New-DbaFirewallRule

Author Andreas Jordan (@JordanOrdix), ordix.de
Availability Windows, Linux, macOS


Want to see the source code for this command? Check out New-DbaFirewallRule on GitHub.
Want to see the Bill Of Health for this command? Check out New-DbaFirewallRule.

Synopsis

Creates Windows firewall rules for SQL Server instances to allow network connectivity

Description

Creates inbound Windows firewall rules for SQL Server instances, Browser service, and Dedicated Admin Connection (DAC) to allow network connectivity.
This automates the tedious post-installation task of configuring firewall access for SQL Server, eliminating the need to manually determine ports and create rules through Windows Firewall GUI or netsh commands.

The function intelligently detects whether instances use static or dynamic ports and creates appropriate rules.
For static ports, it creates port-based rules; for dynamic ports, it creates program-based rules targeting sqlservr.exe.
When instances use non-default ports, it automatically includes a Browser service rule so clients can discover the instance.

This is a wrapper around New-NetFirewallRule executed remotely on the target computer via Invoke-Command2.
Both DisplayName and Name are set to the same value to ensure unique rule identification and prevent duplicates.
All rules use the "SQL Server" group for easy management with Get-DbaFirewallRule.

The functionality is currently limited. Help to extend the functionality is welcome.

As long as you can read this note here, there may be breaking changes in future versions.
So please review your scripts using this command after updating dbatools.

The firewall rule for the instance itself will have the following configuration (parameters for New-NetFirewallRule):

DisplayName = 'SQL Server default instance' or 'SQL Server instance <InstanceName>'  
Name        = 'SQL Server default instance' or 'SQL Server instance <InstanceName>'  
Group       = 'SQL Server'  
Enabled     = 'True'  
Direction   = 'Inbound'  
Protocol    = 'TCP'  
LocalPort   = '<Port>' (for instances with static port)  
Program     = '<Path ending with MSSQL\Binn\sqlservr.exe>' (for instances with dynamic port)  

The firewall rule for the SQL Server Browser will have the following configuration (parameters for New-NetFirewallRule):

DisplayName = 'SQL Server Browser'  
Name        = 'SQL Server Browser'  
Group       = 'SQL Server'  
Enabled     = 'True'  
Direction   = 'Inbound'  
Protocol    = 'UDP'  
LocalPort   = '1434'  

The firewall rule for the dedicated admin connection (DAC) will have the following configuration (parameters for New-NetFirewallRule):

DisplayName = 'SQL Server default instance (DAC)' or 'SQL Server instance <InstanceName> (DAC)'  
Name        = 'SQL Server default instance (DAC)' or 'SQL Server instance <InstanceName> (DAC)'  
Group       = 'SQL Server'  
Enabled     = 'True'  
Direction   = 'Inbound'  
Protocol    = 'TCP'  
LocalPort   = '<Port>' (typically 1434 for a default instance, but will be fetched from ERRORLOG)  

The firewall rule for the DAC will only be created if the DAC is configured for listening remotely.
Use Set-DbaSpConfigure -SqlInstance SRV1 -Name RemoteDacConnectionsEnabled -Value 1 to enable remote DAC before running this command.

Syntax

New-DbaFirewallRule
    [-SqlInstance] <DbaInstanceParameter[]>
    [[-Credential] <PSCredential>]
    [[-Type] <String[]>]
    [[-Configuration] <Hashtable>]
    [-Force]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]


Examples


Example: 1
PS C:\> New-DbaFirewallRule -SqlInstance SRV1, SRV1\TEST

Automatically configures the needed firewall rules for both the default instance and the instance named TEST on SRV1.

Example: 2
PS C:\> New-DbaFirewallRule -SqlInstance SRV1, SRV1\TEST -Configuration @{ Profile = 'Domain' }

Automatically configures the needed firewall rules for both the default instance and the instance named TEST on SRV1,
but configures the firewall rule for the domain profile only.

Example: 3
PS C:\> New-DbaFirewallRule -SqlInstance SRV1\TEST -Type Engine -Force -Confirm:$false

Creates or recreates the firewall rule for the instance TEST on SRV1. Does not prompt for confirmation.
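An added example (not from the dbatools documentation or the project's own code) that applies the description above in a least-exposure order: preview with -WhatIf, scope the Engine rule to the Domain profile and one management subnet through -Configuration, create the DAC rule only when remote DAC is actually enabled, then list what was created. The subnet 10.0.10.0/24 is a constructed sample value; Get-DbaSpConfigure and its ConfiguredValue property are used as assumed from dbatools.

```powershell
# Added example, not dbatools code. Assumes SRV1\TEST is reachable and that the
# caller is a local administrator on SRV1 (required by New-NetFirewallRule).
$instance = 'SRV1\TEST'

# 1. Preview only: shows which rules (Engine, Browser, DAC) would be created and why.
New-DbaFirewallRule -SqlInstance $instance -WhatIf

# 2. Scope the Engine rule. Profile and RemoteAddress are New-NetFirewallRule
#    parameters passed through -Configuration; Name, DisplayName and Group are
#    reserved by the command and would be ignored if set here.
$config = @{
    Profile       = 'Domain'
    RemoteAddress = '10.0.10.0/24'   # constructed sample management subnet
}

try {
    # -EnableException turns the friendly warning into a catchable exception.
    New-DbaFirewallRule -SqlInstance $instance -Type Engine -Configuration $config `
        -Confirm:$false -EnableException

    # 3. DAC: only open the port if remote DAC was deliberately enabled
    #    (Set-DbaSpConfigure -Name RemoteDacConnectionsEnabled -Value 1).
    $dac = Get-DbaSpConfigure -SqlInstance $instance -Name RemoteDacConnectionsEnabled
    if ($dac.ConfiguredValue -eq 1) {
        New-DbaFirewallRule -SqlInstance $instance -Type DAC -Configuration $config `
            -Confirm:$false -EnableException
    } else {
        Write-Verbose "Remote DAC disabled on $instance; no DAC rule created." -Verbose
    }
} catch {
    # Surface the real error (e.g. rule already exists without -Force, or access denied).
    throw "Firewall rule creation failed on $instance`: $($_.Exception.Message)"
}

# 4. Verify: all rules created by dbatools live in the 'SQL Server' group.
Get-DbaFirewallRule -SqlInstance $instance | Format-Table -AutoSize
```

If a rule already exists the command warns and skips it; rerun with -Force only when you intend to replace the existing rule with the new, narrower configuration.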

Required Parameters

-SqlInstance

The target SQL Server instance or instances.

Alias
Required True
Pipeline true (ByValue)
Default Value

Optional Parameters

-Credential

Credential object used to connect to the target computer as a different user.

Alias
Required False
Pipeline false
Default Value

-Type

Specifies which firewall rule types to create for SQL Server network access.
Use this when you need to create specific rules instead of the automatic detection behavior.
Valid values are Engine (SQL Server instance), Browser (SQL Server Browser service), and DAC (Dedicated Admin Connection).
When omitted, the function automatically creates Engine rules plus Browser rules for non-default ports and DAC rules when remote DAC is enabled.

Alias
Required False
Pipeline false
Default Value
Accepted Values Engine,Browser,DAC

-Configuration

Provides custom settings to override the default firewall rule configuration when calling New-NetFirewallRule.
Use this when you need to restrict rules to specific network profiles (Domain, Private, Public) or modify other advanced firewall settings.
Common examples include @{ Profile = 'Domain' } to limit rules to domain networks only, or @{ RemoteAddress = '<address or subnet>' } to restrict source IPs.
The Name, DisplayName, and Group parameters are reserved and will be ignored if specified.

Alias
Required False
Pipeline false
Default Value

-Force

Forces recreation of firewall rules that already exist by deleting and recreating them.
Use this when you need to update existing rules with new settings or when troubleshooting connectivity issues.
Without this switch, the function will warn you about existing rules and skip their creation.

Alias
Required False
Pipeline false
Default Value False

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False

-WhatIf

If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.

Alias wi
Required False
Pipeline false
Default Value

-Confirm

If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.

Alias cf
Required False
Pipeline false
Default Value