Configure Windows Firewall Rule using Group Policy

Every Windows OS comes with a native firewall as basic protection against malicious programs. Windows Firewall controls the incoming and outgoing traffic from and to the local system based on the criteria defined in its rules. The criteria can be program name, protocol, port, or IP address. In a domain environment, administrators can centrally configure Windows Firewall rules using Group Policy. This way, the rules are applied automatically to all targeted computers in the domain, which improves security and prevents individual machines from drifting from the standard.

How to Configure Windows Firewall Rule using Group Policy

There are two ways to configure Windows Firewall rule using Group Policy:

  • Using the legacy configuration
    The settings can be found under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. The settings in this section were intended for Windows versions before the release of Windows Vista and Windows Server 2008, but they still work on newer releases of Windows. However, they are not recommended unless outdated operating systems are still being managed in the domain.
  • Using the new configuration
    The settings can be found under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security. The settings in this section have been optimized for current Windows releases, and they use the very same wizard GUI as creating a firewall rule directly on the client computer, which makes them easier for administrators to work with.

In this example, we are going to create a custom firewall rule using the new configuration. The scenario is to allow an application named MustBeGeek.exe that listens on a random TCP port in the range 60000-65535 for inbound connections.

The step by step configuration is as follows:

1. Defining the policy object

Open up the Group Policy Management console and decide whether to use an existing GPO or create a new one. After that, edit the GPO and navigate to Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

Configure Windows Firewall Rule using Group Policy - 1

2. Set the firewall to be enabled

Click on Windows Firewall with Advanced Security in the left pane, and the menu below will show up in the right pane. Click on Windows Firewall Properties.

Configure Windows Firewall Rule using Group Policy - 2

On the first three tabs, Domain Profile, Private Profile, and Public Profile, make sure the firewall state is set to On (recommended) and that the following configuration is applied. This ensures that no computer in the domain has its firewall turned off. Click OK to confirm the setting.

Configure Windows Firewall Rule using Group Policy - 3

Verify that the overview now looks like the screenshot below.

Configure Windows Firewall Rule using Group Policy - 4

3. Configuring firewall rules

Now it is time to create the firewall rule. The actions performed in this step vary depending on what needs to be configured. In this example, an inbound rule will be created. Click on Inbound Rules in the left pane, then right-click on an empty area in the right pane and select New Rule.

Configure Windows Firewall Rule using Group Policy - 5

There are four rule types to choose from. Select Custom and click Next.

Configure Windows Firewall Rule using Group Policy - 6

In a custom rule, we can specify the program, ports, and IP addresses as necessary. According to the requirements of this example, the configuration looks like the screenshots below.

Program path

Configure Windows Firewall Rule using Group Policy - 7

Protocol and ports

Configure Windows Firewall Rule using Group Policy - 8

Scope (IP address)

Configure Windows Firewall Rule using Group Policy - 9

Action
After specifying the program path, ports, and IP addresses, set the action to Allow the connection.

Configure Windows Firewall Rule using Group Policy - 10

Profile
Tick all the boxes to ensure that this rule is applied on all profiles.

Configure Windows Firewall Rule using Group Policy - 11

Completion
When all the settings have been completed, give the rule a name for identification purposes.

Configure Windows Firewall Rule using Group Policy - 12

Once done, the summary of the newly created rule can be seen in the Group Policy Management console.

Configure Windows Firewall Rule using Group Policy - 13

4. Verify results on the client

Apply the GPO to a computer OU and check the result in the client firewall configuration. There will be a banner saying the settings are controlled by Group Policy, and the firewall state will match what was configured earlier.

Configure Windows Firewall Rule using Group Policy - 14

End users will no longer be able to modify the firewall state or the default action.

Configure Windows Firewall Rule using Group Policy - 15

In the rules section, confirm that the configured rule has been added to the list.

Configure Windows Firewall Rule using Group Policy - 16
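The same configuration can be scripted and verified with the NetSecurity PowerShell cmdlets. The following is an added example, not code from the original article; the domain name, the GPO name "Firewall Baseline", the program path and the remote address scope are assumptions, since the article shows them only in screenshots.

```powershell
# Added example (not from the original article): the profile settings from
# step 2 and the inbound rule from step 3, written to a GPO with PowerShell.
# Assumptions: domain contoso.com, a GPO named "Firewall Baseline", and
# MustBeGeek.exe installed under C:\Program Files\MustBeGeek\.
# Run on a domain-joined management host with the Group Policy tools installed.
$PolicyStore = 'contoso.com\Firewall Baseline'

# Open the GPO once so that all changes are committed in a single save.
$gpo = Open-NetGPO -PolicyStore $PolicyStore

# Step 2: force the firewall on for all three profiles, so that no computer
# receiving this GPO can run with its firewall turned off.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain, Private, Public -Enabled True

# Step 3: custom inbound rule for MustBeGeek.exe on TCP 60000-65535.
# -RemoteAddress is an assumption; the article does not state the scope used.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName 'Allow MustBeGeek inbound TCP 60000-65535' `
    -Direction Inbound `
    -Program 'C:\Program Files\MustBeGeek\MustBeGeek.exe' `
    -Protocol TCP `
    -LocalPort '60000-65535' `
    -RemoteAddress LocalSubnet `
    -Profile Any `
    -Action Allow

# Commit the changes to the GPO so clients pick them up on the next refresh.
Save-NetGPO -GPOSession $gpo

# Step 4, run on a client after 'gpupdate /force': the RSOP store shows only
# what Group Policy delivered, so it confirms the policy actually arrived.
Get-NetFirewallProfile -PolicyStore RSOP | Select-Object Name, Enabled
$rule = Get-NetFirewallRule -PolicyStore RSOP -DisplayName 'Allow MustBeGeek inbound TCP 60000-65535'
$rule | Get-NetFirewallPortFilter          # expect Protocol TCP, LocalPort 60000-65535
$rule | Get-NetFirewallApplicationFilter   # expect the MustBeGeek.exe path
```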

Useful Tips for Managing Windows Firewall Rule using Group Policy

The firewall rule will be added as soon as Group Policy is refreshed, and a manual refresh can be triggered with the command gpupdate /force.

Configure Windows Firewall Rule using Group Policy - 17

When configuring firewall rules in Group Policy, it is not recommended to set firewall rules using both the legacy and the new configuration in the same Group Policy Object. Windows will try to merge the settings, but the result may not be what was expected. The best practice is to use a separate policy object for legacy computers.

Another handy tip: administrators can import firewall rules created on another Windows computer into the Group Policy instead of re-creating them one by one. This saves time and effort and keeps firewall rules consistent across the domain.
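One way to reuse rules that were built and tested on a reference computer, as an added example rather than the article's own method: copy them from the local store into the GPO with Copy-NetFirewallRule. The rule group name "MustBeGeek" and the GPO name are assumptions.

```powershell
# Added example (not from the original article): copy rules from a reference
# computer's local firewall into the GPO instead of re-creating them by hand.
# Assumptions: the reference rules carry the group "MustBeGeek" and the
# target GPO is contoso.com\Firewall Baseline.
$PolicyStore = 'contoso.com\Firewall Baseline'

# PersistentStore holds the rules defined locally on this computer,
# not the ones already delivered by Group Policy, so nothing is copied twice.
$localRules = Get-NetFirewallRule -PolicyStore PersistentStore -Group 'MustBeGeek' -Enabled True

# Each rule is copied together with its program, port and address filters.
$localRules | Copy-NetFirewallRule -NewPolicyStore $PolicyStore

# Review what now lives in the GPO before it reaches any client.
Get-NetFirewallRule -PolicyStore $PolicyStore -Group 'MustBeGeek' |
    Select-Object DisplayName, Direction, Action, Profile
```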

And that is how to configure a Windows Firewall rule using Group Policy.

Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am an IT practitioner in real life with a specialization in network and server infrastructure. I have years of experience in the design, analysis, operation, and optimization of infrastructure solutions for enterprise-scale networks. You can send me a message on LinkedIn or email arranda.saputra@outlook.com for further inquiries regarding things that I wrote or opportunities to collaborate on a project.