Converting list of IPs into Windows Firewall rules RRS feed

  • Question

  • I am writing a script that takes a JSON data set of IPs with subnet masks ("") and converts them to Windows Firewall rules. The code works as intended and successfully creates the rules, however some of the IPs have the subnet mask cut off. There is no correlation between the IPs where this occurs. I believe I have isolated the issue to how the $ips variable is passed into the -RemoteAddress attribute, but I am not sure how to fix it.

    Example JSON Input Data:

    { "ActionGroup": [ "", "", "", "", "", "", "", "", "", "", "", "", "", "" ]


    PowerShell Code:

    $publicips = Get-Content -Path D:\repo\azure_ips\extracted_ips.json #store downloaded ips
    $publicips = $publicips | ConvertFrom-Json #convert to powershell object
    $existing_rules = Get-NetFirewallRule #store existing rules
    foreach ($name in $ {
        $ips = $publicips.$name
        if ($name -in $existing_rules.Displayname){
            Set-NetFirewallRule -DisplayName $name -RemoteAddress $ips
            Write-Host "updated rule"
        else {
            New-NetFirewallRule -DisplayName $name -RemoteAddress $ips -Direction Outbound -LocalPort 443 -Protocol TCP -Action Allow
            Write-Host "new rule"

    Some of the IPs under RemoteAddress are missing the subnet mask:

    Friday, July 10, 2020 7:03 PM

All replies

  • Can you provide a representative example of the JSON file? You needn't use real IP addresses, and it'd only be necessary to provide two rule names. It isn't clear what the contents of the resultant PSCustomObject are from the ConvertFrom-Json cmdlet.

    Is your problem consistent? Does the problem happen to the same IP addresses each time?

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Friday, July 10, 2020 9:24 PM
  • in case if you will add some restrction rule for those networks, and 1 rule will cover 2 others so no sense to add all of them. you can check yoyr inputs and i guess you will find duplicates, and in this case your quistion is not about powershell but about firewall

    The opinion expressed by me is not an official position of Microsoft

    Friday, July 10, 2020 10:56 PM
  • I'm curious to know if it's the /32 network masks that are being removed. For an IPv4 address that's really just a single address, not a network.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Saturday, July 11, 2020 3:18 PM
  • I tried to create some rules and found only the /32 prefix was removed. As there's only one IP address in the CIDR block this behavior could be designed. You may get better answers at networking forum located at

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, July 14, 2020 8:33 AM