Windows Firewall Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Windows Firewall Tools

  • Windows Firewall Group Policy Settings

  • Windows Firewall Automated Installation Tools and Settings

  • Windows Firewall Scripting Reference

  • Netsh Commands for Windows Firewall

  • Windows Firewall Log File and Security Log Settings

Windows Firewall Tools

The following tools are associated with Windows Firewall.

Firewall.cpl: Windows Firewall Control Panel Tool

Category

Control Panel tool included in the operating system.

Version compatibility

Available on Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1).

You can use Windows Firewall in Control Panel to configure Windows Firewall settings on a local computer. This includes enabling and disabling Windows Firewall, specifying the type of information that is written to the Windows Firewall log file, and configuring the way Windows Firewall handles network traffic to and from specific programs, services, and ports.

Gpedit.msc: Group Policy Object Editor

Category

Microsoft Management Console (MMC) snap-in included in the operating system.

Version compatibility

Available on Windows 2000, Windows XP, and Windows Server 2003.

You can use the Group Policy Object Editor to configure Windows Firewall Group Policy settings. Windows Firewall Group Policy settings are configured on a per-computer basis and are stored in Administrative Templates (.adm files). You can configure Windows Firewall Group Policy settings on a local Group Policy object (GPO) or an Active Directory GPO. Group Policy settings that are configured on a local GPO are applied to the local computer only. Group Policy settings that are configured on an Active Directory GPO can be linked to an Active Directory container, such as a domain, organizational unit, or site.

Gpmc.msc: Group Policy Management Console

Category

MMC snap-in included in the operating system.

Version compatibility

Available on Windows XP with SP2 and Windows Server 2003 with SP1. Also available for download for Windows XP with SP1 and Windows Server 2003.

You can use the Group Policy Management Console (GPMC) to manage GPOs that contain Group Policy settings for Windows Firewall. This includes managing GPOs for multiple domains and sites within one or more forests. This snap-in uses a simplified user interface (UI) with drag-and-drop support. It can be used to perform many other administrative tasks, such as backup, restore, import, copy, and reporting of GPOs.

Netsh.exe: Netsh

Category

Command-line tool included in the operating system.

Version compatibility

Runs on Windows XP and the Windows Server 2003 family.

You can use the Netsh Firewall context to monitor and configure Windows Firewall settings. Several new commands have been added to the Netsh Firewall context for Windows Server 2003 with SP1. The new commands correspond to new Windows Firewall configuration settings.

You can also use Netsh to apply Windows Firewall settings that are stored in a Netfw.inf file. For more information, see “Windows Firewall Netfw.inf Settings” later in this section.

Windows Firewall Group Policy Settings

If your organization uses Group Policy, use the Windows Firewall Group Policy settings to configure Windows Firewall. The Group Policy Object Editor (Gpedit.msc) provides access to the Windows Firewall settings. The settings are stored within the Group Policy Object Editor at Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall.

The following table lists the Windows Firewall Group Policy settings:

Setting Description

Windows Firewall: Allow authenticated IPSec bypass

Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport.

Windows Firewall: Protect all network connections

Turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows Server 2003 with SP1.

Windows Firewall: Do not allow exceptions

Specifies that Windows Firewall blocks all unsolicited incoming messages. This Group Policy setting overrides all other Windows Firewall settings that allow such messages.

Windows Firewall: Define program exceptions

Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.

Windows Firewall: Allow local program exceptions

Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list.

Windows Firewall: Allow remote administration exception

Allows remote administration of this computer using administrative tools such as MMC and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.

Windows Firewall: Allow file and printer sharing exception

Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.

Windows Firewall: Allow ICMP exceptions

Defines the set of Internet Control Message Protocol (ICMP) message types allowed by Windows Firewall. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you do not enable the “Allow inbound echo request” message type, Windows Firewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages sent by Ping running on this computer.

Windows Firewall: Allow Remote Desktop exception

Allows this computer to receive Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389.

Windows Firewall: Allow UPnP framework exception

Allows this computer to receive unsolicited UPnP messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900.

Windows Firewall: Prohibit notifications

Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list.

Windows Firewall: Allow logging

Allows Windows Firewall to record information about the unsolicited incoming messages that it receives.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.

Windows Firewall: Define port exceptions

Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.

Windows Firewall: Allow local port exceptions

Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list.

Windows Firewall Automated Installation Tools and Settings

There are two automated installation technologies that you can use to deploy or configure Windows Firewall. One technology uses an information file known as Netfw.inf to automate the configuration of Windows Firewall settings. The other technology uses an unattended installation answer file to automate the configuration of Windows Firewall settings.

Windows Firewall Netfw.inf Settings

You can use the Windows Firewall information file (Netfw.inf) to deploy Windows Firewall in a corporate environment; however, this automated installation technology is typically used by OEMs to configure new computers in a manufacturing environment.

The Netfw.inf file configures Windows Firewall by modifying registry settings. To configure a Netfw.inf file, you must use standard .inf file structure and syntax.

The Netfw.inf file is found in the following location: %windir%\Inf\Netfw.inf.

Note

When you restore Windows Firewall default settings, the settings that are specified in Netfw.inf are reapplied to your computer and all existing settings are deleted.

The following is an example of a Netfw.inf file:

[version]
Signature = "$Windows NT$"
DriverVer = MM/DD/YYYY,1.2.3456.7890

[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]

[ICF.AddReg.StandardProfile]

Note

The first two sections contain version and configuration information and do not need to be modified. The sections that require modification are [ICF.AddReg.DomainProfile] and [ICF.AddReg.StandardProfile].

[ICF.AddReg.DomainProfile]

This section is used for defining changes to Windows Firewall’s default configuration when a computer is connected to a network that contains its domain.

[ICF.AddReg.StandardProfile]

This section is used for defining changes to Windows Firewall’s default configuration when a computer is not connected to a network that contains its domain. If a computer is not a member of a domain, then Windows Firewall will always enforce the configuration stored in the standard profile.

Configuration Options

The following settings can be defined in the Windows Firewall Netfw.inf file:

  • Operational mode

  • Disable notifications

  • Block unicast responses to multicast and broadcast packets

  • Enable remote administration

  • Allow ICMP messages

  • Open ports

  • Allow programs

Note

All of the settings defined in the Windows Firewall Netfw.inf file will be applied to all of the computer’s network interfaces; you cannot use the Netfw.inf file to open ports or allow ICMP messages for individual interfaces. In addition, you cannot use the Netfw.inf file to define logging settings.

Operational Mode

Windows Firewall can be placed in one of the three operational modes by adding the following entries to the Netfw.inf file:

Mode Section Entry

On

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile",
"DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile",
"EnableFirewall",0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile",
"DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile",
"EnableFirewall",
0x00010001,0x00000001

Off

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile",
"DoNotAllowExceptions",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile",
"EnableFirewall",0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile",
"DoNotAllowExceptions",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile",
"EnableFirewall",0x00010001,1

Off with no excep-tions

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile",
"DoNotAllowExceptions", 0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile",
"EnableFirewall",0x00010001,0

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile",
"DoNotAllowExceptions",0x00010001,0
HKLM,"SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile",
"EnableFirewall",0x00010001,0
Disable Notifications

Add the following entries to the Windows Firewall Netfw.inf file to disable notifications:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile","DisableNotifications",
0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile","DisableNotifications",
0x00010001,1
Block Unicast Responses to Multicast and Broadcast Packets

Add the following entries to the Windows Firewall Netfw.inf file to disable unicast responses to multicast and broadcast packets:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile",
"DisableUnicastResponsesToMulticastBroadcast",
0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile",
"DisableUnicastResponsesToMulticastBroadcast",
0x00010001,1
Enable Remote Administration

Add the following entries to the Windows Firewall Netfw.inf file to enable remote administration:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile\RemoteAdminSettings",
"Enabled",0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile\RemoteAdminSettings",
"Enabled",0x00010001,1

Add the following entries to the Windows Firewall Netfw.inf file to define the default scope for remote administration:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile\RemoteAdminSettings",
"RemoteAddresses",0x00000000,scope

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile\RemoteAdminSettings",
"RemoteAddresses",0x00000000,scope
Scope Definition

You can define the set of IP addresses from which unsolicited incoming traffic is allowed when you enable remote administration, open a port, or allow a program. This set of IP addresses from which unsolicited incoming traffic is allowed is referred to as the scope of the exception. There are three options when defining the scope for a Windows Firewall exception:

  • All IP Addresses – This is the default scope for a Windows Firewall exception and it allows unsolicited incoming traffic that matches the exception from any computer. In the Windows Firewall Netfw.inf file, making an entry’s scope element an asterisk ("*") will result in a scope of all IP addresses for the entry.

  • Local Subnet Only – This scope allows unsolicited incoming traffic that matches the exception from any computer on the same subnet as the network connection on which the traffic was received through Windows Firewall, while dropping unsolicited incoming traffic from all other computers. When a computer’s subnet changes, the set of allowed IP addresses dynamically changes to match the new subnet. In the Windows Firewall Netfw.inf file, making an entry’s scope element LocalSubnet will result in a local subnet only scope for the entry.

  • Custom – This scope is a list of IPv4 addresses and address ranges that typically correspond to subnets. Unsolicited incoming traffic that matches the exception and originates from a computer with an IPv4 address in the defined list is allowed through Windows Firewall. Unsolicited incoming traffic from computers with IPv4 addresses that are not in the list is dropped. A custom scope can include the local subnet (using the LocalSubnet string), IPv4 addresses, and IPv4 address ranges, but cannot include IPv6 addresses or IPv6 address ranges. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length (w.x.y.z/n). When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24).

Note

Do not use spaces between the entries in the list of sources or the entire list will be ignored and Windows Firewall will use the default scope of any source IPv4 address.

Allow ICMP Messages

Add the following entries to the Windows Firewall Netfw.inf file to allow certain ICMP messages:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile\IcmpSettings",
"ICMP Message Type",0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile\IcmpSettings",
"ICMP Message Type",0x00010001,1

The following table lists the permitted values for certain ICMP message types:

ICMP Message Type Number Description

AllowOutboundPacketTooBig

2

When an IPv6 packet is too large to be forwarded, data will be dropped and a computer will reply to the sender with a “Packet Too Big” message.

AllowOutboundDestinationUnreachable

3

Data that fails to reach this computer due to an error will be discarded and reported with a “Destination Unreachable” message that explains the failure.

AllowOutboundSourceQuench

4

When the rate of a transmission exceeds a computer’s ability to process incoming data, data will be dropped and the sender will be asked to transmit more slowly.

AllowRedirect

5

Data sent from a computer will be rerouted.

AllowInboundEchoRequest

8

Messages sent to a computer will be repeated back to the sender. This is commonly used for troubleshooting (for example, to ping a computer).

AllowInboundRouterRequest

10

A computer will respond to router discovery messages.

AllowOutboundTimeExceeded

11

When a computer discards a packet because its hop count was exceeded or it ran out of time to assemble fragments of a packet, it will reply to the sender with a “Time Exceeded” message.

AllowOutboundParameterProblem

12

When a computer discards data it has received due to a problematic header, it will reply to the sender with a “Parameter Problem” error message.

AllowInboundTimestampRequest

13

Data sent to a computer can be responded to with a confirmation message indicating the time that the data was received.

AllowInboundMaskRequest

17

A computer will listen for and respond to requests for a network subnet mask.

Open Ports

Add the following entries to the Windows Firewall Netfw.inf file to add static ports to the exceptions list:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile\GloballyOpenPorts\List",
"port number:protocol",0x00000000,
"port number:protocol:scope:mode:port’s
friendly name"

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile\GloballyOpenPorts\List",
"port number:protocol",0x00000000,"port
number:protocol:scope:mode:port’s
friendly name"

In the two preceding entries, the following elements must be defined:

  • Port Number – A port is specified by the combination of a protocol and a port number. The port number must be between 1 and 65535, inclusively.

  • Protocol – A protocol is specified by the combination of a protocol and a port number. The protocol must be either TCP or UDP.

  • Scope – See “Scope Definition” earlier in this section.

  • Mode – The two permitted values for this element are enabled and disabled. If a port’s entry is enabled, the port is statically opened in Windows Firewall. If a port’s entry is disabled, the port is not statically opened in Windows Firewall.

  • Port’s Friendly Name – This is the description that will be used to represent the entry in Windows Firewall in Control Panel. It should provide an indication of why the port is statically opened, such as “Web Server (TCP 80)” or “Telnet Server (TCP 23).”

Allow Programs

Add the following entries to the Windows Firewall Netfw.inf file to add programs to the exceptions list:

Section Entry

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
DomainProfile\AuthorizedApplications\List",
"program’s image path",0x00000000,
”program’s image path:scope:mode:program’s
friendly name”

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List",
"program’s image path",0x00000000,
”program’s image path:scope:mode:program’s
friendly name”

In the two preceding entries, the following elements must be defined:

Program’s Image Path – This is the fully qualified path for the file to be added to Windows Firewall’s default exception list. It may include environmental variables, such as %ProgramFiles%.

Scope – See “Scope Definition” earlier in this section.

Mode –The two permitted values for this element are enabled and disabled. If a program’s entry is enabled, ports for the program are dynamically opened in Windows Firewall. If a program’s entry is disabled, ports for the program are not dynamically opened in Windows Firewall.

Program’s Friendly Name – This is the name that will be used to represent the entry in the Windows Firewall user interface. It should include the product name and publisher, such as MSN Messenger version 6.1.

Windows Firewall Unattended Installation

You can use an unattended installation answer file, such as Unattend.txt, to automate the configuration of Windows Firewall settings during an unattended installation. Unattended installation is typically used in a corporate environment when you are configuring new computers or deploying a new operating system.

To configure Windows Firewall settings during an unattended installation, you must include the [WindowsFirewall] section along with one or more of the following user-defined sections in your answer file:

  • [WindowsFirewall.profile_name]

  • [WindowsFirewall.program_name]

  • [WindowsFirewall.service_name]

  • [WindowsFirewall.portopening_name]

  • [WindowsFirewall.icmpsetting_name]

Important

Applications that are not already installed cannot be added using unattended setup. You must use Netfw.inf to add applications.

Note

When you restore Windows Firewall default settings, any settings that you specified in an answer file are deleted and are not restored. To restore the Windows Firewall settings that you configured during installation with an answer file, you must configure the settings manually.

[WindowsFirewall]

The [WindowsFirewall] section contains entries for specifying the log file settings and which user-defined profiles to use.

The [WindowsFirewall] section contains the following entries:

Entry Description

Profiles

Specifies the names of the user-defined profiles to use for configuring Windows Firewall (domain, standard, or both domain and standard).

LogFile

Specifies the location and file name of the Windows Firewall log file. By default, the log file is named Pfirewall.log.

LogSize

Specifies the maximum size of the Windows Firewall log file.

LogDroppedPackets

Specifies whether to log dropped packets to the Windows Firewall log file.

LogConnections

Specifies whether to log connections to the Windows Firewall log file.

[WindowsFirewall.profile_name]

The [WindowsFirewall.profile_name] section is a user-defined section that is referenced by the [WindowsFirewall] section to make changes to Windows Firewall's default configuration.

The [WindowsFirewall.profile_name] section contains the following entries:

Entry Description

Type

Specifies the type of profile to use for changing the default configuration of Windows Firewall.

Mode

Specifies whether to enable or disable Windows Firewall.

Exceptions

Specifies whether to enable or disable the Windows Firewall exceptions list.

Notifications

Specifies whether to enable or disable notifications.

MulticastBroadcastResponse

Specifies whether to enable or disable multicast and broadcast packets.

AllowedPrograms

Specifies a list of programs that will not be blocked by Windows Firewall.

Services

Specifies a list of services that will not be blocked by Windows Firewall.

PortOpenings

Specifies a list of open ports that will not be blocked by Windows Firewall.

IcmpSettings

Specifies a list of ICMP message types that will not be blocked by Windows Firewall.

[WindowsFirewall.program_name]

The [WindowsFirewall.program_name] section is a user-defined section that can be used to add programs to the Windows Firewall exceptions list.

The [WindowsFirewall.program_name] section contains the following entries:

Entry Description

Program

Specifies the path of a program to be added to the exceptions list. This is a required entry.

Name

Specifies the name of a program to be added to the exceptions list. This is a required entry.

Mode

Specifies whether to enable or disable an entry in the exceptions list.

Scope

Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified exception (program, service). Mode must be set to 1 (on).

Addresses

Specifies the addresses for an entry in the exceptions list.

[WindowsFirewall.service_name]

Windows Firewall opens static ports used by services in the exceptions list of the current profile. Only services that actually require unsolicited, incoming traffic should be added to the exceptions list. You must add the [WindowsFirewall.service_name] section in the [WindowsFirewall.profile_name] section.

The [WindowsFirewall.service_name] section contains the following entries:

Entry Description

Type

Specifies the type of service to use for changing the default configuration of Windows Firewall.

Mode

Specifies whether to enable or disable an entry in the exceptions lists.

Scope

Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified exception. The value of the Mode entry must equal 1 (on).

Addresses

Specifies the addresses for an entry in the exceptions list.

[WindowsFirewall.portopening_name]

A static port may need to be opened for a Windows service to receive unsolicited, incoming traffic. To support these scenarios, you can add static ports to the Windows Firewall exceptions list by using the [WindowsFirewall.portopening_name] section. You must add this section to the [WindowsFirewall.profile_name] section.

The [WindowsFirewall.portopening_name] section contains the following entries:

Entry Description

Protocol

Specifies the protocol of a port. The protocol must be either TCP or UDP.

Port

Specifies the port number. The port number must be between 1 and 65535, inclusive.

Name

Specifies the friendly name of a port to be added to the exceptions list. This descriptive name is used to represent the entry for Windows Firewall in Control Panel.

Mode

Specifies whether to enable or disable an entry in the exceptions list.

Scope

Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified exception. The value of the Mode entry must equal 1 (on).

Addresses

Specifies the addresses for an entry in the exceptions list.

[WindowsFirewall.icmpsetting_name]

The default configuration for Windows Firewall blocks all ICMP message types; however, you can modify this behavior by adding entries to the Windows Firewall exceptions list that enable certain ICMP message types. You must include the [WindowsFirewall.icmpsetting_name] section in the [WindowsFirewall.profile_name] section.

The [WindowsFirewall.icmpsetting_name] section contains the following entries:

Entry Description

Type

Specifies the type of ICMP message to enable.

Mode

Specifies whether to enable or disable the ICMP message type.

Windows Firewall Scripting Reference

This section describes the methods and properties associated with Windows Firewall scripting. You can use them in a script, such as Microsoft Visual Basic Scripting Edition (VBScript) or JScript, to configure Windows Firewall settings. All of these methods and properties are implemented in the Hnetcfg.dll. They are grouped in this section according to the following categories:

  • Policy

  • Profile

  • Remote administration

  • ICMP

  • Port

  • Application

  • Service

Policy

The following table lists the scripting properties used to access a Windows Firewall policy:

Property Description

LocalPolicy

A read-only element that accesses the local firewall policy. This property is retrieved through the HNetCfg.FwMgr COM Object.

Profile

The following table lists the scripting methods and properties used to access and configure a Windows Firewall profile:

Method or Property Description

AuthorizedApplications

A read-only element that accesses the collection of authorized applications in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

CurrentProfile

A read-only element that accesses the current Windows Firewall profile. This property is retrieved through the HNetCfg.FwMgr COM Object (LocalPolicy property).

CurrentProfileType

A read-only element that accesses the type of Windows Firewall profile currently in effect. This property is retrieved through the HNetCfg.FwMgr COM Object.

ExceptionsNotAllowed

A read-write element that accesses a Boolean value which is TRUE if Windows Firewall should not allow exceptions. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

FirewallEnabled

A read-write element that accesses a Boolean value which is TRUE if Windows Firewall is enabled. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

GetProfileByType

Gets the Windows Firewall profile of the requested type. This method is retrieved through the HNetCfg.FwMgr COM Object (LocalPolicy property).

GloballyOpenPorts

A read-only element that accesses the collection of globally-opened ports in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

IcmpSettings

A read-only element that accesses the ICMP settings in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

NotificationsDisabled

A read-write element that accesses a Boolean value which is TRUE if interactive notifications are disabled. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

RemoteAdminSettings

Accesses the object that contains the remote administration settings. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

Services

A read-only element that accesses the collection of services in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

Type

A read-only element that accesses the type of a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

UnicastResponsesToMulticastBroadcastDisabled

A read-write element that accesses a Boolean value which is TRUE if Windows Firewall should not allow unicast responses to multicast and broadcast traffic. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

Remote Administration

The following table lists the scripting properties used to access the settings that control remote administration:

Property Description

Enabled

A read-write element that accesses a Boolean value which is TRUE if the settings controlling remote administration are currently enabled. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property).

IpVersion

A read-write element that accesses the IP version for which remote administration is authorized. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property).

RemoteAddresses

Accesses the set of remote addresses from which remote administration is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property).

Scope

A read-write element that controls the network scope from which remote administration is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property).

ICMP

The following table lists the scripting methods and properties used to access and configure the settings controlling ICMP packets:

Method or Property Description

AllowInboundEchoRequest

A read-write element that accesses a Boolean value which is TRUE if InboundEchoRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowInboundMaskRequest

A read-write element that accesses a Boolean value which is TRUE if InboundMaskRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowInboundRouterRequest

A read-write element that accesses a Boolean value which is TRUE if InboundRouterRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowInboundTimestampRequest

A read-write element that accesses a Boolean value which is TRUE if InboundTimestampRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowOutboundDestinationUnreachable

A read-write element that accesses a Boolean value which is TRUE if OutboundDestinationUnreachable is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowOutboundPacketTooBig

A read-write element that accesses a Boolean value which is TRUE if OutboundPacketTooBig is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowOutboundParameterProblem

A read-write element that accesses a Boolean value which is TRUE if OutboundParameterProblem is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowOutboundSourceQuench

A read-write element that accesses a Boolean value which is TRUE if OutboundSourceQuench is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowOutboundTimeExceeded

A read-write element that accesses a Boolean value which is TRUE if OutboundTimeExceeded is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

AllowRedirect

A read-write element that accesses a Boolean value which is TRUE if Redirect is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property).

IsIcmpTypeAllowed

Determines whether the specified ICMP type is allowed. This method is retrieved through the HNetCfg.FwMgr COM Object.

Note

All of the methods and properties associated with ICMP are common to both IPv4 and IPv6.

Port

The following table lists the scripting methods and properties used to access and configure a port that has been opened in Windows Firewall:

Method or Property Description

_NewEnum

Returns an object supporting IEnumVARIANT that can be used to iterate through all the ports in a collection. This property is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property].

Add

Adds a new port to a collection. This method is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property].

BuiltIn

A read-only element that accesses a Boolean value which is TRUE if a port is defined by the system. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

Count

A read-only element yielding the number of items in a collection of ports. This property is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property].

Enabled

A read-write element that accesses a Boolean value which is TRUE if the settings for a port are currently enabled. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

IpVersion

A read-write element that accesses the IP version of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

IsPortAllowed

Determines whether an application can listen for inbound traffic on a specified port. This method is retrieved through the HNetCfg.FwMgr COM Object.

Item

Returns a specified port if it is within a collection. This method is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property].

Name

A read-write element that accesses the friendly name of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

Port

A read-write element that accesses the port number of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

Protocol

A read-write element that accesses the protocol type setting of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

RemoteAddresses

Accesses a set of remote addresses from which a port can listen for traffic. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

Remove

Removes a port from a collection. This method is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property].

Scope

A read-write element that controls the network scope from which a port can listen for traffic. This property is retrieved through the HNetCfg.FWOpenPort COM Object.

Application

The following table lists and gives a short description of the scripting methods and properties used to access and configure an application that has been added to the Windows Firewall exceptions list.

Method or Property Description

_NewEnum

Returns an object supporting IEnumVARIANT that can be used to iterate through all the applications in a collection. This property is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property).

Add

Adds a new application to a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property).

Count

A read-only element yielding the number of items in a collection of applications. This property is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property).

Enabled

A read-write element that accesses a Boolean value which is TRUE if the settings for an application are currently enabled. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object.

IpVersion

A read-write element that accesses the IP version for an application. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object.

IsPortAllowed

Determines whether an application can listen for inbound traffic on a specified port. This method is retrieved through the HNetCfg.FwMgr COM Object.

Item

Returns a specified application if it is within a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property).

Name

A read-write element that accesses the friendly name of an application. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object.

ProcessImageFileName

A read-write element that accesses the process image file name of an application. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object.

RemoteAddresses

Accesses the set of remote addresses from which an application can listen for traffic. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object.

Remove

Removes an application from a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property).

Scope

A read-write element that controls the network scope from which an application can listen for traffic. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object.

Service

The following table lists the scripting methods and properties used to access and configure a service that has been authorized to listen through Windows Firewall:

Method or Property Description

_NewEnum

Returns an object supporting IEnumVARIANT that can be used to iterate through all the services in a collection. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Count

A read-only element yielding the number of items in a collection of services. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Customized

A read-only element that indicates whether at least one of the ports associated with a service has been customized. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Enabled

A read-write element that accesses a Boolean value which is TRUE if all ports associated with the service are enabled. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

GloballyOpenPorts

A read-only element that accesses the collection of globally-opened ports associated with a service. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Item

Returns a specified service if it is within a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Name

A read-only element that accesses the friendly name of a service. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

RemoteAddresses

Accesses the set of remote addresses from which a service can listen for traffic. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Scope

A read-write element that controls the network scope from which a service can listen. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

Services

A read-only element that accesses the collection of services in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method).

Type

A read-only element that accesses the type of a service. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property).

For more information about Windows Firewall interfaces, see MSDN.

Netsh Commands for Windows Firewall

You can run these commands from the Windows Server 2003 family command prompt or from the command prompt for the netsh firewall context. For these commands to work at the Windows Server 2003 family command prompt, you must type netsh firewall before typing commands and parameters as they appear in the following syntax. There might be functional differences between netsh context commands on Windows 2000 and the Windows Server 2003 family.

You cannot use the netsh firewall commands to remotely configure Windows Firewall settings, and you cannot use the dump command to create a script based on the current Windows Firewall configuration.

To view help for a command at the command prompt, type the following:

CommandName**/?**

where CommandName is the name of the command.

  • add allowedprogram

  • add portopening

  • delete allowedprogram

  • delete portopening

  • set allowedprogram

  • set icmpsetting

  • set logging

  • set multicastbroadcastresponse

  • set notifications

  • set opmode

  • set portopening

  • set service

  • show (all commands)

add allowedprogram

The add allowedprogram command is used to add a program-based exception.

Syntax

add allowedprogram [[program =] path] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]

Parameters
  • [[program =] path] Specifies the path and file name of a program to be added to the exceptions list. This is a required entry.
  • [[name =] name] Specifies the name of a program to be added to the exceptions list. This is a required entry.
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable a program. This is an optional entry.
    • ENABLE - Allow through Windows Firewall (default).

    • DISABLE - Do not allow through Windows Firewall.

  • [[scope =] {ALL|SUBNET|CUSTOM}] Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified program. This is an optional entry.
    • ALL - Allow all traffic through Windows Firewall (default).

    • SUBNET - Allow only local network (subnet) traffic through Windows Firewall.

    • CUSTOM - Allow only specified traffic through Windows Firewall.

  • [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

Remarks

scope must be CUSTOM to specify addresses.

Examples

The following examples show how the add allowedprogram command and preceding parameters can be used to add a program-based exception:

add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE

add allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE

add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLED

add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE

add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

add portopening

The add portopening command is used to create a port-based exception.

Syntax

add portopening [[protocol =] {TCP|UDP|ALL}] [[port =] 1-65535] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]

Parameters
  • [[protocol =] {TCP|UDP|ALL}] Specifies the protocol of a port. The protocol must be TCP, UDP, or all. This is a required entry.
    • TCP - Transmission Control Protocol (TCP).

    • UDP - User Datagram Protocol (UDP).

    • ALL - All protocols.

  • [[port =] 1-65535**]** Specifies the port number. The port number must be between 1 and 65535, inclusive. This is a required entry.
  • [[name =] name] Specifies the friendly name of a port to be added to the exceptions list. This descriptive name is used to represent the entry for Windows Firewall in Control Panel. This is a required entry.
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable a port in the exceptions lists. This is an optional entry.
    • ENABLE - Allow through Windows Firewall (default).

    • DISABLE - Do not allow through Windows Firewall.

  • [[scope =] {ALL|SUBNET|CUSTOM}] Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified port. This is an optional entry.
    • ALL - Allow all traffic through Windows Firewall (default).

    • SUBNET - Allow only local network (subnet) traffic through Windows Firewall.

    • CUSTOM - Allow only specified traffic through Windows Firewall.

  • [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

  • [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks

profile and interface cannot be specified together; scope and interface cannot be specified together. scope must be CUSTOM to specify addresses.

Examples

The following examples show how the add portopening command and preceding parameters can be used to create a port-based exception:

add portopening TCP 80MyWebPort

add portopening UDP 500IKE ENABLE ALL

add portopening ALL 53DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

add portopening protocol = TCP port = 80name = MyWebPort

add portopening protocol = UDP port = 500name = IKE mode = ENABLE scope = ALL

add portopening protocol = ALL port = 53name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

delete allowedprogram

The delete allowedprogram command is used to delete an existing program-based exception.

Syntax

delete allowedprogram [[program =] path [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]

Parameters
  • [[program =] path Specifies the path and file name of the program to be deleted from the exceptions list. This is a required entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used for configuring Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

Examples

The following examples show how the delete allowedprogram command and preceding parameters can be used to delete an existing program-based exception:

delete allowedprogram C:\MyApp\MyApp.exe

delete allowedprogram program = C:\MyApp\MyApp.exe

delete portopening

The delete portopening command is used to delete a port-based exception.

Syntax

delete portopening [[protocol =] {TCP|UDP|ALL}] [[port =] 1-65535] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]

Parameters
  • [[protocol =] {TCP|UDP|ALL}] Specifies the protocol of the port to be deleted from the exceptions list. The protocol must be TCP, UDP, or all. This is a required entry.
    • TCP - Transmission Control Protocol (TCP).

    • UDP - User Datagram Protocol (UDP).

    • ALL - All protocols.

  • [[port =] 1-65535**]** Specifies the number of the port to be deleted from the exceptions list. The port number must be between 1 and 65535, inclusive. This is a required entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used for configuring Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

  • [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks

profile and interface cannot be specified together.

Examples

The following examples show how the delete portopening command and preceding parameters can be used to delete a port-based exception:

delete portopening TCP 80

delete portopening UDP 500

delete portopening protocol = TCP port = 80

delete portopening protocol = UDP port = 500

set allowedprogram

The set allowedprogram command is used to modify the settings of a program-based exception.

Syntax

set allowedprogram [[program =] path] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]

Parameters
  • [[program =] path] Specifies the path and file name of a program to be added to the exceptions list. This is a required entry.
  • [[name =] name] Specifies the name of a program to be added to the exceptions list. This is a required entry.
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable a program. This is an optional entry.
    • ENABLE - Allow through Windows Firewall (default).

    • DISABLE - Do not allow through Windows Firewall.

  • [[scope =] {ALL|SUBNET|CUSTOM}] Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified program. This is an optional entry.
    • ALL - Allow all traffic through Windows Firewall (default).

    • SUBNET - Allow only local network (subnet) traffic through Windows Firewall.

    • CUSTOM - Allow only specified traffic through Windows Firewall.

  • [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

Remarks

scope must be CUSTOM to specify addresses.

Examples

The following examples show how the set allowedprogram command and preceding parameters can be used to modify the settings of a program-based exception:

set allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE

set allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE

set allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLED

set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE

set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

set icmpsetting

The set icmpsetting command is used to specify Internet Control Message Protocol (ICMP) traffic that has been added to the exceptions list.

Syntax

set icmpsetting [[type =] {2|3|4|5|8|9|11|12|13|17|ALL}] [[mode =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]

Parameters
  • [[type =] {2|3|4|5|8|9|11|12|13|17|ALL}] Specifies the type of ICMP message to enable. This is a required entry.
    • 2 - Allow outbound packet too big.

    • 3 - Allow outbound destination unreachable.

    • 4 - Allow outbound source quench.

    • 5 - Allow redirect.

    • 8 - Allow inbound echo request.

    • 9 - Allow inbound router request.

    • 11 - Allow outbound time exceeded.

    • 12 - Allow outbound parameter problem.

    • 13 - Allow inbound timestamp request.

    • 17 - Allow inbound mask request.

    • ALL - All types.

  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable the ICMP message type. This is an optional entry.
    • ENABLE - Allow through Windows Firewall (default).

    • DISABLE - Do not allow through Windows Firewall.

  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

  • [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks

profile and interface cannot be specified together; type 2 and interface cannot be specified together.

Examples

The following examples show how the set icmpsetting command and preceding parameters can be used to specify ICMP traffic that has been added to the exceptions list:

set icmpsetting 8

set icmpsetting 8ENABLE

set icmpsetting ALL DISABLE

set icmpsetting type = 8

set icmpsetting type = 8mode = ENABLE

set icmpsetting type = ALL mode = DISABLE

set logging

The set logging command is used to specify Windows Firewall logging options.

Syntax

set logging [[filelocation =] path] [[maxfilesize =] 1-32767] [[droppedpackets =] {ENABLE|DISABLE}] [[connections =] {ENABLE|DISABLE}]

Parameters
  • [[filelocation =] path] Specifies the location and file name of the Windows Firewall log file. By default, the log file is named Pfirewall.log. This is a required entry.
  • [[maxfilesize =] 1-32767**]** Specifies the maximum size (in kilobytes) of the Pfirewall.log file. This is an optional entry.
  • [[droppedpackets =] {ENABLE|DISABLE}] Specifies whether to log dropped packets to the Pfirewall.log file. This is an optional entry.
    • ENABLE - Log.

    • DISABLE - Do not log.

  • [[connections =] {ENABLE|DISABLE}] Specifies whether to log connections to the Pfirewall.log file. This is an optional entry.
    • ENABLE - Log.

    • DISABLE - Do not log.

Remarks

At least one parameter must be specified.

Examples

The following examples show how the set logging command and preceding parameters can be used to specify Windows Firewall logging options:

set logging %windir%\pfirewall.log 4096

set logging %windir%\pfirewall.log 4096ENABLE

set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096

set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096droppedpackets = ENABLE

set multicastbroadcastresponse

The set multicastbroadcastresponse command is used to specify the unicast response to a multicast or broadcast request.

Syntax

set multicastbroadcastresponse [[mode =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]

Parameters
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable multicast and broadcast packets. This is a required entry.
    • ENABLE - Allow responses to multicast/broadcast traffic through Windows Firewall.

    • DISABLE - Do not allow responses to multicast/broadcast traffic through Windows Firewall.

  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

Examples

The following examples show how the set multicastbroadcastresponse command and preceding parameters can be used to specify the unicast response to a multicast or broadcast request:

set multicastbroadcastresponse ENABLE

set multicastbroadcastresponse DISABLE

set multicastbroadcastresponse mode = ENABLE

set multicastbroadcastresponse mode = DISABLE

set notifications

The set notifications command is used to specify the behavior of Windows Firewall notifications.

Syntax

set notifications [[mode =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]

Parameters
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable notifications. This is a required entry. ENABLE - Allow notifications from Windows Firewall. DISABLE - Do not allow notifications from Windows Firewall.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

Examples

The following examples show how the set notifications command and preceding parameters can be used to specify the behavior of Windows Firewall notifications:

set notifications ENABLE

set notifications DISABLE

set notifications mode = ENABLE

set notifications mode = DISABLE

set opmode

The set opmode command is used to specify the operating mode of Windows Firewall, either globally or for a specific connection (interface).

Syntax

set opmode [[mode =] {ENABLE|DISABLE}] [[exceptions =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]

Parameters
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable Windows Firewall. This is a required entry. ENABLE - Enable Windows Firewall. DISABLE - Disable Windows Firewall.
  • [[exceptions =] {ENABLE|DISABLE}] Specifies whether to enable or disable the Windows Firewall exceptions list. This is a required entry. ENABLE - Enable the Windows Firewall exceptions list. DISABLE - Disable the Windows Firewall exceptions list.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

  • [[interface =] name] Interface name (optional).
Remarks

profile and interface cannot be specified together; exceptions and interface cannot be specified together.

Examples

The following examples show how the set opmode command and preceding parameters can be used to specify the operating mode of Windows Firewall:

set opmode ENABLE

set opmode ENABLE DISABLE

set opmode mode = ENABLE

set opmode mode = ENABLE exceptions = DISABLE

set portopening

The set portopening command is used to modify the settings of a port-based exception.

Syntax

set portopening [[protocol =] {TCP|UDP|ALL}] [[port =] 1-65535] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]

Parameters
  • [[protocol =] {TCP|UDP|ALL}] Specifies the protocol of a port. The protocol must be TCP, UDP, or all. This is a required entry.
    • TCP - Transmission Control Protocol (TCP).

    • UDP - User Datagram Protocol (UDP).

    • ALL - All protocols.

  • [[port =] 1-65535**]** Specifies the port number. The port number must be between 1 and 65535, inclusive. This is a required entry.
  • [[name =] name] Specifies the friendly name of a port to be added to the exceptions list. This descriptive name is used to represent the entry for Windows Firewall in Control Panel. This is a required entry.
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable a port in the exceptions lists. This is an optional entry.
    • ENABLE - Allow through Windows Firewall (default).

    • DISABLE - Do not allow through Windows Firewall.

  • [[scope =] {ALL|SUBNET|CUSTOM}] Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified port. This is an optional entry.
    • ALL - Allow all traffic through Windows Firewall (default).

    • SUBNET - Allow only local network (subnet) traffic through Windows Firewall.

    • CUSTOM - Allow only specified traffic through Windows Firewall.

  • [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

  • [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks

profile and interface cannot be specified together; scope and interface cannot be specified together. scope must be CUSTOM to specify addresses.

Examples

The following examples show how the set portopening command and preceding parameters can be used to modify the settings of a port-based exception:

set portopening TCP 80MyWebPort

set portopening UDP 500IKE ENABLE ALL

set portopening ALL 53DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

set portopening protocol = TCP port = 80name = MyWebPort

set portopening protocol = UDP port = 500name = IKE mode = ENABLE scope = ALL

set portopening protocol = ALL port = 53name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

set service

The set service command is used to enable or disable the predefined file and printer sharing, remote administration, Remote Desktop, and UPnP exceptions.

Syntax

set service [[type =] {FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL}] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]

Parameters
  • [[type =] {FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL}] Specifies the type of service to enable. This is a required entry. FILEANDPRINT - File and printer sharing. REMOTEADMIN - Remote administration. REMOTEDESKTOP - Remote assistance and remote desktop. UPNP - UPnP framework. ALL - All types.
  • [[mode =] {ENABLE|DISABLE}] Specifies whether to enable or disable a service. This is a required entry. ENABLE - Allow through Windows Firewall (default). DISABLE - Do not allow through Windows Firewall.
  • [[scope =] {ALL|SUBNET|CUSTOM}] Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified service. This is an optional entry.
    • ALL - Allow all traffic through Windows Firewall (default).

    • SUBNET - Allow only local network (subnet) traffic through Windows Firewall.

    • CUSTOM - Allow only specified traffic through Windows Firewall.

  • [[addresses =] addresses Specifies the custom scope addresses in the exceptions list. This is an optional entry.
  • [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
    • CURRENT - Current profile (default).

    • DOMAIN - Domain profile.

    • STANDARD - Standard profile.

    • ALL - All profiles.

Remarks

scope is ignored if mode is DISABLE. scope must be CUSTOM to specify addresses.

Examples

The following examples show how the set service command and preceding parameters can be used to enable or disable the predefined service exceptions:

set service FILEANDPRINT

set service REMOTEADMIN ENABLE SUBNET

set service REMOTEDESKTOP ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

set service type = FILEANDPRINT

set service type = REMOTEADMIN mode = ENABLE scope = SUBNET

set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

show (all commands)

The following show commands are used to display the current configuration of Windows Firewall:

Command Description

show allowedprogram

Displays the programs that have been added to the exceptions list.

show config

Displays the local configuration information.

show currentprofile

Displays the current profile.

show icmpsetting

Displays the ICMP settings.

show logging

Displays the logging settings.

show multicastbroadcastresponse

Displays multicast or broadcast response settings.

show notifications

Displays the current settings for notifications.

show opmode

Displays the operational mode.

show portopening

Displays the ports that have been added to the exceptions list.

show service

Displays the services.

show state

Displays the current state information.

Remarks

To use the show command parameter, [[verbose =] {ENABLE|DISABLE}], to display more detailed information about the configuration, set the parameter to ENABLE. Verbose mode is disabled by default.

Examples

show state

show state verbose = ENABLE

Windows Firewall Log File and Security Log Settings

Windows Firewall records event data in two locations: the Event Viewer security log and the Windows Firewall log file. Event Viewer security log entries provide a record of Windows Firewall configuration changes, startup status, and behavior. The Windows Firewall log file entries provide a record of network traffic events, such as dropped packets and successful connections. Neither of the logging mechanisms provides intrusion detection or security breach alerting.

Security Log Entries

Windows Firewall writes entries to the security log when a computer is started and when a program or system service attempts to listen for unsolicited incoming traffic but is blocked. These entries provide information about the status and configuration of Windows Firewall, including information about the applications and ports that permit traffic through Windows Firewall. These entries also provide information about which ports and protocols a program or system services is trying to use so you can configure the necessary exceptions in Windows Firewall. These security log entries are viewed with Event Viewer, which can filter the entries by Event IDs. The Event IDs associated with Windows Firewall are in the range of 848 through 861.

Note

Windows Firewall events are written to the event log any time the Windows Firewall/Internet Connection Sharing service is running, even if Windows Firewall is turned off (disabled).

The following table lists the Event IDs associated with Windows Firewall:

Event ID Description

848

Displays the startup configuration of Windows Firewall.

849

Displays an application exception configuration.

850

Displays a port exception configuration.

851

Displays a change made to the application exceptions list.

852

Displays a change made to the application exceptions list.

853

Displays a change made to the Windows Firewall operation mode.

854

Displays a change made to Windows Firewall logging settings.

855

Displays a change made to ICMP settings.

856

Displays a change made to the Windows Firewall: Prohibit unicast response to multicast or broadcast requests Group Policy setting.

857

Displays a change made to the remote administration setting.

858

Displays Windows Firewall Group Policy settings have been applied.

859

Displays Windows Firewall Group Policy settings have been removed.

860

Displays a change made to a profile.

861

Displays an application or service attempting to listen for incoming traffic.

Event ID 848

The following table lists the entries associated with Event ID 848:

Entry Possible Values Notes

Group Policy applied

Yes/No

Specifies whether Group Policy is applied.

Profile used

Domain/Local

Specifies if the profile is from the domain or the local computer.

Interface

All interfaces/<interface name>

Specifies the network adapter (interface) to which the settings apply.

Operational mode

On/Off/On with no exceptions

Specifies which mode Windows Firewall is in.

File and Printer Sharing

Enabled/Disabled

Specifies whether File and Printer Sharing is enabled or disabled in the exceptions list.

Remote Desktop

Enabled/Disabled

Specifies whether Remote Desktop is enabled or disabled in the exceptions list.

UPnP Framework

Enabled/Disabled

Specifies whether UPnP is enabled or disabled in the exceptions list.

Allow remote administration

Enabled/Disabled

Specifies whether Remote Assistance is enabled or disabled in the exceptions list.

Allow unicast responses to multicast/broadcast traffic

Enabled/Disabled

Specifies whether Windows Firewall will allow unicast traffic that is in response to multicast or broadcast traffic through Windows Firewall.

Log dropped packets

Enabled/Disabled/“-”

Specifies the log file setting.

Log successful connections

Enabled/Disabled/“-”

Specifies the log file setting.

Allow incoming echo request

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow incoming timestamp request

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow incoming mask request

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow incoming router request

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow outgoing destination unreachable

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow outgoing source quench

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow outgoing parameter problem

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow outgoing time exceeded

Enabled/Disabled/“-”

Specifies the ICMP setting.

Allow redirect

Enabled/Disabled/“-”

Specifies the ICMP setting.

Note

The hyphen (“-”) is used to indicate that this setting has not been configured.

Event ID 849

The following table lists the entries associated with Event ID 849:

Entry Possible Values Notes

Policy origin

Local Policy/Group Policy

Specifies whether the application was added to the exceptions list through local policies or domain-wide Group Policy.

Profile used

Standard/Domain

Specifies the profile in which the application is listed as an exception.

Name

<file name>

Specifies the display name, if any, of the executable file.

Path

<path>

Specifies the path to the application.

State

Enabled/Disabled

Specifies whether the application is enabled or disabled in the exceptions list.

Scope

All interfaces/Local subnet/<custom scope>

Specifies the conditions under which the application is processed as an exception.

Event ID 850

The following table lists the entries associated with Event ID 850:

Entry Possible Values Notes

Policy origin

Local Policy/Group Policy

Specifies whether the port was added to the exceptions list through local policies or domain-wide Group Policy.

Profile used

Standard/Domain

Specifies the profile in which the port is listed as an exception.

Interface

All interfaces/<interface name>

Specifies the network adapter (interface) to which the settings apply.

Name

<name>

Specifies the name of the port.

Port number

<port number>

Specifies the number of the port.

Protocol

TCP/UDP

Specifies the protocol of the port.

State

Enabled/Disabled

Specifies whether the port is enabled or disabled in the exceptions list.

Scope

All interfaces/Local subnet/<custom scope>

Specifies the conditions under which the port is processed as an exception.

Event ID 851

The following table lists the entries associated with Event ID 851:

Entry Possible Values Notes

Policy origin

Local policy/Group Policy

Specifies whether the change was made through local policies or domain-wide Group Policy.

Profile changed

Standard/Domain

Specifies the profile in which the change occurred.

Change type

Add/Remove/Modify

Specifies whether the application was added or removed from the exceptions list, or whether exception list settings were modified for the application.

New Settings: Name

<name>

Specifies the new display name, if any, of the executable file.

New Settings: Path

<path>

Specifies the new path to the application.

New Settings: State

Enabled/Disabled

Specifies whether the application is currently enabled or disabled in the exceptions list.

New Settings: Scope

All interfaces/Local subnet/<custom scope>

Specifies the new conditions under which the application is processed as an exception.

Old Settings: Name

<name>

Specifies the old display name, if any, of the executable file.

Old Settings: Path

<path>

Specifies the old path to the application.

Old Settings: State

Enabled/Disabled

Specifies whether the application was previously enabled or disabled in the exceptions list.

Old Settings: Scope

All interfaces/Local subnet/<custom scope>

Specifies the old conditions under which the application was processed as an exception.

Event ID 852

The following table lists the entries associated with Event ID 852:

Entry Possible Values Notes

Policy origin

Local policy/Group Policy

Specifies whether the change was made through local policies or domain-wide Group Policy.

Profile changed

Standard/Domain

Specifies the profile in which the change occurred.

Change type

Add/Remove/Modify

Specifies whether the port was added or removed from the exceptions list, or whether exception list settings were modified for the port.

Interface

All interfaces/<interface name>

Specifies the network adapter (interface) to which the settings apply.

New Settings: Name

<name>

Specifies the new name of the port.

New Settings: Port number

<port number>

Specifies the new number of the port.

New Settings: Protocol

TCP/UDP

Specifies the new protocol of the port.

New Settings: State

Enabled/Disabled

Specifies whether the port is enabled or disabled in the exceptions list.

New Settings: Scope

All interfaces/Local subnet/<custom scope>

Specifies the new conditions under which the port is processed as an exception.

Old Settings: Name

<name>

Specifies the old name of the port.

Old Settings: Port number

<port number>

Specifies the old number of the port.

Old Settings: Protocol

TCP/UDP

Specifies the old protocol of the port.

Old Settings: State

Enabled/Disabled

Specifies whether the port was previously enabled or disabled in the exceptions list.

Event ID 853

The following table lists the entries associated with Event ID 853:

Entry Possible Values Notes

Policy origin

Local policy/Group Policy

Specifies whether the change was made through local policies or domain-wide Group Policy.

Profile changed

Standard/Domain

Specifies the profile in which the change occurred.

Interface

All interfaces/interface name

Specifies the network adapter (interface) to which the new setting applies.

New Setting: Operation mode

On/On with no exceptions/Off

Specifies which mode Windows Firewall is in currently.

Old Setting: Operation mode

On/On with no exceptions/Off

Specifies which mode Windows Firewall was in previously.

Event ID 854

The following table lists the entries associated with Event ID 854:

Entry Possible Values Notes

Policy origin

Local policy/Group Policy

Specifies whether the change was made through local policies or domain-wide Group Policy.

Profile changed

Standard/Domain

Specifies the profile in which the change occurred.

New Settings: Log dropped packets

Enabled/Disabled/“-”

Specifies the new log file setting.

New Settings: Log successful connections

Enabled/Disabled/“-”

Specifies the new log file setting.

Old Setting: Log dropped packets

Enabled/Disabled/“-”

Specifies the old log file setting.

Old Setting: Log successful connections

Enabled/Disabled/“-”

Specifies the old log file setting.

Note

The hyphen (“-”) is used to indicate that this setting has not been configured.

Event ID 855

The following table lists the entries associated with Event ID 855:

Entry Possible Values Notes

Policy origin

Local policy/Group Policy

Specifies whether the change was made through local policies or domain-wide Group Policy.

Profile changed

Standard/Domain

Specifies the profile in which the change occurred.

Interface

All interfaces/interface name

Specifies the network adapter (interface) to which the new setting applies.

New Setting: Allow incoming echo request

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow incoming timestamp request

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow incoming mask request

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow incoming router request

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow outgoing destination unreachable

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow outgoing source quench

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow outgoing parameter problem

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow outgoing time exceeded

Enabled/Disabled/“-”

Specifies the new ICMP setting.

New Setting: Allow redirect

Enabled/Disabled/“-”

Specifies the new ICMP setting.

Old Setting: Allow incoming echo request

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow incoming timestamp request

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow incoming mask request

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow incoming router request

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow outgoing destination unreachable

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow outgoing source quench

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow outgoing parameter problem

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow outgoing time exceeded

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Old Setting: Allow redirect

Enabled/Disabled/“-”

Specifies the old ICMP setting.

Note

The hyphen (“-”) is used to indicate that this setting has not been configured.

Event ID 856

The following table lists the entries associated with Event ID 856:

Entry Possible Values Notes

Unicast response to multicast broadcasts is

On/Off

Specifies whether the option is enabled or disabled.

Event ID 857

The following table lists the entries associated with Event ID 857:

Entry Possible Values Notes

Policy origin

Local policy/Group policy

Specifies whether the change was made through local policies or domain-wide Group Policy.

Profile changed

Standard/Domain

Specifies the profile in which the change occurred.

New setting: Allow remote administration

Enabled/Disabled

Specifies whether the option is enabled or disabled.

Old setting: Allow remote administration

Enabled/Disabled

Specifies whether the option is enabled or disabled.

Event ID 858

Note

There are no entries associated with Event ID 858.

Event ID 859

Note

There are no entries associated with Event ID 859.

Event ID 860

The following table lists the entries associated with Event ID 860:

Entry Possible Values Notes

Active profile

Standard/Domain

Specifies if the profile has switched from standard to domain, or vice versa.

Event ID 861

The following table lists the entries associated with Event ID 861:

Entry Possible Values Notes

Name

<name>

Specifies the name of the application or service.

Path

<path>

Specifies the path to the application or service.

Process identifier

<process identifier>

Specifies the identifier (label) used to determine the process involved in the listening activity.

User account

<user account>

Specifies the user's account.

User domain

<user domain>

Specifies the user's domain.

Service

Yes/No

Specifies whether the listener is a service.

RPC server

Yes/No

Specifies whether the listener is on an RPC server.

IP version

IPv4/IPv6

Specifies the IP version of the application or service.

IP protocol

TCP/UDP

Specifies the IP protocol being used by the application or service.

Port number

<port number>

Specifies the port being used by the application or service.

Allowed

Yes/No

Specifies if the application or service is allowed to listen for unsolicited incoming network traffic.

User notified

Yes/No

Specifies whether the user was notified of the listening activity.

Windows Firewall Log File Entries

When the Windows Firewall log file is enabled, Windows Firewall generates a plaintext security log file (Pfirewall.log), which is found in %Windir%\pfirewall.log. The security log has two sections: the header and the body.

The following table lists the entries contained in the header:

Item Description Example

#Version:

Displays which version of the Windows Firewall security log is installed.

1.5

#Software:

Displays the name of the security log.

Microsoft Windows Firewall

#Time:

Indicates that all of the timestamps in the log are in local time.

Local

#Fields:

Displays a static list of fields that are available for security log entries, if data is available. These fields are listed in the following table.

Note   The hyphen (-) is used for fields for which no information is available.

src-ip

The body is the report of information gathered about traffic or attempts to cross Windows Firewall. The body of the security log is a dynamic list; new entries appear at the bottom of the log.

The following table lists the information contained in the body of the log file:

Item Description Example

Date

Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the format:

YYYY-MM-DD

2001-01-27

Time

Displays the hour, minute, and seconds at which the recorded transaction occurred. Times are recorded in the format:

HH:MM:SS

21:36:59

Action

Displays which operation was observed by Windows Firewall. The options available are OPEN, OPEN-INBOUND, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but were not recorded in the log.

OPEN

Protocol

Displays the protocol that was used for the communication. The options available are TCP, UDP, ICMP, and a protocol number for packets that are not TCP, UDP, or ICMP.

TCP

src-ip

Displays the source IP address (the IP address of the computer attempting to establish communications).

192.168.0.1

dst-ip

Displays the destination IP address of a communication attempt.

192.168.0.1

src-port

Displays the source port number of the sending computer. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.

4039

dst-port

Displays the port number of the destination computer. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.

53

size

Displays the packet size, in bytes.

60

tcpflags

Displays the TCP control flags found in the TCP header of an IP packet:

  • Ack Acknowledgment field significant

  • Fin No more data from sender

  • Psh Push function

  • Rst Reset the connection

  • Syn Synchronize sequence numbers

Urg Urgent Pointer field significant

FAP

tcpsyn

Displays the TCP sequence number in the packet.

1315819770

tcpack

Displays the TCP acknowledgement number in the packet.

2515999782

tcpwin

Displays the TCP window size, in bytes, in the packet.

64240

icmptype

Displays a number that represents the Type field of the ICMP message.

8

icmpcode

Displays a number that represents the Code field of the ICMP message.

0

info

Displays an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action will result in an entry of the number of events that occurred but were not recorded in the log from the time of the last occurrence of this event type.

23

Path

Displays the direction of the communication. The options available are SEND, RECEIVE, FORWARD, and UNKNOWN.

RECEIVE