Powershell determine FW Inbound blockall or block

  • Question

  • Hi

    I noticed that group policy has 2 settings to block inbound traffic

    1.   incoming connections that do not match a rule are blocked

    or

    2.   All inbound connections are blocked

    From the client side I'm looking to determine which of these inbound settings is the case.

    I can do this with "netsh advfirewall show domainprofile firewallpolicy".

    The output will differentiate with either BlockInbound or BlockInboundAlways.

    I can't find this so far with PowerShell though.

    I've tried a number of cmdlets including Get-NetFirewallProfile & Get-NetFirewallSetting.

    From the PowerShell results I can only see BLOCK for the inbound action even if the actual connection rule is BLOCKALL.

    The output makes them look the same, which seems inaccurate.

    Is PowerShell able to differentiate between the incoming connection rules more specifically?

    Thanks


    confuseis


    • Edited by confuseis Friday, June 26, 2020 12:13 PM
    Thursday, June 25, 2020 2:53 PM

Answers

  • I have it now.

    The answer is in separate fields & unlike netsh I need to combine them in PowerShell to get the answer.

    So IF Enabled=True -and AllowInboundRules=False THEN we have our answer :)

    Initially when I ran this it didn't work. NB: we need to query the actual aggregated FW rules, e.g. local and group policy.

    To do this we need to use "Get-NetFirewallProfile -PolicyStore ActiveStore".

    Looking at all the pitfalls & gotchas with Windows Firewall, I'm not surprised why it's not used in businesses.

    I'm in good shape now, thanks.


    confuseis

    • Marked as answer by confuseis Sunday, June 28, 2020 2:51 PM
    Sunday, June 28, 2020 2:51 PM
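The combination the accepted answer arrives at, as an added example that is not the poster's code: read the effective profile settings from the ActiveStore and map the Enabled, DefaultInboundAction and AllowInboundRules fields onto the two netsh-style labels. The function name, output shape and the exit-code check at the end are my own choices.

```powershell
# Added example (not from the thread). Reads the aggregated local + GPO profile
# settings and combines the fields the thread identifies into the netsh-style
# labels BlockInbound (block unless a rule allows) vs BlockInboundAlways (block all).
function Get-EffectiveInboundPosture {
    [CmdletBinding()]
    param()

    Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
        $posture = if ($_.Enabled -ne 'True') {
            'FirewallDisabled'
        } elseif ($_.DefaultInboundAction -eq 'Block' -and $_.AllowInboundRules -eq 'False') {
            'BlockInboundAlways'    # GPO: "All inbound connections are blocked"
        } elseif ($_.DefaultInboundAction -eq 'Block') {
            'BlockInbound'          # GPO: "Inbound connections that do not match a rule are blocked"
        } else {
            "DefaultInbound=$($_.DefaultInboundAction)"   # Allow or NotConfigured
        }

        [pscustomobject]@{
            Profile              = $_.Name
            Enabled              = $_.Enabled
            DefaultInboundAction = $_.DefaultInboundAction
            AllowInboundRules    = $_.AllowInboundRules
            Posture              = $posture
        }
    }
}

# Usage: show the effective posture per profile, then fail a compliance check
# if any profile is in the "block all" state the poster considers unacceptable.
$report = Get-EffectiveInboundPosture
$report | Format-Table -AutoSize

$blockAll = $report | Where-Object Posture -eq 'BlockInboundAlways'
if ($blockAll) {
    Write-Warning ("BlockInboundAlways is in effect for: " + ($blockAll.Profile -join ', '))
    exit 1
}
```

Querying without -PolicyStore ActiveStore reads only the local store, which is exactly the mismatch the poster hit earlier in the thread.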

All replies

  • Alarmingly, PowerShell and netsh seem to be reading the firewall wrong?!

    Example in screenshot.

    This could be dangerous, as if I have a script to act upon firewall settings and the commands are feeding back information opposite of what's true.....

    Maybe there is something I'm not seeing / considering?


    confuseis

    Friday, June 26, 2020 10:26 AM
  • I believe the answer to the inaccuracy issue is to use -PolicyStore ActiveStore.

    Else PowerShell reads the local policy by default, not the group policy settings.

    To examine both and give the actual setting I used the below, which seems to report accurately.

    "Get-NetFirewallProfile -PolicyStore ActiveStore"


    confuseis

    Friday, June 26, 2020 10:57 AM
  • The question still remains though: how do we accurately see if the firewall is in state Block or BlockInboundAlways?

    As the output still reads Block for a profile that is actually set to Block all connections.

    Block with rules is acceptable for me.

    Block all connections is not an acceptable rule, so I need to know if this is applied.


    confuseis


    • Edited by confuseis Friday, June 26, 2020 3:16 PM
    Friday, June 26, 2020 12:06 PM
  • There is no such setting as BlockAll for a profile or a rule.  Only "Block", "Allow" and "NotConfigured".


    \_(ツ)_/

    Friday, June 26, 2020 5:24 PM
  • Darn, that's disappointing. Netsh has the Block or BlockInboundAlways differentiation.

    The group policy object below has 2 different inbound connection rules:

    do not match a rule are blocked

    or

    All are blocked

    I was hoping to differentiate from the client end which inbound setting was applied, but it looks as if they are both treated as Block.

    I'll go with netsh.

    Thanks


    confuseis


    • Edited by confuseis Friday, June 26, 2020 11:07 PM
    Friday, June 26, 2020 6:48 PM
  • Those are global firewall settings per profile. They are not rules in the normal sense. It is likely they are an aggregate of settings that combine profile rules.

    Get a profile and look at the settings, then select to block all and compare the results. This will tell you the individual changes.


    \_(ツ)_/

    Friday, June 26, 2020 11:08 PM
  • Hope I'm reading you right.

    The settings are deployed to the client by group policy and can't be changed on the client.

    To get the aggregated settings I use "Get-NetFirewallProfile -PolicyStore ActiveStore".

    This, to my understanding, factors in the local and GPO settings to reveal the actual settings currently applied.

    When I compare on the client it's accurate, as in it shows if the firewall is on or off and whether the connection is Block or Allow.

    But it is not so granular as to reveal whether it's

    Block where a rule is not met

    OR

    Block all connections

    It just shows Block in either case.


    confuseis

    Friday, June 26, 2020 11:20 PM