dsccommunity / NetworkingDsc

DSC resources for configuring settings related to networking.
https://dsccommunity.org
MIT License

xFirewall Can't Detect Rules Created via the GUI (Windows 2012/WMF4) #121

Open mhendric opened 8 years ago

mhendric commented 8 years ago

I'm running Windows 2012 (non R2) with WMF4. We have manually created some firewall rules using the GUI, and are now trying to detect and monitor these rules using DSC. When created with the GUI, the resources get a Name that is a GUID, and a DisplayName of whatever you intended the name to be. All the -NetFirewallRule checks in the xFirewall resource use -Name, so it is unable to detect the rule properly. A possible fix would be to have -NetFirewallRule check for either Name or DisplayName matches.

Output: Here's what happens when I try to Test-TargetResource:

PS C:\Program Files\WindowsPowerShell\Modules\xNetworking\DSCResources\MSFT_xFirewall> $parms

Name                           Value
----                           -----
Action                         Allow
Ensure                         Present
Profile                        Domain
Description                    Allow Trend for Exchange2013
LocalPort                      {80, 443, 5168, 16372...}
Name                           TrendFirewallPortsforExchange2013 (TCP-IN)
Direction                      Inbound
Protocol                       Tcp
DisplayName                    TrendFirewallPortsforExchange2013 (TCP-IN)

PS C:\Program Files\WindowsPowerShell\Modules\xNetworking\DSCResources\MSFT_xFirewall> Import-Module .\MSFT_xFirewall.psm1

PS C:\Program Files\WindowsPowerShell\Modules\xNetworking\DSCResources\MSFT_xFirewall> Test-TargetResource @parms -Verbose
VERBOSE: Test-TargetResource: Checking settings for firewall rule with Name 'TrendFirewallPortsforExchange2013 (TCP-IN)'.
VERBOSE: Test-TargetResource: Find firewall rule with Name 'TrendFirewallPortsforExchange2013 (TCP-IN)'.
VERBOSE: Get-FirewallRule: No Firewall Rule found with Name 'TrendFirewallPortsforExchange2013 (TCP-IN)'.
VERBOSE: Test-TargetResource: Firewall rule with Name 'TrendFirewallPortsforExchange2013 (TCP-IN)' does not exist.
VERBOSE: Test-TargetResource: Check Firewall rule with Name 'TrendFirewallPortsforExchange2013 (TCP-IN)' returning False.
False

Here's the resource props:

[DBG]: PS C:\Program Files\WindowsPowerShell\Modules\xNetworking\DSCResources\MSFT_xFirewall>> Get-NetFirewallRule | where {$_.DisplayName -like "*Trend*"} | fl

Name                  : {615DCE6C-32DD-49B0-B81E-808BA37473DC}
DisplayName           : TrendFirewallPortsforExchange2013 (TCP-IN)
Description           : Allow Trend for Exchange2013
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Domain
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

Here's a pic of the GUI: guirule
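
The Name-then-DisplayName lookup suggested in the comment above, sketched as an added example; it is not code from the xNetworking module or from anyone in this thread. The function name `Find-FirewallRuleByNameOrDisplayName` is hypothetical, and the sketch assumes the NetSecurity module that provides `Get-NetFirewallRule`. Because DisplayName is not unique, the fallback refuses to pick a rule when more than one matches.

```powershell
#Requires -Modules NetSecurity

# Hypothetical helper (not part of xNetworking): resolve a rule by Name first,
# then fall back to DisplayName for GUI-created rules whose Name is a GUID.
function Find-FirewallRuleByNameOrDisplayName
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [String] $Name
    )

    # 1. Name lookup, as the resource does today. The -eq filter keeps only
    #    exact matches in case the value contains wildcard characters.
    $byName = @(Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Name })
    if ($byName.Count -eq 1)
    {
        Write-Verbose "Found firewall rule by Name '$Name'."
        return $byName[0]
    }

    # 2. Fallback: GUI-created rules carry the friendly text in DisplayName only.
    $byDisplayName = @(Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name })

    if ($byDisplayName.Count -eq 0)
    {
        Write-Verbose "No firewall rule found with Name or DisplayName '$Name'."
        return $null
    }
    if ($byDisplayName.Count -gt 1)
    {
        # Several rules can share a DisplayName; guessing could test or
        # modify the wrong rule, so report every candidate and stop.
        $candidates = $byDisplayName.Name -join ', '
        throw "DisplayName '$Name' matches $($byDisplayName.Count) rules: $candidates"
    }

    Write-Verbose "Found firewall rule by DisplayName '$Name' (Name is '$($byDisplayName[0].Name)')."
    return $byDisplayName[0]
}

# Usage with the rule from this issue:
# Find-FirewallRuleByNameOrDisplayName -Name 'TrendFirewallPortsforExchange2013 (TCP-IN)' -Verbose
```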

PlagueHO commented 8 years ago

I think this issue is the same as this recently closed (but not resolved) issue: https://github.com/PowerShell/xNetworking/issues/75

I did post a possible way we could work around this (in #75), but we never actually implemented it.

@tysonjhayes - any thoughts on this?