salt.modules.win_firewall

Module for configuring Windows Firewall using netsh

salt.modules.win_firewall.add_rule(name, localport, protocol='tcp', action='allow', dir='in', remoteip='any')

New in version 2015.5.0.

Add a new inbound or outbound rule to the firewall policy

Parameters
  • name (str) -- The name of the rule. Must be unique and cannot be "all". Required.

  • localport (int) -- The port the rule applies to. Must be a number between 0 and 65535. Can be a range. Can specify multiple ports separated by commas. Required.

  • protocol (Optional[str]) --

    The protocol. Can be any of the following:

    • A number between 0 and 255

    • icmpv4

    • icmpv6

    • tcp

    • udp

    • any

  • action (Optional[str]) --

    The action the rule performs. Can be any of the following:

    • allow

    • block

    • bypass

  • dir (Optional[str]) -- The direction. Can be in or out.

  • remoteip (Optional [str]) --

    The remote IP. Can be any of the following:

    • any

    • localsubnet

    • dns

    • dhcp

    • wins

    • defaultgateway

    • Any valid IPv4 address (192.168.0.12)

    • Any valid IPv6 address (2002:9b3b:1a31:4:208:74ff:fe39:6c43)

    • Any valid subnet (192.168.1.0/24)

    • Any valid range of IP addresses (192.168.0.1-192.168.0.12)

    • A list of valid IP addresses

    Can be combinations of the above separated by commas.

Returns

True if successful

Return type

bool

Raises

CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.add_rule 'test' '8080' 'tcp'
salt '*' firewall.add_rule 'test' '1' 'icmpv4'
salt '*' firewall.add_rule 'test_remote_ip' '8000' 'tcp' 'allow' 'in' '192.168.0.1'
salt.modules.win_firewall.delete_rule(name=None, localport=None, protocol=None, dir=None, remoteip=None)

New in version 2015.8.0.

Delete an existing firewall rule identified by name and optionally by ports, protocols, direction, and remote IP.

Parameters
  • name (str) -- The name of the rule to delete. If the name all is used you must specify additional parameters.

  • localport (Optional[str]) -- The port of the rule. If protocol is not specified, protocol will be set to tcp

  • protocol (Optional[str]) -- The protocol of the rule. Default is tcp when localport is specified

  • dir (Optional[str]) -- The direction of the rule.

  • remoteip (Optional[str]) -- The remote IP of the rule.

Returns

True if successful

Return type

bool

Raises

CommandExecutionError -- If the command fails

CLI Example:

# Delete incoming tcp port 8080 in the rule named 'test'
salt '*' firewall.delete_rule 'test' '8080' 'tcp' 'in'

# Delete the incoming tcp port 8000 from 192.168.0.1 in the rule named
# 'test_remote_ip'
salt '*' firewall.delete_rule 'test_remote_ip' '8000' 'tcp' 'in' '192.168.0.1'

# Delete all rules for local port 80:
salt '*' firewall.delete_rule all 80 tcp

# Delete a rule called 'allow80':
salt '*' firewall.delete_rule allow80
salt.modules.win_firewall.disable(profile='allprofiles')

Disable firewall profile

Parameters

profile (Optional[str]) --

The name of the profile to disable. Default is allprofiles. Valid options are:

  • allprofiles

  • domainprofile

  • privateprofile

  • publicprofile

Returns

True if successful

Return type

bool

Raises

CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.disable
salt.modules.win_firewall.enable(profile='allprofiles')

New in version 2015.5.0.

Enable firewall profile

Parameters

profile (Optional[str]) --

The name of the profile to enable. Default is allprofiles. Valid options are:

  • allprofiles

  • domainprofile

  • privateprofile

  • publicprofile

Returns

True if successful

Return type

bool

Raises

CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.enable
salt.modules.win_firewall.get_all_profiles(store='local')

Gets all properties for all profiles in the specified store

New in version 2018.3.4.

New in version 2019.2.0.

Parameters

store (str) --

The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

  • lgpo

  • local

Default is local

Returns

A dictionary containing the specified settings for each profile

Return type

dict

CLI Example:

# Get all firewall settings for all profiles
salt * firewall.get_all_settings

# Get all firewall settings for all profiles as defined by local group
# policy

salt * firewall.get_all_settings lgpo
salt.modules.win_firewall.get_all_settings(domain, store='local')

Gets all the properties for the specified profile in the specified store

New in version 2018.3.4.

New in version 2019.2.0.

Parameters
  • profile (str) --

    The firewall profile to query. Valid options are:

    • domain

    • public

    • private

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo

    • local

    Default is local

Returns

A dictionary containing the specified settings

Return type

dict

CLI Example:

# Get all firewall settings for connections on the domain profile
salt * win_firewall.get_all_settings domain

# Get all firewall settings for connections on the domain profile as
# defined by local group policy
salt * win_firewall.get_all_settings domain lgpo
salt.modules.win_firewall.get_config()

Get the status of all the firewall profiles

Returns

A dictionary of all profiles on the system

Return type

dict

Raises

CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.get_config
salt.modules.win_firewall.get_rule(name='all')

New in version 2015.5.0.

Display all matching rules as specified by name

Parameters

name (Optional[str]) -- The full name of the rule. all will return all rules. Default is all

Returns

A dictionary of all rules or rules that match the name exactly

Return type

dict

Raises

CommandExecutionError -- If the command fails

CLI Example:

salt '*' firewall.get_rule 'MyAppPort'
salt.modules.win_firewall.get_settings(profile, section, store='local')

Get the firewall property from the specified profile in the specified store as returned by netsh advfirewall.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters
  • profile (str) --

    The firewall profile to query. Valid options are:

    • domain

    • public

    • private

  • section (str) --

    The property to query within the selected profile. Valid options are:

    • firewallpolicy : inbound/outbound behavior

    • logging : firewall logging settings

    • settings : firewall properties

    • state : firewalls state (on | off)

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo

    • local

    Default is local

Returns

A dictionary containing the properties for the specified profile

Return type

dict

Raises

CLI Example:

# Get the inbound/outbound firewall settings for connections on the
# local domain profile
salt * win_firewall.get_settings domain firewallpolicy

# Get the inbound/outbound firewall settings for connections on the
# domain profile as defined by local group policy
salt * win_firewall.get_settings domain firewallpolicy lgpo
salt.modules.win_firewall.rule_exists(name)

New in version 2016.11.6.

Checks if a firewall rule exists in the firewall policy

Parameters

name (str) -- The name of the rule

Returns

True if exists, otherwise False

Return type

bool

CLI Example:

# Is there a rule named RemoteDesktop
salt '*' firewall.rule_exists RemoteDesktop
salt.modules.win_firewall.set_firewall_settings(profile, inbound=None, outbound=None, store='local')

Set the firewall inbound/outbound settings for the specified profile and store

New in version 2018.3.4.

New in version 2019.2.0.

Parameters
  • profile (str) --

    The firewall profile to query. Valid options are:

    • domain

    • public

    • private

  • inbound (str) --

    The inbound setting. If None is passed, the setting will remain unchanged. Valid values are:

    • blockinbound

    • blockinboundalways

    • allowinbound

    • notconfigured

    Default is None

  • outbound (str) --

    The outbound setting. If None is passed, the setting will remain unchanged. Valid values are:

    • allowoutbound

    • blockoutbound

    • notconfigured

    Default is None

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo

    • local

    Default is local

Returns

True if successful

Return type

bool

Raises

CLI Example:

# Set the inbound setting for the domain profile to block inbound
# connections
salt * firewall.set_firewall_settings domain='domain' inbound='blockinbound'

# Set the outbound setting for the domain profile to allow outbound
# connections
salt * firewall.set_firewall_settings domain='domain' outbound='allowoutbound'

# Set inbound/outbound settings for the domain profile in the group
# policy to block inbound and allow outbound
salt * firewall.set_firewall_settings domain='domain' inbound='blockinbound' outbound='allowoutbound' store='lgpo'
salt.modules.win_firewall.set_logging_settings(profile, setting, value, store='local')

Configure logging settings for the Windows firewall.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters
  • profile (str) --

    The firewall profile to configure. Valid options are:

    • domain

    • public

    • private

  • setting (str) --

    The logging setting to configure. Valid options are:

    • allowedconnections

    • droppedconnections

    • filename

    • maxfilesize

  • value (str) --

    The value to apply to the setting. Valid values are dependent upon the setting being configured. Valid options are:

    allowedconnections:

    • enable

    • disable

    • notconfigured

    droppedconnections:

    • enable

    • disable

    • notconfigured

    filename:

    • Full path and name of the firewall log file

    • notconfigured

    maxfilesize:

    • 1 - 32767

    • notconfigured

    Note

    notconfigured can only be used when using the lgpo store

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo

    • local

    Default is local

Returns

True if successful

Return type

bool

Raises

CLI Example:

# Log allowed connections and set that in local group policy
salt * firewall.set_logging_settings domain allowedconnections enable lgpo

# Don't log dropped connections
salt * firewall.set_logging_settings profile=private setting=droppedconnections value=disable

# Set the location of the log file
salt * firewall.set_logging_settings domain filename C:\windows\logs\firewall.log

# You can also use environment variables
salt * firewall.set_logging_settings domain filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

# Set the max file size of the log to 2048 Kb
salt * firewall.set_logging_settings domain maxfilesize 2048
salt.modules.win_firewall.set_settings(profile, setting, value, store='local')

Configure firewall settings.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters
  • profile (str) --

    The firewall profile to configure. Valid options are:

    • domain

    • public

    • private

  • setting (str) --

    The firewall setting to configure. Valid options are:

    • localfirewallrules

    • localconsecrules

    • inboundusernotification

    • remotemanagement

    • unicastresponsetomulticast

  • value (str) --

    The value to apply to the setting. Valid options are

    • enable

    • disable

    • notconfigured

    Note

    notconfigured can only be used when using the lgpo store

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo

    • local

    Default is local

Returns

True if successful

Return type

bool

Raises

CLI Example:

# Merge local rules with those distributed through group policy
salt * firewall.set_settings domain localfirewallrules enable

# Allow remote management of Windows Firewall
salt * firewall.set_settings domain remotemanagement enable
salt.modules.win_firewall.set_state(profile, state, store='local')

Configure the firewall state.

New in version 2018.3.4.

New in version 2019.2.0.

Parameters
  • profile (str) --

    The firewall profile to configure. Valid options are:

    • domain

    • public

    • private

  • state (str) --

    The firewall state. Valid options are:

    • on

    • off

    • notconfigured

    Note

    notconfigured can only be used when using the lgpo store

  • store (str) --

    The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:

    • lgpo

    • local

    Default is local

Returns

True if successful

Return type

bool

Raises

CLI Example:

# Turn the firewall off when the domain profile is active
salt * firewall.set_state domain off

# Turn the firewall on when the public profile is active and set that in
# the local group policy
salt * firewall.set_state public on lgpo