It is well known that you can manage the Windows Firewall with the MMC snap-in and the command-line tool netsh.exe. PowerShell offers a set of cmdlets that, in many cases, let you analyze and modify rules faster than either of the other two tools.

In general, the MMC-based Windows Firewall with Advanced Security is a powerful tool for managing existing rules and creating new ones. It also offers a few predefined filters that help you get an overview of the large number of rules. netsh.exe, on the other hand, suffers from its unintuitive syntax.

Filtering rules with Get-NetFirewallRule

PowerShell offers more flexible filters than the GUI and is easier to use than netsh.exe. The most important cmdlet for the analysis of existing rules is the Get-NetFirewallRule cmdlet. If you run it without parameters, you will receive a list of all rules with some of their properties.

For example, if you want to find out if the firewall blocks communication with a remote computer, you'll want to limit the output to those rules that could cause the problem.

For this purpose, a couple of parameters allow you to filter the list according to the most important properties, such as rule name and group name (Name, DisplayName, Group, DisplayGroup):

Get-NetFirewallRule -DisplayGroup Remote*

The wildcard "*" ensures that all group names that start with "Remote" are in the list, e.g. Remote Management and Remote Desktop.

Inbound/outbound and allow/block

Other important parameters are Action, Enabled, and Direction. Action accepts the values Allow and Block, Direction supports Inbound and Outbound, and Enabled expects True or False.

Get-NetFirewallRule -Action Block -Enabled True -Direction Inbound

This command displays all inbound rules that are enabled and block the corresponding connection.

The next example will refine the filter even further and limit the output to rule groups starting with "Network":

Get-NetFirewallRule -Action Allow -Enabled False -Direction Inbound -DisplayGroup Network* | select DisplayName, DisplayGroup

Screenshot: Displaying firewall rules with Get-NetFirewallRule

Displaying programs in rules

In most cases, the information you receive this way is insufficient because you don't see which programs the rules apply to. If the rule name or description doesn't contain a hint, you can pipe the output of Get-NetFirewallRule to Get-NetFirewallApplicationFilter to display the program (or app package) behind each rule:

Get-NetFirewallRule -Action Block -Enabled True | %{$_.Name; $_ | Get-NetFirewallApplicationFilter}
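The one-liner above prints the rule name and the application filter as two separate objects, which is hard to read for more than a handful of rules. The following script is an added example (not code from the original article): it joins each rule with its application, port, and address filters into a single object, and then uses that flat view to answer the question from the beginning of the article, namely which enabled rules could block traffic on a given port. The function names, the port-matching helper, and the sample port are my own.

```powershell
# Added example: flatten a rule together with its application, port and address
# filters into one object, then search that view for candidate blocking rules.

function Get-FirewallRuleDetail {
    [CmdletBinding()]
    param(
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction = 'Inbound',
        [ValidateSet('Allow', 'Block')]      [string] $Action    = 'Block',
        [ValidateSet('True', 'False')]       [string] $Enabled   = 'True'
    )
    # Get-NetFirewallRule does the coarse filtering; the associated filters are
    # retrieved by piping the rule object, as in the article's one-liner.
    Get-NetFirewallRule -Direction $Direction -Action $Action -Enabled $Enabled |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                DisplayGroup  = $_.DisplayGroup
                Profile       = "$($_.Profile)"     # flags value, e.g. "Domain, Private" or "Any"
                Direction     = "$($_.Direction)"
                Action        = "$($_.Action)"
                Program       = $app.Program        # 'Any' or a path such as %SystemRoot%\system32\svchost.exe
                Protocol      = $port.Protocol      # 'Any', 'TCP', 'UDP', 'ICMPv4', ...
                LocalPort     = $port.LocalPort     # 'Any', '445', '5000-5010', or an array of those
                RemotePort    = $port.RemotePort
                RemoteAddress = $addr.RemoteAddress # 'Any', 'LocalSubnet', an address, a subnet, or an array
            }
        }
}

# A port specification can be 'Any', a single number, a range 'a-b', or an array of those.
# Keyword ports such as 'RPC', 'RPC-EPMap' or 'IPHTTPS' are not numeric and are skipped here.
function Test-PortMatch {
    param([object] $Spec, [int] $Port)
    foreach ($p in @($Spec)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

# Which enabled block rules could affect a local port? Address scoping is not evaluated
# automatically; RemoteAddress is included in the output so scoped rules can be reviewed.
function Find-CandidateBlockingRule {
    param(
        [Parameter(Mandatory)] [int] $LocalPort,
        [ValidateSet('TCP', 'UDP')] [string] $Protocol = 'TCP',
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction = 'Inbound'
    )
    Get-FirewallRuleDetail -Direction $Direction -Action Block -Enabled True |
        Where-Object { $_.Protocol -in @('Any', $Protocol) -and (Test-PortMatch $_.LocalPort $LocalPort) }
}

# Usage: the programs behind all enabled inbound block rules, then the block rules
# that could interfere with SMB (TCP 445, a sample port chosen for this example).
Get-FirewallRuleDetail | Format-Table DisplayName, Program, Protocol, LocalPort -AutoSize
Find-CandidateBlockingRule -LocalPort 445 | Format-Table DisplayName, Profile, Program, RemoteAddress -AutoSize
```

Because each rule costs three additional CIM queries, run the detail function against a narrowed set (Direction, Action, Enabled) rather than against all rules, as the defaults do.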

Distinguishing network profiles

An important feature of the Windows Firewall is its ability to distinguish between network profiles (Private, Public, and Domain). For instance, if you want to find the rules in a domain environment that block a certain application, you can ignore all rules that apply only to the Private and Public profiles.

Screenshot: Displaying firewall rules of the network profile Domain

Theoretically, you could define a filter using Where-Object that examines the Profile property. However, this method is a bit cumbersome: a rule enabled for all profiles has the value Any, and a rule scoped to several profiles has a combined value such as "Domain, Private", so a simple equality test against Domain would miss rules that do apply. Using Get-NetFirewallProfile is more straightforward here:

Get-NetFirewallProfile -Name Domain | Get-NetFirewallRule | ? DisplayName -like 'File*'

This command shows you all rules for the Domain profile whose DisplayName begins with "File". You will get the default properties output by Get-NetFirewallRule.
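If you do want to filter on the Profile property yourself (for example on rule objects you have already collected), the filter has to treat Any and combined values correctly. The following script is an added example, not code from the original article: it implements that Where-Object filter, shows which profile is currently active and what each profile does with traffic that no rule covers, and compares the result with the Get-NetFirewallProfile approach. The function name is my own.

```powershell
# Added example: filter on the Profile property correctly. Profile is a flags value,
# so a rule applies to the Domain profile when its Profile is 'Domain', a combination
# such as 'Domain, Private', or 'Any'.

function Get-FirewallRuleForProfile {
    param(
        [Parameter(Mandatory)] [ValidateSet('Domain', 'Private', 'Public')] [string] $Profile,
        [string] $DisplayName = '*'
    )
    Get-NetFirewallRule -DisplayName $DisplayName |
        Where-Object {
            # 'Domain, Private' -> @('Domain', 'Private'); 'Any' -> @('Any')
            $profiles = "$($_.Profile)" -split ',\s*'
            ($profiles -contains 'Any') -or ($profiles -contains $Profile)
        }
}

# Which profile is active on each connection right now?
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# What does each profile do with traffic that matches no rule at all?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Compare the Where-Object filter with the Get-NetFirewallProfile approach from the article
$viaWhere   = @(Get-FirewallRuleForProfile -Profile Domain -DisplayName 'File*')
$viaProfile = @(Get-NetFirewallProfile -Name Domain | Get-NetFirewallRule | Where-Object DisplayName -like 'File*')
'{0} rules via Where-Object, {1} rules via Get-NetFirewallProfile' -f $viaWhere.Count, $viaProfile.Count
```

The default actions are worth checking whenever a connection fails without an obvious block rule: with the usual settings, inbound traffic that matches no rule is dropped by DefaultInboundAction, so the absence of an allow rule is as effective as an explicit block.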

Disabling, enabling, and deleting rules

If you want to disable rules because they block a required connection, the Disable-NetFirewallRule cmdlet is what you need. In most cases, you will pass the name of the single rule you want to disable. Alternatively, with the help of the Action, Enabled, and Direction parameters, you can filter the rules you want to deactivate:

Disable-NetFirewallRule -Action Block -Enabled True -Direction Inbound

Because such a command can have undesirable side effects, I recommend that you first execute it with the additional parameter -WhatIf. This shows you the affected rules without changing anything.

The Disable-NetFirewallRule cmdlet only disables firewall rules and doesn't change their configuration. If needed, you can enable these rules again with its counterpart Enable-NetFirewallRule.


By contrast, Remove-NetFirewallRule deletes rules, and you have to recreate them if you need them again. All three cmdlets support the same filter parameters as Get-NetFirewallRule to select the rules to act on.
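A bulk Disable-NetFirewallRule is easy to get wrong, and Enable-NetFirewallRule with the same filter afterwards would also re-enable rules that were disabled on purpose before you started. The following script is an added example, not code from the original article: it selects rules with the same filter parameters, saves the exact list of rule names before touching anything, honors -WhatIf for a dry run, and restores precisely the saved set. The function names and the backup path are my own.

```powershell
# Added example: disable a set of rules with a safety net and restore exactly that set.

function Disable-FirewallRuleSet {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $BackupPath,                 # where the affected rule names are saved
        [Parameter(Mandatory)] [string] $DisplayGroup,               # mandatory so nothing is disabled by accident
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction = 'Inbound',
        [ValidateSet('Allow', 'Block')]      [string] $Action    = 'Block'
    )
    # Only currently enabled rules are selected, so the backup never contains rules
    # that were already disabled for other reasons.
    $rules = @(Get-NetFirewallRule -DisplayGroup $DisplayGroup -Direction $Direction -Action $Action -Enabled True)
    if (-not $rules) { Write-Warning 'No enabled rules match the filter.'; return }

    # Save Name, the stable identifier; DisplayName is localized and not unique.
    if ($PSCmdlet.ShouldProcess($BackupPath, "Save names of $($rules.Count) rules")) {
        $rules | Select-Object Name, DisplayName, DisplayGroup | Export-Csv -Path $BackupPath -NoTypeInformation
    }

    foreach ($rule in $rules) {
        # ShouldProcess turns -WhatIf into a dry run and -Confirm into a prompt per rule
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable firewall rule')) {
            $rule | Disable-NetFirewallRule
        }
    }
}

function Restore-FirewallRuleSet {
    param([Parameter(Mandatory)] [string] $BackupPath)
    $names = @(Import-Csv -Path $BackupPath | ForEach-Object Name)
    Enable-NetFirewallRule -Name $names
    # Verify: anything from the backup that is still disabled is returned here
    Get-NetFirewallRule -Name $names | Where-Object Enabled -eq 'False'
}

# Dry run first, then for real, then roll back using the saved list
Disable-FirewallRuleSet -BackupPath C:\temp\disabled-rules.csv -DisplayGroup 'Remote*' -WhatIf
Disable-FirewallRuleSet -BackupPath C:\temp\disabled-rules.csv -DisplayGroup 'Remote*'
Restore-FirewallRuleSet -BackupPath C:\temp\disabled-rules.csv
```

The same pattern applies to Remove-NetFirewallRule, with the difference that a backup of names is not enough to undo it; there you would export the full rule objects (for example with Export-Clixml) before deleting.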

2 Comments
  1. b2 2 years ago

    What PS command would you use to allow only the IPs in "myfile.txt" and block/deny all others, inbound and/or outbound? Thanks

    • Leos Marek (Rank 4) 2 years ago

      Something like this; you need to modify it according to your needs.

      New-NetFirewallRule -DisplayName myrule -Profile any -Name myrule -Direction Inbound -RemoteAddress (get-content c:\temp\myfile.txt) -Action Allow -Enabled true

      In general, you don't need to explicitly block traffic. If there is no rule, the traffic is not allowed.

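The New-NetFirewallRule one-liner in the reply above passes the file content to -RemoteAddress unchecked, so a stray line (a hostname, a comment, a typo) either makes the cmdlet fail or silently changes the scope. The following script is an added example and not part of the comment thread: it validates every entry as an IP address or CIDR subnet before creating the rule, and shows the profile setting the allow-list depends on. The file path, rule name, and function names are placeholders of my own.

```powershell
# Added example: build an inbound allow rule from a file of addresses, refusing
# entries that are not an IPv4/IPv6 address or a CIDR subnet.

function Test-AddressSpec {
    param([string] $Spec)
    # Accepts '10.0.0.5', '10.0.0.0/24', '2001:db8::1', '2001:db8::/32'.
    # Ranges ('a-b') and keywords such as 'LocalSubnet' are valid for the firewall
    # but deliberately rejected here, so the list stays limited to concrete addresses.
    $ip = $null
    if ($Spec -match '^(?<addr>[^/]+)(/(?<len>\d{1,3}))?$') {
        if (-not [System.Net.IPAddress]::TryParse($Matches.addr, [ref] $ip)) { return $false }
        if (-not $Matches.len) { return $true }
        $max = if ($ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        return ([int]$Matches.len -le $max)
    }
    return $false
}

function New-AllowListRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('TCP', 'UDP', 'Any')] [string] $Protocol = 'TCP',
        [string] $LocalPort = 'Any'
    )
    # Ignore blank lines and '#' comments, then sort the rest into good and bad entries
    $entries = Get-Content -Path $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
    $good = @($entries | Where-Object { Test-AddressSpec $_ })
    $bad  = @($entries | Where-Object { -not (Test-AddressSpec $_) })
    if ($bad)      { throw "Refusing to create rule '$Name'; invalid entries: $($bad -join ', ')" }
    if (-not $good) { throw "No addresses found in $Path" }

    $params = @{
        Name = $Name; DisplayName = $Name; Direction = 'Inbound'; Action = 'Allow'
        Enabled = 'True'; Profile = 'Any'; Protocol = $Protocol; RemoteAddress = $good
    }
    # LocalPort is only meaningful for TCP/UDP; New-NetFirewallRule rejects it otherwise
    if ($Protocol -ne 'Any') { $params.LocalPort = $LocalPort }
    New-NetFirewallRule @params
}

# The allow rule only restricts anything if the profile drops unmatched inbound traffic
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction

New-AllowListRule -Path C:\temp\myfile.txt -Name 'Allow-from-list' -Protocol TCP -LocalPort 3389
```

Note that the "no rule means not allowed" logic holds for the inbound direction with the usual DefaultInboundAction of Block; outbound traffic is allowed by default, so an outbound allow-list additionally needs the profile's DefaultOutboundAction set to Block (Set-NetFirewallProfile -DefaultOutboundAction Block), which affects every outbound connection on that profile.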
© 4sysops 2006 - 2023