Edit firewall rule scope with PowerShell

One of our managed server customers frequently asked me to add an IP address to the scope of a firewall, especially when they were still testing and did not want HTTP/HTTPS to be open to everyone.

Recent versions of PowerShell have cmdlets that you can use to manage firewall rules. To set the scope you can use the Set-NetFirewallAddressFilter cmdlet. You use it like this:

Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress

This works well and is fast. The only problem is that it also overwrites everything that is already in the RemoteAddress list. To add an IP address you need to get the current value first, then add the new IP address to that value and finally set the new scope.

To make my life easier I created a function to do all this. It is essentially a wrapper around Set-NetFirewallAddressFilter, and you can use it the same way.

Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses

function Add-MvaNetFirewallRemoteAdressFilter {
    <#
    .SYNOPSIS
    This function adds one or more IP addresses to the firewall remote address filter.
    .DESCRIPTION
    With the default Set-NetFirewallAddressFilter you can set an address filter for a firewall rule. You cannot use it to
    add an IP address to an existing address filter. The existing address filter will be replaced by the new one.
    The Add-MvaNetFirewallRemoteAdressFilter function will add the IP address, which is very useful when there are already
    many IP addresses in the address filter.
    .PARAMETER fwAddressFilter
    This parameter contains the AddressFilter that you want to change. It accepts pipeline output from the command
    Get-NetFirewallAddressFilter.
    .PARAMETER IPaddresses
    This parameter is mandatory and can contain one or more IP addresses. You can also use a subnet.
    .EXAMPLE
    Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses
    Add a single IP address to the remote address filter of the firewall rule 'Test-Rule'
    .EXAMPLE
    Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses,,
    Add multiple IP addresses to the remote address filter of the firewall rule 'Test-Rule'
    .NOTES
    You need to be Administrator to manage the firewall.
    #>
    [CmdletBinding()]
    param (
        # Address filter to change (pipeline output of Get-NetFirewallAddressFilter)
        [Parameter(ValueFromPipeline = $true,
            Mandatory = $True)]
        $fwAddressFilter,

        # One or more IP addresses or subnets to add
        [Parameter(Position = 0,
            Mandatory = $True,
            HelpMessage = "Enter one or more IP Addresses.")]
        [string[]]$IPAddresses
    )
    process {
        try {
            #Get the current list of remote addresses
            [string[]]$remoteAddresses = $fwAddressFilter.RemoteAddress
            Write-Verbose -Message "Current address filter contains: $remoteAddresses"
            #Add new ip address to the current list
            # If the filter holds only a keyword, replace it with the new addresses.
            # -in tests a single value, so compare the one entry rather than the whole array.
            if ($remoteAddresses.Count -eq 1 -and $remoteAddresses[0] -in 'Any', 'LocalSubnet', 'LocalSubnet6', 'PlayToDevice') {
                $remoteAddresses = $IPAddresses
            }
            else {
                $remoteAddresses += $IPAddresses
            }
            #set new address filter
            $fwAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress $remoteAddresses -ErrorAction Stop
            Write-Verbose -Message "New remote address filter is set to: $remoteAddresses"
        }
        catch {
            # The catch body is not shown in the post; re-throwing the error is an assumption.
            throw
        }
    }
}
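
The get, append, set procedure described above passes its input on unchecked, so a malformed or repeated address goes straight into the rule's scope. As an added example that is not part of the original post, the hypothetical helper Merge-RemoteAddress validates single addresses and CIDR subnets and drops duplicates before the list reaches Set-NetFirewallAddressFilter. Range and subnet-mask notation are not handled, and the addresses are constructed samples.

```powershell
# Added example: Merge-RemoteAddress is a hypothetical helper, not the post's code.
function Merge-RemoteAddress {
    [CmdletBinding()]
    param (
        [string[]]$Current,
        [Parameter(Mandatory = $true)]
        [string[]]$New
    )

    # Keywords the function in the post treats as "replace instead of append".
    $keywords = 'Any', 'LocalSubnet', 'LocalSubnet6', 'PlayToDevice'

    foreach ($entry in $New) {
        # Split an optional "/prefix" off the address part.
        $address, $prefix = $entry -split '/', 2
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) {
            throw "Not a valid IP address or subnet: '$entry'"
        }
        if ($null -ne $prefix) {
            # Prefix length must fit the address family (32 bits IPv4, 128 bits IPv6).
            $max = if ($parsed.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
            $bits = 0
            if (-not ([int]::TryParse($prefix, [ref]$bits)) -or $bits -lt 0 -or $bits -gt $max) {
                throw "Invalid prefix length in '$entry'"
            }
        }
    }

    # A filter holding only a keyword is replaced, as in the post; otherwise append.
    if ($Current.Count -eq 1 -and $Current[0] -in $keywords) {
        $merged = $New
    }
    else {
        $merged = @($Current) + $New
    }

    # Skip empty entries and drop exact duplicates, keeping the original order.
    $merged | Where-Object { $_ } | Select-Object -Unique
}

# Constructed sample values (documentation address ranges); needs no admin rights.
Merge-RemoteAddress -Current '198.51.100.7' -New '203.0.113.10', '198.51.100.7', '203.0.113.0/24'

# On a real rule the result would be passed to the cmdlet from the post:
# $filter = Get-NetFirewallRule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter
# $merged = Merge-RemoteAddress -Current $filter.RemoteAddress -New '203.0.113.10'
# $filter | Set-NetFirewallAddressFilter -RemoteAddress $merged
```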