hypercube

Remove duplicate Windows Firewall rules; Create rules without duplicating them.

I have a PowerShell script that runs a number of commands that look like this (with various names involved):
Set-NetFirewallRule -DisplayName "Remote Event Log Management (RPC)" -RemoteAddress 10.10.2.0/24,LocalSubnet -Profile Private -Enabled True


One problem with this is that it creates duplicate firewall rules.  So, if we run the script twice then we are assured of getting at least 2 identical rules.
(It's easier to run the script than to decide whether to run it!).

So, I have two objectives that I've not been able to reasonably figure out on my own:

1) I want to remove the duplicate firewall rules that this process has created.
2) I want to add the same firewall rules to computers that have no duplicates, without creating duplicates once more.
3) I want all of this wrapped up into two scripts.

How might you suggest this be done?
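One way to meet both objectives, as an added example that is not from the question or from any of the answers in this thread: a report-first duplicate finder that fingerprints rules by the fields that make them functionally identical, and a create-or-update helper that keys on the rule's Name. Name is the only field the firewall keeps unique (New-NetFirewallRule refuses a Name that already exists), while DisplayName can repeat freely, which is why a script keyed on DisplayName can pile up twins. The rule names, the group label and the addresses below are constructed for illustration, and the "keep the copy whose Name is not a GUID" heuristic is an assumption that the original predefined rule carries a friendly Name and a later duplicate carries an auto-generated GUID.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Names, group and addresses are constructed.

# --- Part 1: find (and optionally remove) duplicate rules ---------------------------
function Get-RuleFingerprint {
    param([Parameter(Mandatory)] $Rule)
    # Two rules are "the same" when every field that affects filtering matches.
    $addr = Get-NetFirewallAddressFilter     -AssociatedNetFirewallRule $Rule
    $port = Get-NetFirewallPortFilter        -AssociatedNetFirewallRule $Rule
    $app  = Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $Rule
    $parts = @(
        $Rule.DisplayName, $Rule.Direction, $Rule.Action, $Rule.Profile,
        ($addr.LocalAddress -join ','), ($addr.RemoteAddress -join ','),
        $port.Protocol, ($port.LocalPort -join ','), ($port.RemotePort -join ','),
        $app.Program
    )
    return ($parts -join '|')
}

function Remove-DuplicateFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayNameFilter = '*',   # narrow the scan, e.g. 'Remote Event Log*'
        [switch]$Remove                     # without this switch the function only reports
    )
    $dupeSets = Get-NetFirewallRule -DisplayName $DisplayNameFilter |
        Group-Object { Get-RuleFingerprint $_ } |
        Where-Object Count -gt 1

    foreach ($set in $dupeSets) {
        # Heuristic (assumption): the copy whose Name is NOT a GUID is the original
        # predefined rule; New-NetFirewallRule without -Name assigns a GUID Name.
        $keep  = $set.Group |
            Sort-Object { $_.Name -match '^\{?[0-9a-fA-F-]{36}\}?$' } |
            Select-Object -First 1
        $extra = @($set.Group | Where-Object Name -ne $keep.Name)
        Write-Host ("{0}: keeping '{1}', {2} duplicate(s)" -f $keep.DisplayName, $keep.Name, $extra.Count)
        if ($Remove) {
            foreach ($rule in $extra) {
                # -WhatIf / -Confirm flow through ShouldProcess, so a dry run is always possible.
                if ($PSCmdlet.ShouldProcess($rule.Name, 'Remove-NetFirewallRule')) {
                    Remove-NetFirewallRule -Name $rule.Name
                }
            }
        }
    }
}

# --- Part 2: create a rule once, converge it on every later run ---------------------
function Set-FirewallRuleIdempotent {
    param(
        [Parameter(Mandatory)][string]$Name,         # stable unique ID; the "already exists" key
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Group = 'Fred: Some Group',         # constructed label
        [ValidateSet('Inbound','Outbound')][string]$Direction = 'Inbound',
        [ValidateSet('TCP','UDP')][string]$Protocol = 'TCP',
        [string[]]$LocalPort = @('Any'),
        [string[]]$RemoteAddress = @('LocalSubnet'),
        [string[]]$Profile = @('Private')
    )
    $existing = Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Re-running the script updates the one rule instead of adding a twin.
        Set-NetFirewallRule -Name $Name -Direction $Direction -Action Allow -Protocol $Protocol `
            -LocalPort $LocalPort -RemoteAddress $RemoteAddress -Profile $Profile -Enabled True
    } else {
        New-NetFirewallRule -Name $Name -DisplayName $DisplayName -Group $Group `
            -Direction $Direction -Action Allow -Protocol $Protocol -LocalPort $LocalPort `
            -RemoteAddress $RemoteAddress -Profile $Profile -Enabled True | Out-Null
    }
}

# Usage (constructed values). Report first, then remove with -WhatIf, then for real:
Remove-DuplicateFirewallRule -DisplayNameFilter 'Remote Event Log*'
Remove-DuplicateFirewallRule -DisplayNameFilter 'Remote Event Log*' -Remove -WhatIf
Set-FirewallRuleIdempotent -Name 'Fred-RemoteEventLog-RPC-In' `
    -DisplayName 'Fred: Remote Event Log Management (RPC)' `
    -LocalPort 'RPC' -RemoteAddress '10.10.2.0/24','LocalSubnet'
```

Two points worth keeping in mind when adapting this. First, Set-NetFirewallRule -DisplayName "..." (the form used in the question) acts on every rule that shares that DisplayName, so once the duplicates are gone the original one-liners stop being a problem by themselves; the helper above simply avoids ever depending on DisplayName being unique. Second, the fingerprint deliberately ignores Enabled, so a disabled twin of an enabled rule is still reported as a duplicate; extend the fingerprint if that is not the behaviour you want, and always run the report before adding -Remove.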
Jeremy Weisinger

Are you using New-NetFirewallRule instead of Set-NetFirewallRule?

Set-NetFirewallRule should only change the configuration of an existing rule.

Is there any more to your script that you could post?

ASKER

Jeremy Weisinger:  Well, the script is mostly one-off one-liners like this.  There are maybe 7 firewall rules being "SET".
I was a little surprised that SETting would duplicate but it does seem to do that.  I suppose I should do an experiment to prove this.  Maybe something else did it....

Oh my!  It's NOT duplicating more.  So it must have been some interim construct that caused it.  There remain two copies each still however.

So now I'm only needing to gracefully remove the duplicates but that becomes a lower priority now.

Thanks!
ASKER CERTIFIED SOLUTION
Jeremy Weisinger

This solution is only available to members.
SOLUTION
SOLUTION
So, first of all, duplicate rules are only a problem if their common names obscure their details.
So, leaving duplicates may be a pretty good idea unless one is being careful about which one might be deleted.
Is that the conclusion?  or at least one?

I notice that there is a banner "This is a predefined rule and ..... " and that the duplicates I have repeat this.  So, there are 2 "predefined rules".
I didn't see the GUID..
SOLUTION
Thank you all.  Lots of questions answered and powerful suggestions!
oBdA:  What is your preferred code for adding a Firewall Rule Group?
There's not really such a thing; it's just the "Group" property of the rules.
New-NetFirewallRule -Group "Fred: Some Group" ...
I take it that much of the talk "around" this subject then boils down to:
"In order to create a new Group, one must create a rule that is within and, thus, introduces the new Group within its properties".

It would appear that it all depends on the perspective.
If a Group were a thing like a file folder then it would "exist" in that context. And, I believe that this is the perspective that many have or have had.
But since a Group is a property of things (rules), it can only exist IF there is at least one rule with that property.
And, that's why we don't see the Firewall contents of rules with Groups being at a higher level of some hierarchy by themselves - like file folders.  The Groups are at the same level as other rule properties.

I might be tempted to say that Group is just a "label".  That would apply even though a Group label can be used to apply changes to an entire set of rules with the same Group property, right?
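To make the "Group is a label on rules" model concrete, an added example that is not from the thread: there is no cmdlet that creates, lists or deletes groups on their own, so the script derives the set of existing groups from the rules, shows a group appearing when the first rule carries the label and vanishing with the last, and uses the label to change a whole set of rules in one call. The group name "Fred: Some Group" is the one quoted in the thread; the rule name, port and addresses are constructed.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Rule name, port and addresses are constructed.

function Get-FirewallGroupSummary {
    # Every group that currently "exists", i.e. is carried by at least one rule,
    # together with how many rules carry it. Rules with no Group are skipped.
    Get-NetFirewallRule |
        Where-Object { $_.Group } |
        Group-Object Group |
        Select-Object @{ n = 'Group'; e = { $_.Name } }, Count
}

function Test-FirewallGroupExists {
    param([Parameter(Mandatory)][string]$Group)
    # A group exists exactly when some rule references it; an empty result means "no such group".
    return [bool](Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue)
}

$label = 'Fred: Some Group'

# 1. Before any rule carries the label there is nothing to find.
Test-FirewallGroupExists -Group $label

# 2. Creating a single rule with -Group brings the group into existence.
New-NetFirewallRule -Name 'Fred-WinRM-In' -DisplayName 'Fred: WinRM (HTTP-In)' -Group $label `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985 `
    -RemoteAddress LocalSubnet -Profile Private -Enabled True | Out-Null
Test-FirewallGroupExists -Group $label
Get-FirewallGroupSummary | Where-Object Group -eq $label

# 3. The label selects the whole set, so one call changes every rule carrying it.
Disable-NetFirewallRule -Group $label
Set-NetFirewallRule -Group $label -RemoteAddress '10.10.2.0/24','LocalSubnet'
Enable-NetFirewallRule -Group $label

# 4. Removing the last rule that carries the label removes the group with it.
Remove-NetFirewallRule -Group $label
Test-FirewallGroupExists -Group $label
```

The practical consequence for scripting is that -Group is safe to use as a selector only when you own every rule that carries the label: Disable-NetFirewallRule, Set-NetFirewallRule and Remove-NetFirewallRule with -Group all act on the entire set, so a label shared with rules created elsewhere widens the blast radius of each call. Prefixing your own labels (the "Fred:" convention from the thread) is a cheap way to keep that set under control.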