Module for configuring Windows Firewall using netsh
New in version 2015.5.0.
Add a new inbound or outbound rule to the firewall policy
name (str) -- The name of the rule. Must be unique and cannot be "all". Required.
localport (int) -- The port the rule applies to. Must be a number between 0 and 65535. Can be a range. Can specify multiple ports separated by commas. Required.
protocol (Optional[str]) --
The protocol. Can be any of the following:
A number between 0 and 255
icmpv4
icmpv6
tcp
udp
any
action (Optional[str]) --
The action the rule performs. Can be any of the following:
allow
block
bypass
dir (Optional[str]) -- The direction. Can be in or out.
remoteip (Optional[str]) --
The remote IP. Can be any of the following:
any
localsubnet
dns
dhcp
wins
defaultgateway
Any valid IPv4 address (192.168.0.12)
Any valid IPv6 address (2002:9b3b:1a31:4:208:74ff:fe39:6c43)
Any valid subnet (192.168.1.0/24)
Any valid range of IP addresses (192.168.0.1-192.168.0.12)
A list of valid IP addresses
Can be combinations of the above separated by commas.
True if successful
CommandExecutionError -- If the command fails
CLI Example:
salt '*' firewall.add_rule 'test' '8080' 'tcp'
salt '*' firewall.add_rule 'test' '1' 'icmpv4'
salt '*' firewall.add_rule 'test_remote_ip' '8000' 'tcp' 'allow' 'in' '192.168.0.1'
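A pre-flight check for the localport and remoteip values described above, as an added example that is not part of the Salt module. The function names are hypothetical, and the defaults for protocol, action, direction and remoteip are assumptions, since the page does not state them. It also warns when an inbound allow rule is open to any remote address.

```python
import ipaddress
import re

# Keywords the page lists as valid remoteip values.
REMOTEIP_KEYWORDS = {"any", "localsubnet", "dns", "dhcp", "wins", "defaultgateway"}
PORT_RE = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)  # "80" or "8000-8010"

def check_localport(localport):
    """Return problems found in a localport value such as '80,8000-8010'."""
    problems = []
    for part in str(localport).split(","):
        m = PORT_RE.fullmatch(part.strip())
        if not m:
            problems.append(f"localport {part!r}: not a port or port range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi > 65535 or lo > hi:
            problems.append(f"localport {part!r}: outside 0-65535 or reversed")
    return problems

def check_remoteip(remoteip):
    """Return problems found in a comma-separated remoteip value."""
    problems = []
    for part in str(remoteip).split(","):
        item = part.strip()
        if item.lower() in REMOTEIP_KEYWORDS:
            continue
        try:
            if "-" in item:  # range: both ends valid, same family, ordered
                lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError("range ends mismatched or reversed")
            else:  # single address or CIDR subnet
                ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            problems.append(f"remoteip {item!r}: {exc}")
    return problems

def review_rule(name, localport, protocol="tcp", action="allow",
                direction="in", remoteip="any"):  # defaults are assumptions
    """Hypothetical pre-flight check; returns (errors, warnings)."""
    errors = check_localport(localport) + check_remoteip(remoteip)
    if not name or name.lower() == "all":
        errors.append('name is required and cannot be "all"')
    sources = [p.strip().lower() for p in str(remoteip).split(",")]
    warnings = []
    if action == "allow" and direction == "in" and "any" in sources:
        warnings.append(f"{name!r} allows inbound {protocol}/{localport} from any address")
    return errors, warnings
```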
New in version 2015.8.0.
Delete an existing firewall rule identified by name and optionally by ports, protocols, direction, and remote IP.
name (str) -- The name of the rule to delete. If the name all is used
you must specify additional parameters.
localport (Optional[str]) -- The port of the rule. If protocol is not
specified, protocol will be set to tcp
protocol (Optional[str]) -- The protocol of the rule. Default is tcp
when localport is specified
dir (Optional[str]) -- The direction of the rule.
remoteip (Optional[str]) -- The remote IP of the rule.
True if successful
CommandExecutionError -- If the command fails
CLI Example:
# Delete incoming tcp port 8080 in the rule named 'test'
salt '*' firewall.delete_rule 'test' '8080' 'tcp' 'in'
# Delete the incoming tcp port 8000 from 192.168.0.1 in the rule named
# 'test_remote_ip'
salt '*' firewall.delete_rule 'test_remote_ip' '8000' 'tcp' 'in' '192.168.0.1'
# Delete all rules for local port 80:
salt '*' firewall.delete_rule all 80 tcp
# Delete a rule called 'allow80':
salt '*' firewall.delete_rule allow80
Disable firewall profile
profile (Optional[str]) --
The name of the profile to disable. Default is
allprofiles. Valid options are:
allprofiles
domainprofile
privateprofile
publicprofile
True if successful
CommandExecutionError -- If the command fails
CLI Example:
salt '*' firewall.disable
New in version 2015.5.0.
Enable firewall profile
profile (Optional[str]) --
The name of the profile to enable. Default is
allprofiles. Valid options are:
allprofiles
domainprofile
privateprofile
publicprofile
True if successful
CommandExecutionError -- If the command fails
CLI Example:
salt '*' firewall.enable
Gets all properties for all profiles in the specified store
New in version 2018.3.4.
New in version 2019.2.0.
store (str) --
The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:
lgpo
local
Default is local
A dictionary containing the specified settings for each profile
CLI Example:
# Get all firewall settings for all profiles
salt '*' firewall.get_all_profiles
# Get all firewall settings for all profiles as defined by local group
# policy
salt '*' firewall.get_all_profiles lgpo
Gets all the properties for the specified profile in the specified store
New in version 2018.3.4.
New in version 2019.2.0.
A dictionary containing the specified settings
CLI Example:
# Get all firewall settings for connections on the domain profile
salt '*' firewall.get_all_settings domain
# Get all firewall settings for connections on the domain profile as
# defined by local group policy
salt '*' firewall.get_all_settings domain lgpo
Get the status of all the firewall profiles
A dictionary of all profiles on the system
CommandExecutionError -- If the command fails
CLI Example:
salt '*' firewall.get_config
New in version 2015.5.0.
Display all matching rules as specified by name
name (Optional[str]) -- The full name of the rule. all will return all
rules. Default is all
A dictionary of all rules or rules that match the name exactly
CommandExecutionError -- If the command fails
CLI Example:
salt '*' firewall.get_rule 'MyAppPort'
Get the firewall property from the specified profile in the specified store
as returned by netsh advfirewall.
New in version 2018.3.4.
New in version 2019.2.0.
profile (str) --
The firewall profile to query. Valid options are:
domain
public
private
section (str) --
The property to query within the selected profile. Valid options are:
firewallpolicy : inbound/outbound behavior
logging : firewall logging settings
settings : firewall properties
state : firewall state (on | off)
store (str) --
The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:
lgpo
local
Default is local
A dictionary containing the properties for the specified profile
CommandExecutionError -- If an error occurs
ValueError -- If the parameters are incorrect
CLI Example:
# Get the inbound/outbound firewall settings for connections on the
# local domain profile
salt '*' firewall.get_settings domain firewallpolicy
# Get the inbound/outbound firewall settings for connections on the
# domain profile as defined by local group policy
salt '*' firewall.get_settings domain firewallpolicy lgpo
New in version 2016.11.6.
Checks if a firewall rule exists in the firewall policy
name (str) -- The name of the rule
True if exists, otherwise False
CLI Example:
# Is there a rule named RemoteDesktop
salt '*' firewall.rule_exists RemoteDesktop
Set the firewall inbound/outbound settings for the specified profile and store
New in version 2018.3.4.
New in version 2019.2.0.
profile (str) --
The firewall profile to configure. Valid options are:
domain
public
private
inbound (str) --
The inbound setting. If None is passed, the setting will remain
unchanged. Valid values are:
blockinbound
blockinboundalways
allowinbound
notconfigured
Default is None
outbound (str) --
The outbound setting. If None is passed, the setting will remain
unchanged. Valid values are:
allowoutbound
blockoutbound
notconfigured
Default is None
store (str) --
The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:
lgpo
local
Default is local
True if successful
CommandExecutionError -- If an error occurs
ValueError -- If the parameters are incorrect
CLI Example:
# Set the inbound setting for the domain profile to block inbound
# connections
salt '*' firewall.set_firewall_settings profile='domain' inbound='blockinbound'
# Set the outbound setting for the domain profile to allow outbound
# connections
salt '*' firewall.set_firewall_settings profile='domain' outbound='allowoutbound'
# Set inbound/outbound settings for the domain profile in the group
# policy to block inbound and allow outbound
salt '*' firewall.set_firewall_settings profile='domain' inbound='blockinbound' outbound='allowoutbound' store='lgpo'
Configure logging settings for the Windows firewall.
New in version 2018.3.4.
New in version 2019.2.0.
profile (str) --
The firewall profile to configure. Valid options are:
domain
public
private
setting (str) --
The logging setting to configure. Valid options are:
allowedconnections
droppedconnections
filename
maxfilesize
value (str) --
The value to apply to the setting. Valid values are dependent upon the setting being configured. Valid options are:
allowedconnections:
enable
disable
notconfigured
droppedconnections:
enable
disable
notconfigured
filename:
Full path and name of the firewall log file
notconfigured
maxfilesize:
1 - 32767
notconfigured
Note
notconfigured can only be used when using the lgpo store
store (str) --
The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:
lgpo
local
Default is local
True if successful
CommandExecutionError -- If an error occurs
ValueError -- If the parameters are incorrect
CLI Example:
# Log allowed connections and set that in local group policy
salt '*' firewall.set_logging_settings domain allowedconnections enable lgpo
# Don't log dropped connections
salt '*' firewall.set_logging_settings profile=private setting=droppedconnections value=disable
# Set the location of the log file
salt '*' firewall.set_logging_settings domain filename 'C:\windows\logs\firewall.log'
# You can also use environment variables
salt '*' firewall.set_logging_settings domain filename '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
# Set the max file size of the log to 2048 Kb
salt '*' firewall.set_logging_settings domain maxfilesize 2048
Configure firewall settings.
New in version 2018.3.4.
New in version 2019.2.0.
profile (str) --
The firewall profile to configure. Valid options are:
domain
public
private
setting (str) --
The firewall setting to configure. Valid options are:
localfirewallrules
localconsecrules
inboundusernotification
remotemanagement
unicastresponsetomulticast
value (str) --
The value to apply to the setting. Valid options are
enable
disable
notconfigured
Note
notconfigured can only be used when using the lgpo store
store (str) --
The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:
lgpo
local
Default is local
True if successful
CommandExecutionError -- If an error occurs
ValueError -- If the parameters are incorrect
CLI Example:
# Merge local rules with those distributed through group policy
salt '*' firewall.set_settings domain localfirewallrules enable
# Allow remote management of Windows Firewall
salt '*' firewall.set_settings domain remotemanagement enable
Configure the firewall state.
New in version 2018.3.4.
New in version 2019.2.0.
profile (str) --
The firewall profile to configure. Valid options are:
domain
public
private
state (str) --
The firewall state. Valid options are:
on
off
notconfigured
Note
notconfigured can only be used when using the lgpo store
store (str) --
The store to use. This is either the local firewall policy or the policy defined by local group policy. Valid options are:
lgpo
local
Default is local
True if successful
CommandExecutionError -- If an error occurs
ValueError -- If the parameters are incorrect
CLI Example:
# Turn the firewall off when the domain profile is active
salt '*' firewall.set_state domain off
# Turn the firewall on when the public profile is active and set that in
# the local group policy
salt '*' firewall.set_state public on lgpo