20 January 2013

Managing the Windows Firewall with PowerShell

Using PowerShell to manage the Windows Firewall with Advanced Security is extremely handy when dealing with Server Core installations, and even more so when you are managing Hyper-V Server 2012.

In this article I will cover the following:
  • Checking the current firewall configuration
  • Changing the firewall configuration
  • Managing the firewall remotely
These are the basic things admins would be performing on machines whose firewalls are not configured through Group Policy.

Checking the Current Firewall Configuration
Before you make any changes to the firewall you should have a look at the current configuration.  There are a few ways of doing this, each with its own benefits. There are two functions that can be used to get this information:
  • Get-NetFirewallRule
  • Show-NetFirewallRule
Since we will really only be looking at a subset of the properties, either of these will work perfectly fine.  The two commands have different display options; hopefully this helps to show how everything fits together.

The properties we will be looking for are:
  • DisplayName
  • DisplayGroup
  • Enabled
  • Action

To see just this set of properties run the following command:


Get-NetFirewallRule | select-object DisplayName, DisplayGroup,Enabled,Action

To see all of the properties available run the following:

Get-NetFirewallRule | select-object *

To filter the output so you only see the rules that are enabled run the following:

Get-NetFirewallRule | select-object DisplayName, Enabled, Action | where {$_.enabled -eq "True"} | format-table -AutoSize

This now gives a nice concise list of the rules that are enabled and what they do.
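The listing above shows which rules are on, but not what they actually expose. The following is an added example (not from the original post) that narrows the check to the rules a defender cares about most: enabled inbound Allow rules, together with the local ports and protocol each one opens. It uses Get-NetFirewallPortFilter, another cmdlet from the same NetSecurity module that returns the port filter attached to a rule; the function name is made up for this example.

```powershell
# Added example, not from the original post.
# Audit enabled inbound "Allow" rules and the local ports they open.
# Get-NetFirewallPortFilter (NetSecurity module) returns the port/protocol
# filter associated with each rule passed down the pipeline.
function Get-EnabledInboundAllowRule {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName  = $_.DisplayName
                DisplayGroup = $_.DisplayGroup
                Profile      = $_.Profile          # Domain / Private / Public / Any
                Protocol     = $portFilter.Protocol
                # LocalPort may be a single value, a list, or "Any"
                LocalPort    = ($portFilter.LocalPort -join ',')
            }
        }
}

# Group the report by DisplayGroup so related rules sit together
Get-EnabledInboundAllowRule |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table -AutoSize
```

Rules whose LocalPort shows "Any" and whose Profile includes Public are the ones worth a second look; a rule that is enabled but scoped to the Domain profile only matters when the machine is on a domain network.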


Changing the firewall configuration

There are two functions that you would normally use for this:
  • Enable-NetFirewallRule
  • Disable-NetFirewallRule
To toggle a rule from Enabled to Disabled just switch the verb around.  Since a lot of the system rules work in groups, it is very convenient to enable all the rules in a group in one go.  The group property we will use is the DisplayGroup.  This is a "simple name" and much easier to work with.

To see the list of rules and display groups that are currently disabled run the following:

Get-NetFirewallRule | select-object displayName, DisplayGroup,Enabled | where {$_.enabled -eq "False"} | format-table -AutoSize

We will use the output of this command to create the enabling command.  Here you can see that the "Virtual Machine Monitoring" group contains 5 individual rules.


To turn all of these on run the following command:

Enable-NetFirewallRule -Displaygroup "Virtual Machine Monitoring"

The command does not output a result code, so it is best to check again with the previous command.  To disable the rules in the group again just switch the verb of the function as follows:

Disable-NetFirewallRule -Displaygroup "Virtual Machine Monitoring"

To enable or disable individual rules you can use the following commands:

Enable-NetFirewallRule -DisplayName "Virtual Machine Monitoring (RPC)"
Disable-NetFirewallRule -DisplayName "Virtual Machine Monitoring (RPC)"
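Because Enable-NetFirewallRule and Disable-NetFirewallRule return nothing on success, the only way to know the change took effect is to query again. The following is an added example (not from the original post) that wraps that check into one function: it records the state of every rule in the group, applies the change, re-queries, and returns a before/after row per rule. The function name and parameters are made up for this example.

```powershell
# Added example, not from the original post.
# Enable or disable a whole DisplayGroup and verify the result by re-querying,
# since the Enable/Disable cmdlets are silent on success.
function Set-FirewallRuleGroupState {
    param(
        [Parameter(Mandatory)] [string] $DisplayGroup,
        [Parameter(Mandatory)] [ValidateSet('Enable', 'Disable')] [string] $Action
    )

    # -ErrorAction Stop so a misspelt group name fails here, before any change
    $before = Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction Stop

    if ($Action -eq 'Enable') {
        Enable-NetFirewallRule -DisplayGroup $DisplayGroup
    } else {
        Disable-NetFirewallRule -DisplayGroup $DisplayGroup
    }

    # Re-query rather than trusting the objects captured before the change
    $after = Get-NetFirewallRule -DisplayGroup $DisplayGroup

    foreach ($rule in $after) {
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Before      = ($before | Where-Object Name -eq $rule.Name).Enabled
            After       = $rule.Enabled
        }
    }
}

# Usage: enable the group from the post and show what changed
Set-FirewallRuleGroupState -DisplayGroup 'Virtual Machine Monitoring' -Action Enable |
    Format-Table -AutoSize
```

Matching on the rule's Name (the internal identifier) rather than DisplayName keeps the before/after comparison correct even when two rules in a group share a display name.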

Managing the Firewall Remotely
There are obvious advantages to running all of these commands from a remote computer as opposed to being logged on at the actual console.  The two ways this can be done are:

  • PSSession - similar to Telnet / SSH
  • Invoking a command to a remote computer
To be able to work remotely the target machine needs to have PSRemoting enabled.  To do this simply execute:

Enable-PSRemoting

From your management machine you can now connect remotely to a session on the server by using:

Enter-PSSession <server-name>

From here you can now run all the commands as shown above.  I would however suggest using the second remote method as it gives you more flexibility and power.

From the management machine you will be invoking the command on the target machine.  For the examples below the target machine is named et-lab-fv01.

In its simplest form it looks as follows:

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object DisplayName, DisplayGroup, Enabled, Action}

As you can see, the actual command between the {} is the same as the first example.  That is what is being run on the remote computer.

One nice feature of doing this is that you can make use of the GridView output option to make things easier to keep track of and filter.

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object DisplayName, DisplayGroup, Enabled, Action} | Out-GridView

You can see just how useful the GridView is.

There is a limit to the number of columns you can send to the grid view.  For instance, if you would like to retrieve all the properties you would use the following.  If you have a look you will see a lot more columns, but the DisplayGroup column is not listed anywhere.

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object *} | Out-GridView

To really get everything, and even more functionality, output the result to a CSV file and import it into Excel.  The command to output to a file is as follows:

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object *} | Export-Csv c:\firewall.csv

The import into Excel now gives you the complete picture.


One other advantage of invoking commands is that they can be performed on multiple machines at the same time, so you can enable or disable a firewall rule group on multiple machines with a single command.  In this case the two machines are called et-lab-hv01 and et-lab-hv02.

Invoke-Command -computer et-lab-hv01,et-lab-hv02 {Enable-NetFirewallRule -Displaygroup "Virtual Machine Monitoring"}
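When a change fans out to several servers, the two things you want back are which hosts actually applied it and which could not be reached at all. The following is an added example (not from the original post) that runs the same Enable-NetFirewallRule call on a list of computers, returns the post-change state from each one, and folds connection failures into the same summary table instead of letting them scroll past as red text. The function name is made up for this example; the computer names are the ones used in the post.

```powershell
# Added example, not from the original post.
# Enable a rule group on several machines with one Invoke-Command, then
# summarise the result per host, including hosts that could not be reached.
function Enable-RemoteFirewallRuleGroup {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $DisplayGroup
    )

    # -ErrorVariable collects connection/remoting errors per host instead of
    # aborting the whole run when one machine is offline.
    $failed  = @()
    $results = Invoke-Command -ComputerName $ComputerName -ArgumentList $DisplayGroup `
        -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
            param($group)
            Enable-NetFirewallRule -DisplayGroup $group
            # Return the post-change state so the caller can verify it
            Get-NetFirewallRule -DisplayGroup $group |
                Select-Object DisplayName, Enabled
        }

    # Objects returned by Invoke-Command carry PSComputerName, so group on it
    foreach ($perHost in ($results | Group-Object PSComputerName)) {
        [pscustomobject]@{
            ComputerName = $perHost.Name
            RulesEnabled = ($perHost.Group | Where-Object Enabled -eq 'True').Count
            RulesTotal   = $perHost.Count
            Status       = 'OK'
        }
    }
    foreach ($err in $failed) {
        [pscustomobject]@{
            ComputerName = $err.TargetObject   # the host name for remoting errors
            RulesEnabled = 0
            RulesTotal   = 0
            Status       = "FAILED: $($err.Exception.Message)"
        }
    }
}

# Usage: the two Hyper-V hosts from the post
Enable-RemoteFirewallRuleGroup -ComputerName et-lab-hv01, et-lab-hv02 `
    -DisplayGroup 'Virtual Machine Monitoring' |
    Format-Table -AutoSize
```

A host that shows fewer RulesEnabled than RulesTotal after the run is the one to look at next; most often a rule in the group is being pinned by Group Policy, which the page's Enable/Disable cmdlets cannot override.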

If you would like to use the MMC console to get a better view of your remote server you will probably have to enable the Windows Firewall Remote Management rule group:

Enable-NetFirewallRule -Displaygroup "Windows Firewall Remote Management"
