Adding Firewall Rules to a GPO via PowerShell

If you’ve ever had to add new rules (especially a whole new bunch when commissioning a new GPO) to the Firewall Policy within a GPO, you know it can be a bit of a PITA. Especially if someone has very kindly provided them nicely tabled in a document (ahem – Mr Vendor…)

Yes, you can tripsy thru the GUI and add them line by line, or you can develop them in a test/pre-prod environment and do an export/import cycle into your shiny new Prod GPO. But that imports all the other Firewall Policy stuff as well, so now you have to clean up… So…

If you just want to add the rule(s) precisely and well formatted (and with the bonus of assigning a nice group name to them):

First – this is a Server 2012/Windows 8 and up solution – so choose the management Server wisely…

Assign the GPO you are going to update to a session variable – this has the effect of copying the GPO to the server’s local cache

  • $gp_ = Open-NetGPO -PolicyStore "<domain>\<gponame>"

Now create your new rule(s) and include the -GPOSession switch with your session variable. Personally, I construct all my rules in an Excel table so I can generate hundreds (well OK – 10’s) of rules quickly and consistently:

  • New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block -Group "TestGroup" -GPOSession $gp_

Now save the locally modified cached version back to the domain, et voila…

  • Save-NetGPO -GPOSession $gp_

Of course, you only have to call Save-NetGPO once, after you have completed all your new rules – no need to call it after every one.
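The spreadsheet-driven workflow above as a single script, added here as an example and not taken from the original post; the policy store name and the CSV rows are constructed placeholders. It skips rules that already exist in the GPO, stops before saving if any rule fails to create, and lists the cached result ahead of the single Save-NetGPO call.

```powershell
# Added example, not from the original post. Placeholder values throughout.
$policyStore = 'example.com\Prod-Firewall-Baseline'   # stands in for <domain>\<gponame>

# Constructed sample rule table (what an Excel sheet saved as CSV might hold).
$rules = @'
DisplayName,Direction,Protocol,LocalPort,Action,Group
Block Outbound Port 80,Outbound,TCP,80,Block,TestGroup
Allow Inbound HTTPS,Inbound,TCP,443,Allow,TestGroup
Allow Inbound App Ports,Inbound,TCP,8080-8090,Allow,TestGroup
'@ | ConvertFrom-Csv

# Copy the GPO into the local cache; nothing reaches the domain until Save-NetGPO.
$gp_ = Open-NetGPO -PolicyStore $policyStore
$added = 0

foreach ($r in $rules) {
    # New-NetFirewallRule does not de-duplicate, so skip names already in the GPO.
    $existing = Get-NetFirewallRule -DisplayName $r.DisplayName -GPOSession $gp_ -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Skipping existing rule: $($r.DisplayName)"
        continue
    }

    $params = @{
        DisplayName = $r.DisplayName
        Direction   = $r.Direction
        Protocol    = $r.Protocol
        LocalPort   = $r.LocalPort
        Action      = $r.Action
        Group       = $r.Group
        GPOSession  = $gp_
        ErrorAction = 'Stop'   # a bad row aborts the script before the save below
    }
    New-NetFirewallRule @params | Out-Null
    $added++
}

# Review what the cached copy holds before writing it back.
Get-NetFirewallRule -Group 'TestGroup' -GPOSession $gp_ |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize

# One save for the whole batch, and only if something changed.
if ($added -gt 0) { Save-NetGPO -GPOSession $gp_ }
```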

Your GPO now has exactly the rules you defined. Now you can go about buggering it up in other ways (don’t forget to back up!)

Cheers !

Links for the technically slavish:

Open-NetGPO: https://technet.microsoft.com/en-us/library/jj554879(v=wps.630).aspx

Save-NetGPO: https://technet.microsoft.com/en-us/library/jj554899(v=wps.630).aspx

New-NetFirewallRule: https://technet.microsoft.com/en-us/library/jj554908(v=wps.630).aspx
