Backup Firewall script

[kidguardian]

I just came across your WindowsFirewallRuleset after I recently created a backup script using the get-netfirewallrule commands and exporting to CSV but was completely taken aghast at the amount of time (1 minute to 20+ minutes) it took to export the entire rule set verses the under 1 second pull and export to CSV using the older object model. Example:

$fwRules=(New-object -ComObject HNetCfg.FWPolicy2).rules

It is also much faster to use this method to search for existing open ports, etc. Not sure if you knew about the older method and if it still gives you what you want but I thought I would mention it.

[metablaster]

Thank you for sharing your solution!
Very useful because these are the slowest scripts, I'll play with this when I get back and find time for scripting.

[metablaster]

Hello again,

I attempted to implement your suggestion but come to conclusion that this method to export firewall is not useful for the following reasons:

1. Firewall rules obtained by HNetCfg.FWPolicy2 are those from persistent store
   persistent store rules are those which you see in Windows Firewall with Advanced security, accessed trough control panel or System settings.

2. There is no way to export only GPO rules by using HNetCfg.FWPolicy2.
   As such export\import from persistent store is of no use because only GPO rules is what is needed to export.
   We make no use of control panel firewall (persistent store) for several reasons, one of them is that it is constantly modified by system and by random programs that users install, which is why only GPO store is used.

3. I don't know why but when I run following code to get outbound rules there is no output:

$FWPolicy2 = (New-Object -ComObject HNetCfg.FWPolicy2).rules
$FWPolicy2 | where {$_.Direction -eq 0 }

It looks like only inbound rules can be retrieved, ex following works:

$FWPolicy2 = (New-Object -ComObject HNetCfg.FWPolicy2).rules
$FWPolicy2 | where {$_.Direction -eq 1 }

So even if I wanted to write a new export function for control panel firewall it would not work as expected.

There are 2 alternatives to your suggestion but with drawbacks:

1. Get-GPResultantSetOfPolicy may retrieve RSOP store and GPO store.
   Problem is this command works only on domain computers, which means export on workstations would see no performance benefit.

2. GPO rules could be exported from registry directly which is as fast as with HNetCfg.FWPolicy2
   Problem is lack of documentation on how rules are stored in registry, and also registry could be corrupted.
   I have plans for this approach in the future but it will take some time.

I could be wrong on some points, if so let me know.

Following reference was helpful:
https://docs.microsoft.com/en-us/windows/win32/api/netfw/nn-netfw-inetfwpolicy2
https://devblogs.microsoft.com/scripting/quick-hits-friday-the-scripting-guys-respond-to-a-bunch-of-questions-9310/
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/e209a8d7-119a-4e5f-819a-f4f323e1777a/auditing-windows-firewall-rules?forum=ITCG
https://serverfault.com/questions/797144/evaluating-properties-of-gpo-created-firewall-rules-in-a-script

[metablaster]

Hello again @kidguardian I don't know if you're still watching this discusion but,
I just wanted to share that firewall export now takes less than a minute with the help of
new function Export-RegistryRule which uses Get-RegistryRule

These functions instead of using slow filters, drill and parse registry which as fast as it can be.
You can test exprt\import by using scripts Backup-Firewall and Restore-Firewall

Thank you again for reporting!