Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to work with Windows Firewall on Windows 8 and Windows Server 2012.
Microsoft Scripting Guy, Ed Wilson, is here. The Scripting Wife returned home from the Windows PowerShell Saturday #003 event in Atlanta, Georgia, last night, and she was exhausted—happy, but exhausted. First of all, we had pre-ordered a Surface for her that was delivered after she left for Alpharetta, but PowerShell MVP Jim Christopher came to the rescue. Jim was kind enough to stop by the house, pick up the Surface, and hand deliver it to the Scripting Wife Friday evening. Speaking of rescue and speaking (pun intended), I want to heartily thank Glenn Sizemore and Robert Cain for delivering the two sessions that I had planned on presenting. I hear both gentlemen did a wonderful job. The event was packed, and Mark Schill and the crew did a fantastic job organizing a flawless Windows PowerShell Saturday. Well done.
If you follow the Scripting Wife on Facebook or Twitter, you know I have not been able to eat or drink anything hot for a week—that means no hot tea—and it has been driving me crazy. So, I am sitting on the lanai sipping a cool glass of water—not quite the same as English Breakfast Tea—not by a long shot.
Anyway, one of the things I have wanted to play with is the cmdlets for Windows Firewall. With nothing on the agenda but a murder mystery, written by my good friend and mentor Jaden Terrell, and a glass of cool water, today is the day.
Windows 8 Firewall cmdlets—a quick look
I am a huge fan of Windows Firewall because it works well, provides a measure of in-depth security, and comes with the operating system. In fact, I rarely find firewall-related issues, and, therefore, I do not turn it off—in fact, I leave it running on both the desktop and the server.
The first thing to do when working with the firewall is to determine the network connection profile because this determines the way the firewall policies work. In Windows 8 and Windows Server 2012, the Get-NetConnectionProfile cmdlet is extremely useful for this task. I first enumerate my network adapters, find the ones that are up, and then get the network connection profile. The commands are shown here.
Note: I use the error action of 0 to remove errors about connection profiles for virtual adapters that are not connected to a network but are considered to be up. I also use the simple Where-Object syntax (? is an alias for the Where-Object cmdlet). Keep in mind when working with Windows PowerShell cmdlets that you have tab completion, and it greatly simplifies typing commands.
PS C:\> Get-NetAdapter | ? status -EQ 'up' | Get-NetConnectionProfile -ea 0
Name : Unidentified network
InterfaceAlias : vEthernet (InternalSwitch)
InterfaceIndex : 19
NetworkCategory : Public
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic

Name : iammred.net
InterfaceAlias : vEthernet (External Switch)
InterfaceIndex : 23
NetworkCategory : DomainAuthenticated
IPv4Connectivity : Internet
IPv6Connectivity : LocalNetwork
To find the names and the status of the various Windows Firewall profiles, I use the Get-NetFirewallProfile cmdlet. I pipe the results to the Format-Table cmdlet (ft is the alias), and I choose only the name and the enabled properties. I then use the autosize switch to tighten up the display. The command and results are shown here.
PS C:\> Get-NetFirewallProfile | ft name, enabled -auto
name Enabled
---- -------
Domain True
Private True
Public True
Now for the first frustration: Except for the public network category, the value of the network category and the name of the firewall profile do not match up, which prevents piping. In this case, I cannot use Get-NetAdapter to get my network adapters, pipe the results to the Get-NetConnectionProfile cmdlet, and then pipe those results to the Get-NetFirewallProfile cmdlet. However, I can focus on the details of a specific firewall profile. Here are the details of the public network profile.
PS C:\> Get-NetFirewallProfile public
Name : Public
Enabled : True
DefaultInboundAction : NotConfigured
DefaultOutboundAction : NotConfigured
AllowInboundRules : NotConfigured
AllowLocalFirewallRules : NotConfigured
AllowLocalIPsecRules : NotConfigured
AllowUserApps : NotConfigured
AllowUserPorts : NotConfigured
AllowUnicastResponseToMulticast : NotConfigured
NotifyOnListen : True
EnableStealthModeForIPsec : NotConfigured
LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log
LogMaxSizeKilobytes : 4096
LogAllowed : False
LogBlocked : False
LogIgnored : NotConfigured
DisabledInterfaceAliases : {NotConfigured}
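An added example (not from the original post) that works around the mismatch described above: it maps each active connection's NetworkCategory to a firewall profile name and reports the settings a reviewer usually checks first. The function name Get-ActiveFirewallProfile and the lookup table are assumptions made for this example.

```powershell
function Get-ActiveFirewallProfile {
    [CmdletBinding()]
    param()

    # Lookup table built for this example: NetworkCategory value -> firewall profile name.
    $categoryToProfile = @{
        'Public'              = 'Public'
        'Private'             = 'Private'
        'DomainAuthenticated' = 'Domain'
    }

    # Same pipeline as in the post: adapters that are up, then their connection profiles.
    $connections = Get-NetAdapter |
        Where-Object Status -EQ 'Up' |
        Get-NetConnectionProfile -ErrorAction SilentlyContinue

    foreach ($conn in $connections) {
        $profileName = $categoryToProfile[[string]$conn.NetworkCategory]
        if (-not $profileName) {
            # Surface an unmapped category instead of silently skipping the interface.
            Write-Warning "No firewall profile mapping for category '$($conn.NetworkCategory)'"
            continue
        }

        $fw = Get-NetFirewallProfile -Name $profileName

        # One row per connected interface, joined to the profile that applies to it.
        [pscustomobject]@{
            InterfaceAlias       = $conn.InterfaceAlias
            NetworkCategory      = $conn.NetworkCategory
            FirewallProfile      = $fw.Name
            Enabled              = $fw.Enabled
            DefaultInboundAction = $fw.DefaultInboundAction
            LogBlocked           = $fw.LogBlocked
            LogFileName          = $fw.LogFileName
        }
    }
}

Get-ActiveFirewallProfile | Format-Table -AutoSize
```

Values of NotConfigured come from the local store that Get-NetFirewallProfile reads by default; adding -PolicyStore ActiveStore to that call returns the effective settings after Group Policy is applied.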
The cool thing is that the Get-NetFirewallProfile cmdlet accepts an array for the profile name. Therefore, I can use a command something like the one appearing here.
Get-NetFirewallProfile domain,private,public
Even better, the Get-NetFirewallProfile cmdlet accepts wildcards. Therefore, I can use a command something like this one.
Get-NetFirewallProfile d*,p*
One problem with the firewall cmdlets is that they are all part of the massive NetSecurity module—a module that supplies 84 cmdlets and functions. I found this out by using the command shown here.
PS C:\> (gcm -Module netsecurity).count
84
Further, there are no aliases for any of the commands in the NetSecurity module. This is revealed by the command shown here.
gcm -Module netsecurity | % {gal -Definition $_.name -ea 0}
Besides no aliases for the firewall cmdlets, all of the names are pretty long, and due to the naming convention, tab expansion for the cmdlet names is not very efficient either. The 27 cmdlets appear here (sorted by name because the verb and noun are not exposed through Get-Command).
PS C:\> gcm -noun *fire* | sort name | select name
Name
----
Copy-NetFirewallRule
Disable-NetFirewallRule
Enable-NetFirewallRule
Get-NetFirewallAddressFilter
Get-NetFirewallApplicationFilter
Get-NetFirewallInterfaceFilter
Get-NetFirewallInterfaceTypeFilter
Get-NetFirewallPortFilter
Get-NetFirewallProfile
Get-NetFirewallRule
Get-NetFirewallSecurityFilter
Get-NetFirewallServiceFilter
Get-NetFirewallSetting
New-NetFirewallRule
Remove-NetFirewallRule
Rename-NetFirewallRule
Set-NetFirewallAddressFilter
Set-NetFirewallApplicationFilter
Set-NetFirewallInterfaceFilter
Set-NetFirewallInterfaceTypeFilter
Set-NetFirewallPortFilter
Set-NetFirewallProfile
Set-NetFirewallRule
Set-NetFirewallSecurityFilter
Set-NetFirewallServiceFilter
Set-NetFirewallSetting
Show-NetFirewallRule
Because of the naming convention, when using tab expansion, I have to type NetFirewall, and then a letter, such as P or R or S, to get close to the actual function name. If I type NetF and press tab, I have to cycle through the commands to find the function name I'm looking for.
Note: If your duties require you to spend much time working with the firewall cmdlets, I recommend that you create your own series of aliases for the functions with which you regularly work. Store these aliases in a module that you can load on demand or in your profile, if you wish to have them at hand.
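One way to build the alias module recommended in the note, as an added example that is not from the original post. The file name FirewallAliases.psm1 and the alias names (gfwp, gfwr, and so on) are hypothetical choices. Because PowerShell resolves aliases before functions and cmdlets, the module refuses to create an alias whose name already resolves to a command.

```powershell
# FirewallAliases.psm1 (hypothetical file name)
# Load with: Import-Module .\FirewallAliases.psm1

# Alias -> NetSecurity function. The alias names are illustrative choices.
$aliasMap = [ordered]@{
    gfwp = 'Get-NetFirewallProfile'
    sfwp = 'Set-NetFirewallProfile'
    gfwr = 'Get-NetFirewallRule'
    nfwr = 'New-NetFirewallRule'
    efwr = 'Enable-NetFirewallRule'
    dfwr = 'Disable-NetFirewallRule'
}

$created = @(
    foreach ($entry in $aliasMap.GetEnumerator()) {
        # Only alias commands that really come from the NetSecurity module.
        $target = Get-Command -Name $entry.Value -Module NetSecurity -ErrorAction SilentlyContinue
        if (-not $target) {
            Write-Warning "Skipping '$($entry.Key)': $($entry.Value) not found in NetSecurity"
            continue
        }

        # Do not shadow an existing alias, function, cmdlet, or executable.
        if (Get-Command -Name $entry.Key -ErrorAction SilentlyContinue) {
            Write-Warning "Skipping '$($entry.Key)': name already resolves to a command"
            continue
        }

        Set-Alias -Name $entry.Key -Value $entry.Value
        $entry.Key   # collect the alias names that were actually created
    }
)

# Export only the aliases that passed both checks.
if ($created.Count -gt 0) {
    Export-ModuleMember -Alias $created
}
```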
That is a quick overview of the firewall functions. Hope all is well with you, and happy scripting.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy