Saturday, July 6, 2013

Manage the Windows Firewall with Powershell

With the release of Windows Server 2012 and Windows 8, Microsoft has begun issuing the following warning when using NETSH to manage the firewall:

In future versions of Windows, Microsoft might remove the Netsh functionality
for Windows Firewall with Advanced Security.

Sounds like a good enough reason to learn how to manage the firewall with Powershell to me. Fortunately Microsoft has made welcome improvements to firewall management in Powershell for version 3. Let's do it.


  • Windows 2012 or Windows 8
  • Administrator access to the machine in question
  • Powershell run as administrator on the machine in question

CMDLets Involved

Powershell provides the following commands for firewall management:

Get-Command -Noun "*Firewall*"

As per normal, type get-help followed by the CMDLet name in question to get more information.

Common Examples

Below are some examples of common tasks you may wish to perform with Powershell:

Enable or Disable the Firewall

Enable the firewall on the DOMAIN profile:

Set-NetFirewallProfile -Profile Domain -Enabled True

Note that the -Enabled parameter does not accept the typical $True but rather True. False is also an option, and the other valid profiles are "Public" and "Private".

Enable a Group of Pre-Made Rules

Groups are sets of rules for a specific purpose. Windows ships with several; here are a few you may find useful:

Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)" -Enabled True
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True
Set-NetFirewallRule -DisplayGroup "Windows Remote Management" -Enabled True
Set-NetFirewallRule -DisplayGroup "Remote Administration" -Enabled True

To list all groups, see the item below.

List all current Rule Groups

# Collect every rule first, then list each distinct display group once
$rules=Get-NetFirewallRule
$DisplayGroups=foreach ($rule in $rules){$rule.displaygroup}
$DisplayGroups|Select-Object -Unique

Make a New Rule

New-NetFirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Direction Inbound -LocalPort 1194 -Protocol UDP -Action Allow
New-NetFirewallRule -DisplayName "Block Outbound itunes.exe" -Direction Outbound -Program "C:\Program Files\apple\itunes\itunes.exe" -Action Block

Enable or Disable an Existing Rule

Set-NetfirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Enabled True
Set-NetfirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests" -Enabled False

Delete a Rule

This will permanently delete a rule. To disable a rule instead, use the Set-NetFirewallRule command from the previous section.

Remove-NetfirewallRule -DisplayName "Allow Inbound OpenVPN Client Requests"

Get Firewall Profile Information

Get-NetFirewallProfile -name Domain

Manage Rules Remotely

Any of the commands can be used remotely by using the New-CimSession cmdlet. This also assumes you have already enabled the firewall rule group "Windows Firewall Remote Management" as listed above.

$TargetComputer=New-CIMSession -Computername MYCOMPUTER
Set-NetFirewallRule -DisplayGroup "Remote Event Log Management" -Enabled True -CimSession $TargetComputer
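
An idempotent take on the rule creation from "Make a New Rule" that also works through a CimSession like the one above. This is an added example, not code from the original post; the helper name Add-FirewallRuleOnce and the layout of its report are assumptions.

```powershell
# Added example, not from the original post. Add-FirewallRuleOnce is a hypothetical helper.
function Add-FirewallRuleOnce {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Rule,
        [Microsoft.Management.Infrastructure.CimSession]$CimSession
    )

    # Pass -CimSession through only when a remote session was supplied.
    $target = @{}
    if ($CimSession) { $target.CimSession = $CimSession }

    # DisplayName is not unique: running New-NetFirewallRule twice leaves two
    # rules, and Remove-NetFirewallRule -DisplayName deletes every match.
    $found = @(Get-NetFirewallRule -DisplayName $Rule.DisplayName -ErrorAction SilentlyContinue @target)

    if ($found.Count -eq 0) {
        $found = @(New-NetFirewallRule @Rule @target)
    }
    elseif ($found.Count -gt 1) {
        Write-Warning ("{0} rules share the display name '{1}'" -f $found.Count, $Rule.DisplayName)
    }

    # Report the effective scope of each match so it can be reviewed.
    foreach ($r in $found) {
        $port = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $r @target
        $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $r @target
        [pscustomobject]@{
            DisplayName   = $r.DisplayName
            Enabled       = $r.Enabled
            Profile       = $r.Profile
            Direction     = $r.Direction
            Action        = $r.Action
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

# The OpenVPN rule from "Make a New Rule", expressed as a splat table.
$openVpn = @{
    DisplayName = 'Allow Inbound OpenVPN Client Requests'
    Direction   = 'Inbound'
    Protocol    = 'UDP'
    LocalPort   = 1194
    Action      = 'Allow'
}

Add-FirewallRuleOnce -Rule $openVpn    # safe to run repeatedly
```

To run it against the remote machine, pass the session created above: Add-FirewallRuleOnce -Rule $openVpn -CimSession $TargetComputer.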

What About Windows Server 2008/7?

Unfortunately, this will only work in 2012, 8, or newer, even if you install Powershell 3.0 on previous versions. The NetSecurity module was newly introduced in 2012/8. If you want to manage the FW on older versions you'll need to use NETSH.

Tip o' the Iceberg!

So that's just a start to all the things we can do with powershell to manage the firewall. This article focuses on controlling one machine at a time so you'll most likely want to investigate controlling rules via group policy. Server 2012 introduces some very interesting tools for that as well. (Open-NetGPO!) For more information, see the links below and as always feel free to interact using the comments!

Further Reading

Technet: Windows Firewall with Advanced Security Administration with Windows Powershell
Let IT Know Blog: Manage Windows Firewall With Powershell 3
Microsoft Networking Blog: Deployment: Windows Firewall and Group Policy


Thomas Lee said...

These cmdlets are only available for Server 2012/Windows 8 or higher as they are bound to the OS, not just to Win 7. With Windows 7, even with PowerShell v4, you do not have these cmdlets.

Spamhater007 said...

Ignore Thomas Lee, as apparently he cannot read. In this article, the first paragraph states 2012/Win8. The end of the article states 2008/7 not supported.