
Invoke-IcingaCheckFirewall reports NotConfigured on Windows Server 2025 with GPO-managed firewall #480

@B3RN0UT

Description

Describe the bug

Invoke-IcingaCheckFirewall reports a critical state on Windows Server 2025 when the Windows Firewall is managed by Group Policy.

The check reports all firewall profiles as NotConfigured, although the effective firewall state is enabled for Domain, Private and Public profiles.

The issue appears to be related to the plugin using Get-NetFirewallProfile without specifying -PolicyStore ActiveStore.

On the affected system, the default policy store returns NotConfigured, while the effective active policy store returns True.

To Reproduce

  1. Install Icinga for Windows on a Windows Server 2025 system with Windows Firewall managed through Group Policy.

  2. Verify the default firewall profile state:

Get-NetFirewallProfile | Select-Object Name, Enabled

Output:

Name    Enabled
----    -------
Domain  NotConfigured
Private NotConfigured
Public  NotConfigured

  3. Verify the effective firewall profile state using the Active Policy Store:

Get-NetFirewallProfile -PolicyStore ActiveStore | Select-Object Name, Enabled

Output:

Name    Enabled
----    -------
Domain     True
Private    True
Public     True

  4. Verify the effective firewall state using netsh:

netsh advfirewall show allprofiles

Relevant output:

Domain Profile Settings:
State                                 ON

Private Profile Settings:
State                                 ON

Public Profile Settings:
State                                 ON

  5. Run the Icinga for Windows firewall check:

Import-Module icinga-powershell-framework
Import-Module icinga-powershell-plugins

Invoke-IcingaCheckFirewall `
    -FirewallProfile Domain,Private,Public `
    -Enabled `
    -Verbosity 3

Output:

[CRITICAL] Firewall profiles [CRITICAL] Firewall Profile Domain, Firewall Profile Private, Firewall Profile Public (All must be [OK])
\_ [CRITICAL] Firewall Profile Domain: Value NotConfigured is not matching threshold Enabled
\_ [CRITICAL] Firewall Profile Private: Value NotConfigured is not matching threshold Enabled
\_ [CRITICAL] Firewall Profile Public: Value NotConfigured is not matching threshold Enabled

  6. Inspect the implementation of the check:

(Get-Command Invoke-IcingaCheckFirewall).Definition

Relevant code:

$FirewallData = (Get-NetFirewallProfile -Name $singleprofile -ErrorAction SilentlyContinue);

$FirewallCheck = New-IcingaCheck `
    -Name "Firewall Profile $singleprofile" `
    -Value $FirewallData.Enabled

The check currently reads the default policy store, which returns NotConfigured on Windows Server 2025 systems where Windows Firewall is managed through Group Policy.

The effective firewall state is available through:

Get-NetFirewallProfile -PolicyStore ActiveStore

which correctly returns:

Domain     True
Private    True
Public     True

Possible root cause

Invoke-IcingaCheckFirewall currently uses:

Get-NetFirewallProfile -Name $singleprofile

On Windows Server 2025 with GPO-managed firewall profiles this returns:

NotConfigured

while the effective state is available via:

Get-NetFirewallProfile -PolicyStore ActiveStore

which correctly returns:

True

for all enabled firewall profiles.

Expected behavior

The check should evaluate the effective firewall state.

On systems where the firewall is managed by Group Policy, the effective state can be retrieved with:

Get-NetFirewallProfile -PolicyStore ActiveStore

Expected result:

Domain  Enabled
Private Enabled
Public  Enabled

The check should return OK when the effective firewall state is enabled.
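The following is an added example, not code from the icinga-powershell-plugins project, showing how a check could read the effective state from the ActiveStore (which merges local and GPO policy) instead of the default persistent store, and treat only a literal True as enabled. The function name and the fallback to the default store are assumptions for illustration.

```powershell
# Added example (hypothetical helper, not the plugin's own code): read the
# effective Windows Firewall profile state from the ActiveStore, the store that
# reflects what Group Policy actually applied on the host.
function Get-EffectiveFirewallProfileState {
    param(
        [string[]]$FirewallProfile = @('Domain', 'Private', 'Public')
    )

    $Result = @()
    foreach ($SingleProfile in $FirewallProfile) {
        # ActiveStore holds the merged local + GPO policy; the default store
        # only holds the local persistent settings and shows NotConfigured
        # when the value is set by GPO (the behaviour reported in this issue).
        $FwProfile = Get-NetFirewallProfile -Name $SingleProfile `
            -PolicyStore ActiveStore -ErrorAction SilentlyContinue

        if ($null -eq $FwProfile) {
            # Assumed fallback: if the ActiveStore query fails, read the
            # default store so the check still produces a value.
            $FwProfile = Get-NetFirewallProfile -Name $SingleProfile `
                -ErrorAction SilentlyContinue
        }

        $Enabled = if ($null -ne $FwProfile) { [string]$FwProfile.Enabled } else { 'Unknown' }

        $Result += [PSCustomObject]@{
            Name      = $SingleProfile
            Enabled   = $Enabled
            # Only 'True' counts as enabled. 'NotConfigured' and 'Unknown' are
            # deliberately not treated as OK: neither proves the firewall is on.
            IsEnabled = ($Enabled -eq 'True')
        }
    }
    return $Result
}

# Evaluate like the plugin's -Enabled threshold: any profile that is not
# enabled makes the overall result CRITICAL (exit code 2), otherwise OK (0).
$States = Get-EffectiveFirewallProfileState
$States | Format-Table Name, Enabled, IsEnabled -AutoSize
if ($States | Where-Object { -not $_.IsEnabled }) { exit 2 } else { exit 0 }
```

On the GPO-managed Windows Server 2025 host described above this returns True for all three profiles, whereas the same function without -PolicyStore ActiveStore would return NotConfigured.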

Your Environment

  • Version used (icinga2 --version):
    Icinga Master: r2.16.1-1
    Windows Agent: v2.16.1
    icinga-powershell-framework: 1.14.2
    icinga-powershell-plugins: 1.14.1

  • Operating System and version:
    Icinga Master: Debian 12
    Windows Server 2025 OsBuildNumber: 26100
