Create Firewall Rule


This topic contains 3 replies, has 3 voices, and was last updated by Michael Craig 4 years ago.

  • #9901

    Michael Craig


    I'm attempting to use Powershell v3 (on Windows 2008R2) to create a new firewall rule.
    I've found that the helpful new cmdlets only work on Win2k12 or Win8. So I'm trying to find a way using Powershell v2.

    Does anyone have a quick script they can share? Otherwise here is what I'm working with so far, with little success.

    # Loads the ServerManager cmdlets (not required for the registry write below)
    Import-Module ServerManager

    # Registry paths need the provider drive prefix (HKLM:\), not the raw hive name
    $FWPath = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    # Each value is a pipe-delimited rule string in the same format GPO-managed rules use
    New-ItemProperty -Path $FWPath -Name TEST_Allow_Secure_HTTPS_Ports -Type String -Value 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1443,2443,3443,4443,5443,6443,7443,8443,9443|App=System|Name=@%windir%\system32\inetsrv\iisres.dll,-30502|Desc=@%windir%\system32\inetsrv\iisres.dll,-30512|EmbedCtxt=@%windir%\system32\inetsrv\iisres.dll,-30503|'

  • #9902

    Don Jones

    Yeah, so, you've figured this out, but for the benefit of anyone running across this...

    The version of PowerShell you use doesn't necessarily confer specific capabilities. Capability is part of the OS version. So on Win2012/Win8, you get more commands – therefore, more capability – than you do on older versions of Windows, regardless of which PowerShell version you're using. So whether you're using PowerShell v3 or v2 doesn't matter. Neither of them come with firewall commands. Win2012 comes with firewall commands.

    Have you considered looking at the "netsh advfirewall" command? – intended to offer command-line management of the firewall, and completely usable from Cmd.exe or from PowerShell. I don't think it's strictly recommended that you hack the registry directly – my impression has always been that's there mainly for use by GPO-based firewall management.

  • #9903

    Richard Siddaway

    You can also use the HNetCfg.FwMgr COM object
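    Richard's pointer worked out as an added example (not code from this thread): the HNetCfg.FwPolicy2 COM object, the Advanced Security sibling of HNetCfg.FwMgr, is available on Windows 2008 R2 without the Win2012 cmdlets. Rule names and ports follow the thread; the Grouping and Profiles values are my assumptions, and the script must run elevated.

```powershell
# Added example: create inbound TCP allow rules through the Windows Firewall COM API.
# Rule names "VCI: Allow HTTPS <port>" and the port list follow the thread; nothing here
# is the original poster's code.
$ports = 1443, 2443, 3443

# INetFwPolicy2 exposes the rule collection of Windows Firewall with Advanced Security.
$policy = New-Object -ComObject HNetCfg.FwPolicy2

foreach ($port in $ports) {
    $name = "VCI: Allow HTTPS $port"

    # Idempotency check: Rules.Item() throws when the name is unknown, so filter instead.
    $existing = @($policy.Rules | Where-Object { $_.Name -eq $name })
    if ($existing.Count -gt 0) {
        Write-Verbose "Rule '$name' already exists, skipping"
        continue
    }

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name        = $name
    $rule.Description = "Allow inbound TCP $port (created by script)"
    $rule.Protocol    = 6          # NET_FW_IP_PROTOCOL_TCP; must be set before LocalPorts
    $rule.LocalPorts  = "$port"
    $rule.Direction   = 1          # NET_FW_RULE_DIR_IN
    $rule.Action      = 1          # NET_FW_ACTION_ALLOW
    $rule.Enabled     = $true
    # Assumed scope: Domain (1) + Private (2) profiles only, so the port stays closed on Public
    $rule.Profiles    = 3
    $rule.Grouping    = "VCI"      # assumed group label, makes the rules easy to audit later

    $policy.Rules.Add($rule)
    Write-Verbose "Created rule '$name'"
}
```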

  • #9904

    Michael Craig

    Thanks Richard, I had tried going down that path but it seemed far more difficult than necessary.
    Thanks, Don, I went with the NetSH approach as suggested. I initially looked at this, but was hoping to find a more powershell-ish way of doing this.
    Just in case someone else needs an example in the future, here is what I ended up doing:

    # Set firewall to allow the secure ports listed below (one rule per port)
    1443, 2443, 3443 | ForEach-Object {
        Write-Verbose "Firewall: Checking if secure port is allowed: $_"
        # netsh prints the rule details if it exists, or "No rules match the specified criteria."
        $ruleExist = (netsh advfirewall firewall show rule name="VCI: Allow HTTPS $_")
        if ($ruleExist -cmatch "HTTPS $_") {
            Write-Verbose "Port $_ rule already exists"
        } else {
            Write-Verbose "Port $_ missing, creating firewall rule"
            netsh advfirewall firewall add rule name="VCI: Allow HTTPS $_" dir=in action=allow enable=yes localip=any localport=$_ protocol=TCP
        }
    }