Automate firewall policy rule update in GPO

Question

Automate firewall policy rule update in GPO

P Mowleeswaran 25

Hello Team,

We are applying firewall rules for all my domain machines through GPO. I have three GPOs for firewall rules that apply to workstations, servers, and domain controllers. Therefore, we have different sets of inbound and outbound firewall rules for each GPO.

Now, I need a PowerShell script that updates the remote address for a particular rule in a specific GPO . I would like to provide input in a data preparation file, and the script should apply the remote address for that particular GPO.

For example, I have the GPOs Wks_Firewall_GPO, Server_Firewall_GPO, and DC_Firewall_GPO on my domain controller. In the Wks_Firewall_GPO, I have an inbound rule for which I need to add a few more remote addresses via the PowerShell script. i need to execute this script from my domain controller.

Could you please assist me with this?

Regards,

Mowlee

1 answer

Your answer

Answer 1

Anonymous

Hello P Mowleeswaran,

Thank you for posting in Q&A forum.

I am sorry we don’t directly write script for use on the forum, and I am not familiar with script.

I think you could use the Get-GPO, Get-GPRegistryValue, and Set-GPRegistryValue cmdlets to achieve it.

For example:

Get-GPO -Name "YourGPOName"

Get-GPRegistryValue -Name "YourGPOName" -Key “registryPath” -ValueName ”ruleName”

References:

Get-GPO (GroupPolicy) | Microsoft Learn

Get-GPRegistryValue (GroupPolicy) | Microsoft Learn

Set-GPRegistryValue (GroupPolicy) | Microsoft Learn

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

P Mowleeswaran 25 Reputation points

2024-10-14T04:06:40.4166667+00:00
Below is my high-level script that I have used to test it. When I execute it, I'm getting the error below. Could you please check the error and help me to understand the issue?

$mydomain = (Get-ADDomain).DNSRoot

$gponame = "Server_Firewall_GPO"

$policystore = "$($mydomain)$($gponame)"

$gposession = Open-NetGPO -PolicyStore $policystore

$findrule = Get-NetFirewallRule -DisplayName 'test' -PolicyStore $policystore

Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $findrule | Set-NetFirewallRule -RemoteAddress "10.1.10.4"

Save-NetGPO -GPOSession $gposession

Error:

Set-NetFirewallAddressFilter : Indicates two revision levels are incompatible.

At line:1 char:69

... e $findrule | Set-NetFirewallAddressFilter -RemoteAddress "10.1.10.4"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : NotSpecified: (MSFT_NetAddress...ystemName = ""):root/standardcimv2/MSFT_NetAddressFilter) [Set-NetFir

ewallAddressFilter], CimException

FullyQualifiedErrorId : Windows System Error 1306,Set-NetFirewallAddressFilter

Note: I executed this script directly from the Domain Controller (Windows Server 2022 Core). While executing this script, I opened PowerShell by running

PowerShell Start-Process PowerShell -Verb RunAs, and it has domain admin privileges.

Share via

Automate firewall policy rule update in GPO

1 answer

Your answer