Manage Windows Firewall with PowerShell

Windows Firewall is the default built-in solution for packet and connection filtering in the Windows OS families. With newer PowerShell versions, Microsoft shipped a set of cmdlets (the NetSecurity module) to manage this component effectively.

Let’s start a PowerShell console with administrative privileges and query all commands which might help us manage the firewall. My approach was to list every command whose noun contains “firewall.”

Retrieve the commands:

Get-Command *-*firewall*

or

Get-Command -Noun "*firewall*"

Both output the following cmdlets:

Copy-NetFirewallRule
Disable-NetFirewallRule
Enable-NetFirewallRule
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
New-NetFirewallRule
Remove-NetFirewallRule
Rename-NetFirewallRule
Set-NetFirewallAddressFilter
Set-NetFirewallApplicationFilter
Set-NetFirewallInterfaceFilter
Set-NetFirewallInterfaceTypeFilter
Set-NetFirewallPortFilter
Set-NetFirewallProfile
Set-NetFirewallRule
Set-NetFirewallSecurityFilter
Set-NetFirewallServiceFilter
Set-NetFirewallSetting
Show-NetFirewallRule

Working with profiles

To get information about profiles, use Get-NetFirewallProfile:

Get-NetFirewallProfile | fl *

Note: fl is an alias for Format-List, which displays the information in a list view; the star includes every property.

Use the Name parameter to specify a profile name; wildcard characters are accepted here:

Get-NetFirewallProfile -name private

To modify settings, use the Set- counterpart of this command:

Set-NetFirewallProfile

To enable or disable the firewall for a profile, first specify the name, then set the Enabled parameter to "true" or "false" (as strings) respectively.

Set-NetFirewallProfile -name domain -Enabled "false"

To work with multiple profiles, use a more generic name. For example, to turn it off in all profiles:

Set-NetFirewallProfile -name * -Enabled "false"

If you want to configure something in all profiles, use the All switch and omit the Name parameter:

Set-NetFirewallProfile -All -Enabled "true"

To modify the default behavior when a connection does not match a rule, use the DefaultInboundAction and the DefaultOutboundAction parameters. Specify Block or Allow as a value:

Set-NetFirewallProfile -name domain -DefaultInboundAction Block -DefaultOutboundAction Block

You can also exclude interfaces from a profile; just specify the interface’s alias after DisabledInterfaceAliases.

Set-NetFirewallProfile -name domain -DisabledInterfaceAliases Ethernet

To reset this back to the original state, where all interfaces are covered by the profile, use the NotConfigured string:

Set-NetFirewallProfile -name domain -DisabledInterfaceAliases NotConfigured

The options listed under “Specify settings that control Windows Firewall behavior” in the GUI can be modified with the following command:

Set-NetFirewallProfile -name domain -AllowUnicastResponseToMulticast false -NotifyOnListen false

The two parameters are:

  • NotifyOnListen: whether to display a notification when a program is blocked from listening
  • AllowUnicastResponseToMulticast: whether unicast responses to multicast or broadcast traffic are allowed
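The profile settings above are the ones most worth auditing on a fleet. The following script is an added example, not code from the original post: it compares every profile against a small baseline hashtable and can apply only the settings that drift. The baseline values (inbound Block, outbound Allow, notifications off) are an assumption chosen for illustration; adjust them to your own policy.

```powershell
# Added example (not from the original post): audit every firewall profile
# against a baseline and optionally bring it back into line.
# The baseline values below are assumptions for illustration only.
#Requires -RunAsAdministrator

$Baseline = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    NotifyOnListen        = 'False'
}

function Test-FirewallProfileBaseline {
    [CmdletBinding()]
    param([hashtable]$Expected = $Baseline)

    # $fwProfile is used instead of $profile to avoid shadowing the automatic $PROFILE variable
    foreach ($fwProfile in Get-NetFirewallProfile) {
        foreach ($setting in $Expected.Keys) {
            # Enabled/NotifyOnListen are GpoBoolean enums, the actions are Action enums;
            # casting to string gives a uniform comparison against the baseline
            $actual = [string]$fwProfile.$setting
            [pscustomobject]@{
                Profile   = $fwProfile.Name
                Setting   = $setting
                Expected  = $Expected[$setting]
                Actual    = $actual
                Compliant = ($actual -eq $Expected[$setting])
            }
        }
    }
}

function Set-FirewallProfileBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Expected = $Baseline)

    # Only touch settings that deviate, so the change stays minimal and reviewable
    $drift = Test-FirewallProfileBaseline -Expected $Expected | Where-Object { -not $_.Compliant }
    foreach ($item in $drift) {
        if ($PSCmdlet.ShouldProcess("$($item.Profile) profile", "Set $($item.Setting) to $($item.Expected)")) {
            $params = @{ Name = $item.Profile }
            $params[$item.Setting] = $item.Expected
            Set-NetFirewallProfile @params
        }
    }
}

# Report first; preview changes with -WhatIf before applying them
Test-FirewallProfileBaseline | Format-Table -AutoSize
Set-FirewallProfileBaseline -WhatIf
```

Run the test function on its own for a read-only report; drop -WhatIf from the last line once the proposed changes look right.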

Manage the logfile

Managing the logfile is quite useful, for instance to change the default location of the logfile, the logging behavior or the maximum file size.

LogFileName is a self-explanatory option: specify the path with the filename at the end (don’t forget to create the folder and grant write permissions to the firewall service account).

Set-NetFirewallProfile -name domain -LogFileName "C:\FWLOG\domain.log"

Configure a bigger file size, specified in kilobytes:

Set-NetFirewallProfile -name domain -LogMaxSizeKilobytes 10240

And enable logging of dropped packets and successful connections:

Set-NetFirewallProfile -name domain -LogAllowed true -LogBlocked true
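The three logging settings above only produce a file if the firewall service can actually write to the folder. The script below is an added example, not code from the original post: it creates the folder, grants the Windows Firewall service account (the NT SERVICE\MpsSvc virtual account) modify rights, enables allowed and blocked logging on every profile, and then shows how to summarise dropped inbound connections from the resulting log. The folder path, size and the sample log lines are constructed for the example.

```powershell
# Added example (not from the original post): set up firewall logging for all
# profiles and summarise dropped inbound traffic from the log file.
# C:\FWLOG, the 16 MB limit and the sample log content are constructed values.
#Requires -RunAsAdministrator

function Enable-FirewallLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Folder = 'C:\FWLOG',
        [int]$MaxSizeKB = 16384
    )
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

    # The firewall service runs as NT SERVICE\MpsSvc; without write access on the
    # folder the log is never created and no error is reported anywhere.
    $acl  = Get-Acl $Folder
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT SERVICE\MpsSvc', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl

    # One log per profile keeps domain traffic separate from public-network noise
    foreach ($fwProfile in Get-NetFirewallProfile) {
        $logFile = Join-Path $Folder ('{0}.log' -f $fwProfile.Name.ToLower())
        if ($PSCmdlet.ShouldProcess($fwProfile.Name, "Log to $logFile")) {
            Set-NetFirewallProfile -Name $fwProfile.Name -LogFileName $logFile `
                -LogMaxSizeKilobytes $MaxSizeKB -LogAllowed True -LogBlocked True
        }
    }
    Get-NetFirewallProfile | Select-Object Name, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes
}

function Get-FirewallDropSummary {
    param([Parameter(Mandatory)][string]$Path, [int]$Top = 5)
    # pfirewall.log is space separated; the '#Fields:' header names these columns
    $fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
              'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'
    Get-Content $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Constructed sample log (not real traffic) so the parser can be exercised offline
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:22:33 DROP TCP 192.168.2.5 192.168.1.101 51234 445 52 S 123456 0 8192 - - - RECEIVE
2024-01-15 10:22:34 DROP TCP 192.168.2.5 192.168.1.101 51235 445 52 S 123457 0 8192 - - - RECEIVE
2024-01-15 10:22:35 ALLOW TCP 192.168.1.101 10.0.0.8 51236 443 0 - 0 0 0 - - - SEND
2024-01-15 10:22:36 DROP UDP 192.168.2.9 192.168.1.101 137 137 78 - - - - - - - RECEIVE
'@
$samplePath = Join-Path $env:TEMP 'pfirewall-sample.log'
Set-Content -Path $samplePath -Value $sample
Get-FirewallDropSummary -Path $samplePath

# Enable-FirewallLogging -WhatIf   # preview, then run without -WhatIf to apply
```

Once logging is on, point Get-FirewallDropSummary at the real log written by Enable-FirewallLogging; the source/port grouping is the quickest way to spot a host repeatedly probing a service the profile blocks.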

Working with individual rules

To query the rules, use the Get-NetFirewallRule command. Without parameters it dumps all firewall rules on the system. To count them, pipe the output to Measure-Object:

Get-NetFirewallRule | measure

You can filter them by group, name, action, profile, current status, etc. For example, to list all blocking, enabled rules use this command:

Get-NetFirewallRule -Enabled true -Action block

To list rules with a specific name, use the DisplayName parameter; wildcards are permitted.

Get-NetFirewallRule -Displayname "*IE*"
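Get-NetFirewallRule only returns the rule object itself; the addresses, ports and program live in the associated filter objects listed earlier (Get-NetFirewallAddressFilter, Get-NetFirewallPortFilter, Get-NetFirewallApplicationFilter). The following is an added example, not code from the original post: it joins those filters to find enabled inbound Allow rules that accept traffic from any remote address, which is the set a reviewer usually wants to look at first. The function name is my own.

```powershell
# Added example (not from the original post): list enabled inbound Allow rules
# open to any remote address, together with their port and program filters.
function Get-OpenInboundRule {
    [CmdletBinding()]
    param(
        # Optional profile filter (Domain, Private, Public); omit for all profiles
        [string]$ProfileName
    )
    $query = @{ Enabled = 'True'; Direction = 'Inbound'; Action = 'Allow' }
    if ($ProfileName) { $query['Profile'] = $ProfileName }

    Get-NetFirewallRule @query | ForEach-Object {
        # Each filter cmdlet accepts the rule on the pipeline and returns its scope
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        if ('Any' -in @($addr.RemoteAddress)) {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Group     = $_.DisplayGroup
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = (@($port.LocalPort) -join ',')
                Program   = $app.Program
            }
        }
    }
}

# Sorting by protocol and port groups the rules that expose the same service
Get-OpenInboundRule | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Rules whose Program is Any and whose LocalPort is Any deserve the closest look, since they allow every inbound connection the profile would otherwise block by default.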

The other important task is to create or manipulate rules in the firewall.

  • New-NetFirewallRule: to create new rules
  • Set-NetFirewallRule: to manipulate existing rules

Let’s build a new rule based on the Program rule type (the same selection the GUI wizard offers).

To specify a program, use the Program parameter with the full path and filename.

-Program "C:\Program Files\Internet Explorer\iexplore.exe"

Control the behavior with the Action parameter; possible values are Block and Allow.

-Action Block

Select profiles with the Profile parameter. To select all, use Any; otherwise the strings Domain, Private and Public are accepted. Separate them with commas if you specify more than one but not all.

-Profile Domain, Private

Finally, give it a name and description with the DisplayName and Description parameters.

-DisplayName "Block IE" -Description "Demonstration"

Last but very important is the direction; in the GUI this is decided by right-clicking the Inbound Rules or Outbound Rules container. Use the Direction parameter with Inbound or Outbound as a string value:

-Direction Outbound

Now, let’s put these together to create a rule matching the screenshots above:

New-NetFirewallRule -Program "C:\Program Files\Internet Explorer\iexplore.exe" -Action Block -Profile Domain, Private -DisplayName "Block IE" -Description "Demonstration" -Direction Outbound

For the Scope tab, use the RemoteAddress and LocalAddress parameters. Specify an individual address, a range (see the example) or a subnet as a string. Any is the keyword to set it back to the “Any IP address” option.

Set-NetFirewallRule -DisplayName "block ie" -RemoteAddress "192.168.2.1-192.168.2.10" -LocalAddress "192.168.1.101"

Settings related to the Protocols and Ports tab can be configured using the Protocol, LocalPort and RemotePort parameters. Example:

Set-NetFirewallRule -DisplayName "block ie" -Protocol TCP -RemotePort 80
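Putting the creation and scoping steps together, the script below is an added example, not code from the original post: it wraps the same "Block IE" rule in a function that uses splatting for the long parameter list, skips creation when a rule with that display name already exists (New-NetFirewallRule would otherwise happily create a duplicate), and reads the address, port and application filters back so you can confirm what was stored rather than what you typed. The function name and its defaults are my own.

```powershell
# Added example (not from the original post): create the "Block IE" rule
# idempotently and read back its effective scope from the filter objects.
#Requires -RunAsAdministrator

function New-ScopedBlockRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Program,
        [string[]]$Profiles = @('Domain', 'Private'),
        [string]$RemoteAddress = 'Any',
        [string]$Protocol = 'TCP',
        [string]$RemotePort = 'Any'
    )
    # DisplayName is not unique in the firewall store, so check before creating
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$DisplayName' already exists, updating its scope only"
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Update scope')) {
            Set-NetFirewallRule -DisplayName $DisplayName -RemoteAddress $RemoteAddress `
                -Protocol $Protocol -RemotePort $RemotePort
        }
    } else {
        # Splatting keeps the long parameter list readable and easy to diff
        $params = @{
            DisplayName   = $DisplayName
            Description   = 'Demonstration'
            Program       = $Program
            Direction     = 'Outbound'
            Action        = 'Block'
            Profile       = $Profiles
            RemoteAddress = $RemoteAddress
            Protocol      = $Protocol
            RemotePort    = $RemotePort
        }
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Create outbound block rule')) {
            New-NetFirewallRule @params | Out-Null
        }
    }

    # Read the rule back through its filters: this is the scope the engine enforces
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) { return }   # nothing to report under -WhatIf
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        Direction     = $rule.Direction
        Program       = ($rule | Get-NetFirewallApplicationFilter).Program
        RemoteAddress = (@(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
        Protocol      = ($rule | Get-NetFirewallPortFilter).Protocol
        RemotePort    = (@(($rule | Get-NetFirewallPortFilter).RemotePort) -join ',')
    }
}

New-ScopedBlockRule -DisplayName 'Block IE' `
    -Program 'C:\Program Files\Internet Explorer\iexplore.exe' `
    -RemoteAddress '192.168.2.1-192.168.2.10' -Protocol TCP -RemotePort 80 -Verbose
```

Running it a second time takes the update branch instead of creating a duplicate, and the returned object is what you would paste into a change ticket.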


For a good start I recommend the Show-Command cmdlet, which opens a dialog that helps explore a function’s parameters.

Show-Command Get-NetFirewallRule

Conclusion

Managing Windows Firewall with PowerShell is very straightforward. If you get stuck, don’t forget to check the help with Get-Help -Full.
