SANS Penetration Testing

Pen Test Poster: "White Board" - PowerShell - Get Firewall Rules


By Matthew Toussain, Grant Curell
Updated - 3/14/2017


Concealed within his fortress, the Lord of Mordor sees all? And with PowerShell we can too!


Microsoft has truly given system administrators and computer hackers alike a gift: the gift of vision. Take, for instance, PowerShell's output, format, and export functions. Most scripting languages are built to be lean, efficient, and capable. PowerShell manages all three while natively supporting a host of features to retrieve data and walk through it, step by step.


Methods Covered in this Section

Get-NetFirewallRule display rules:

Get-NetFirewallRule -all

Get-NetFirewallRule basic formatting (list of names):

Get-NetFirewallRule -all | Format-List -Property Name

Get-NetFirewallRule in grid view:

Get-NetFirewallRule -all | Out-GridView

Get-NetFirewallRule export to csv:

Get-NetFirewallRule -all | Export-Csv <file_path.csv>

Firewall rules via comObjects:

$(New-object -comObject HNetCfg.FwPolicy2).rules | Format-Table -Property name, protocol, localports


PowerShell cmdlets are built around the concept of objects. To display a list of all firewall rule objects run the command below.


Get-NetFirewallRule display rules:
Get-NetFirewallRule -all


The robust formatting capabilities of PowerShell would not be possible without its object oriented design. For example, because we are interacting with firewall rule objects we do not have to parse the results of our command line-by-line. In bash, we would have to use some combination of the cut, grep, sort, and uniq commands to have even the slightest chance at transforming the above data into the list below.


Get-NetFirewallRule basic formatting (list of names):
Get-NetFirewallRule -all | Format-List -Property Name


The Format-List cmdlet is the most basic method to control and format object information with PowerShell. Where the first command spewed lines of data, Format-List (limiting by the Name property) is able to present a list of all firewall rules by name.


A more robust output format is Out-GridView, which sends command output into a specialized grid view window where it is displayed in an interactive table:


Get-NetFirewallRule in grid view:
Get-NetFirewallRule -all | Out-GridView


Grid view can be exceptionally handy as part of a clickable script allowing for quick spreadsheet viewing of large datasets without ever delving into the command line. As a result, it proves particularly useful for technical experts to make their results accessible to less specialized analysts. Its direct interactivity and built-in search filter only make it more useful.


Even more extensibility is possible by leveraging the export set of cmdlets. PowerShell natively supports several export mechanisms including ConvertTo-Html and Export-Csv.


Get-NetFirewallRule export to csv:
Get-NetFirewallRule -all | Export-Csv <file_path.csv>
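The sections above show one property at a time, but the real payoff of object-based output is joining several objects and exporting the combined result. The following script is an added example (not part of the SANS post) that does exactly that for a defensive review: it pulls only the enabled inbound Allow rules, attaches each rule's port, address and program filters, flags the rules that accept any remote host on any port, and writes everything to CSV. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and the path in $OutFile is a constructed default you can change.

```powershell
# Added example, not from the original post: audit enabled inbound Allow rules
# and export them with their port/address/program details. Assumes the
# NetSecurity module (Get-NetFirewall* cmdlets). $OutFile is an assumed path.
$OutFile = Join-Path $env:TEMP ("fw-inbound-allow-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))

# Filter on the cmdlet's own parameters rather than parsing text output
$report = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $rule = $_
        # Ports, addresses and programs are separate filter objects associated
        # with the rule; piping the rule into each Get-NetFirewall*Filter
        # cmdlet returns the matching filter.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [PSCustomObject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
            Program       = $app.Program
        }
    }

# Rules worth reading first: open to any remote host on any local port
$wideOpen = $report | Where-Object {
    $_.RemoteAddress -eq 'Any' -and $_.LocalPort -eq 'Any'
}

# Same Export-Csv as in the post; -NoTypeInformation drops the #TYPE header line
$report | Sort-Object Profile, DisplayName | Export-Csv -Path $OutFile -NoTypeInformation

"{0} enabled inbound allow rules written to {1}" -f @($report).Count, $OutFile
"{0} of them accept any remote address on any local port:" -f @($wideOpen).Count
$wideOpen | Format-Table DisplayName, Profile, Protocol, Program -AutoSize
```

Because $report is a collection of objects rather than text, any of the earlier output cmdlets still apply: replace the Export-Csv line with Out-GridView to browse the same joined data interactively, or with ConvertTo-Html for a report.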



Bonus Command — Firewall Rules on Windows 7

There is one major downside to the NetFirewall series of cmdlets: they are not supported on Windows 7 and older systems, even when their PowerShell version has been upgraded past version 3.0. Fortunately, we can still arrive at similar functionality within PowerShell via a clever little hack. Using the Microsoft Component Object Model (COM) to leverage comObjects allows us to use a set of features introduced in 1993 to empower backwards compatibility within our PowerShell scripts. Behold!


Firewall rules via comObjects:
$(New-Object -ComObject HNetCfg.FwPolicy2).rules | Format-Table -Property name, protocol, localports
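The COM one-liner prints raw numeric fields (Protocol 6, Direction 1, Profiles bitmask 3) that are awkward to read. The script below is an added example (not from the SANS post) that carries the same inbound-allow audit as the NetSecurity version over to the HNetCfg.FwPolicy2 object: it first reports whether the firewall is actually enabled per profile, then decodes the numeric constants into names. The constant values (Direction 1 = in, Action 1 = allow, profiles 1/2/4 = Domain/Private/Public, protocol 6/17/256 = TCP/UDP/Any) are from the documented INetFwRule and INetFwPolicy2 interfaces; the script assumes PowerShell 3.0 or later for the [PSCustomObject] syntax, which matches the upgraded-Windows-7 case the post describes.

```powershell
# Added example, not from the original post: inbound Allow rule audit through
# the HNetCfg.FwPolicy2 COM object for hosts without the NetSecurity module.
# Assumes PowerShell 3.0+ ([PSCustomObject]). Numeric constants per INetFwRule.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

$ProfileNames  = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
$ProtocolNames = @{ 6 = 'TCP'; 17 = 'UDP'; 256 = 'Any' }

# A rule list means little if the profile in use has the firewall switched off,
# so check FirewallEnabled for each profile first (parameterized COM property,
# called like a method from PowerShell).
foreach ($p in ($ProfileNames.Keys | Sort-Object)) {
    $state = if ($fw.FirewallEnabled($p)) { 'enabled' } else { 'DISABLED' }
    "{0,-8} profile: firewall {1}" -f $ProfileNames[$p], $state
}

# Direction 1 = inbound, Action 1 = allow (0 = block); Enabled is a bool
$inboundAllow = @($fw.Rules) | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1
} | ForEach-Object {
    $rule = $_
    # Profiles is a bitmask: test each documented bit and collect the names
    $profiles = foreach ($bit in 1, 2, 4) {
        if ($rule.Profiles -band $bit) { $ProfileNames[$bit] }
    }
    $protoNum = [int]$rule.Protocol
    $proto = if ($ProtocolNames.ContainsKey($protoNum)) { $ProtocolNames[$protoNum] } else { $protoNum }
    [PSCustomObject]@{
        Name            = $rule.Name
        Profiles        = ($profiles -join ',')
        Protocol        = $proto
        LocalPorts      = $rule.LocalPorts        # '*' means any port
        RemoteAddresses = $rule.RemoteAddresses   # '*' means any address
        Program         = $rule.ApplicationName
    }
}

$inboundAllow | Sort-Object Name | Format-Table -AutoSize

# Rules open to any remote address on any local port, as in the NetSecurity version
$inboundAllow | Where-Object { $_.LocalPorts -eq '*' -and $_.RemoteAddresses -eq '*' } |
    Format-Table Name, Profiles, Protocol, Program -AutoSize
```

The objects produced here have the same shape as those from the NetSecurity cmdlets, so the Export-Csv, Out-GridView and ConvertTo-Html steps shown earlier work unchanged on $inboundAllow.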



PowerShell is magical. Consider for a moment what just went on under the hood as you executed these ultra-simple one liners. Controlling, managing, and formatting information is an inherent facet of PowerShell. As such, its application is not limited to viewing the Windows firewall setup. Let the situation and your imagination drive its usage! Remember: No matter how much data you are presented with, through PowerShell you are the Dark Lord, and YOU. SEE.. ALL...

Matthew Toussain

I am teaching SEC560: Network Penetration Testing and Ethical Hacking in New York City in August 2018.
