction parameters with Block or Allow as the value. Blocking outbound by default is the strict choice, but it stops every program that has no explicit allow rule, so test it before rolling it out.
Set-NetFirewallProfile -name domain -DefaultInboundAction Block -DefaultOutboundAction Block
You can also exclude interfaces from a profile: pass the interface alias (the name shown by Get-NetAdapter) to DisabledInterfaceAliases.
Set-NetFirewallProfile -Name Domain -DisabledInterfaceAliases Ethernet
To reset this to the original state, in which all interfaces are covered, use the NotConfigured value.
Set-NetFirewallProfile -Name Domain -DisabledInterfaceAliases NotConfigured
The options under "Specify settings that control Windows Firewall behavior" (the Customize button on a profile tab in the GUI) can be modified with the following command:
Set-NetFirewallProfile -name domain -AllowUnicastResponseToMulticast false -NotifyOnListen false
The parameters are:
- NotifyOnListen: whether Windows shows a notification when a program is blocked from accepting inbound connections
- AllowUnicastResponseToMulticast: whether unicast responses to multicast or broadcast traffic sent by this host are allowed in
Manage the logfile
Managing the log file is useful, for instance to change its location, what gets logged, or the maximum file size.
LogFileName is self-explanatory: give the full path with the file name at the end. Create the folder first and make sure the firewall service account (the Windows Firewall service runs as NT SERVICE\mpssvc) can write to it; if it cannot, the setting is accepted but nothing is ever logged.
Set-NetFirewallProfile -Name Domain -LogFileName "D:\FWLOG\domain.log"
Configure a bigger file size, specified in kilobytes:
Set-NetFirewallProfile -Name Domain -LogMaxSizeKilobytes 10240
And enable logging of both dropped packets and successful connections:
Set-NetFirewallProfile -Name Domain -LogAllowed True -LogBlocked True
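The profile and logging steps above put together as one re-runnable baseline script. This is an added example, not code from the original post: the log directory D:\FWLOG is a placeholder you should change, the 32767 KB limit is the maximum the GUI accepts, and the ACL step assumes the firewall service runs as NT SERVICE\mpssvc, which is the service SID of MpsSvc on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post): baseline all three profiles and make
# logging actually work. Run from an elevated PowerShell 3.0+ console.
# Assumption: D:\FWLOG is a placeholder log directory; change it for your system.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell console.' }

$LogDir = 'D:\FWLOG'

# 1. Create the log folder and grant the firewall service account Modify rights.
#    The service identity is NT SERVICE\mpssvc (assumption stated in the lead-in);
#    without write access the profile setting is accepted but no log is written.
if (-not (Test-Path -Path $LogDir)) {
    New-Item -Path $LogDir -ItemType Directory | Out-Null
}
$acl  = Get-Acl -Path $LogDir
$ace  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT SERVICE\mpssvc', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path $LogDir -AclObject $acl

# 2. One call for every profile: firewall on, drop unmatched inbound, allow outbound,
#    no "allow this app?" pop-ups, log both blocked and allowed connections.
$baseline = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    NotifyOnListen        = 'False'
    LogBlocked            = 'True'
    LogAllowed            = 'True'
    LogMaxSizeKilobytes   = 32767
}
Set-NetFirewallProfile -All @baseline

# 3. A separate log file per profile, so domain and public traffic can be told apart.
foreach ($p in 'Domain', 'Private', 'Public') {
    Set-NetFirewallProfile -Name $p -LogFileName (Join-Path $LogDir "$p.log")
}

# 4. Verify. Any profile that is off or allows unmatched inbound traffic is a finding.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName |
    Format-Table -AutoSize

$weak = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
if ($weak) { Write-Warning "Profiles not at baseline: $($weak.Name -join ', ')" }
```

The verification step is the part worth keeping in a scheduled job: Set-NetFirewallProfile succeeds silently, and a Group Policy that later overrides one profile will not raise an error, so reading the state back is the only way to know the baseline still holds.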
Working with individual rules
To query the rules, use Get-NetFirewallRule. Without parameters it dumps every firewall rule on the system. To count them, pipe into Measure-Object:
Get-NetFirewallRule | measure
You can filter by group, name, action, direction, status, etc. For example, to list all enabled blocking rules:
Get-NetFirewallRule -Enabled true -Action block
To list rules with a specific name use the DisplayName parameter; wildcards are permitted.
Get-NetFirewallRule -DisplayName "*IE*"
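An audit built on the query commands above, added here as an example that is not part of the original post. The point it adds: ports, addresses and programs are not properties of the rule object. They live in separate filter objects, which the Get-NetFirewall*Filter commands return when a rule is piped into them, so an inventory of what a host exposes has to join the two. The CSV path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the original post): what does this host accept from the network?
# Enabled + Inbound + Allow is the interesting set. Each rule is joined with its port,
# address and application filter objects, which hold the details the rule object lacks.
$exposed = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [PSCustomObject]@{
        DisplayName   = $_.DisplayName
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
        Program       = $app.Program
    }
}

# Rules reachable from any remote address deserve the first look; a rule that is also
# open for any program and any local port is effectively "allow everything in".
$exposed |
    Where-Object { $_.RemoteAddress -eq 'Any' } |
    Sort-Object Profile, DisplayName |
    Format-Table -AutoSize

# Keep the full inventory so the next run can be diffed against it.
$exposed | Export-Csv -Path (Join-Path $env:TEMP 'fw-inbound-allow.csv') -NoTypeInformation
```

Each rule costs three extra CIM queries, so on a box with several hundred rules the loop takes a while; that is acceptable for an audit but not for something you call in a tight loop.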
The other important task is creating and manipulating rules in the firewall:
- New-NetFirewallRule: create new rules
- Set-NetFirewallRule: modify existing rules
Let's create a rule of the Program type (see the rule type selection in the GUI).
To specify a program, use the Program parameter with the full path and file name.
-Program "C:\Program Files\Internet Explorer\iexplore.exe"
Control the behavior with the Action parameter, possible values are Block and Allow
-Action Block
Select profiles with the Profile parameter. Any selects all of them; otherwise the values Domain, Private and Public are accepted, separated by commas when you want more than one but not all.
-Profile Domain, Private
Finally, give the rule a name and description with the DisplayName and Description parameters:
-DisplayName "Block IE" -Description "Demonstration"
Last but very important is the direction. In the GUI this is decided by which container, Inbound Rules or Outbound Rules, you right-click; here use the Direction parameter with Inbound or Outbound as the value:
-Direction Outbound
Now let's put these together to create a rule matching the screenshots above:
New-NetFirewallRule -Program "C:\Program Files\Internet Explorer\iexplore.exe" -Action Block -Profile Domain, Private -DisplayName "Block IE" -Description "Demonstration" -Direction Outbound
For the Scope tab, use the RemoteAddress and LocalAddress parameters. Specify a single address, a range (see the example) or a subnet in CIDR notation as a string. The keyword Any resets it to the "Any IP address" option.
Set-NetFirewallRule -DisplayName "Block IE" -RemoteAddress "192.168.1.1-192.168.1.10" -LocalAddress "192.168.1.101"
Settings on the Protocols and Ports tab can be configured with the Protocol, LocalPort and RemotePort parameters. Example:
Set-NetFirewallRule -DisplayName "Block IE" -Protocol TCP -RemotePort 80
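The rule-creation and scoping steps above as one script that can be run repeatedly. This is an added example, not the post's own code. It assumes an elevated console and uses 'Demo-Block-IE' as an arbitrary value for the rule's Name. Two things the one-liners do not show: DisplayName is not unique, so running New-NetFirewallRule twice with the same DisplayName creates two rules and a later Set-NetFirewallRule -DisplayName touches both; and scope and port settings can be given at creation time rather than in a second Set call.

```powershell
# Added example (not from the original post): create or update the "Block IE" rule
# without ever producing a duplicate. Assumption: 'Demo-Block-IE' is an arbitrary
# rule Name chosen here; the Name is the rule's unique ID (a GUID if you omit it).

$identity = @{
    Name        = 'Demo-Block-IE'
    DisplayName = 'Block IE'
    Description = 'Demonstration'
}
$settings = @{
    Program       = 'C:\Program Files\Internet Explorer\iexplore.exe'
    Direction     = 'Outbound'
    Action        = 'Block'
    Profile       = 'Domain', 'Private'
    Protocol      = 'TCP'
    RemotePort    = 80, 443
    RemoteAddress = '192.168.1.1-192.168.1.10'
    LocalAddress  = '192.168.1.101'
}

# Look the rule up by its unique Name, not by DisplayName. Get-NetFirewallRule errors
# on a missing name, so silence that and treat "nothing returned" as "create".
if (Get-NetFirewallRule -Name $identity.Name -ErrorAction SilentlyContinue) {
    # Rule exists: reapply the desired state to that one rule.
    Set-NetFirewallRule -Name $identity.Name @settings
} else {
    # Rule missing: create it with scope and ports in the same call.
    New-NetFirewallRule @identity @settings | Out-Null
}

# Show-NetFirewallRule prints the rule together with every associated filter object
# (application, port, address...), which is the quickest way to eyeball the result.
Get-NetFirewallRule -Name $identity.Name | Show-NetFirewallRule

# How many rules share this DisplayName? More than one means a bare
# Set-NetFirewallRule -DisplayName 'Block IE' would have changed all of them.
$shared = Get-NetFirewallRule -DisplayName $identity.DisplayName | Measure-Object
"Rules named '$($identity.DisplayName)': $($shared.Count)"
```

Splatting the identity and the settings as two hashtables keeps the Set and New calls in sync: Set-NetFirewallRule uses -Name as the selector and cannot take -DisplayName at the same time, so the selector has to be kept apart from the properties being written.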
Conclusion
Managing Windows Firewall with PowerShell 3 is straightforward. If you get stuck, check the help with Get-Help <yourcommandhere> -Full.
To start with, the Show-Command cmdlet is handy for exploring a function's parameters in a form:
Show-Command Get-NetFirewallRule
What snap-in did you import into PowerShell to have the firewall cmdlets available?
br
Bjørn
Hi Bjørn,
These cmdlets are available in the NetSecurity module on Windows 8 and Windows Server 2012.
http://technet.microsoft.com/en-us/library/jj554906.aspx
Dear Sir,
Some commands are not working and show a red error. Do we need to import the PowerShell NetSecurity module using the following command?
Import-Module NetSecurity
Thanks a lot for the wonderful tutorials
Chennai MCSE
Hi Chennai,
It depends on what the red error is 🙂 You need to start the PS window as an administrator; you don't need to import anything on Windows 8 or Server 2012. If you can see the firewall commands and can use some of them, the module is not the issue.
Dear Sir,
Working perfectly now. 😀 As you said, there is no need to import any PowerShell module.
I have deleted the partition and re-installed Windows Server 2012.
Not sure what happened that day. 😀
Thanks a lot for your kind help,
Chennai MCSE
Hey man, thanks for the tutorial 🙂 I have a little issue when I'm trying to enable/disable firewall rules on specific profiles.
Example (pseudo-code of what I'm trying to do):
Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -Profile Public -Enabled False
Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -Profile Private -Enabled False
Set-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Name-In)" -Profile Domain -Enabled True
In the example above I'm trying to enable the Domain profile and disable the Private/Public profiles. The problem, however, is that each of these commands affects all of the profiles.
Do you have any suggestions on how to do this?
Cheers,
Simen
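An added example, not part of the comment thread, for the per-profile case raised in the last comment. On Set-NetFirewallRule, -Profile is a property to write, not a filter, so each call above rewrote the Profile and Enabled values of the same rule. Windows ships many of its built-in rules as several rules that share one DisplayName and differ only in Profile, so the approach is to select the rule for the wanted profile first and then pipe it to Enable-NetFirewallRule or Disable-NetFirewallRule. The display name is the one from the comment; the helper function is defined here and is not a NetSecurity command.

```powershell
# Added example (not from the original post or the comment thread).
# Assumption: the DisplayName below is taken from the question; Get-RuleForProfile is a
# helper written here, not part of the NetSecurity module.

function Get-RuleForProfile {
    param(
        [Parameter(Mandatory = $true)] [string] $DisplayName,
        [Parameter(Mandatory = $true)] [ValidateSet('Domain', 'Private', 'Public')] [string] $ProfileName
    )
    Get-NetFirewallRule -DisplayName $DisplayName | Where-Object {
        # Profile is a flags value that prints as e.g. "Private, Public";
        # "Any" means the rule applies to every profile.
        $p = $_.Profile.ToString()
        $p -eq 'Any' -or (($p -split ',\s*') -contains $ProfileName)
    }
}

$dn = 'File and Printer Sharing (NB-Name-In)'

# Show what is about to be touched: one line per underlying rule, with its unique Name.
Get-NetFirewallRule -DisplayName $dn | Select-Object Name, Profile, Enabled | Format-Table -AutoSize

# Enable for Domain, disable for Private and Public, without rewriting any rule's Profile.
Get-RuleForProfile -DisplayName $dn -ProfileName Domain  | Enable-NetFirewallRule
Get-RuleForProfile -DisplayName $dn -ProfileName Private | Disable-NetFirewallRule
Get-RuleForProfile -DisplayName $dn -ProfileName Public  | Disable-NetFirewallRule

# Read the state back to confirm only the Enabled column changed.
Get-NetFirewallRule -DisplayName $dn | Select-Object Name, Profile, Enabled | Format-Table -AutoSize
```

If the first table shows a single rule covering both Private and Public, disabling it for one profile disables it for the other as well; the only way to treat them differently is to copy the rule (Copy-NetFirewallRule) and narrow each copy's Profile with Set-NetFirewallRule, at which point -Profile is being used for what it is, a value to set.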