Falcon Firewall Management provides centralized control over host-based firewall policies across Windows and Linux systems. Configure firewall rules, manage rule groups, define network locations, and monitor firewall events.

Policy Settings

Get-FalconFirewallSetting

Retrieve general settings for a Falcon Firewall Management policy.
Get-FalconFirewallSetting -Id <policy_id>

Parameters

Id
string[]
required
Policy identifier(s)

Edit-FalconFirewallSetting

Modify Falcon Firewall Management policy settings.
Edit-FalconFirewallSetting -Id <policy_id> -Enforce $true -DefaultInbound DENY -DefaultOutbound ALLOW

Parameters

Id
string
required
Policy identifier
PlatformId
string
Operating System platform: 0 (Windows), 1 (Linux)
Enforce
boolean
Policy enforcement status
RuleGroupId
string[]
Rule group identifier(s) in precedence order
DefaultInbound
string
Default action for inbound traffic: ALLOW, DENY
DefaultOutbound
string
Default action for outbound traffic: ALLOW, DENY
MonitorMode
boolean
Override all block rules and enable monitoring
LocalLogging
boolean
Enable local logging of firewall events
All fields are required. PSFalcon automatically adds missing values from your existing policy.

Rule Groups

Get-FalconFirewallGroup

Search for Falcon Firewall Management rule groups.
Get-FalconFirewallGroup -Filter "platform_id:'0'" -Detailed

Parameters

Id
string[]
Rule group identifier(s)
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
After
string
Pagination token to retrieve the next set of results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved

New-FalconFirewallGroup

Create Falcon Firewall Management rule groups.
New-FalconFirewallGroup -Name "Web Server Rules" -Enabled $true -Platform windows -Description "Allow HTTP/HTTPS"

Parameters

Name
string
required
Rule group name
Enabled
boolean
required
Rule group enablement status
Platform
string
required
Operating system platform: windows, linux
Description
string
Rule group description
Rule
object[]
Firewall rules array
Comment
string
Audit log comment
Library
string
Clone default Firewall rules
CloneId
string
Clone an existing rule group
Validate
switch
Perform validation instead of creating rule group

Edit-FalconFirewallGroup

Modify Falcon Firewall Management rule groups.
# Add a rule to a rule group
$DiffOps = @(
    @{
        op = 'add'
        path = '/rules/0'
        value = @{
            name = 'Allow HTTPS'
            action = 'ALLOW'
            direction = 'IN'
            protocol = '6'
            local_port = @{ start = '443'; end = '443' }
        }
    }
)

Edit-FalconFirewallGroup -Id <rulegroup_id> -DiffOperation $DiffOps -Comment "Added HTTPS rule"

Parameters

DiffOperation
object[]
required
Array of hashtables containing rule or rule group changes with properties: from, op, path, value. Accepted op values: add, remove, replace
Comment
string
Audit log comment
RuleId
string[]
Firewall rule family values or temp_id for new rules
RuleVersion
string[]
Firewall rule version values or 'null' for new rules
Id
string
required
Rule group identifier
Validate
switch
Perform validation instead of modifying rule group

Remove-FalconFirewallGroup

Remove Falcon Firewall Management rule groups.
Remove-FalconFirewallGroup -Id <rulegroup_id> -Comment "No longer needed"

Firewall Rules

Get-FalconFirewallRule

Search for Falcon Firewall Management rules.
# Get rules for a specific policy in precedence order
Get-FalconFirewallRule -PolicyId <policy_id>

# Search for rules by filter
Get-FalconFirewallRule -Filter "name:'*Web*'" -Detailed

Parameters

Id
string[]
Rule identifier(s)
PolicyId
string
Return rules in precedence order for a specific policy
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
After
string
Pagination token
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all results retrieved

Network Locations

Get-FalconFirewallLocation

Search for Falcon Firewall Management locations.
Get-FalconFirewallLocation -Filter "enabled:true" -Detailed

Parameters

Id
string[]
Location identifier(s)
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search
Sort
string
Property and direction to sort results
Limit
int
Maximum number of results per request

New-FalconFirewallLocation

Create Falcon Firewall Management locations.
# Create location with network identifiers
$Location = @{
    Name = "Office Network"
    Description = "Corporate office location"
    Enabled = $true
    DefaultGateway = @('192.168.1.1')
    DnsServer = @('192.168.1.10', '192.168.1.11')
    DhcpServer = @('192.168.1.1')
}

New-FalconFirewallLocation @Location

Parameters

CloneId
string
Clone an existing location
AddFwRule
boolean
Include firewall rules from existing location (when using CloneId)
Name
string
required
Location name
Description
string
Location description
Enabled
boolean
Location enablement status
ConnectionType
object
Wired or wireless connection types with associated properties
DefaultGateway
string[]
Default gateway IP address(es) or CIDR block(s)
DhcpServer
string[]
DHCP server IP address(es) or CIDR block(s)
DnsServer
string[]
DNS server IP address(es) or CIDR block(s)
HostAddress
string[]
Host IP address(es) or CIDR block(s)
DnsResolutionTarget
object[]
Target IP/CIDR with optional domain name
HttpsReachableHost
object[]
Target domain name using trusted certificate
IcmpRequestTarget
object[]
Pingable IP address(es) or CIDR block(s)
Comment
string
Audit log comment

Edit-FalconFirewallLocation

Modify Falcon Firewall Management locations.
Edit-FalconFirewallLocation -Id <location_id> -Name "Updated Office Network" -Enabled $true

Remove-FalconFirewallLocation

Remove Falcon Firewall Management locations.
Remove-FalconFirewallLocation -Id <location_id>

Firewall Events

Get-FalconFirewallEvent

Search for Falcon Firewall Management events.
Get-FalconFirewallEvent -Filter "status:'blocked'" -Detailed

Parameters

Id
string[]
Event identifier(s)
Filter
string
Falcon Query Language expression to limit results
Query
string
Generic substring search
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
After
string
Pagination token
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all results retrieved

Use Cases

Configure Web Server Firewall

# Create rule group for web server
$Rules = @(
    @{
        name = 'Allow HTTP'
        action = 'ALLOW'
        direction = 'IN'
        protocol = '6'
        local_port = @{ start = '80'; end = '80' }
    },
    @{
        name = 'Allow HTTPS'
        action = 'ALLOW'
        direction = 'IN'
        protocol = '6'
        local_port = @{ start = '443'; end = '443' }
    }
)

$RuleGroup = New-FalconFirewallGroup -Name "Web Server" -Enabled $true `
    -Platform windows -Rule $Rules -Description "HTTP/HTTPS traffic"

# Apply to policy
$Policy = Get-FalconFirewallSetting -Id <policy_id>
Edit-FalconFirewallSetting -Id $Policy.id -RuleGroupId @($RuleGroup.id) -Enforce $true
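Passing -RuleGroupId with only the new group, as above, replaces the policy's whole precedence list. The following added example (not part of the PSFalcon documentation) keeps the groups already assigned and rolls the new group out in monitor mode before enforcing; it assumes the object returned by Get-FalconFirewallSetting exposes the current order as a rule_group_ids property, and that <policy_id> is replaced with a real value.

```powershell
# Added example: add a rule group to a policy while preserving the existing precedence
# order, staging it with MonitorMode so blocks are logged rather than applied.
# Assumption: Get-FalconFirewallSetting output has a 'rule_group_ids' array property.
function Add-RuleGroupToPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string]$RuleGroupId,
        [switch]$Prepend,   # place the new group first (highest precedence)
        [switch]$Enforce    # turn MonitorMode off so the rules actually block
    )
    $Policy = Get-FalconFirewallSetting -Id $PolicyId

    # Current order, minus the group we are adding (so re-runs do not duplicate it).
    # Wrapping in @() keeps an empty result as an empty array rather than $null.
    [string[]]$Existing = @(@($Policy.rule_group_ids) |
        Where-Object { $_ -and $_ -ne $RuleGroupId })

    [string[]]$Order = if ($Prepend) { @($RuleGroupId) + $Existing }
                       else          { $Existing + @($RuleGroupId) }

    # Only the fields we change are passed; PSFalcon fills the remaining required
    # fields (platform, default actions, logging) from the existing policy.
    $Param = @{
        Id          = $PolicyId
        RuleGroupId = $Order
        Enforce     = $true
        MonitorMode = (-not $Enforce)   # monitor first, enforce on a second run
    }
    Edit-FalconFirewallSetting @Param
}

# Stage: new group takes precedence, blocks are only logged.
Add-RuleGroupToPolicy -PolicyId '<policy_id>' -RuleGroupId $RuleGroup.id -Prepend

# After reviewing Get-FalconFirewallEvent output for unexpected blocks, enforce.
Add-RuleGroupToPolicy -PolicyId '<policy_id>' -RuleGroupId $RuleGroup.id -Prepend -Enforce
```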

Monitor Blocked Traffic

# Get blocked events from last hour
$OneHourAgo = (Get-Date).AddHours(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$BlockedEvents = Get-FalconFirewallEvent -Filter "status:'blocked'+created_timestamp:>'$OneHourAgo'" -Detailed

# Analyze blocked connections
$BlockedEvents | Group-Object -Property local_port | Select-Object Name, Count | Sort-Object Count -Descending
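A grouping by port alone hides which sources are generating the blocks. The added example below (not from the PSFalcon documentation) extends the query above into a triage summary that surfaces remote addresses blocked repeatedly across several hosts; the event fields remote_address, host_name and rule_name are assumed from the firewall event schema, since only status, created_timestamp and local_port appear on this page.

```powershell
# Added example: summarise blocked firewall events from the last N hours by
# listening port/rule and by remote source. Assumed event fields: remote_address,
# host_name, rule_name (local_port, status, created_timestamp are documented above).
function Get-BlockedTrafficSummary {
    param(
        [int]$Hours   = 1,    # look-back window
        [int]$MinHits = 20    # a source below this many blocks is not reported
    )
    $Since  = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $Events = Get-FalconFirewallEvent -Filter "status:'blocked'+created_timestamp:>'$Since'" `
        -Detailed -All
    if (-not $Events) { return }

    # Which local ports are being hit most, and by which rule the block was made
    $ByPort = $Events | Group-Object local_port, rule_name |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'LocalPort_Rule'; e = { $_.Name } }, Count

    # Sources blocked repeatedly: how many distinct hosts and ports each one touched
    $BySource = $Events | Group-Object remote_address |
        Where-Object Count -ge $MinHits |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Hits          = $_.Count
                Hosts         = @($_.Group.host_name  | Sort-Object -Unique).Count
                Ports         = (@($_.Group.local_port | Sort-Object -Unique) -join ',')
            }
        } | Sort-Object Hits -Descending

    [pscustomobject]@{ ByPort = $ByPort; NoisySources = $BySource }
}

$Summary = Get-BlockedTrafficSummary -Hours 1 -MinHits 20
$Summary.ByPort       | Format-Table -AutoSize
$Summary.NoisySources | Format-Table -AutoSize
```

A source that appears with a high Hits count and many distinct Hosts or Ports is worth correlating with other telemetry before deciding whether the block rule is doing its job or a policy default is too broad.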

Manage Network Locations

# Create location for remote office
$RemoteOffice = New-FalconFirewallLocation -Name "Remote Office" `
    -DefaultGateway @('10.20.1.1') `
    -DnsServer @('10.20.1.10') `
    -Enabled $true

# Set location precedence
Set-FalconFirewallLocationPrecedence -Id @($Location1.id, $Location2.id, $RemoteOffice.id)

Requires Firewall management: Read scope for read operations and Firewall management: Write scope for modifications.
