Add Inbound Firewall rule for TCP and UDP
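try {
    Write-Log -Message "Creating inbound firewall rules for Application XYZ" -Severity 1

    # Placeholder kept from the original; replace with the full path of the installed binary.
    $ExePath = "Path to EXE"
    $ruleNameTCP = "Allow Application XYZ Inbound TCP"
    $ruleNameUDP = "Allow Application XYZ Inbound UDP"

    # -LiteralPath: no wildcard interpretation of the path. -PathType Leaf: a directory at this
    # path must not count as "found" and earn an allow rule.
    if (Test-Path -LiteralPath $ExePath -PathType Leaf) {
        # NOTE: these rules are scoped by program path only and are open on every profile
        # (-Profile Any). Narrow them with -RemoteAddress / -LocalPort where the peers are known.
        $ruleSet = @(
            @{ Name = $ruleNameTCP; Protocol = "TCP" },
            @{ Name = $ruleNameUDP; Protocol = "UDP" }
        )
        foreach ($entry in $ruleSet) {
            try {
                # Re-runs must not stack duplicate rules under the same DisplayName.
                if (Get-NetFirewallRule -DisplayName $entry.Name -ErrorAction SilentlyContinue) {
                    Write-Log -Message "Firewall rule already exists, skipping: '$($entry.Name)'" -Severity 1
                    continue
                }
                # -ErrorAction Stop: New-NetFirewallRule raises non-terminating errors by default,
                # which would bypass this catch and log a false "Created".
                New-NetFirewallRule -DisplayName $entry.Name `
                    -Direction Inbound `
                    -Program $ExePath `
                    -Action Allow `
                    -Protocol $entry.Protocol `
                    -Profile Any `
                    -ErrorAction Stop | Out-Null
                Write-Log -Message "Created $($entry.Protocol) firewall rule: '$($entry.Name)'" -Severity 1
            } catch {
                Write-Log -Message "Failed to create $($entry.Protocol) rule. Error: $($_.Exception.Message)" -Severity 3
            }
        }
    } else {
        Write-Log -Message "Executable not found at path: $ExePath" -Severity 2
    }
    Write-Log -Message "Finished firewall rule creation for Application XYZ." -Severity 1
} catch {
    Write-Log -Message "Unexpected error during firewall rule creation: $($_.Exception.Message)" -Severity 3
}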
Remove Inbound Firewall rule for TCP and UDP
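try {
    Write-Log -Message "Removing all Application XYZ related firewall rules" -Severity 1

    # Trailing '*' matches every rule whose DisplayName starts with the prefix, not just the two
    # rules the install script creates; keep the prefix specific.
    $rulePatterns = @(
        "Allow Application XYZ Inbound TCP*",
        "Allow Application XYZ Inbound UDP*"
    )

    $failures = 0
    foreach ($pattern in $rulePatterns) {
        # -DisplayName accepts wildcards, so the firewall store filters instead of every rule
        # being enumerated and filtered client-side. @() forces an array so .Count is reliable.
        $matchingRules = @(Get-NetFirewallRule -DisplayName $pattern -ErrorAction SilentlyContinue)
        if ($matchingRules.Count -eq 0) {
            Write-Log -Message "No matching firewall rules found for pattern: '$pattern'" -Severity 2
            continue
        }
        foreach ($rule in $matchingRules) {
            try {
                # -Name is the unique rule id; a DisplayName may be shared by duplicates.
                # Per-rule catch: one failure no longer aborts the rest of the cleanup.
                Remove-NetFirewallRule -Name $rule.Name -ErrorAction Stop
                Write-Log -Message "Removed firewall rule: '$($rule.DisplayName)'" -Severity 1
            } catch {
                $failures++
                Write-Log -Message "Failed to remove firewall rule '$($rule.DisplayName)'. Error: $($_.Exception.Message)" -Severity 3
            }
        }
    }

    if ($failures -eq 0) {
        Write-Log -Message "Cleanup completed successfully." -Severity 1
    } else {
        Write-Log -Message "Cleanup finished with $failures rule(s) not removed." -Severity 3
    }
}
catch {
    Write-Log -Message "Cleanup failed. Error: $($_.Exception.Message)" -Severity 3
}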
Add Inbound Firewall rule for TCP and UDP for each user profile (excluding Default, Public, All Users, Default User)
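try {
    Write-Log -Message "Scanning user profiles for Application XYZ and creating inbound firewall rules..." -Severity 1

    $relativePath = "AppData\Local\Application\XYZ.exe"
    # Profile root kept as in the original; a relocated ProfilesDirectory would need a different base.
    $profileRoot = "C:\Users"
    $userProfiles = Get-ChildItem -Path $profileRoot | Where-Object {
        $_.PSIsContainer -and $_.Name -notmatch "^(Default|Public|All Users|Default User)$"
    }

    # $profileDir rather than $profile: $profile is PowerShell's automatic $PROFILE variable.
    foreach ($profileDir in $userProfiles) {
        $userName = $profileDir.Name
        $ExePath = Join-Path $profileDir.FullName $relativePath

        # -PathType Leaf: only a file counts; a directory named XYZ.exe must not earn a rule.
        if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
            Write-Log -Message "Executable not found for user '$userName'. Skipping." -Severity 2
            continue
        }
        Write-Log -Message "Found EXE for user '$userName' at path: $ExePath" -Severity 1

        # NOTE: the program lives in a user-writable location and the rule matches by path only,
        # so whatever binary sits at that path inherits the inbound allow. Scope the rules with
        # -RemoteAddress / -LocalPort where the peers are known, and remove them at uninstall.
        $ruleSet = @(
            @{ Name = "Allow XYZ Inbound TCP ($userName)"; Protocol = "TCP" },
            @{ Name = "Allow XYZ Inbound UDP ($userName)"; Protocol = "UDP" }
        )
        foreach ($entry in $ruleSet) {
            try {
                # Re-runs must not stack duplicate rules under the same DisplayName.
                if (Get-NetFirewallRule -DisplayName $entry.Name -ErrorAction SilentlyContinue) {
                    Write-Log -Message "Firewall rule already exists, skipping: '$($entry.Name)'" -Severity 1
                    continue
                }
                # -ErrorAction Stop: New-NetFirewallRule raises non-terminating errors by default,
                # which would bypass this catch and log a false "Created".
                New-NetFirewallRule -DisplayName $entry.Name `
                    -Direction Inbound `
                    -Program $ExePath `
                    -Action Allow `
                    -Protocol $entry.Protocol `
                    -Profile Any `
                    -ErrorAction Stop | Out-Null
                Write-Log -Message "Created $($entry.Protocol) firewall rule: '$($entry.Name)'" -Severity 1
            } catch {
                Write-Log -Message "Failed to create $($entry.Protocol) rule for '$userName'. Error: $($_.Exception.Message)" -Severity 3
            }
        }
    }
    Write-Log -Message "Finished processing all user profiles." -Severity 1
} catch {
    Write-Log -Message "Unexpected error during firewall rule creation: $($_.Exception.Message)" -Severity 3
}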
Remove Inbound Firewall rule for TCP and UDP for each user profile
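try {
    Write-Log -Message "Removing all Application XYZ related firewall rules" -Severity 1

    # The per-user rules are named "Allow XYZ Inbound <proto> (<user>)"; the trailing '*' covers
    # the user suffix but also any other rule that starts with this prefix.
    $rulePatterns = @(
        "Allow XYZ Inbound TCP*",
        "Allow XYZ Inbound UDP*"
    )

    $failures = 0
    foreach ($pattern in $rulePatterns) {
        # -DisplayName accepts wildcards, so the firewall store filters instead of every rule
        # being enumerated and filtered client-side. @() forces an array so .Count is reliable.
        $matchingRules = @(Get-NetFirewallRule -DisplayName $pattern -ErrorAction SilentlyContinue)
        if ($matchingRules.Count -eq 0) {
            Write-Log -Message "No matching firewall rules found for pattern: '$pattern'" -Severity 2
            continue
        }
        foreach ($rule in $matchingRules) {
            try {
                # -Name is the unique rule id; a DisplayName may be shared by duplicates.
                # Per-rule catch: one failure no longer aborts the rest of the cleanup.
                Remove-NetFirewallRule -Name $rule.Name -ErrorAction Stop
                Write-Log -Message "Removed firewall rule: '$($rule.DisplayName)'" -Severity 1
            } catch {
                $failures++
                Write-Log -Message "Failed to remove firewall rule '$($rule.DisplayName)'. Error: $($_.Exception.Message)" -Severity 3
            }
        }
    }

    if ($failures -eq 0) {
        Write-Log -Message "Cleanup completed successfully." -Severity 1
    } else {
        Write-Log -Message "Cleanup finished with $failures rule(s) not removed." -Severity 3
    }
}
catch {
    Write-Log -Message "Cleanup failed. Error: $($_.Exception.Message)" -Severity 3
}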
Add Firewall rules with Authentication – Detection
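# Expected state of each rule. Authentication is part of the contract (the remediation creates the
# rules with -Authentication Required); the original compared against an undefined
# $rule.Authentication, which made every existing rule report as non-compliant.
$expectedRules = @(
    @{
        Name           = "Application XYZ"
        Protocol       = "Any"
        LocalPort      = "Any"
        RemotePort     = "Any"
        RemoteAddress  = "192.168.1.100"
        Enabled        = "True"
        Action         = "Allow"
        Authentication = "Required"
    },
    @{
        Name           = "SNMP TCP"
        Protocol       = "TCP"
        LocalPort      = "161-162"
        RemotePort     = "Any"
        RemoteAddress  = "192.168.1.111"
        Enabled        = "True"
        Action         = "Allow"
        Authentication = "Required"
    },
    @{
        Name           = "SNMP UDP"
        Protocol       = "UDP"
        LocalPort      = "161-162"
        RemotePort     = "Any"
        RemoteAddress  = "192.168.1.111"
        Enabled        = "True"
        Action         = "Allow"
        Authentication = "Required"
    }
)

$compliant = $true
foreach ($rule in $expectedRules) {
    # @() forces an array: with duplicate DisplayNames the property checks below would otherwise
    # compare arrays and silently pass or fail.
    $found = @(Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        Write-Host "Missing rule: $($rule.Name)"
        $compliant = $false
        continue
    }
    if ($found.Count -gt 1) {
        # Two rules with the same DisplayName cannot be validated as one; let remediation replace them.
        Write-Host "Rule is defined more than once: $($rule.Name)"
        $compliant = $false
        continue
    }
    $fwRule = $found[0]

    # Both Allow and Secure are accepted, as in the original check.
    $actionOk = ($fwRule.Action -eq "Allow") -or ($fwRule.Action -eq "Secure")
    if ($fwRule.Enabled -ne $rule.Enabled -or -not $actionOk -or $fwRule.Authentication -ne $rule.Authentication) {
        Write-Host "Rule exists but has incorrect base settings: $($rule.Name)"
        $compliant = $false
        continue
    }

    $portFilter    = $fwRule | Get-NetFirewallPortFilter
    $addressFilter = $fwRule | Get-NetFirewallAddressFilter

    # Normalize the protocol: IANA numbers map to the names used in $expectedRules; any other
    # value (including a name already) passes through unchanged.
    $actualProtocol = switch ($portFilter.Protocol) {
        6       { "TCP" }
        17      { "UDP" }
        256     { "Any" }
        default { $_ }
    }
    # Port and address filters may hold several values; join them so a multi-valued filter
    # compares as a whole instead of element-wise.
    $actualLocalPort  = @($portFilter.LocalPort) -join ","
    $actualRemotePort = @($portFilter.RemotePort) -join ","
    $actualRemoteAddr = @($addressFilter.RemoteAddress) -join ","

    if (
        ($rule.Protocol -ne "Any" -and $actualProtocol -ne $rule.Protocol) -or
        ($rule.LocalPort -ne "Any" -and $actualLocalPort -ne $rule.LocalPort) -or
        ($rule.RemotePort -ne "Any" -and $actualRemotePort -ne $rule.RemotePort) -or
        ($actualRemoteAddr -ne $rule.RemoteAddress)
    ) {
        Write-Host "Rule exists but has incorrect filters: $($rule.Name)"
        $compliant = $false
        continue
    }
}

# Exit code drives the detection/remediation pairing: 0 = compliant, 1 = remediate.
if ($compliant) {
    Write-Host "All firewal rules are present"
    exit 0
} else {
    Write-Host "One or more firewall rules are missing"
    exit 1
}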
Remove Firewall rules – Remediation
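# Desired rules. Protocol numbers (6 = TCP, 17 = UDP) are accepted by New-NetFirewallRule
# alongside the names; "Any" means the parameter is left at its default.
$rules = @(
    @{
        Name          = "Application XYZ"
        Protocol      = "Any"
        LocalPort     = "Any"
        RemoteAddress = "192.168.1.100"
    },
    @{
        Name          = "SNMP TCP"
        Protocol      = 6
        LocalPort     = "161-162"
        RemoteAddress = "192.168.1.111"
    },
    @{
        Name          = "SNMP UDP"
        Protocol      = 17
        LocalPort     = "161-162"
        RemoteAddress = "192.168.1.111"
    }
)

$failed = $false
foreach ($rule in $rules) {
    try {
        # Replace rather than update, so stale filters from an earlier version do not survive.
        $existing = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
        if ($existing) {
            Remove-NetFirewallRule -DisplayName $rule.Name -ErrorAction Stop
        }

        $params = @{
            DisplayName         = $rule.Name
            Direction           = "Inbound"
            Action              = "Allow"
            Enabled             = "True"
            Profile             = "Any"
            Program             = "Any"
            RemoteAddress       = $rule.RemoteAddress
            EdgeTraversalPolicy = "Block"
            InterfaceType       = "Any"
            # Set at creation instead of with a follow-up Set-NetFirewallRule, so the rule never
            # exists in an unauthenticated state between the two calls. Required means only
            # IPsec-authenticated traffic matches; without a matching connection security rule on
            # both peers, nothing gets through this rule.
            Authentication      = "Required"
            # New-NetFirewallRule errors are non-terminating by default and would skip the catch.
            ErrorAction         = "Stop"
        }
        if ($rule.Protocol -ne "Any") {
            $params.Protocol = $rule.Protocol
        }
        if ($rule.LocalPort -ne "Any") {
            $params.LocalPort = $rule.LocalPort
        }

        New-NetFirewallRule @params | Out-Null
        Write-Host "Created rule: $($rule.Name)"
    } catch {
        # Keep going so one bad rule does not leave the others absent; report at the end.
        $failed = $true
        Write-Host "Failed to create rule '$($rule.Name)': $($_.Exception.Message)"
    }
}

# Non-zero exit tells the caller that remediation did not fully complete.
if ($failed) {
    exit 1
}
exit 0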