Firewall Management
Get-FalconFirewallPlatform -DetailedGet-FalconFirewallField -DetailedThe -Rules parameter accepts a PowerShell array of rule objects which are converted to Json before submission.
$Rules = @(
@{
name = 'Block IP'
description = 'Block outbound to example.com IP address'
platform_ids = @( '0' )
enabled = $true
action = 'DENY'
direction = 'OUT'
address_family = 'IP4'
protocol = '*'
fields = @(
@{
name = 'network_location'
type = 'set'
values = @( 'ANY' )
}
)
local_address = @(@{ address = '*'; netmask = 0 })
remote_address = @(@{ address = '93.184.216.34'; netmask = 32 })
}
)
New-FalconFirewallGroup -Name 'test rule group' -Enabled $true -Description 'describing a rule group' -Rules $RulesGet-FalconFirewallGroup -Ids <id>, <id>Get-FalconFirewallRule -Ids <id>, <id>$DiffOperations = @(@{ op = 'replace'; path = '/enabled'; value = $true })
Edit-FalconFirewallGroup -Id <id> -DiffOperations $DiffOperations$DiffOperations = @(
@{
op = 'add'
path = '/rules/0'
value = @{
temp_id = '1'
name = 'First rule in a group'
description = 'Example'
platform_ids = @('0')
enabled = $false
action = 'ALLOW'
direction = 'IN'
address_family = 'NONE'
protocol = '6'
fields = @(
@{
name = 'network_location'
type = 'set'
values = @( 'ANY' )
}
)
local_address = @(@{ address = '*'; netmask = 0 })
remote_address = @(@{ address = '*'; netmask = 0 })
}
}
)
$Group = Get-FalconFirewallGroup -Ids <id>
$Rules = Get-FalconFirewallRule -Ids $Group.rule_ids
$RuleIds = @('1') + $Group.rule_ids
$RuleVersions = @('null') + $Rules.version
Edit-FalconFirewallGroup -Id $Group.id -DiffOperations $DiffOperations -RuleIds $RuleIds -RuleVersions $RuleVersionsRemove-FalconFirewallGroup -Ids <id>, <id>Get-FalconFirewallPolicy -Ids <id>, <id>Get-FalconFirewallSetting -Ids <id>, <id>Get-FalconFirewallPolicyMember -Id <id> [-All]New-FalconFirewallPolicy -PlatformName Windows -Name 'Test Policy' -Description 'Firewall test policy'Edit-FalconFirewallPolicy -Id <id> -Name 'Test Policy 1 Name Changed'Edit-FalconFirewallSetting -PolicyId <id> -Enforce $true -DefaultInbound DENY -DefaultOutbound ALLOWNew-FalconFirewallPolicy -PlatformName Windows -Name 'Cloned Test Policy' -Description 'Firewall test cloned policy' -CloneId <id>Invoke-FalconFirewallPolicyAction -Name enable -Id <id>Invoke-FalconFirewallPolicyAction -Name add-host-group -Id <id> -GroupId <id>Invoke-FalconFirewallPolicyAction -Name disable -Id <id>Remove-FalconFirewallPolicy -Ids <id>, <id>NOTE: All policy ids (with the exception of platform_default) must be supplied in desired precedence order.
Set-FalconFirewallPrecedence -PlatformName Windows -Ids <id1>, <id2>, <id3>, <id4>Get-FalconFirewallEvent [-Detailed] [-All]Get-FalconFirewallEvent -Ids <id>, <id>