How to create a Windows 2008 Advanced Firewall rules group definition through the command prompt

Solution 1:

Rules in the Windows Firewall can be bundled together and activated or deactivated as a group.

With the netsh advfirewall command you can add rules to the Firewall. Use the group= switch to manage the AdvFirewall groups.

Use something like this:

netsh advfirewall firewall set rule profile=domain group="Remote Desktop" new enable=Yes

Solution 2:

While you specifically mention

... through the command prompt

I'm gonna assume you mean using a script. With 2008, you can use PowerShell. It's pretty straightforward:

function Add-FirewallRule {
   param( 
      [string]$name,
      [string]$tcpPorts,                       # "1234" or a range such as "5555-6666"
      [string]$appName = $null,
      [string]$serviceName = $null,
      [string]$group = "@firewallapi.dll,-23255"   # indirect resource string; the display group name is resolved from firewallapi.dll
   )
    $fw = New-Object -ComObject HNetCfg.FwPolicy2   # INetFwPolicy2: the firewall policy object
    $rule = New-Object -ComObject HNetCfg.FWRule     # INetFwRule: a single rule

    $rule.Name = $name
    if ($appName) { $rule.ApplicationName = $appName }   # scope the rule to a program path
    if ($serviceName) { $rule.ServiceName = $serviceName } # scope the rule to a service short name
    $rule.Protocol = 6 # NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts = $tcpPorts
    $rule.Enabled = $true
    $rule.Grouping = $group     # this property is what places the rule in a group
    $rule.Profiles = 7 # NET_FW_PROFILE2_ALL (domain=1, private=2, public=4)
    $rule.Action = 1 # NET_FW_ACTION_ALLOW
    $rule.EdgeTraversal = $false   # do not allow unsolicited traffic through a NAT edge

    $fw.Rules.Add($rule)   # requires an elevated (administrator) session
}

# Sample Usage
Add-FirewallRule "Test port 1234" "1234" $null $null
Add-FirewallRule "Test port 5555-6666" "5555-6666" $null $null
Add-FirewallRule "Test port 2222 Calc" 2222 "c:\windows\system32\calc.exe" $null
Add-FirewallRule "Test port 3333 W3SVC" 3333 $null "W3SVC"

See this article for more detail...
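An added example, not code from the answer above: it uses the same HNetCfg COM interfaces, so it runs on Windows Server 2008 without the NetSecurity module, and shows the part the answer leaves out, namely putting several rules into one group and then enabling or disabling that group in a single call through INetFwPolicy2.EnableRuleGroup. The group name, rule names and ports are assumptions chosen for the demonstration; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original answer). Creates two TCP rules in a
# custom group, lists the group, toggles it as a unit, then removes the demo rules.
$ErrorActionPreference = 'Stop'

$fw    = New-Object -ComObject HNetCfg.FwPolicy2
$Group = 'Contoso Admin Tools'   # assumed group name; a plain string is accepted,
                                 # an indirect "@dll,-id" string is optional

# NET_FW_PROFILE2_* bitmask: 1 = domain, 2 = private, 4 = public, 7 = all
$AllProfiles = 7

function Add-GroupedTcpRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Ports,   # "1234" or "5555-6666"
        [Parameter(Mandatory)][string]$Group
    )
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name       = $Name
    $rule.Protocol   = 6            # NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts = $Ports
    $rule.Direction  = 1            # NET_FW_RULE_DIR_IN
    $rule.Action     = 1            # NET_FW_ACTION_ALLOW
    $rule.Profiles   = $AllProfiles
    $rule.Grouping   = $Group       # membership in the group is just this string
    $rule.Enabled    = $true
    $fw.Rules.Add($rule)
}

Add-GroupedTcpRule -Name 'Contoso Admin - 8443'      -Ports '8443'      -Group $Group
Add-GroupedTcpRule -Name 'Contoso Admin - 9000-9010' -Ports '9000-9010' -Group $Group

# Enumerate the group's members. Grouping holds the raw string, so a plain-string
# group compares directly; an "@dll,-id" group would need the same indirect string.
$fw.Rules | Where-Object { $_.Grouping -eq $Group } |
    Select-Object Name, LocalPorts, Enabled, Profiles | Format-Table -AutoSize

# Disable the whole group in one call (the COM equivalent of
# "netsh advfirewall firewall set rule group=... new enable=no")
$fw.EnableRuleGroup($AllProfiles, $Group, $false)
"Group enabled for the active profile: " + $fw.IsRuleGroupCurrentlyEnabled($Group)

# Re-enable it and confirm
$fw.EnableRuleGroup($AllProfiles, $Group, $true)
"Group enabled for the active profile: " + $fw.IsRuleGroupCurrentlyEnabled($Group)

# Clean up the demo rules. Collect the names first rather than removing while
# enumerating the COM collection.
$names = @($fw.Rules | Where-Object { $_.Grouping -eq $Group } | ForEach-Object { $_.Name })
foreach ($n in $names) { $fw.Rules.Remove($n) }
```

The check that matters for a group definition is the last Where-Object: if a rule's Grouping string differs by even one character from the others, EnableRuleGroup will silently leave it alone, so list the group before relying on a group-wide toggle.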


Solution 3:

Found a solution for this old question that has also been bugging me for a long time!

The New-NetFirewallRule TechNet article states this about the -Group parameter of the New-NetFirewallRule cmdlet:

[...] This parameter specifies the source string for the DisplayGroup parameter. [...] Rule groups can be used to organize rules by influence and allows batch rule modifications. Using the Set-NetFirewallRule cmdlets, if the group name is specified for a set of rules or sets, then all of the rules or sets in that group receive the same set of modifications. It is a good practice to specify this parameter value with a universal and world-ready indirect @FirewallAPI name.

Note: The DisplayGroup parameter cannot be specified upon object creation using the New-NetFirewallRule cmdlet, but can be modified using dot-notation and the Set-NetFirewallRule cmdlet.

That sounds like there's a chance, right? While trying to find out how to do this myself, I ran the following:

Get-NetFirewallRule -DisplayName "Core Networking - IPv6 (IPv6-In)" | Get-Member

...and noted that the DisplayGroup property only has a Get method, but the Group property (with its RuleGroup alias) has both a Get and a Set method.

The PowerShell solution is as-follows:

Thanks to @maoizm, this solution now works when 1 or more rules with the same DisplayName exist:

$RuleName = "NameOfYourFirewallRuleGoesHere"
$RuleGroup = "YourGroupNameGoesHere"
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object { $_.Group = $RuleGroup; Set-NetFirewallRule -InputObject $_ }

And this will actually create a new group name that is assigned to your rule.

Note: The netsh command does not have an add group command. See the syntax for Netsh AdvFirewall Firewall Commands here.
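An added example, not code from the answer above, that puts the three pieces together with the NetSecurity cmdlets: New-NetFirewallRule accepts -Group at creation time (it is only -DisplayGroup that cannot be set then), an existing rule is moved into the group with the Group re-assignment from the answer, and the group is then used for the batch operations the TechNet text describes. Group name, rule names and ports are assumptions chosen for the demonstration; it needs an elevated session on Windows Server 2012 or later, where the NetSecurity module exists.

```powershell
# Added example (not from the original answer). Demonstrates creating a rule
# group, joining an existing rule to it, verifying membership, and batch changes.
$ErrorActionPreference = 'Stop'

$Group = 'Contoso Admin Tools'   # assumed name; a plain string, or an "@dll,-id" indirect string

# 1. New rules: -Group is accepted at creation time
New-NetFirewallRule -DisplayName 'Contoso Admin - 8443' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 8443 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName 'Contoso Admin - 9000-9010' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 9000-9010 -Action Allow -Profile Domain | Out-Null

# 2. A rule created without a group, then moved into it (the answer's technique;
#    note the variable is not wrapped in single quotes, or the literal text
#    "$Group" would become the group name)
New-NetFirewallRule -DisplayName 'Contoso Admin - 7000' `
    -Direction Inbound -Protocol TCP -LocalPort 7000 -Action Allow -Profile Domain | Out-Null
Get-NetFirewallRule -DisplayName 'Contoso Admin - 7000' | ForEach-Object {
    $_.Group = $Group
    Set-NetFirewallRule -InputObject $_
}

# 3. Verify membership. -Group filters on the raw Group string, -DisplayGroup on
#    the resolved display string; for a plain-string group both return the same rules.
$members = @(Get-NetFirewallRule -Group $Group)
"Rules in '$Group': " + $members.Count            # 3 after the steps above
$members | Select-Object DisplayName, Group, DisplayGroup, Enabled | Format-Table -AutoSize

# 4. Batch operations: one cmdlet call changes every member of the group
Disable-NetFirewallRule -Group $Group
$stillOn = @(Get-NetFirewallRule -Group $Group | Where-Object { $_.Enabled -eq 'True' })
"Still enabled after Disable-NetFirewallRule: " + $stillOn.Count   # 0 expected

Enable-NetFirewallRule -Group $Group
Set-NetFirewallRule -Group $Group -Profile Domain, Private    # applied to all three rules

# 5. Remove the demo rules, again addressing them through the group
Remove-NetFirewallRule -Group $Group
```

The membership check in step 3 is worth keeping in any deployment script: a rule whose Group string does not match exactly is invisible to every -Group operation that follows, so a Disable-NetFirewallRule -Group used as an emergency switch would leave it open.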