Managing the Windows Firewall with PowerShell

Source: Toms IT Pro

PowerShell has cmdlets for controlling the Windows firewall, as part of the NetSecurity PowerShell module.

Clicking around in a Windows GUI to add, remove and change firewall rules doesn't sound like a fun time. Perhaps if you're configuring a single computer or server it might not be so bad, but who does that anymore in IT? We have lots of machines that require standard configuration settings. We need a way to apply a standard firewall configuration across many different computers at once. Once a single PowerShell script is written, we can easily deploy it to many machines at once with little fuss.

Since Windows Server 2012 R2 and Windows 8.1, PowerShell has had cmdlets for controlling the Windows firewall as part of the NetSecurity PowerShell module. This module contains dozens of cmdlets to manage the Windows firewall. These cmdlets are not only aware of opening and closing ports, but they are also aware of Windows' three profiles: Domain, Public and Private. Using these cmdlets allows you to manage just about any part of the Windows Firewall that can be managed in the GUI.

The Windows Firewall cmdlets can be found by using Get-Command -Noun *NetFirewall*. By using any of the Get cmdlets, you can immediately put together what the state of your Windows firewall looks like. We know that the firewall doesn't always come with the configuration you'll need, so we've also got various Set and New cmdlets. For example, perhaps we have a requirement to open up RDP (TCP/3389) to everyone in the Private network profile. I could first see if a rule already exists by using Get-NetFirewallRule.

PS> Get-NetFirewallRule -DisplayName '*Remote Desktop*'

Name                  : RemoteDesktop-UserMode-In-UDP
DisplayName           : Remote Desktop - User Mode (UDP-In)
Description           : Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389]
DisplayGroup          : Remote Desktop
Group                 : @FirewallAPI.dll,-28752
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Block
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

Once found, I can see that it is Enabled, its Direction is Inbound and its Action is Block, but I can't be sure it's about the right port. To dig deeper, I can use the Get-NetFirewallPortFilter command. This shows me the specific TCP and UDP ports, along with source and destination, that are applied to that rule.

PS> Get-NetFirewallRule -DisplayName '*Remote Desktop*' | Get-NetFirewallPortFilter

Protocol      : UDP
LocalPort     : 3389
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Protocol      : TCP
LocalPort     : 3389
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Protocol      : TCP
LocalPort     : Any
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Now that I know I'm working with the right rule, I need to open this up. To change existing firewall rules, I can use the Set-NetFirewallRule command. Using PowerShell's pipeline ability, I'll just need to pipe the result of Get-NetFirewallRule directly to Set-NetFirewallRule and set the Action to Allow.

PS> Get-NetFirewallRule -DisplayName '*Remote Desktop*' | Set-NetFirewallRule -Action Allow

Another useful cmdlet is called Show-NetFirewallRule. Recall that we could not see all of the details when using Get-NetFirewallRule earlier. Using Show-NetFirewallRule, we're able to instantly see everything that's involved with one or all firewall rules.

PS> Show-NetFirewallRule

Name                  : vm-monitoring-icmpv6
DisplayName           : Virtual Machine Monitoring (Echo Request - ICMPv6-In)
Description           : Echo Request messages are sent as ping requests to other nodes.
DisplayGroup          : Virtual Machine Monitoring
Group                 : @icsvc.dll,-700
Enabled               : False
Profile               : Any
Platform              :
Direction             :
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

$_ | Get-NetFirewallAddressFilter
     LocalAddress          : Any
     RemoteAddress         : Any

$_ | Get-NetFirewallServiceFilter
     Service               : Any

$_ | Get-NetFirewallApplicationFilter
     Program               : Any
     Package               :

$_ | Get-NetFirewallInterfaceFilter
     InterfaceAlias        : Any

$_ | Get-NetFirewallInterfaceTypeFilter
     InterfaceType         : Any

By using these cmdlets inside of a script, you can now build a standard configuration that can be applied to many systems. No more clicking around in that GUI.
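
As an added example (not code from the original article), here is one way to turn the RDP requirement above, TCP/3389 open on the Private profile only, into a repeatable baseline script. The wildcard `'*Remote Desktop*'` match used earlier changes every rule in that group regardless of profile, so this version reports conflicting rules and manages one dedicated rule instead; the rule name is a hypothetical choice for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: allow inbound RDP (TCP/3389) on the Private profile only.
$ErrorActionPreference = 'Stop'
$ruleName = 'Baseline - RDP TCP 3389 (Private)'   # hypothetical name for this example

# 1. Collect every enabled inbound rule whose port filter names TCP 3389.
#    (Rules that cover 3389 through a port range or 'Any' are not matched here.)
$onPort = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '3389'
    }

# 2. Report what would conflict with the baseline:
#    - Block rules win over Allow rules, so an enabled Block rule keeps the port closed.
#    - Allow rules on a profile other than Private expose the port more widely than intended.
$blocking = $onPort | Where-Object { $_.Action -eq 'Block' }
$tooBroad = $onPort | Where-Object {
    $_.Action -eq 'Allow' -and $_.Profile -ne 'Private' -and $_.DisplayName -ne $ruleName
}
$blocking | Select-Object Name, DisplayName, Profile, Action | Format-Table -AutoSize | Out-Host
$tooBroad | Select-Object Name, DisplayName, Profile, Action | Format-Table -AutoSize | Out-Host

# 3. Create the baseline rule, or bring an existing copy back to the expected state.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule -Profile Private -Direction Inbound -Action Allow `
        -Enabled True -Protocol TCP -LocalPort 3389
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Profile Private -Action Allow | Out-Null
}

# 4. Verify the result the same way the article inspects a rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Profile, Direction, Action | Format-List | Out-Host
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter | Format-List | Out-Host
```

Saved to a file, the script can be pushed to many machines with Invoke-Command using its -ComputerName and -FilePath parameters. The rules listed in step 2 are only reported, so whether to disable or narrow them stays a deliberate decision.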