xFirewall: DisplayName not set correctly if not in desired state

[ghost]

Ok, this is an odd one, found it by chance. So short background, I usually use DSC through Puppet, but no worries I have reproduced this strangeness in "native" DSC code as well. I had a few rules (one bultin for SNMP and the other one created by the installation of NSClient++) that have been set to remote address 'Any' by default. Looking into that, wanting to restrict the allowed addresses, I created a suitable config with xFirewall and in a big environment its rather nice to in an easy way see "what" actually set something to "something" so I thought of incorporating the puppet modules name in the DisplayName of the rule. That is when I stumbled on this one: If the DisplayName is not already in the desired state it will be set to Name for some unknown reason.

So this is what I got:

configuration` 'NSclient_FW_rule' {
  Import-DscResource -modulename xnetworking -moduleversion '5.0.0.0'
  node localhost {
    xfirewall 'nrpe' {
      name = '{9142D173-5ACD-4AA5-BA0E-4FE2FB4CEB36}'
      ensure = 'Present'
      displayname = 'NSClient++ Monitoring Agent'
      description = 'NSClient++ Monitoring Agent'
      action = 'Allow'
      direction = 'Inbound'
      enabled = $true
      protocol = 'TCP'
      program = 'C:\Program Files\NSClient++\nscp.exe'
      remoteaddress = @(my_array_of_remoteaddresses)
      localport = '5666'
    }
  }
}

What I expect to see is:
displayname = 'NSClient++ Monitoring Agent'

What I get, if not in desired state (say the rule was manually renamed to 'This is a faulty displayname'):
displayname = '{9142D173-5ACD-4AA5-BA0E-4FE2FB4CEB36}'

While if the name is already 'NSClient++ Monitoring Agent' I get:
displayname = 'NSClient++ Monitoring Agent'

I've tried different versions of the module as 3.2.0.0 is the one included with puppetlabs-dsc, but natively 3.2.0.0 and 5.0.0.0 gives me the same results. To get the correct name set again you have to either:
Set-NetFirewallRule -name '{9142D173-5ACD-4AA5-BA0E-4FE2FB4CEB36}' -NewDisplayName 'NSClient++ Monitoring Agent' or cut'n paste in the Firewall GUI....

[PlagueHO]

Hi @freni59,

Thanks for raising this and all the info.

Are you able to apply your config above with the -Verbose keyword specified and then dump the log here? xFirewall has lots of Verbose logging entries that may tell us what is going on here.

There are a few little "gotchas" with the way the *-NetFirewallRule cmdlets work with "Built-in" rules that may be involved here. But I'll know more with the Verbose logs hopefully.

Thanks again!

[ghost]

Hi @PlagueHO,

Lets see I ran an apply with verbose and this is what I got as an output:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/Des
iredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer HERA with user sid S-1-5-21-3466306919-469524849-1554712323-204576.
VERBOSE: [HERA]: LCM:  [ Start  Set      ]
VERBOSE: [HERA]: LCM:  [ Start  Resource ]  [[xFirewall]nrpe]
VERBOSE: [HERA]: LCM:  [ Start  Test     ]  [[xFirewall]nrpe]
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Checking settings for firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Find firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Check each defined parameter against the existing firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: DisplayName property value 'Wrong DisplayName' does not match desired state 'NSClient++ Monitoring Agent'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: Test Firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' returning False.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Check Firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' returning False.
VERBOSE: [HERA]: LCM:  [ End    Test     ]  [[xFirewall]nrpe]  in 3.5160 seconds.
VERBOSE: [HERA]: LCM:  [ Start  Set      ]  [[xFirewall]nrpe]
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Applying settings for firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Find firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: We want the firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' to exist since Ensure is set to Present.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: We want the firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' to exist and it does. Check for valid propert
ies.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Check each defined parameter against the existing firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: DisplayName property value 'Wrong DisplayName' does not match desired state 'NSClient++ Monitoring Agent'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: Test Firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' returning False.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Updating existing firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-NetFirewallRule DisplayName: {96804A6E-712C-4B3F-B96B-E85CF44B18B4}
VERBOSE: [HERA]: LCM:  [ End    Set      ]  [[xFirewall]nrpe]  in 1.5310 seconds.
VERBOSE: [HERA]: LCM:  [ End    Resource ]  [[xFirewall]nrpe]
VERBOSE: [HERA]: LCM:  [ End    Set      ]
VERBOSE: [HERA]: LCM:  [ End    Set      ]    in  5.4850 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 5.577 seconds

I did a fork and found part of a solution, a "Name" that should be a "DisplayName", can put up a pull request for that one, but I am a little bit too rookie to find out how to correct the verbose output because it still says it is changing the DisplayName to Name....

[ghost]

There is something funky with that line in the verbose output. this is the output from a config run when the remoteaddresses are wrongly set to Any, the DisplayName is not change but it still gives that output line stating Set-NetFirewallRule.... That output might be a totally different issue?

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/Des
iredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer HERA with user sid S-1-5-21-3466306919-469524849-1554712323-204576.
VERBOSE: [HERA]: LCM:  [ Start  Set      ]
VERBOSE: [HERA]: LCM:  [ Start  Resource ]  [[xFirewall]nrpe]
VERBOSE: [HERA]: LCM:  [ Start  Test     ]  [[xFirewall]nrpe]
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Checking settings for firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Find firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Check each defined parameter against the existing firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: RemoteAddress property value 'Any' does not match desired state '130.236.2.184/255.255.255.248,2001:6b0:17:f001::/64'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: Test Firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' returning False.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-TargetResource: Check Firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' returning False.
VERBOSE: [HERA]: LCM:  [ End    Test     ]  [[xFirewall]nrpe]  in 2.9840 seconds.
VERBOSE: [HERA]: LCM:  [ Start  Set      ]  [[xFirewall]nrpe]
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Applying settings for firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Find firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: We want the firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' to exist since Ensure is set to Present.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: We want the firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' to exist and it does. Check for valid propert
ies.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Check each defined parameter against the existing firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Get-FirewallRuleProperty: Get all the properties and add filter info to rule map.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: RemoteAddress property value 'Any' does not match desired state '130.236.2.184/255.255.255.248,2001:6b0:17:f001::/64'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Test-RuleProperties: Test Firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}' returning False.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-TargetResource: Updating existing firewall rule with Name '{96804A6E-712C-4B3F-B96B-E85CF44B18B4}'.
VERBOSE: [HERA]:                            [[xFirewall]nrpe] Set-NetFirewallRule DisplayName: {96804A6E-712C-4B3F-B96B-E85CF44B18B4}
VERBOSE: [HERA]: LCM:  [ End    Set      ]  [[xFirewall]nrpe]  in 1.4530 seconds.
VERBOSE: [HERA]: LCM:  [ End    Resource ]  [[xFirewall]nrpe]
VERBOSE: [HERA]: LCM:  [ End    Set      ]
VERBOSE: [HERA]: LCM:  [ End    Set      ]    in  5.0160 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 5.176 seconds