How to Configure the Windows Server Firewall

Admin

Introduction

The Windows Firewall (Windows Defender Firewall) is your server's first line of defense. It controls incoming and outgoing network traffic by allowing or blocking connections based on defined rules.

Why Configure the Firewall?

  • Security — Block unauthorized access
  • Control — Precisely define which services are accessible
  • Protection — Reduce the server's attack surface
  • Compliance — Adhere to security best practices

What You Will Learn

  • Access and navigate the Windows Firewall
  • Open and close ports
  • Create custom rules
  • Configure via the graphical interface and PowerShell
  • Apply security best practices


Accessing the Windows Firewall

There are several ways to open the Windows Server Firewall console:

Method 1: Windows Search (Quick)

1. Press the Windows key
2. Type "Windows Defender Firewall with Advanced Security"
3. Click on the result

Or simply type: wf.msc

Method 2: Run (Win + R)

1. Press Windows + R
2. Type: wf.msc
3. Press Enter

Method 3: Control Panel

1. Control Panel
2. System and Security
3. Windows Defender Firewall
4. Advanced settings (left column)

Method 4: Server Manager

1. Open Server Manager
2. Tools
3. Windows Defender Firewall with Advanced Security

Method 5: PowerShell

# Open the graphical interface
wf.msc

# Or manage directly via command line
Get-NetFirewallRule

Understanding the Interface

The Windows Firewall interface is divided into several sections:

┌─────────────────────────────────────────────────────────────────┐
│  Windows Defender Firewall with Advanced Security                 │
├──────────────────┬──────────────────────────────────────────────┤
│                  │                                              │
│  ▼ Inbound       │   [List of rules]                            │
│    Rules         │                                              │
│                  │   Name | Group | Profile | Enabled | Action  │
│                  │   ─────────────────────────────────────────  │
│  ▼ Outbound      │   Rule 1...                                   │
│    Rules         │   Rule 2...                                   │
│                  │   Rule 3...                                   │
│                  │                                              │
│  ▼ Connection    │                                              │
│    Security      │                                              │
│                  │                                              │
│  ▼ Monitoring    │                                              │
│                  │                                              │
└──────────────────┴──────────────────────────────────────────────┘

Main Sections

Section                   | Description
Inbound Rules             | Controls connections TO your server
Outbound Rules            | Controls connections FROM your server
Connection Security Rules | IPsec and authentication
Monitoring                | Monitoring active rules

Rule States

Icon                 | Meaning
✅ Green             | Rule enabled - Allows traffic
✅ Green with circle | Rule enabled - Blocks traffic
⬜ Grayed            | Rule disabled

Open a Port (Graphical Interface)

Step by Step: Open a TCP Port

Example: Open port 25565 (Minecraft)

Step 1: Access Inbound Rules

1. Open the firewall (wf.msc)
2. Click on "Inbound Rules" in the left panel
3. Click on "New Rule..." in the right panel

Step 2: Rule Type

○ Program
● Port          ← Select this option
○ Predefined
○ Custom

→ Click "Next"

Step 3: Protocol and Ports

● TCP           ← For most services
○ UDP           ← For some games/VoIP

○ All local ports
● Specific local ports: 25565

→ Click "Next"

Step 4: Action

● Allow the connection      ← Select this option
○ Allow if secure
○ Block the connection

→ Click "Next"

Step 5: Profiles

☑ Domain       ← Corporate network (Active Directory)
☑ Private       ← Trusted network
☑ Public        ← Internet / Untrusted network

→ Check all three for a server
→ Click "Next"

Step 6: Rule Name

Name: Minecraft Server (TCP 25565)
Description: Allows connections to the Minecraft server

→ Click "Finish"

Port 25565 TCP is now open!

Open a UDP Port

Same procedure, but select UDP in step 3.

Example: Open port 19132 UDP (Minecraft Bedrock)

Step 3:
○ TCP
● UDP           ← Select UDP

Specific local ports: 19132

Open a Range of Ports

To open several consecutive ports:

Step 3:
Specific local ports: 27015-27030

→ Opens all ports from 27015 to 27030

Open Multiple Non-Consecutive Ports

Step 3:
Specific local ports: 80, 443, 8080

→ Opens ports 80, 443, and 8080

Close a Port

Method 1: Disable an Existing Rule

1. Open the firewall (wf.msc)
2. Inbound Rules
3. Find the relevant rule
4. Right-click → "Disable Rule"

Method 2: Delete a Rule

1. Open the firewall (wf.msc)
2. Inbound Rules
3. Find the relevant rule
4. Right-click → "Delete"
5. Confirm deletion

Method 3: Create a Block Rule

To explicitly block a port:

1. New Rule → Port
2. TCP or UDP → Port number
3. ● Block the connection    ← Select this option
4. All profiles
5. Name: "Block Port XXXX"

⚠️ Note: By default, Windows blocks everything that is not explicitly allowed (inbound mode). Deleting an allow rule usually suffices.


Configuration with PowerShell

PowerShell offers faster and scriptable management of the firewall.

Basic Commands

View Firewall Status

# General status
Get-NetFirewallProfile

# Status by profile
Get-NetFirewallProfile -Profile Domain,Public,Private | Format-Table Name, Enabled

Enable / Disable the Firewall

# Disable the firewall (NOT RECOMMENDED)
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# Enable the firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Open a Port with PowerShell

Basic Syntax

New-NetFirewallRule -DisplayName "NAME" -Direction Inbound -Protocol TCP -LocalPort PORT -Action Allow

Concrete Examples

# Open port 80 (HTTP)
New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow

# Open port 443 (HTTPS)
New-NetFirewallRule -DisplayName "HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# Open port 25565 TCP (Minecraft Java)
New-NetFirewallRule -DisplayName "Minecraft Java" -Direction Inbound -Protocol TCP -LocalPort 25565 -Action Allow

# Open port 19132 UDP (Minecraft Bedrock)
New-NetFirewallRule -DisplayName "Minecraft Bedrock" -Direction Inbound -Protocol UDP -LocalPort 19132 -Action Allow

# Open a range of ports
New-NetFirewallRule -DisplayName "Game Ports" -Direction Inbound -Protocol UDP -LocalPort 27015-27030 -Action Allow

# Open multiple ports
New-NetFirewallRule -DisplayName "Web Ports" -Direction Inbound -Protocol TCP -LocalPort 80,443,8080 -Action Allow

Open TCP and UDP at the Same Time

# Port 7777 TCP and UDP (ARK, etc.)
New-NetFirewallRule -DisplayName "ARK Server TCP" -Direction Inbound -Protocol TCP -LocalPort 7777 -Action Allow
New-NetFirewallRule -DisplayName "ARK Server UDP" -Direction Inbound -Protocol UDP -LocalPort 7777 -Action Allow

Close / Delete a Rule

# Delete by name
Remove-NetFirewallRule -DisplayName "Minecraft Java"

# Disable a rule (without deleting)
Disable-NetFirewallRule -DisplayName "Minecraft Java"

# Enable a rule
Enable-NetFirewallRule -DisplayName "Minecraft Java"

List Rules

# All inbound rules
Get-NetFirewallRule -Direction Inbound | Format-Table DisplayName, Enabled, Action

# Only active rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Format-Table DisplayName, Action

# Search for a rule by name
Get-NetFirewallRule -DisplayName "*Minecraft*"

# View details of a rule
Get-NetFirewallRule -DisplayName "Minecraft Java" | Get-NetFirewallPortFilter

Block a Port

# Block port 23 (Telnet)
New-NetFirewallRule -DisplayName "Block Telnet" -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block

Restrict by IP

# Allow only a specific IP
New-NetFirewallRule -DisplayName "RDP Restricted" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 86.123.45.67 -Action Allow

# Allow a range of IPs
New-NetFirewallRule -DisplayName "Office Network" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.1.0/24 -Action Allow

# Allow multiple IPs
New-NetFirewallRule -DisplayName "Admins Only" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 86.123.45.67,91.234.56.78 -Action Allow

Complete Script: Web Server Configuration

# Firewall configuration script for web server
# To be run as Administrator

Write-Host "Configuring firewall for web server..." -ForegroundColor Green

# HTTP
New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
Write-Host "✓ Port 80 (HTTP) opened" -ForegroundColor Cyan

# HTTPS
New-NetFirewallRule -DisplayName "HTTPS (443)" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
Write-Host "✓ Port 443 (HTTPS) opened" -ForegroundColor Cyan

# FTP (optional)
New-NetFirewallRule -DisplayName "FTP (21)" -Direction Inbound -Protocol TCP -LocalPort 21 -Action Allow
New-NetFirewallRule -DisplayName "FTP Passive" -Direction Inbound -Protocol TCP -LocalPort 50000-50100 -Action Allow
Write-Host "✓ FTP ports opened" -ForegroundColor Cyan

# MySQL (local only - security)
New-NetFirewallRule -DisplayName "MySQL Local" -Direction Inbound -Protocol TCP -LocalPort 3306 -RemoteAddress 127.0.0.1 -Action Allow
Write-Host "✓ MySQL (local only)" -ForegroundColor Cyan

Write-Host "`nConfiguration complete!" -ForegroundColor Green
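Re-running the script above creates a second copy of every rule, because New-NetFirewallRule does not check whether a rule with the same DisplayName already exists. The following added example (not the article's script) wraps creation in an idempotent helper driven by a declarative list; the rule names, ports and the admin subnet are constructed sample values.

```powershell
# Added example: idempotent, declarative firewall rule deployment.
# Requires an elevated PowerShell session (same as the article's scripts).
#Requires -RunAsAdministrator

function Ensure-FirewallRule {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [ValidateSet('TCP', 'UDP')] [string] $Protocol,
        [Parameter(Mandatory)] [string[]] $LocalPort,          # '80', @('80','443') or '50000-50100'
        [string[]] $RemoteAddress = 'Any',                     # restrict to IPs/subnets where possible
        [ValidateSet('Domain', 'Private', 'Public', 'Any')] [string] $FirewallProfile = 'Any'
    )
    # Look the rule up first; without -ErrorAction the cmdlet writes an error when nothing matches.
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "= $DisplayName already exists, leaving it unchanged" -ForegroundColor Yellow
        return $existing
    }
    $rule = New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
        -Protocol $Protocol -LocalPort $LocalPort -RemoteAddress $RemoteAddress `
        -Profile $FirewallProfile -Action Allow
    Write-Host "+ $DisplayName created ($Protocol $($LocalPort -join ',') from $($RemoteAddress -join ','))" -ForegroundColor Cyan
    return $rule
}

# What this server should expose (constructed sample values; adapt the subnet).
$desiredRules = @(
    @{ DisplayName = 'HTTP (80)';        Protocol = 'TCP'; LocalPort = '80' }
    @{ DisplayName = 'HTTPS (443)';      Protocol = 'TCP'; LocalPort = '443' }
    @{ DisplayName = 'RDP (admin only)'; Protocol = 'TCP'; LocalPort = '3389'; RemoteAddress = '192.168.1.0/24' }
)

foreach ($r in $desiredRules) {
    # Splatting passes each hashtable's keys as named parameters.
    Ensure-FirewallRule @r
}
```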

Configuration with CMD (netsh)

For those who prefer the classic command prompt.

Basic Syntax

netsh advfirewall firewall add rule name="NAME" dir=in action=allow protocol=TCP localport=PORT

Open a Port

:: Open port 80 TCP
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80

:: Open port 443 TCP
netsh advfirewall firewall add rule name="HTTPS" dir=in action=allow protocol=TCP localport=443

:: Open port 25565 TCP (Minecraft)
netsh advfirewall firewall add rule name="Minecraft" dir=in action=allow protocol=TCP localport=25565

:: Open port 19132 UDP
netsh advfirewall firewall add rule name="Minecraft Bedrock" dir=in action=allow protocol=UDP localport=19132

:: Open a range of ports
netsh advfirewall firewall add rule name="Game Ports" dir=in action=allow protocol=UDP localport=27015-27030

Close / Delete a Rule

:: Delete a rule by name
netsh advfirewall firewall delete rule name="Minecraft"

:: Delete by port
netsh advfirewall firewall delete rule name=all protocol=TCP localport=25565

List Rules

:: All rules
netsh advfirewall firewall show rule name=all

:: Inbound rules only
netsh advfirewall firewall show rule name=all dir=in

:: Search for a rule
netsh advfirewall firewall show rule name="Minecraft"

Enable / Disable the Firewall

:: Disable (NOT RECOMMENDED)
netsh advfirewall set allprofiles state off

:: Enable
netsh advfirewall set allprofiles state on

:: Enable only the Public profile
netsh advfirewall set publicprofile state on

Restrict by IP

:: Allow only one IP
netsh advfirewall firewall add rule name="RDP Restricted" dir=in action=allow protocol=TCP localport=3389 remoteip=86.123.45.67

Rules for Applications

You can allow an application instead of a port.

Via the Graphical Interface

1. New rule
2. ● Program     ← Select this option
3. Browse → Select the executable
   Example: C:\Minecraft\server.jar
4. Allow the connection
5. All profiles
6. Name the rule

Via PowerShell

# Allow an application (a program rule matches the executable of the running process;
# for a .jar the process that actually opens the socket is java.exe, see the next command)
New-NetFirewallRule -DisplayName "Minecraft Server" -Direction Inbound -Program "C:\Minecraft\server.jar" -Action Allow

# Allow Java (for all Java servers)
New-NetFirewallRule -DisplayName "Java" -Direction Inbound -Program "C:\Program Files\Java\jdk-21\bin\java.exe" -Action Allow

Via CMD

netsh advfirewall firewall add rule name="Minecraft Server" dir=in action=allow program="C:\Minecraft\server.jar"

Common Ports to Configure

Quick Reference Table

Web Services

Service  | Port | Protocol | PowerShell Command
HTTP     | 80   | TCP      | New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
HTTPS    | 443  | TCP      | New-NetFirewallRule -DisplayName "HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
HTTP Alt | 8080 | TCP      | New-NetFirewallRule -DisplayName "HTTP Alt" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow

Remote Access

Service | Port | Protocol | PowerShell Command
RDP     | 3389 | TCP      | New-NetFirewallRule -DisplayName "RDP" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
SSH     | 22   | TCP      | New-NetFirewallRule -DisplayName "SSH" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
VNC     | 5900 | TCP      | New-NetFirewallRule -DisplayName "VNC" -Direction Inbound -Protocol TCP -LocalPort 5900 -Action Allow

File Transfer

Service     | Port        | Protocol | PowerShell Command
FTP         | 21          | TCP      | New-NetFirewallRule -DisplayName "FTP" -Direction Inbound -Protocol TCP -LocalPort 21 -Action Allow
FTP Passive | 50000-50100 | TCP      | New-NetFirewallRule -DisplayName "FTP Passive" -Direction Inbound -Protocol TCP -LocalPort 50000-50100 -Action Allow
SFTP        | 22          | TCP      | (Same as SSH)
FTPS        | 990         | TCP      | New-NetFirewallRule -DisplayName "FTPS" -Direction Inbound -Protocol TCP -LocalPort 990 -Action Allow

Databases

Service    | Port  | Protocol | PowerShell Command
MySQL      | 3306  | TCP      | New-NetFirewallRule -DisplayName "MySQL" -Direction Inbound -Protocol TCP -LocalPort 3306 -Action Allow
PostgreSQL | 5432  | TCP      | New-NetFirewallRule -DisplayName "PostgreSQL" -Direction Inbound -Protocol TCP -LocalPort 5432 -Action Allow
SQL Server | 1433  | TCP      | New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow
MongoDB    | 27017 | TCP      | New-NetFirewallRule -DisplayName "MongoDB" -Direction Inbound -Protocol TCP -LocalPort 27017 -Action Allow
Redis      | 6379  | TCP      | New-NetFirewallRule -DisplayName "Redis" -Direction Inbound -Protocol TCP -LocalPort 6379 -Action Allow

Game Servers

Game              | Port(s)   | Protocol | PowerShell Command
Minecraft Java    | 25565     | TCP      | New-NetFirewallRule -DisplayName "Minecraft" -Direction Inbound -Protocol TCP -LocalPort 25565 -Action Allow
Minecraft Bedrock | 19132     | UDP      | New-NetFirewallRule -DisplayName "Minecraft Bedrock" -Direction Inbound -Protocol UDP -LocalPort 19132 -Action Allow
FiveM (GTA)       | 30120     | TCP/UDP  | See script below
Rust              | 28015     | TCP/UDP  | See script below
ARK               | 7777-7778 | TCP/UDP  | See script below
Valheim           | 2456-2458 | UDP      | New-NetFirewallRule -DisplayName "Valheim" -Direction Inbound -Protocol UDP -LocalPort 2456-2458 -Action Allow
CS2               | 27015     | TCP/UDP  | See script below
Palworld          | 8211      | UDP      | New-NetFirewallRule -DisplayName "Palworld" -Direction Inbound -Protocol UDP -LocalPort 8211 -Action Allow
Terraria          | 7777      | TCP      | New-NetFirewallRule -DisplayName "Terraria" -Direction Inbound -Protocol TCP -LocalPort 7777 -Action Allow

Ready-to-Use Scripts

Script: Minecraft Java Server

# Minecraft Java Edition
New-NetFirewallRule -DisplayName "Minecraft Java TCP" -Direction Inbound -Protocol TCP -LocalPort 25565 -Action Allow
New-NetFirewallRule -DisplayName "Minecraft Java UDP" -Direction Inbound -Protocol UDP -LocalPort 25565 -Action Allow
New-NetFirewallRule -DisplayName "Minecraft RCON" -Direction Inbound -Protocol TCP -LocalPort 25575 -Action Allow
New-NetFirewallRule -DisplayName "Minecraft Query" -Direction Inbound -Protocol UDP -LocalPort 25565 -Action Allow
Write-Host "Minecraft ports opened: 25565 (TCP/UDP), 25575 (RCON)" -ForegroundColor Green

Script: FiveM Server (GTA RP)

# FiveM Server
New-NetFirewallRule -DisplayName "FiveM TCP" -Direction Inbound -Protocol TCP -LocalPort 30120 -Action Allow
New-NetFirewallRule -DisplayName "FiveM UDP" -Direction Inbound -Protocol UDP -LocalPort 30120 -Action Allow
New-NetFirewallRule -DisplayName "FiveM HTTP" -Direction Inbound -Protocol TCP -LocalPort 40120 -Action Allow
Write-Host "FiveM ports opened: 30120 (TCP/UDP), 40120 (HTTP)" -ForegroundColor Green

Script: Rust Server

# Rust Dedicated Server
New-NetFirewallRule -DisplayName "Rust Game TCP" -Direction Inbound -Protocol TCP -LocalPort 28015 -Action Allow
New-NetFirewallRule -DisplayName "Rust Game UDP" -Direction Inbound -Protocol UDP -LocalPort 28015 -Action Allow
New-NetFirewallRule -DisplayName "Rust RCON" -Direction Inbound -Protocol TCP -LocalPort 28016 -Action Allow
New-NetFirewallRule -DisplayName "Rust App" -Direction Inbound -Protocol TCP -LocalPort 28082 -Action Allow
Write-Host "Rust ports opened: 28015, 28016 (RCON), 28082 (App)" -ForegroundColor Green

Script: ARK Server

# ARK: Survival Evolved
New-NetFirewallRule -DisplayName "ARK Game UDP" -Direction Inbound -Protocol UDP -LocalPort 7777-7778 -Action Allow
New-NetFirewallRule -DisplayName "ARK Query UDP" -Direction Inbound -Protocol UDP -LocalPort 27015 -Action Allow
New-NetFirewallRule -DisplayName "ARK RCON TCP" -Direction Inbound -Protocol TCP -LocalPort 27020 -Action Allow
Write-Host "ARK ports opened: 7777-7778, 27015, 27020" -ForegroundColor Green

Script: CS2 / CSGO Server

# Counter-Strike 2
New-NetFirewallRule -DisplayName "CS2 Game TCP" -Direction Inbound -Protocol TCP -LocalPort 27015 -Action Allow
New-NetFirewallRule -DisplayName "CS2 Game UDP" -Direction Inbound -Protocol UDP -LocalPort 27015 -Action Allow
New-NetFirewallRule -DisplayName "CS2 RCON" -Direction Inbound -Protocol TCP -LocalPort 27015 -Action Allow
New-NetFirewallRule -DisplayName "CS2 Steam" -Direction Inbound -Protocol UDP -LocalPort 27020 -Action Allow
Write-Host "CS2 ports opened: 27015 (TCP/UDP), 27020" -ForegroundColor Green

Firewall Profiles

Windows uses three firewall profiles depending on the type of network.

The Three Profiles

Profile | Description                   | Usage
Domain  | Network with Active Directory | Enterprise
Private | Trusted network               | Home, office
Public  | Untrusted network             | Internet, public Wi-Fi

Which Profile for a Server?

For a VPS or dedicated server accessible from the Internet:

→ Use the "Public" profile or "All profiles"

Configure a Rule by Profile

Graphical Interface

When creating the rule (step 5):
☐ Domain
☐ Private
☑ Public     ← For an Internet server

PowerShell

# Rule only for the Public profile
New-NetFirewallRule -DisplayName "Web Server" -Direction Inbound -Protocol TCP -LocalPort 80 -Profile Public -Action Allow

# Rule for all profiles
New-NetFirewallRule -DisplayName "Web Server" -Direction Inbound -Protocol TCP -LocalPort 80 -Profile Any -Action Allow

View Active Profile

# See which profile is active
Get-NetConnectionProfile

# Example result:
# Name             : Network
# NetworkCategory  : Public    ← Active profile

Change a Connection's Profile

# Switch to Private profile
Set-NetConnectionProfile -InterfaceAlias "Ethernet" -NetworkCategory Private

# Switch to Public profile
Set-NetConnectionProfile -InterfaceAlias "Ethernet" -NetworkCategory Public

Security Best Practices

✅ Do's

Practice                     | Description
Principle of least privilege | Only open strictly necessary ports
Clearly name rules           | "Minecraft Server TCP 25565" instead of "Rule1"
Document rules               | Keep track of what is open and why
Restrict by IP if possible   | Limit RDP access to your fixed IP
Use non-standard ports       | Change the RDP port from 3389 to another
Regularly audit              | Check active rules periodically
Keep the firewall enabled    | Never "disable for testing" permanently

❌ Don'ts

Bad Practice          | Risk
Disable the firewall  | Server exposed to all attacks
Open all ports        | Maximum attack surface
Too permissive rules  | Unauthorized access
Ignore outbound rules | Possible data exfiltration
No documentation      | Impossible to maintain security

Recommended Secure Configuration

# 1. Ensure the firewall is enabled
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# 2. Default policy: block inbound, allow outbound
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultOutboundAction Allow

# 3. Enable logs (quote the path: PowerShell does not expand %SystemRoot%, but the firewall service does)
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogAllowed False -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# 4. RDP restricted by IP (replace with your IP)
Remove-NetFirewallRule -DisplayName "Remote Desktop*" -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName "RDP Restricted" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress YOUR.PUBLIC.IP -Action Allow

Audit Active Rules

# Export all active rules
Get-NetFirewallRule -Enabled True -Direction Inbound | 
    Select-Object DisplayName, Profile, Action | 
    Export-Csv -Path "C:\firewall_rules.csv" -NoTypeInformation

# Display allow rules that apply to every profile (Domain, Private and Public)
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | 
    Where-Object { $_.Profile -eq "Any" } |
    Format-Table DisplayName, Profile
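The listing above shows only rule names; the port and remote-address restrictions live in separate filter objects. The following added example (not from the article) joins each enabled inbound allow rule with its port and address filters and flags rules that expose an administrative or database port to any remote address. The list of sensitive ports is an assumption to adapt to your server.

```powershell
# Added example: find inbound allow rules that expose sensitive ports without an IP restriction.
# Assumed list of ports that should never be reachable from "Any" (adapt to your server).
$sensitivePorts = @('3389', '22', '5900', '3306', '5432', '1433', '27017', '6379', '23')

function Get-InboundAllowRuleSummary {
    # One object per rule, with port and address filters merged in.
    # Each Get-NetFirewall*Filter call is a separate query, so this takes a while on hundreds of rules.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')       # "Any", "3389", "80,443" or "50000-50100"
            RemoteAddress = ($addr.RemoteAddress -join ',')   # "Any", a single IP or a subnet
        }
    }
}

function Find-ExposedRules {
    param([Parameter(Mandatory)] [object[]] $Rules, [string[]] $Ports = $sensitivePorts)
    $Rules | Where-Object {
        $_.RemoteAddress -eq 'Any' -and (
            $_.LocalPort -eq 'Any' -or
            ($_.LocalPort -split ',' | Where-Object { $Ports -contains $_ })
        )
    }
}

$summary = Get-InboundAllowRuleSummary
$exposed = Find-ExposedRules -Rules $summary

# Review each hit: either restrict it with -RemoteAddress or remove it if the service is not needed.
$exposed | Sort-Object LocalPort |
    Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddress -AutoSize
```

Port ranges such as "50000-50100" are reported but not expanded, so a sensitive port hidden inside a range is not flagged by this check.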

Troubleshooting

Problem: The port seems closed despite the rule

Checks:

# 1. Check that the rule exists and is active
Get-NetFirewallRule -DisplayName "*RuleName*" | Format-Table DisplayName, Enabled, Action

# 2. Check the associated port
Get-NetFirewallRule -DisplayName "RuleName" | Get-NetFirewallPortFilter

# 3. Check that the service is listening on the port
netstat -an | findstr "25565"

# 4. Test locally
Test-NetConnection -ComputerName localhost -Port 25565

Common solutions:

  1. The rule is disabled → Enable it
  2. Wrong protocol → Check TCP vs UDP
  3. Wrong profile → Check that the correct profile is active
  4. The service is not listening → Start the application
  5. Hosting provider firewall → Check the hosting panel's firewall

Problem: "Access denied" when creating a rule

Solution:

Run PowerShell or CMD as Administrator:
1. Right-click on PowerShell
2. "Run as administrator"

Problem: Too many rules, hard to manage

Solution: Export and clean up

# Export all rules
netsh advfirewall export "C:\firewall_backup.wfw"

# View disabled rules (candidates for deletion)
Get-NetFirewallRule -Enabled False | Format-Table DisplayName

# Delete disabled rules
Get-NetFirewallRule -Enabled False | Remove-NetFirewallRule

Problem: Restore default configuration

# Reset the firewall (WARNING: deletes all custom rules)
netsh advfirewall reset

# Or via the interface:
# Windows Firewall → "Restore defaults"

Test if a Port is Open

From another computer:

# PowerShell
Test-NetConnection -ComputerName SERVER_IP -Port 25565

# Expected result:
# TcpTestSucceeded : True    ← Port open
# TcpTestSucceeded : False   ← Port closed

From the Internet:

Use an online tool like:

Firewall Logs

Enable logs:

# Enable logging
Set-NetFirewallProfile -Profile Domain,Public,Private -LogBlocked True -LogMaxSizeKilobytes 4096

# Log location
%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log

Analyze logs:

# View the latest blocked entries
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Tail 50 | Where-Object { $_ -match "DROP" }
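Grepping for DROP shows raw lines; what you usually want is which sources are hitting the server and on which closed ports. The following added example (not from the article) parses the log using the column names from its "#Fields:" header and summarises blocked inbound connections. The sample log is constructed (documentation IP ranges); pass -Path to Get-FirewallDrops to analyse the live file.

```powershell
# Added example: summarise DROP entries in pfirewall.log (W3C-style columns).
# Constructed sample in the same format the Windows firewall writes.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 10:00:01 DROP TCP 203.0.113.10 192.0.2.5 51234 3389 52 S 3219004 0 64240 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.10 192.0.2.5 51235 3389 52 S 3219005 0 64240 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 198.51.100.7 192.0.2.5 40001 23 52 S 119004 0 29200 - - - RECEIVE
2024-05-01 10:00:03 ALLOW TCP 198.51.100.20 192.0.2.5 55123 443 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:00:04 DROP UDP 203.0.113.10 192.0.2.5 53 19132 78 - - - - - - - RECEIVE
2024-05-01 10:00:05 DROP TCP 192.0.2.5 203.0.113.99 50100 445 52 S 554400 0 64240 - - - SEND
'@

function Get-FirewallDrops {
    param(
        [string[]] $Lines,                    # log content as lines (or use -Path)
        [string]   $Path,                     # e.g. C:\Windows\System32\LogFiles\Firewall\pfirewall.log
        [string]   $Direction = 'RECEIVE'     # RECEIVE = inbound, SEND = outbound
    )
    if ($Path) { $Lines = Get-Content -Path $Path }
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # "#Fields: date time action ..." gives the column names for the lines that follow.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -match '^\s*$' -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # skip truncated lines
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        if ($entry['action'] -eq 'DROP' -and $entry['path'] -eq $Direction) {
            [pscustomobject]$entry
        }
    }
}

$drops = Get-FirewallDrops -Lines ($sampleLog -split "`r?`n")

# Which sources are probing the server most, and which closed ports do they target?
$drops | Group-Object 'src-ip' | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count | Format-Table -AutoSize
$drops | Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
    Select-Object @{ n = 'Proto, Port'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

On the sample the inbound summary lists 203.0.113.10 with 3 drops (TCP 3389 twice, UDP 19132 once) and 198.51.100.7 with 1; the outbound SEND line and the ALLOW line are excluded.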

Quick Reference

Essential PowerShell Commands

# Open a TCP port
New-NetFirewallRule -DisplayName "NAME" -Direction Inbound -Protocol TCP -LocalPort PORT -Action Allow

# Open a UDP port
New-NetFirewallRule -DisplayName "NAME" -Direction Inbound -Protocol UDP -LocalPort PORT -Action Allow

# Delete a rule
Remove-NetFirewallRule -DisplayName "NAME"

# List active rules
Get-NetFirewallRule -Enabled True -Direction Inbound | Format-Table DisplayName, Action

# Disable a rule
Disable-NetFirewallRule -DisplayName "NAME"

# Enable a rule
Enable-NetFirewallRule -DisplayName "NAME"

Essential CMD Commands

:: Open a port
netsh advfirewall firewall add rule name="NAME" dir=in action=allow protocol=TCP localport=PORT

:: Delete a rule
netsh advfirewall firewall delete rule name="NAME"

:: List rules
netsh advfirewall firewall show rule name=all dir=in

:: Enable the firewall
netsh advfirewall set allprofiles state on

Conclusion

The Windows Server Firewall is a powerful tool to secure your server. Key points to remember:

  1. Keep the firewall enabled — Always
  2. Only open what is necessary — Principle of least privilege
  3. Use PowerShell — Faster and scriptable
  4. Document your rules — To facilitate maintenance
  5. Regularly audit — Check active rules

Recommended next steps:

  • Secure RDP access (change the port, restrict by IP)
  • Configure firewall logs
  • Create a configuration script for your servers
  • Establish a periodic review policy