ASDM Firewall Rules getting unchecked

Similar Messages

• Firewall rules getting set automatically

  When my users try to access the firewall tab of the Sharing preference pane, they get the "Other firewall software is running on your computer" error. There is no other firewall software running and i've tried the 'ipfw flush' solution. This works temporarily, but as soon as I restart the computer, this rule keeps popping up when I run 'ipfw list':
  00001 allow udp from any 626 to any dst-port 626
  Is there some software that automatically adds this rule to the firewall? Xsan? Remote Desktop?
  Thanks!
  Jason
  G5s   Mac OS X (10.4.7)  

  It seems to be this entry that's causing the OS X firewall to think there's other firewall software managing settings and won't allow me to manage the firewall through the PreferencePane.
  Is there a way to stop it from being added or a workaround so we can manage firewall settings via the GUI?

• 0x8007000e (E_OUTOFMEMORY) while adding a firewall rule using the windows firewall COM API

  Hello,
  Configuration: Windows Embedded 8 64-bit.
  I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (Form the code sample available here : http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx.)
   I get the error when performing "hr = pFwRules->Add(pFwRule);".
  We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
  HRESULT hrComInit = S_OK;
  HRESULT hr = S_OK;
  INetFwPolicy2 *pNetFwPolicy2 = NULL;
  INetFwRules *pFwRules = NULL;
  INetFwRule *pFwRule = NULL;
  long CurrentProfilesBitMask = 0;
  BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
  BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
  BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
  BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
  BSTR bstrRuleService = SysAllocString(L"myservicename");
  BSTR bstrRuleLPorts = SysAllocString(L"135");
  // Initialize COM.
  hrComInit = CoInitializeEx(
  0,
  COINIT_APARTMENTTHREADED
  // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
  // initialized with a different mode. Since we don't care what the mode is,
  // we'll just use the existing mode.
  if (hrComInit != RPC_E_CHANGED_MODE)
  if (FAILED(hrComInit))
  printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
  goto Cleanup;
  // Retrieve INetFwPolicy2
  hr = WFCOMInitialize(&pNetFwPolicy2);
  if (FAILED(hr))
  goto Cleanup;
  // Retrieve INetFwRules
  hr = pNetFwPolicy2->get_Rules(&pFwRules);
  if (FAILED(hr))
  printf("get_Rules failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Create a new Firewall Rule object.
  hr = CoCreateInstance(
  __uuidof(NetFwRule),
  NULL,
  CLSCTX_INPROC_SERVER,
  __uuidof(INetFwRule),
  (void**)&pFwRule);
  if (FAILED(hr))
  printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Populate the Firewall Rule object
  pFwRule->put_Name(bstrRuleName);
  pFwRule->put_Description(bstrRuleDescription);
  pFwRule->put_ApplicationName(bstrRuleApplication);
  pFwRule->put_ServiceName(bstrRuleService);
  pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
  pFwRule->put_LocalPorts(bstrRuleLPorts);
  pFwRule->put_Grouping(bstrRuleGroup);
  pFwRule->put_Profiles(CurrentProfilesBitMask);
  pFwRule->put_Action(NET_FW_ACTION_ALLOW);
  pFwRule->put_Enabled(VARIANT_TRUE);
  // Add the Firewall Rule
  hr = pFwRules->Add(pFwRule);
  if (FAILED(hr))
  printf("Firewall Rule Add failed: 0x%08lx\n", hr);
  goto Cleanup;
  This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY) ! At startup, the system is always loaded cause several applications starts at the same time. But nothing abnormal. This is quite a random
  issue.
  According MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
  I'm not convinced that we ran out of memory.
  Has someone experienced such an issue? How to avoid this?
  Thank you in advance.
  Regards, -Ruben-

  Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
  Is Windows Embedded 8.1 industry an option?
  www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

• Can't add a new Firewall Rule

  I have a very curious issue: I cannot add any new firewall rules at all! Clicking on the New Button does nothing and on the console I get
  System Preferences[487] * -[NSCFString objectForKey:]: selector not recognized [self = 0x3f11b0]
  I have flushed the firewall with ipfw, deleted the plist file, repaired permissions but the problem ist still there. Any suggestions? (apart from reinstallation)
  Adding Firewall Rules through ipfw works...

  Whenever I use ipfw I lose the ability to use System Preferences. At first I thought that it compared kernel memory with the plist file and if it found a difference, assumed another firewall was running and disabled itself. But I also deleted the plist file (assuming it would build one from kmem) but that didn't work. Right now I assume there's another file somewhere. It wouldn't make any sense to keep another table in kmem. The weird part is that rules can be the same, but different sequence numbers will cause this problem. There weren't sequence numbers in the plist file, so there's probably another file somewhere.
  I think your error is from the missing plist file. A reboot should clear it up.

• Appending Firewall Rules to vShield Edge with PowerCLI Script

  Hi,
  I have a script which enables us to upload 4k worth of firewall rules, but every time it executes, all existing rules are over written.
  Is this something to do with the API or just a scripting issue - if so, can anyone suggest how to append on to the existing set?
  Update:
  So obviously the following line seems to create a new instance of the firewall:
  $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
  Because the next 3 lines after are setting the main firewall parameters again - something you wouldn't need to do if we were just adding new rules to the existing firewall.
  $fwService.DefaultAction = "drop"
  $fwService.LogDefaultAction = $false
  $fwService.IsEnabled = $true
  Is there a way to use a PowerShell command such as add-member rather than new-object?
  param (
  [parameter(Mandatory = $true, HelpMessage="vCD Server")][alias("-server","s")][ValidateNotNullOrEmpty()][string[]]$CIServer,
  [parameter(Mandatory = $true, HelpMessage="Org")][alias("-vOrg","o")][ValidateNotNullOrEmpty()][string[]]$orgName,
  [parameter(Mandatory = $true, HelpMessage="OrgNet")][alias("-orgNet","n")][ValidateNotNullOrEmpty()][string[]]$orgNet,
  [parameter(Mandatory = $true, HelpMessage="CSV Path")][alias("-file","f")][ValidateNotNullOrEmpty()][string[]]$csvFile
  # Add in the VI Toolkit
  if ( (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) -eq $null ) {
  Add-PSsnapin VMware.VimAutomation.Core
  if ( (Get-PSSnapin -Name VMware.VimAutomation.Cloud -ErrorAction SilentlyContinue) -eq $null ) {
  Add-PSsnapin VMware.VimAutomation.Cloud
  try {
  Connect-CIServer -Server $CIServer 2>&1 | out-null
  } catch {
  Exit
  #Search EdgeGW
  try {
    $myOrgNet = Get-Org -Name $orgName | Get-OrgNetwork -Name $orgNet
    $edgeHREF = $myOrgNet.ExtensionData.EdgeGateway.Href
    $edgeView = Search-Cloud -QueryType EdgeGateway -ErrorAction Stop | Get-CIView | where {$_.href -eq $edgeHREF}
  } catch {
  [System.Windows.Forms.MessageBox]::Show("Exception: " + $_.Exception.Message + " - Failed item:" + $_.Exception.ItemName ,"Error.",0,[System.Windows.Forms.MessageBoxIcon]::Exclamation)
    Exit
  #Item to Configure Services
  $edgeView.Configuration.EdgeGatewayServiceConfiguration
  $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
  $fwService.DefaultAction = "drop"
  $fwService.LogDefaultAction = $false
  $fwService.IsEnabled = $true
  $fwService.FirewallRule = @()
  Ipcsv -path $csvFile |
  foreach-object
  $fwService.FirewallRule += New-Object vmware.vimautomation.cloud.views.firewallrule
  $rowNum = $_.Num -as [int]
  $fwService.FirewallRule[$rowNum].description = $_.Descr
  $fwService.FirewallRule[$rowNum].protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
  switch ($_.Proto)
  "tcp" { $fwService.FirewallRule[$rowNum].protocols.tcp = $true }
  "udp" { $fwService.FirewallRule[$rowNum].protocols.udp = $true }
  "any" { $fwService.FirewallRule[$rowNum].protocols.any = $true }
  default { $fwService.FirewallRule[$rowNum].protocols.any = $true }
  $fwService.FirewallRule[$rowNum].sourceip = $_.SrcIP
  if ($_.SrcPort -eq "any" ) { $srcPort = "-1" } else { $srcPort = $_.SrcPort }
  $fwService.FirewallRule[$rowNum].sourceport = $srcPort
  $fwService.FirewallRule[$rowNum].destinationip = $_.DstIP
  $fwService.FirewallRule[$rowNum].destinationportrange = $_.DstPortRange
  $fwService.FirewallRule[$rowNum].policy = $_.Policy
  #$fwService.FirewallRule[$rowNum].direction = $_.Direction
  #$fwService.FirewallRule[$rowNum].MatchOnTranslate = [System.Convert]::ToBoolean($_.MatchOnTranslate)
  $fwService.FirewallRule[$rowNum].isenabled = [System.Convert]::ToBoolean($_.isEnabled)
  $fwService.FirewallRule[$rowNum].enablelogging = [System.Convert]::ToBoolean($_.EnableLogging)
  #configure Edge
  $edgeView.ConfigureServices($fwService)
  Thanks,
  Scott.

  Hi,
  Agree with Ed, you can publish CAS array VIP to internet, and use it to configure Federated Delegation.
  Thanks.
  Niko Cheng
  TechNet Community Support

• ISE 1.1.1 firewall rules distributed deployment

  My question is in reference to the following link:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
  Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell
  My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?
  I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

  Try this for size.
  In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
  You might be able to cut this list down, and you might have to add to it for any specific requirements.
  From PSN to AD (potentially all AD nodes):
  TCP 389, 3268, 445, 88, 464
  UDP 389, 3268
  From PSN to Monitoring nodes:
  TCP 443
  UDP 20514
  PSN to Admin Nodes (2Way):
  TCP 443, 1521
  ICMP echo and reply (heartbeat)
  WLC to PSN:
  TCP 443, 8443, 80, 8080
  UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
  PSN to other PSN’s (2 way)
  UDP 30514, 45588, 45990
  Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
  TCP 8443, 8905
  UDP 8905
  Admin/Sponsor to all ISE nodes:
  TCP 22, 80, 443, 8080, 8443
  UDP 161
  PSN access to DNS servers:
  TCP/UDP 53
  PSN access to NTP servers:
  UDP 123

• [Solved] Windows Firewall rule that allows Windows Update

  Can anyone kindly give me a Windows Firewall rule that allows Windows Update? Assume I'm running MMC's "Windows Firewall with Advanced Security" snap-in as Administrator. Note that a "solution" that takes down the outbound firewall is
  not acceptable.
  Thank You.
  ===== Solution =====
  Suppose that, as the default, you've set the outbound firewall to block (see
  To close the outbound firewall, below). In order for Windows Update to check whether an update is available and then to download the update files, you first need an outbound firewall
  allow-rule that allows the Windows Update service to pass through the outbound firewall.
  Prerequisite: Knowledge of the Microsoft Management Console (MMC) and its "Windows Firewall with Advanced Security" plug-in.
  What you will do: You will use the "Windows Firewall with Advanced Security" MMC plug-in to create an outbound firewall rule that
  allows '%SystemRoot%\System32\svchost.exe' (the generic service driver) to pass through the outbound firewall on behalf of 'wuauserv' (the name of the specific service that performs the update).
  Warning: If you don't know what I'm writing about, get help.
  Name: Allow Windows Update (...or any name you prefer - it doesn't matter)
  Group:
  Profile: Public
  Enabled: Yes
  Action: Allow
  Program: %SystemRoot%\System32\svchost.exe
  Local Address: Any
  Remote Address: Any
  Protocol: Any
  Local Port: Any
  Remote Port: Any
  Allowed Computers: Any
  Status: OK
  Service: wuauserv
  Rule Source: Local Setting
  Interface Type: All interface types
  Excepted Computers: None
  Description:
  To open the outbound firewall:
  More accurate wording would be
  Outbound connections are allowed unless explicitly blocked by a rule.
  If you look at the standard rules you will find no block-rules. That means that nothing is blocked, everything is allowed, and the outbound firewall is wide open.
  To close the outbound firewall:
  More accurate wording would be
  Outbound connections are blocked unless explicitly allowed by a rule.
  If you look at the standard rules you will find only allow-rules that have been crafted to allow the vital Windows connections to pass through the outbound firewall. To an informed observer it's obvious that the firewall engineers crafted these
  allow-rules so that users who closed the outbound firewall wouldn't have to write them. But the firewall engineers left out Windows Update.

  Hi mark,
  Thanks for sharing, it will help other users who have similar issue.
  Regards

• ISA 550 Firewall Rule - how to specify a domain (to resolve a DDNS)

  I want to lock down access to an ISA 550 Firewall to 4 locations.  2 of the locations have dynamic IP addresses.
  Both sites have a dynamic domain maintained at no-ip.org.
  How can I enter 'name.no-ip.org' in to a firewall rule?

  There is not a way to use a domain name in a firewall rule.  When the traffic comes in the packets are addressed with IPs, not with domain names, so when the router looks things up it compares IP addresses. 
  In fact I have never seen this done, even on an enterprise device.  I'm not saying nothing can do it, but it definitely isn't possible with the ISA. 
  Your best bet would be to try and get some static IPs for those two sites as well.
  It is however possible to setup site-to-site VPNs between these devices even if some of them are using DDNS.  This does require those other site's routers to support site-to-site tunnels.  That way those four sites would be able to access resources behind the ISA, but no one else would, and you could still keep using the DDNS for the two dynamic sites.
  Thank you for choosing Cisco,
  Christopher Ebert
  Network Support Engineer - Cisco Small Business Support Center
  *please mark/rate helpful answers*

• Firewall rule for Novell Client

  My company recently purchased McAfee Desktop Firewall and I'm trying to
  configure the rules prior to deployment but I'm having trouble getting
  the Novell Client to cooperate. I've tried having the firewall "learn"
  the client, addresses, ports, protocols, etc. but have had no luck.
  My company is running a mix of Win2k/XP computers as well as Win95/98
  computers so any assistance in creating a firewall rule to allow the
  clients to log in is greatly apprecaited.
  Thanks!
  Ash

  Excellent, thanks!!
  > For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
  > which are NCP over IP and SLP.
  >
  >
  > --
  > Edison Ortiz
  > Novell Product Support Forum SysOp
  > (No Email Support, Thanks !)

• WSUS Firewall rules do not use names nor groupnames

  Hi everyone,
  Today I've been playing around with PowerShell Workflows and the firewall cmdlets on my test environment. (Great stuff, Thanks
  Scripting Guys)
  After working out a little workflow I noticed that the firewall rules that were made by the WSUS feature installation had no Name nor DisplayGroup, only the DisplayName.
  My test environment is made up from tree Server 2012 R2 servers with a domain.
  The script I made :
  workflow Get-AllFirewalls
  Parallel{
  InlineScript{
  Get-NetFirewallRule -Enabled True -Action Allow |?{
  $_.Profile -match "Any|Domain"
  } | select Name,DisplayName,direction,DisplayGroup,
  @{n='Port';e={($_|Get-NetFirewallPortFilter).LocalPort}},
  @{n='Protocol';e={($_|Get-NetFirewallPortFilter).Protocol}},
  @{n='Program';e={($_|Get-NetFirewallApplicationFilter).Program}}
  $output = Get-AllFirewalls -PSComputerName (Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"').name
  $output |Sort-Object DisplayGroup |Format-Table PSComputerName,Name,DisplayName,Direction,Port,Protocol,Program -GroupBy DisplayGroup -AutoSize
  Now this is just for testing and I could get around the fact there are no proper names but I think it's sloppy not to fill the naming attributes.
  Am I the only one with these results or is it just WSUS?

  There are only two rules created, one for HTTP on port 8530 one for HTTPS on port 8531, and the latter isn't even used in most WSUS installations.
  There is no Group Name, because this is not a GROUP of rules, it is two individual rules. One is always enabled; the second is optionally enabled WHEN the WSUS Server is configured to use SSL, and it's enabled by an administrative script provided in the
  WSUS toolset.
  Ergo, a server administrator never has to mess with these two rules at all, so, no, I think it's insignificant that these rules may be missing a couple of generally irrelevant attributes.
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• RV120w DMZ Firewall Rules

  Hello,
  I am trying to set up a DMZ server.  I have an internal LAN IP address (192.168.1.10) that I would like to make a DMZ server. 
  In the GUI, I set this IP address to be the DMZ server.
  For firewall rules, I want to permit only one port from the WAN to the DMZ and none from the DMZ to the LAN.
  In my firewall rules, I don't see any options for DMZ options.  I only see WAN to LAN and LAN to WAN.
  I presume the DMZ setting doesn't do anything per se execept allow the firewall rules to have a target.  Is this correct?
  I am running the latest firmware.
  How do I get the DMZ firewall rules to show up?
  Thanks,
  John

  Hello,
  I have to say that this DMZ definition is not what I would excect Cisco to use.
  Basically, my DMZ host is fully exposed to the internet and if someone penetrates it, they are fully on my LAN.
  The manual says:
  Configuring a DMZ Host
  The Cisco RV120W supports DMZ options. A DMZ is a sub-network that is open to
  the public but behind the firewall. DMZ allows you to redirect packets going to
  your WAN port IP address to a particular IP address in your LAN. It is
  recommended that hosts that must be exposed to the WAN (such as web or e-mail
  servers) be placed in the DMZ network. Firewall rules can be allowed to permit
  access to specific services and ports to the DMZ from both the LAN or WAN. In
  the event of an attack on any of the DMZ nodes, the LAN is not necessarily
  vulnerable as well.
  You must configure a fixed (static) IP address for the endpoint that will be
  designated as the DMZ host. The DMZ host should be given an IP address in the
  same subnet as the router's LAN IP address but it cannot be identical to the IP
  address given to the LAN interface of this gateway.
  The bold section indicates that the LAN is not vulnerable if the DMZ host falls.  This is different from what you were talking about.  Can you double check this?
  I would like to know if there is a plan to add DMZ firewall rules.  Or, can I get into the box and use IPtables to create my own (knowing that I would be in an unsupported mode)?
  Or, make port access control lists on the inter VLAN routing option?
  Thanks for fully explaining this.  The manually is woefully inadequate in discussing what exactly the DMZ does.
  Can you please forward these concerns to product management.  Basically the DMZ is a security hole that I can't mitigate.  It provides no value to me beyond not having to port forward manually. 
  If I am mistaken, please provide the correct information.
  Thanks,
  John

• RVS4000 Default Firewall Rule

  Hi, RVS4000 has default firewall rule from ANY WAN -> to ANY LAN with status Allowed. Should that be denied by default, like in RV042 or RVL200?

  Jasbryan,
  Thank you for suggesting the call to business support.
  The support staff member was able to fully clarify (and thus resolve) the issue. Further, she will initiate the steps necessary to get the GUI updated in a future firmware release, so that the default rule will properly reflect DENY for all WAN to LAN connections.
  And so that others might be made aware (or learn, as did I) about the operation of the RV4000 firewall, here is a brief description of the resolution. Being used to One-To-One NAT devices, I believed that in addition to a Port Forwarding rule, I also needed to create a corresponding ACL firewall rule. However the support agent revealed that a Port Forwarding entry (automatically) opened the appropriate port(s) in the firewall, so that creation of an explicit rule was not necessary. My testing that revealed open ports without the presence of an ACL had only been done on ports associated with my Port Forwarding rules, so my testing was basically flawed. Now I know!

• VLAN to VLAN firewall rules support missing on RV180

  How do I submit an RFE (Request For Enhancement) to the Cisco SBR team to encourage them to  implement the missing support for VLAN to VLAN firewall rules that was available in the RVS4000 (See https://supportforums.cisco.com/message/3614106#3614106) and that was supposedly added to a beta release of the RV220W firmware (See  https://supportforums.cisco.com/message/3614106#3614106)?

  Hi Kelly, the RV220W does support LAN to LAN access rules on the 1.0.4.17 and it is released.
  To make a feature request, it is pretty simple. Call the SBSC, have a case created for you. Tell the engineer you'd like to make a feature request. It usually gets escalated in 3 days or less.
  -Tom
  Please mark answered for helpful posts

• SQL firewall rule to restrict traffic from only one Azure PaaS website (cross-post from websites)

  (This has also been posted on the websites forum)
  Hi,
  I have been asked to configure the firewall on the SQL PaaS instance to only allow traffic from a specified PaaS website that is within the same subscription. I can't see any way to set a static internal IP for the website, is there a way to identify it
  for the purpose of the SQL Database firewall rule?
  Thanks,
  Karina

  You're right, KG! Sorry.
  This article mentions a reserved-IP:
  https://msdn.microsoft.com/en-us/library/azure/dn690120.aspx
  It specifically mentions your scenario:
  You want to ensure that outbound traffic from Azure uses a predictable IP address. You may have your firewall configured to allow only traffic from specific IP addresses. By reserving a VIP, you will know the source IP address and won’t
  have to update your firewall rules due to a VIP change. This is especially helpful if you want to configure your firewall before you create your cloud service.
  The only thing I'm not confident on would be if it works with Azure Websites - it does mention cloud services, though. If you have further questions, I can give a shot myself and see if I can get a working example.

• Add firewall rule with custom environment variable in program path

  Hi,
  We want to create a firewall rule for a program which is placed in folder which changes sometimes. I know you can add a firewall with the ProgramFiles environment variable like this:
  netsh advfirewall firewall add rule name="Test Firewall rule" dir=in program="%%ProgramFiles%%\Test\Test.exe" action=allow security=notrequired
  The environment variable ProgramFiles isn't expanded and if the Program Files folder is different on a system the rule still works.
  We try to use this with a custom environment variable which we set a system environment variable with this command:
  SETX SomeFolder "D:\Some Folder\Apr 2015" /M
  If we use the command below to add the firewall rule in a batch file the environment variable SomeFolder is expanded correctly and the program path is added as a static path.
  netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%SomeFolder%\AFile.exe" action=allow security=notrequired
  Because the folder changes sometimes we want to change the environment variable SomeFolder and not remove the old firewall rule and create a new one. We want to add the environment variable SomeFolder to the program path as a (dynamic) environment variable
  and not as the expanded path at the moment when the rule is added. If we use this command:
  netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%%SomeFolder%%\AFile.exe" action=allow security=notrequired
  We get the error:
            Windows Firewall with Advanced Security
            An error occurred while adding the rule.
            Error: The parameter is incorrect
            Status: The application name could not be resolved
            OK   
  Why can't we use %%SOMEFOLDER%% like we can use %%PROGRAMFILES%%? The same error is shown when we try to add the firewall rule through the management console 'Windows Firewall with Advanced Security'
  W. Spu

  Hi,
  Based on my plenty of test with this problem, it seems like there is no better method to achieve your requirement. To add new policy to firewall, it would be better using general cmdlet. The path parameter like %%SomeFolder%% do have problem in add firewall
  policy cmdlet. 
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]