Manage Windows Firewall with PowerShell

Refer to the NetSecurity module documentation for the full set of cmdlets available to manage Windows Firewall with PowerShell.

Firewall Profile

The Windows Firewall profile is enabled by default for Domain, Private and Public, with

  • Outbound connections = Allow (default)
  • Inbound connections = Block (default), with some core networking features allowed, like DHCP

Get-NetFirewallProfile | Select Name, Enabled

Third-party applications, like AnyDesk, automatically add their own rules during installation so that they keep working with Windows Firewall enabled

Get-NetFirewallRule | ? DisplayName -like "AnyDesk" | Select DisplayName, Profile, Enabled

DisplayName Profile Enabled
----------- ------- -------
AnyDesk     Private    True
AnyDesk     Private    True
AnyDesk      Domain    True
AnyDesk      Domain    True

The Windows Firewall profile applied to a connection is determined by the Network Connection Profile shown in Network and Sharing Center

# List the Active Network Connection Profile
Get-NetConnectionProfile
# List the Active Windows Firewall Profile
netsh advfirewall show currentprofile

Enable / Disable Firewall Profile

# Enable the firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
# Disable the firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

Predefined Firewall Rules / Groups

Several predefined firewall rule groups are provided by default

![Manage Windows Firewall with PowerShell](https://res.cloudinary.com/aventistech/image/upload/v1587189295/WINFirewall-02.png)

Check the firewall rules included in the predefined Remote Desktop group

Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select DisplayName

DisplayName
-----------
Remote Desktop - User Mode (TCP-In)
Remote Desktop - User Mode (UDP-In)
Remote Desktop - Shadow (TCP-In)

List the detailed configuration of a firewall rule

# Detailed configuration
Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"
# List the TCP / UDP ports defined for the rule
Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" | Get-NetFirewallPortFilter

Enable a predefined group to allow inbound connections

# TCP & UDP 3389
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True
# TCP 445, 139, UDP 137, 138, 5355 and RPC endpoint mapper
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True
# TCP 135
Set-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -Enabled True

New Inbound Firewall Rule

Create a new firewall rule with

  • Display Name = name identifying the purpose of the rule
  • Direction = Inbound / Outbound
  • Protocol = TCP, UDP, ICMPv4
  • Local Port = port allowed for inbound access
  • Remote Address = restrict access to certain IP ranges only
  • Action = Allow / Block

# Allow inbound TCP 8002 from 192.168.1.0/24 & 172.16.1.0/24 (the /24 prefix must be given, otherwise only the single .0 host addresses are matched)
New-NetFirewallRule -DisplayName "In-TCP-8002" -Direction Inbound -Protocol TCP -LocalPort 8002 -RemoteAddress 192.168.1.0/24,172.16.1.0/24 -Action Allow

# Allow inbound ping (ICMPv4 echo request, type 8)
New-NetFirewallRule -DisplayName "In-ICMPv4-PING" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow

Group Customized Firewall Rules

Create a new group called AVENTISLAB to hold all customized firewall rules for ease of management

# Move the ping rule created above into the AVENTISLAB group
$RuleName = "In-ICMPv4-PING"
$RuleGroup = "AVENTISLAB"
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object { $_.Group = $RuleGroup; Set-NetFirewallRule -InputObject $_ }

Customized firewall rules included in the AVENTISLAB group

Get-NetFirewallRule -DisplayGroup "AVENTISLAB" | Select DisplayName

DisplayName
-----------
In-TCP-8002
In-ICMPv4-PING
In-TCP-8000
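As an added example that is not part of the original article: an audit that lists every enabled inbound Allow rule, including ones added by third-party installers such as the AnyDesk rules shown earlier, and flags rules whose remote address is Any rather than a scoped range like the 192.168.1.0/24 example above. The function name Get-OpenInboundRule is my own; the cmdlets are the NetSecurity module's.

```powershell
# Added example (not from the original article): audit enabled inbound Allow rules
# and flag those open to any remote address, so they stand out for review.
function Get-OpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            # Port and address filters are separate objects associated with the rule
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Group         = $rule.DisplayGroup
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
                # 'Any' means no remote scoping at all
                OpenToAny     = ($addr.RemoteAddress -contains 'Any')
            }
        }
}

# Rules that accept inbound connections from any remote address, sorted by port
Get-OpenInboundRule | Where-Object OpenToAny | Sort-Object LocalPort |
    Format-Table DisplayName, Group, Profile, Protocol, LocalPort, RemoteAddress -AutoSize
```

Rules listed here that were not intentionally opened to the whole network are candidates for a narrower -RemoteAddress or for being disabled.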

Firewall Logs

Enable logging of allowed and dropped traffic to C:\Windows\system32\LogFiles\Firewall\pfirewall.log for the Private profile

Set-NetFirewallProfile -Name Private -LogFileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log -LogAllowed True -LogBlocked True

View the last ten log entries in real time, filtered to ALLOW traffic

Get-Content "C:\Windows\system32\LogFiles\Firewall\pfirewall.log" -Tail 10 -Wait | Select-String "ALLOW"

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2020-04-18 14:03:25 ALLOW UDP 10.3.3.248 10.3.3.11 53083 53 0 - - - - - - - SEND
2020-04-18 14:03:25 ALLOW UDP 10.3.3.248 10.3.3.12 53083 53 0 - - - - - - - SEND
2020-04-18 14:03:25 ALLOW UDP fe80::4042:88a7:cfd8:ef53 ff02::1:3 59227 5355 0 - - - - - - - SEND
