
Comments (20)

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Jul 30, 2019 23:53

!component =lib/ansible/modules/windows/win_firewall_rule.ps1

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @ShachafGoldstein on Aug 03, 2019 14:05

Removing the state parameter in your example gives the expected result you mentioned.

You can see in the docs that the state param is only used for removal/addition

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 05, 2019 18:15

I removed this parameter and am still getting the same result. Specifically in the case of the rules for Cortana, it will just create a new rule.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @ShachafGoldstein on Aug 06, 2019 20:51

Are you sure it adds a new rule without the state parameter?

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 07, 2019 15:18

Yes I tested this when the suggestion was made. It only appears to be a problem with the rules that I specified in the sample code as well.
Also the state parameter is by default set to present.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @ShachafGoldstein on Aug 07, 2019 16:04

You're right about the state.

On my machines I get the error when running

    - name: Disable Microsofts Built in Rules
      win_firewall_rule:
        name: Cortana
        action: allow
        direction: in
        enabled: no

If you run the PowerShell lines with the user you use for Ansible, what is the output?

    $name = "Cortana"
    $fw = New-Object -ComObject HNetCfg.FwPolicy2

    $existingRule = $fw.Rules | Where-Object { $_.Name -eq $name }

    if ($existingRule -is [System.Array]) {
        Fail-Json $result "Multiple firewall rules with name '$name' found."
    }

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 09, 2019 23:12

My apologies for the delay. I had to set up a new testing environment, and this time the target system is Windows 2016 LTSB, but I am still having the same issue with the firewall rule, as I ran the firewall module and got the same result.
Here is my output for the PowerShell lines:

changed: [<host>] => {
    "changed": true,
    "cmd": "$name = \"Cortana\"\n$fw = New-Object -ComObject HNetCfg.FwPolicy2\n\n$existingRule = $fw.Rules | Where-Object { $_.Name -eq $name }\n\nif ($existingRule -is [System.Array]) {\n    Fail-Json $result \"Multiple firewall rules with name '$name' found.\"\n}",
    "delta": "0:00:01.078182",
    "end": "2019-08-09 10:42:56.757763",
    "rc": 0,
    "start": "2019-08-09 10:42:55.679581",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @ShachafGoldstein on Aug 10, 2019 11:25

I meant running it yourself on the machine in a Powershell window.
I can't replicate this issue on any machine I tried.

Maybe a permissions issue? Can you try running with a stronger user if not currently?

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 15:36

Ah, well in that case there is no output when run on the target machine.
Current user is Administrator and running powershell as administrator.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @ShachafGoldstein on Aug 12, 2019 17:03

Can you post the output of $fw = New-Object -ComObject HNetCfg.FwPolicy2; $fw.Rules.name

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 17:11

There is no output for this either.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 17:15

When running this I get the name for all rules on the system

$fw.Rules | select-object -property name

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 17:20

In the output of the above command this is what is shown for the name of Cortana:

@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}                           
@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 17:26

Using the above hash I got the expected fail for the rule
Code:

    - name: Testing
      win_firewall_rule:
        name: '@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}'
        action: allow
        direction: in
        enabled: no

Result:

fatal: [<host>]: FAILED! => {
    "changed": false,
    "msg": "Multiple firewall rules with name '@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}' found."
}

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 17:59

On further review it was discovered that how the COM object is seeing the rule vs. how PowerShell is seeing the rule.
For example, comparing how both view the rule Cortana:

Powershell

Command

Get-NetFirewallRule -DisplayName 'Cortana'

Sample Output

Name                  : {961222A4-CB5D-4336-A5F2-60C3F3CF25C8}
DisplayName           : Cortana
Description           : Search the web and Windows
DisplayGroup          : Cortana
Group                 : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
Enabled               : False
Profile               : Domain, Private, Public
Platform              : {6.2+}
Direction             : Outbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 : S-1-5-21-2732372105-1916055189-1631554620-1002
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

Using com object

Commands

$fw = New-Object -ComObject HNetCfg.FwPolicy2
$fw.Rules | Where-Object { $_.Name -match 'cortana' }

Sample Output

Name                        : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
Description                 : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}
ApplicationName             : 
serviceName                 : 
Protocol                    : 256
LocalPorts                  : 
RemotePorts                 : 
LocalAddresses              : *
RemoteAddresses             : *
IcmpTypesAndCodes           : 
Direction                   : 1
Interfaces                  : 
InterfaceTypes              : All
Enabled                     : True
Grouping                    : @{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}
Profiles                    : 7
EdgeTraversal               : True
Action                      : 1
EdgeTraversalOptions        : 1
LocalAppPackageId           : S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742
LocalUserOwner              : S-1-5-21-2732372105-1916055189-1631554620-1001
LocalUserAuthorizedList     : 
RemoteUserAuthorizedList    : 
RemoteMachineAuthorizedList : 
SecureFlags                 : 0

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @octagonprogramming on Aug 12, 2019 18:02

As you can see above, the 'Group' from the PowerShell command output is what the COM object is getting for the name and description of the rule, which would explain why it is creating an entirely new rule, as the name does not match.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @ShachafGoldstein on Aug 12, 2019 18:50

I see.
On my machine (insider) I have both simple Cortana rules and the type with the @{} name.

The only solution I see is using the full name as you did.
If we try to change the condition to be anything other than equal we can cause a lot of issues.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @frogstarr78 on Aug 12, 2019 22:41

Couldn't you use the built in powershell modules for handling firewall rules?

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

From @jborean93 on Aug 12, 2019 23:02

> Couldn't you use the built in powershell modules for handling firewall rules?

I haven't read the actual conversation here, but no, not right now. These modules were only added in Server 2012 and newer, and the COM object is used so we can run this module on Server 2008 and 2008 R2.

from community.windows.

jborean93 avatar jborean93 commented on September 13, 2024

So while this isn't a fix I'm posting this here for future reference. To convert the resource id string that some of these rules use we can use something like ConvertFrom-IndirectString. This would allow us to convert the raw string from the firewall rule and compare to the human readable value in the future.

Also with #127, we can now edit multiple rules at the same time that match the name or group.

from community.windows.
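
The name mismatch found in this thread, and the indirect-string conversion suggested in the last comment, shown as an added example (not code from the thread or from the `win_firewall_rule` module). It calls the Win32 `SHLoadIndirectString` API directly; the helper name `Resolve-FirewallRuleName`, the `Example.Shlwapi` type name and the `$wanted` value are assumptions made for illustration.

```powershell
# Added example: resolve '@{...}' resource names reported by the COM object
# so they can be compared with the display name an operator expects.
Add-Type -Namespace Example -Name Shlwapi -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(
    string pszSource,
    System.Text.StringBuilder pszOutBuf,
    uint cchOutBuf,
    IntPtr ppvReserved);
'@

function Resolve-FirewallRuleName {   # hypothetical helper name
    param([string]$RawName)

    # Only strings that start with '@' are indirect resource references.
    if (-not $RawName -or -not $RawName.StartsWith('@')) { return $RawName }

    $buffer = New-Object System.Text.StringBuilder 1024
    $hr = [Example.Shlwapi]::SHLoadIndirectString(
        $RawName, $buffer, [uint32]$buffer.Capacity, [IntPtr]::Zero)

    # A non-zero HRESULT means the resource could not be loaded (for example,
    # the package is not registered for this user); keep the raw string.
    if ($hr -ne 0) { return $RawName }
    return $buffer.ToString()
}

$wanted = 'Cortana'   # assumed display name, as shown by Get-NetFirewallRule
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# List every rule whose raw or resolved name equals the wanted name, with its
# state, so a rule that is still enabled under an '@{...}' name is visible.
$fw.Rules | ForEach-Object {
    [pscustomobject]@{
        RawName      = $_.Name
        ResolvedName = Resolve-FirewallRuleName $_.Name
        Direction    = if ($_.Direction -eq 1) { 'In' } else { 'Out' }
        Enabled      = $_.Enabled
    }
} | Where-Object { $_.RawName -eq $wanted -or $_.ResolvedName -eq $wanted } |
    Format-Table -AutoSize
```

A row whose `RawName` starts with `@{` and whose `Enabled` is `True` is a rule that an exact match on the plain name, as the module performs, would not have touched.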
