Description
Problem description
We are using NetworkingDsc to change Windows Firewall profile settings.
It works correctly with Server 2019 and 2022 machines, but when using the same DSC config with Server 2016, we see the following error:
Property: "AllowInboundRules" | Expected: "True" | Actual: "1".
Property: "AllowLocalFirewallRules" | Expected: "False" | Actual: "0".
Property: "AllowLocalIPsecRules" | Expected: "False" | Actual: "0".
Property: "DefaultInboundAction" | Expected: "Allow" | Actual: "2".
Property: "DefaultOutboundAction" | Expected: "Allow" | Actual: "2".
Property: "Enabled" | Expected: "True" | Actual: "1".
Property: "LogAllowed" | Expected: "True" | Actual: "1".
Property: "LogBlocked" | Expected: "True" | Actual: "1".
Property: "LogIgnored" | Expected: "NotConfigured" | Actual: "2".
Property: "NotifyOnListen" | Expected: "True" | Actual: "1".
This happens for all 3 profiles:
[FirewallProfile]ConfigureDomainFirewallProfile
[FirewallProfile]ConfigurePrivateFirewallProfile
[FirewallProfile]ConfigurePublicFirewallProfile
Verbose logs
instance of MSFT_DSCResource
{
ResourceId = "[FirewallProfile]ConfigureDomainFirewallProfile";
InDesiredState = False;
RebootRequested = False;
};
instance of MSFT_DSCResource
{
ResourceId = "[FirewallProfile]ConfigurePrivateFirewallProfile";
InDesiredState = False;
RebootRequested = False;
};
instance of MSFT_DSCResource
{
ResourceId = "[FirewallProfile]ConfigurePublicFirewallProfile";
InDesiredState = False;
RebootRequested = False;
};
DSC configuration
# Configuration Definition
Configuration MemberServer_SRV2016_WinFirewall {
    Import-DscResource -ModuleName 'PSDscResources'
    Import-DscResource -ModuleName 'AuditPolicyDsc'
    Import-DscResource -ModuleName 'SecurityPolicyDsc'
    Import-DSCResource -ModuleName 'ComputerManagementDsc'
    Import-DscResource -ModuleName 'NetworkingDsc'
    Node localhost {
        # Windows Firewall: Domain Profile
        FirewallProfile ConfigureDomainFirewallProfile {
            Name                    = 'Domain'
            Enabled                 = 'True'
            DefaultInboundAction    = 'Allow'
            DefaultOutboundAction   = 'Allow'
            AllowInboundRules       = 'True'
            AllowLocalFirewallRules = 'False'
            AllowLocalIPsecRules    = 'False'
            NotifyOnListen          = 'True'
            LogFileName             = '%systemroot%\system32\LogFiles\firewall\domainfirewall.log'
            LogMaxSizeKilobytes     = 16384
            LogAllowed              = 'True'
            LogBlocked              = 'True'
            LogIgnored              = 'NotConfigured'
        }
        # Windows Firewall: Private Profile
        FirewallProfile ConfigurePrivateFirewallProfile {
            Name                    = 'Private'
            Enabled                 = 'True'
            DefaultInboundAction    = 'Allow'
            DefaultOutboundAction   = 'Allow'
            AllowInboundRules       = 'True'
            AllowLocalFirewallRules = 'False'
            AllowLocalIPsecRules    = 'False'
            NotifyOnListen          = 'True'
            LogFileName             = '%systemroot%\system32\LogFiles\firewall\privatefirewall.log'
            LogMaxSizeKilobytes     = 16384
            LogAllowed              = 'True'
            LogBlocked              = 'True'
            LogIgnored              = 'NotConfigured'
        }
        # Windows Firewall: Public Profile
        FirewallProfile ConfigurePublicFirewallProfile {
            Name                    = 'Public'
            Enabled                 = 'True'
            DefaultInboundAction    = 'Allow'
            DefaultOutboundAction   = 'Allow'
            AllowInboundRules       = 'True'
            AllowLocalFirewallRules = 'False'
            AllowLocalIPsecRules    = 'False'
            NotifyOnListen          = 'True'
            LogFileName             = '%systemroot%\system32\LogFiles\firewall\publicfirewall.log'
            LogMaxSizeKilobytes     = 16384
            LogAllowed              = 'True'
            LogBlocked              = 'True'
            LogIgnored              = 'NotConfigured'
        }
    }
}
MemberServer_SRV2016_WinFirewall
Suggested solution
DSC settings are applied correctly, but it goes wrong during the verification phase.

Operating system the target node is running
OsName : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.7330.amd64fre.rs1_release.240812-1801
OsLanguage : en-US
OsMuiLanguages : {en-US}
PowerShell version and build the target node is running
Name                      Value
----                      -----
PSVersion                 5.1.14393.7330
PSEdition                 Desktop
PSCompatibleVersions      {1.0, 2.0, 3.0, 4.0...}
BuildVersion              10.0.14393.7330
CLRVersion                4.0.30319.42000
WSManStackVersion         3.0
PSRemotingProtocolVersion 2.3
SerializationVersion      1.1.0.1
NetworkingDsc version
Name          Version Path
----          ------- ----
NetworkingDsc 9.0.0   C:\Program Files\WindowsPowerShell\Modules\NetworkingDsc\9.0.0\NetworkingDsc.psd1
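Added example (not part of the original report and not NetworkingDsc code): a way to check whether the profile really drifted or only the value representation differs, by mapping the numeric values from the error output to their names before comparing. The helper names and the sample hashtables are hypothetical; the assumption is that the numbers are the raw NetSecurity enum values, with Block = 4 taken from that enum rather than from this page.

```powershell
# Value-to-name maps. 0/1/2 and Allow = 2 match the Expected/Actual pairs in the
# error output above; Block = 4 is the NetSecurity Action value, not from the page.
$GpoBoolean = @{ 0 = 'False'; 1 = 'True'; 2 = 'NotConfigured' }
$Action     = @{ 0 = 'NotConfigured'; 2 = 'Allow'; 4 = 'Block' }

# Which map applies to each FirewallProfile property listed in the error output.
$PropertyMap = @{ DefaultInboundAction = $Action; DefaultOutboundAction = $Action }
'AllowInboundRules', 'AllowLocalFirewallRules', 'AllowLocalIPsecRules', 'Enabled',
'LogAllowed', 'LogBlocked', 'LogIgnored', 'NotifyOnListen' |
    ForEach-Object { $PropertyMap[$_] = $GpoBoolean }

function ConvertTo-ProfileValueName {   # hypothetical helper name
    param([string] $Property, $Value)
    $map = $PropertyMap[$Property]
    $number = 0
    if ($null -ne $map -and [int]::TryParse([string] $Value, [ref] $number) -and
        $map.ContainsKey($number)) {
        return $map[$number]            # numeric form, e.g. '2' -> 'Allow'
    }
    return [string] $Value              # already a name, or a property with no map
}

function Get-ProfileDrift {             # hypothetical helper name
    param([hashtable] $Desired, [hashtable] $Actual)
    foreach ($property in $Desired.Keys) {
        $want = ConvertTo-ProfileValueName -Property $property -Value $Desired[$property]
        $have = ConvertTo-ProfileValueName -Property $property -Value $Actual[$property]
        if ($want -ne $have) {
            [pscustomobject]@{ Property = $property; Expected = $want; Actual = $have }
        }
    }
}

# Constructed sample: desired values from the configuration above, actual values
# in the numeric form shown in the error output. LogIgnored is deliberately set
# to '1' here (the report shows '2') so that one real difference is reported.
$desired = @{ Enabled = 'True'; DefaultInboundAction = 'Allow'
              AllowLocalFirewallRules = 'False'; LogIgnored = 'NotConfigured' }
$actual  = @{ Enabled = '1'; DefaultInboundAction = '2'
              AllowLocalFirewallRules = '0'; LogIgnored = '1' }
Get-ProfileDrift -Desired $desired -Actual $actual | Format-Table -AutoSize
```

On a node, `$actual` can be filled from the properties returned by `Get-NetFirewallProfile -Name Domain` (or `Private`, `Public`) to confirm the applied firewall state independently of the DSC test result.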