The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

    • RT @samgerrits: Caroline en asielzoekers, een tweeluik. Links: dwepen met een speldje gekregen van een Iraanse asielzoeker, rechts: nou ja… 3 hours ago
    • RT @delphijunkie: Yeah, nah. I'm good thanks Twitter. https://t.co/eTMPUoeSEa 3 hours ago
    • RT @d_feldman: Microsoft: We have world class AI research Google: We have world class AI research Meta: We’re one or two steps behind in AI… 4 hours ago
    • RT @SchipholWatch: Op dit moment is kerosine zo’n tien keer goedkoper dan alternatieve synthetische brandstof. De overheid moet dit prijsve… 4 hours ago
    • RT @jasongorman: One aspect of LLMs many folks overlook is the energy cost of training one. GPT-3 used an ~936 MWh and training it took 102… 4 hours ago

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,178 other subscribers
«
»

PowerShell: working around Get-NetFirewallRule not showing all the fields that Set-NetFirewallRule allows you to set

Posted by jpluimers on 2022/10/26

With APIs, you always hope that Get and Set methods mirror each other. More often than not, they don’t.

Take for instance these two:

They are far from symmetric: [Wayback/Archive] Get-NetFirewallRule shows far less than [Wayback/Archive] Set-NetFirewallRule allows you to set (first and foremost the various port related properties). It can be worked around though.

There are a few posts discussing this, of which I think these two are the most important:

Both above posts via [Wayback/Archive] “Get-NetFirewallRule” “LocalPort” – Google Search.

This is what I was after:

PowerShell "Get-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-TCP' | Select-Object Name,DisplayName,Enabled,Direction,@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},Action,@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}"

Or actually:

PowerShell "Get-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-TCP' -ErrorAction SilentlyContinue | Select-Object Name,DisplayName,Enabled,Direction,@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},Action,@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}"

Let me explain this:

  1. Get-NetFirewallRule gets a firewall rule with a specific name, but can only get you a few properties that can be set through Set-NetFirewallRule. Name,DisplayName,Enabled,Direction are properties it understands. Protocol and LocalPort aren’t, but are often of interest.
  2. Get-NetFirewallPortFilter can get you both Protocol and LocalPort.
  3. There are more functions named like Get-NetFirewall*Filter, all of which require an -AssociatedNetFirewallRule <CimInstance> (or an -All) parameter which is what Get-NetFirewallRule returns. This way you can retrieve details not provided by Get-NetFirewallRule.
  4. The portions like @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}} returns one property, in this case the Protocol property from Get-NetFirewallPortFilter returned as Protocol (the latter can be different if you want; the former needs to be Protocol).
  5. The -ErrorAction SilentlyContinue bit is to prevent this kind of exception when no -Name matches:
    Get-NetFirewallRule : No MSFT_NetFirewallRule objects found with property 'InstanceID' equal to
'RemoteDesktop-UserMode-In-TCP_'.  Verify the value of the property and retry.
At line:1 char:1
+ Get-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-TCP_'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (RemoteDesktop-UserMode-In-TCP_:String) [Get-NetFirewallRule], CimJobExc
   eption
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_InstanceID,Get-NetFirewallRule
    When the exception occurs, the execution continues, but since no object is returned the | pipe will not execute and no details are returned.

    I got this trick from [Wayback/Archive] firewall – How can I stop the Powershell command `Get-NetFirewallRule` from throwing an error? – Stack Overflow (thanks [Wayback/Archive] Pure.Krome and [Wayback/Archive] arco444)

Notes:

  • 3. also allows Get-NetFirewallRule to search for a group, then get all the firewall rules out of them, for instance with
    Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | ForEach-Object { Write-Host $_.DisplayName ; Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_ }
  • 4. also works the other way around, but only if you have elevated using an administrative token. The below lists all firewall rules involving port 3389 (Remote Desktop Protocol):
    PowerShell "Get-NetFirewallPortFilter | Where LocalPort -eq 3389 | Get-NetFirewallRule"

    Even a plain Get-NetFirewallPortFilter will get you an error without elevation:

    Get-NetFirewallPortFilter : Access is denied.
At line:1 char:1
+ Get-NetFirewallPortFilter
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_NetProtocolPortFilter:root/standardci...tocolPortFilter) [Get-Ne
   tFirewallPortFilter], CimException
    + FullyQualifiedErrorId : Windows System Error 5,Get-NetFirewallPortFilter

You might want to return more details than just Protocol and Localport, so I dug around and made the below table to document the asymmetry.

Documenting the asymmetry

For documentation purposes, below is what Set-NetFirewallRule and Get-NetFirewallRule allow you to set and get.

All methods are in the [Wayback/Archive] NetSecurity Module | Microsoft Docs.

Set-NetFirewallRule Get-NetFirewallRule 

Set-NetFirewallRule
   [-Name] <String[]>
   [-PolicyStore ]
   [-GPOSession ]
   [-NewDisplayName ]
   [-Description ]
   [-Enabled ]
   [-Profile ]
   [-Platform <String[]>]
   [-Direction ]
   [-Action ]
   [-EdgeTraversalPolicy ]
   [-LooseSourceMapping ]
   [-LocalOnlyMapping ]
   [-Owner ]
   [-LocalAddress <String[]>]
   [-RemoteAddress <String[]>]
   [-Protocol ]
   [-LocalPort <String[]>]
   [-RemotePort <String[]>]
   [-IcmpType <String[]>]
   [-DynamicTarget ]
   [-Program ]
   [-Package ]
   [-Service ]
   [-InterfaceAlias <WildcardPattern[]>]
   [-InterfaceType ]
   [-LocalUser ]
   [-RemoteUser ]
   [-RemoteMachine ]
   [-Authentication ]
   [-Encryption ]
   [-OverrideBlockRules ]
   [-CimSession <CimSession[]>]
   [-ThrottleLimit ]
   [-AsJob]
   [-PassThru]
   [-WhatIf]
   [-Confirm]
   []

   TypeName: Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule [Wayback/Archive]

Name
PolicyStoreSource/PolicyStoreSourceType

DisplayName (based on ElementName)
Description
Enabled
Profiles -> Profiles
Platform -> Platforms
Direction
Action
EdgeTraversalPolicy
LooseSourceMapping
LocalOnlyMapping
Owner

This is what is missing from Get-NetFirewallRule when compared to Set-NetFirewallRule:

   [-GPOSession ]
   [-LocalAddress <String[]>]
   [-RemoteAddress <String[]>]
   [-Protocol ]
   [-LocalPort <String[]>]
   [-RemotePort <String[]>]
   [-IcmpType <String[]>]
   [-DynamicTarget ]
   [-Program ]
   [-Package ]
   [-Service ]
   [-InterfaceAlias <WildcardPattern[]>]
   [-InterfaceType ]
   [-LocalUser ]
   [-RemoteUser ]
   [-RemoteMachine ]
   [-Authentication ]
   [-Encryption ]
   [-OverrideBlockRules ]
   [-ThrottleLimit ]
   [-AsJob]
   [-PassThru]
   [-WhatIf]
   [-Confirm]

I listed all Get-NetFirewall*Filter methods and their properties to get at this table of how to get all of the properties settable by Set-NetFirewallRule:

Get-NetFirewall* method Set-NetFirewallRule compatible properties provided by it
[Wayback/Archive]

Get-NetFirewallRule
 
Name
PolicyStoreSource
DisplayName
Description
Enabled
Profile
Platform
Direction
Action
EdgeTraversalPolicy
LooseSourceMapping
LocalOnlyMapping
Owner
[Wayback/Archive]

Get-NetFirewallAddressFilter
 
LocalAddress
RemoteAddress
[Wayback/Archive]

Get-NetFirewallPortFilter
 
Protocol
LocalPort
RemotePort
IcmpType
DynamicTarget
[Wayback/Archive]

Get-NetFirewallApplicationFilter
 
Program
Package
[Wayback/Archive]

Get-NetFirewallServiceFilter
 
Service
[Wayback/Archive]

Get-NetFirewallInterfaceFilter
 
InterfaceAlias
[Wayback/Archive]

Get-NetFirewallInterfaceTypeFilter
 
InterfaceType
[Wayback/Archive]

Get-NetFirewallSecurityFilter
 
LocalUser
RemoteUser
RemoteMachine
Authentication
Encryption
GetCimSessionComputerName
GetCimSessionInstanceId

I could not find ways to retrieve these Set-NetFirewallRule parameters from Get-NetFirewallRule* methods:

   [-Name] <String[]>
   [-PolicyStore ]
   [-GPOSession ]
   [-OverrideBlockRules ]
   [-ThrottleLimit ]
   [-AsJob]
   [-PassThru]
   [-WhatIf]
   [-Confirm]
   []

Vice versa, I could not find these properties returned from Get-NetFirewallRule in the Set-NetFirewallRule parameters:

Caption
CommonName                (ignored)
ConditionListType         (ignored)
CreationClassName
DisplayGroup              (based on RuleGroup)
ElementName               (base for DisplayName)
ExecutionStrategy         (ignored)
InstanceID                (of the PolicyStore)
Mandatory                 (ignored)
PolicyDecisionStrategy    (ignored)
PolicyKeywords            (ignored)
PolicyRoles               (ignored)
PolicyRuleName            (reserved for internal use)
Priority                  (ignored)
PSComputerName            (PowerShell specific)
RuleGroup
RuleUsage                 (ignored)
SequencedActions          (ignored)
StatusCode
SystemCreationClassName   (reserved for internal use)
SystemName                (reserved for internal use)
EnforcementStatus
PrimaryStatus
Status

–jeroen

This entry was posted on 2022/10/26 at 12:00 and is filed under CommandLine, Development, Power User, PowerShell, PowerShell, Remote Desktop Protocol/MSTSC/Terminal Services, Scripting, Software Development, Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»
 
%d bloggers like this: