Summary: Use Windows PowerShell to enable, disable, and configure firewall rules in Windows Server 2012 R2.
Hey, Scripting Guy!
I see there are some new Windows PowerShell cmdlets for managing the built-in Windows Server 2012 R2 firewall. Could you lend a friend a hand and give me some help in learning how to use them?
—JD
Hello JD,
Honorary Scripting Guy, Sean Kearney, is here, delving further into the wonderful world of Windows PowerShell and the new network cmdlets. This is the second part in a series called Windows PowerShell Network Week. You also might enjoy reading Windows Server 2012 R2 Network Cmdlets: Part 1.
Lend a hand? More than happy to! If there is anything I can do to help take away some stress from a fellow IT pro through Windows PowerShell, I’m quite happy to oblige.
So first, let’s do something fairly simple. We’ll pull up a list of the firewall rules with the Get-NetFirewallRule cmdlet:
Get-NetFirewallRule
...and as I watch twelve hundred lines of raw data fly by, I realize that wasn’t such a bright idea. So we’ll pipe the output to Format-Table and make this a bit more viewable:
Get-NetFirewallRule | Format-Table
I initially decided to filter on only those that were Enabled. But seeing True and False in the output, I “assumed” it was Boolean. So I tried this line:
Get-NetFirewallRule | Where { $_.Enabled -eq $TRUE }
As you can see, that didn’t work very well. So turn the brain back on and run the output through Get-Member to see what the output actually is. I gave this a quick shot. Perhaps a string with the word True? Naaaaaahhhhh…
Get-NetFirewallRule | Where { $_.Enabled -eq 'TRUE' }
Victory!
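The reason the second attempt works is that Enabled on a firewall rule object is an enumeration whose values render as True and False, not a [bool], so a string comparison converts cleanly while the Boolean one does not. The following is an added example (not code from the original post) that confirms the property type with Get-Member and then turns the same filter into a small audit: a per-profile summary of rule state, and the list of enabled inbound Allow rules, which are the ones that actually widen the attack surface. The function name Get-FirewallRuleSummary is my own.

```powershell
# Confirm the type of Enabled on one rule object (an enum, not a [bool]).
Get-NetFirewallRule | Select-Object -First 1 | Get-Member -Name Enabled

function Get-FirewallRuleSummary {
    # Count rules by profile, direction, action and enabled state so that
    # an unexpected block of enabled inbound rules stands out at a glance.
    [CmdletBinding()]
    param()

    Get-NetFirewallRule |
        Group-Object -Property Profile, Direction, Action, Enabled |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Profile   = $first.Profile
                Direction = $first.Direction
                Action    = $first.Action
                Enabled   = $first.Enabled
                Count     = $_.Count
            }
        } |
        Sort-Object Profile, Direction, Action, Enabled
}

Get-FirewallRuleSummary | Format-Table -AutoSize

# The cmdlet's own -Enabled/-Direction/-Action parameters filter server-side,
# so there is no need for Where-Object once you know the values are enum strings.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName, Profile -AutoSize
```

Run this before and after a change window and diff the two summaries; a rule that flipped from False to True without a matching change record is worth a look.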
So how about getting those rules grouped by type? We have Domain, Public, and Private profiles. How would you know if somebody created a custom profile? We can access that information with the Get-NetFirewallProfile cmdlet:
Get-NetFirewallProfile | Format-Table
We can even take this and filter on only Private and show the firewall rules within that criteria:
Get-NetFirewallProfile -Name 'Private' | Get-NetFirewallRule
But working with the firewall isn’t only about whether auditing has been enabled (although that is certainly handy to know). Sometimes you have to quickly enable some built-in firewall rules. For example, if the Hyper-V rules on your server weren’t enabled, you could first find all the rules based on Hyper-V:
Get-NetFirewallRule -DisplayGroup *Hyper-V*
This would show all rules within any DisplayGroup that has Hyper-V anywhere in its name. If you want to ensure those rules are enabled, you could pipe them to the Set-NetFirewallRule cmdlet:
Get-NetFirewallRule -DisplayGroup *Hyper-V* | Set-NetFirewallRule -Enabled True
Now here’s why I love Windows PowerShell for working with the firewall. Netsh.exe worked. But Windows PowerShell works EASILY!
Here’s one task I am forever doing on computers running SQL Server after an installation, because Port 1433 needs to be opened in my labs. I used to go into the GUI and “clickety clickety clickety…oops…clickety clickety…” But in Windows Server 2012 R2, I can simply use the New-NetFirewallRule cmdlet.
We’re going to enable Port 1433 as an inbound rule, and name it SQL Inbound. Don’t blink because it will be done before you know it.
New-NetFirewallRule -Name 'SQL Inbound' -DisplayName 'SQL Inbound' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 -Enabled True
This was cool. But of course, I can easily disable it by doing this:
Get-NetFirewallRule 'SQL Inbound' | Disable-NetFirewallRule
I could even easily remove it in this manner:
Get-NetFirewallRule 'SQL Inbound' | Remove-NetFirewallRule
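The one-liner above opens TCP/1433 on every profile and from every remote address, which is fine for a throwaway lab but not for anything that stays on the network. The following is an added example (not code from the original post) that wraps the same New-NetFirewallRule call in a function that scopes the rule to a management subnet and to the Domain and Private profiles, skips creation if the rule already exists, supports -WhatIf, and verifies the scope that actually landed. The function name New-SqlInboundRule, the subnet 10.10.20.0/24 and the description text are my own constructed values.

```powershell
function New-SqlInboundRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]   $Name = 'SQL Inbound',
        [int]      $Port = 1433,
        # Constructed lab management subnet; 'Any' would expose the listener
        # to every network the server is attached to.
        [string[]] $RemoteAddress = @('10.10.20.0/24'),
        # Keep the port closed on Public networks.
        [string[]] $FirewallProfile = @('Domain', 'Private')
    )

    # Idempotent: a second run reports the existing rule instead of erroring.
    $existing = Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$Name' already exists; leaving it unchanged."
        return $existing
    }

    if ($PSCmdlet.ShouldProcess($Name, "Create inbound TCP/$Port allow rule")) {
        New-NetFirewallRule -Name $Name -DisplayName $Name `
            -Description "Allow SQL Server TCP/$Port from $($RemoteAddress -join ', ')" `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
            -RemoteAddress $RemoteAddress -Profile $FirewallProfile -Enabled True
    }
}

# Dry run first, then create, then confirm the scope that was applied.
New-SqlInboundRule -WhatIf
$rule = New-SqlInboundRule -Verbose
$rule | Get-NetFirewallAddressFilter | Format-List RemoteAddress
$rule | Get-NetFirewallPortFilter    | Format-List Protocol, LocalPort
$rule | Format-List Name, Profile, Direction, Action, Enabled

# Tear down when the lab is finished (the same pipeline the post uses).
Get-NetFirewallRule -Name 'SQL Inbound' | Disable-NetFirewallRule
Get-NetFirewallRule -Name 'SQL Inbound' | Remove-NetFirewallRule
```

Note that -Name is the rule's identifier and must be unique, while -DisplayName is only the label shown in the GUI; Get-NetFirewallRule with a positional argument, as in the post, matches on -Name.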
Let’s imagine a scenario where the rule exists, but you don’t know the name. I would say that’s more typical if you’re a consultant walking in. Somebody says, “Show me any firewall rules that exist that enable Port 1433, and do it quickly!”
If you run the Get-NetFirewallPortFilter cmdlet, you can see all of the ports that are already defined in the Windows Server 2012 R2 firewall:
Get-NetFirewallPortFilter
You can take this output, and filter it down to what you want:
Get-NetFirewallPortFilter -Protocol TCP | Where { $_.LocalPort -eq '1433' }
Then pipe that into the Get-NetFirewallRule cmdlet:
Get-NetFirewallPortFilter -Protocol TCP | Where { $_.LocalPort -eq '1433' } | Get-NetFirewallRule
Now you’re cooking!
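The port-filter-to-rule pipeline above answers "which rules mention this port", but for the consultant walking in the follow-up question is "and which of them are enabled, inbound, allow, and reachable from where". The following is an added example (not code from the original post) that builds on that same pipeline and joins each rule with its address filter so the answer comes out as one table, with a flag on any Allow rule whose remote scope is Any. The function name Get-FirewallRuleForPort and the OpenToAny column are my own.

```powershell
function Get-FirewallRuleForPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int] $Port,
        [string] $Protocol = 'TCP'
    )

    Get-NetFirewallPortFilter -Protocol $Protocol |
        Where-Object {
            # LocalPort is string-valued and may hold a range such as
            # '1433-1434' or the word 'Any'; match the single port exactly here.
            $_.LocalPort -eq "$Port"
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                Enabled       = $_.Enabled
                Action        = $_.Action
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ', ')
                # An enabled Allow rule open to any address is the review item.
                OpenToAny     = ($_.Enabled -eq 'True' -and
                                 $_.Action -eq 'Allow' -and
                                 $addr.RemoteAddress -contains 'Any')
            }
        }
}

Get-FirewallRuleForPort -Port 1433 | Format-Table -AutoSize

# Across a fleet, run it remotely and keep only the flagged rows.
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-FirewallRuleForPort} -ArgumentList 1433 |
#     Where-Object OpenToAny
```

Rules whose LocalPort is a range that happens to include the port will not match the exact comparison; widen the Where-Object if you need those as well.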
Pop back in tomorrow, JD, and I’ll throw more hot cmdlets on the grill!
I invite you to follow The Scripting Guys on Twitter and Facebook. If you have any questions, send an email to The Scripting Guys at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, remember to eat your cmdlets each and every day with a tasty dash of creativity.
Sean Kearney, Windows PowerShell MVP, Honorary Scripting Guy