-
Notifications
You must be signed in to change notification settings - Fork 81
New FalconFirewallGroup
bk-cs edited this page Sep 19, 2025
·
23 revisions
Create Falcon Firewall Management rule groups
Requires 'Firewall management: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Name | String | Rule group name | X | ||||
| Enabled | Boolean | Rule group enablement status | X | ||||
| Platform | String | Operating system platform [default: windows] | X | ||||
| Description | String | Rule group description | X | ||||
| Rule | Object[] | Firewall rules | X | ||||
| Comment | String | Audit log comment | X | ||||
| Library | String | Clone default Firewall rules | |||||
| CloneId | String | Clone an existing rule group | |||||
| Validate | Switch | Toggle to perform validation, instead of creating rule group |
New-FalconFirewallGroup [-Name] <String> [-Enabled] <Boolean> [-Platform] <String> [[-Description] <String>] [[-Rule] <Object[]>] [[-Comment] <String>] [[-Library] <String>] [[-CloneId] <String>] [-WhatIf] [-Confirm] [<CommonParameters>]New-FalconFirewallGroup [-Name] <String> [-Enabled] <Boolean> [-Platform] <String> [[-Description] <String>] [[-Rule] <Object[]>] [[-Comment] <String>] [[-Library] <String>] [[-CloneId] <String>] -Validate [-WhatIf] [-Confirm] [<CommonParameters>]POST /fwmgr/entities/rule-groups/v1
POST /fwmgr/entities/rule-groups/validation/v1
create_rule_group
create_rule_group_validation
The Rules parameter accepts a PowerShell array of rule objects which are converted to Json before submission.
$Rule = @(
@{
name = 'Block IP'
description = 'Block outbound to example.com IP address'
enabled = $true
action = 'DENY'
direction = 'OUT'
address_family = 'IP4'
protocol = '*'
fields = @(
@{
name = 'network_location'
type = 'set'
values = @( 'ANY' )
}
)
local_address = @(@{ address = '*'; netmask = 0 })
remote_address = @(@{ address = '93.184.216.34'; netmask = 32 })
}
)
New-FalconFirewallGroup -Name 'test rule group' -Enabled $true -Platform windows -Description 'describing a rule group' -Rule $Rule2025-09-19: PSFalcon v2.2.9

- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Assets
- CAO Hunting
- Case Templates
- Cases
- Channel File Control Settings
- Cloud Security API Assets
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- IT Automation - Policies
- IT Automation - Task Executions
- IT Automation - Tasks
- IT Automation - User Groups
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- NGSIEM
- NGSIEM Dashboards
- NGSIEM Lookup Files
- NGSIEM Parsers
- NGSIEM Saved Queries
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust