Netsh AdvFirewall Consec Commands

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Typing the command consec at the netsh advfirewall context changes to the netsh advfirewall consec context, where you can view, create, and modify connection security rules that specify how connections are protected by using IPsec. This context is the command-line equivalent to the Connection Security Rules node of the Windows Firewall with Advanced Security MMC snap-in.

To view the syntax of commands available in the Consec context, click a command:

  • dump

  • add

  • delete

  • set

  • show

dump

Important

This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error. When the dump command is used from the root context, no Windows Firewall or IPsec configuration information is included in the output.

add

In the netsh advfirewall consec context, the add command only has one variation, the add rule command.

add rule

Adds a connection security rule that defines IPsec requirements for network connections that matches the specified criteria.

Syntax

add rule

name = RuleName

endpoint1 = Addresses

endpoint2 = Addresses

action = { requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication }

description = DescriptionOfRule ]

mode = { transport | tunnel } ]

enable = { yes | no } ]

profile = { public | private | domain | any } [ , ...] ]

type = { dynamic | static } ]

localtunnelendpoint = { IPAddress | any } ]

remotetunnelendpoint = { IPAddress | any } ]

port1 = { any | Integer or Range } [ ,… ] ]

port2 = { any | Integer or Range } [ ,… ] ]

protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]

interfacetype = { any | wireless | lan | ras } ]

auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ , ...] } ]

auth1psk = PreSharedKey ]

[ **auth1ca = "**CAName [ **certmapping: **{ yes | no } ] [ excludecaname: yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

auth1healthcert = { yes | no } ]

[ **auth1ecdsap256ca = "**CAName [ **certmapping: **{ yes | no } ] [ excludecaname: yes | no } ] [ catype: { root | intermediate } [ | ... ]" ]

auth1ecdsap256healthcert = { yes | no } ]

[ **auth1ecdsap384ca = "**CAName [ **certmapping: **{ yes | no } ] [ excludecaname: yes | no } ] [ catype: { root | intermediate } [ | ... ]" ]

auth1ecdsap384healthcert = { yes | no } ]

auth2 = { userkerb | userntlm | usercert | computercert | computercertecdsap256 | computercertecdsap384 | usercertecdsap256 | usercertecdsap384 | anonymous | [ , ...] } ]

[ **auth2ca = "**CANamecertmapping: yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]

[ **auth2ecdsap256ca = "**CANamecertmapping: yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]

[ **auth2ecdsap384ca = "**CANamecertmapping: yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]

qmpfs = { dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]

qmsecmethods = [ authnoencap:integrity [ +Lifemin ] [ +datakb ] ; ] ah:Integrity+esp:Integrity-Encryption+[Lifemin]+[Datakb] | default ]

exemptipsecprotectedconnections = { yes | no } ]

applyauthz = { yes | no } ]

Parameters

  • ****name=RuleName
    Required. Specifies the name of this connection security rule. The name should be unique, and cannot be "all."
  • ****endpoint1=**Addresses **endpoint2=Addresses
    Required. Specifies the computers that are subject to the requirements of this rule. Computers that match endpoint1 can communicate with computers that match endpoint2 only when the requirements of this rule are satisfied. Endpoint1 and endpoint2 can be any of the following values:

    • any. Matches a computer with any IPv4 or IPv6 address.

    • localsubnet. Matches any computer that is on the same subnet as the local computer.

    • dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

    • IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for either endpoint1 or endpoint2 by separating them with a comma. Do not include any spaces in the completed comma separated text.

  • ****action = requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication }
    Required. Specifies whether authentication is requested or required for connections that match the rule. Action can be one of the following values:

    • requireinrequestout. Specifies that the local computer must successfully authenticate all inbound network connections that match this rule. If the authentication is not successful, then the inbound network traffic is discarded. The local computer attempts to authenticate any outbound network connections that match this rule, but allows the connection if the authentication attempt fails.

    • requestinrequestout. Specifies that the local computer attempts to authenticate any inbound or outbound network connection that matches this rule, but allows the connection if the authentication attempt fails.

    • requireinrequireout. Specifies that the local computer requires successful IPsec negotiation for all inbound and outbound network connections that match this rule. If an authentication attempt fails, then the network connection is prevented, and any related network traffic is discarded.

    • requireinclearout. Valid for tunnel mode rules only. Specifies that the local computer requires successful IPsec tunnel negotiation for all inbound network connections that match this rule, but permits outbound non-IPsec protected connections. Only new outbound connections are sent in clear text; replies to network traffic that arrived through the tunnel are sent back through the tunnel.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

  - **noauthentication.** Specifies that the local computer does not attempt authentication for any network connections that match this rule. This option is typically used to grant IPsec exemptions for network connections that do not need to be protected by IPsec, but would otherwise match other rules that could cause the connection to be dropped.  
      
  • **[ **description = DescriptionOfRule ]
    Provides information about the connection security rule.
  • **[ **mode = transport | tunnel } ]
    Specifies whether this connection security rule defines an IPsec transport mode connection, or an IPsec tunnel mode connection.

    If mode is not specified, the default is transport.

  • **[ **enable = yes | no } ]
    Specifies whether the rule is currently enabled.

    If enable is not specified, the default is yes.

  • **[ **profile = public | private | domain | any | [ ,... ] } ]
    Specifies the profile(s) to which the connection security rule is assigned. The rule is active on the local computer only when the specified profile is currently active.

    If profile is not specified, the default is any.

  • **[ **type = dynamic | static } ]
    Specifies how the rule is applied to the current session and whether the rule is stored. The value can be one of the following:

    • dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not stored in any policy container and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

    • static. The rule is stored in the policy container currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer. If the computer's local policy store is the active store, then the rule is immediately applied.

    If type is not specified, the default is static.

  • localtunnelendpoint = { IPAddress | any } ]
    Required and valid only if mode = tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint1 to computers that match endpoint2. The traffic is sent from this IP address to the device identified as the remotetunnelendpoint. This value must use the same type of IP address as the remotetunnelendpoint, either IPv4 or IPv6.

    In Windows 7 and Windows Server 2008 R2 only, this value can also be any. When applied to a client computer, this option supports connection via a tunnel to a remote gateway or host regardless of the IP address of the local computer.

  • remotetunnelendpoint = { IPAddress | any } ]
    Required and valid only if mode = tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint2 to computers that match endpoint1. The traffic is sent from this remote IP address to the local gateway identified as the localtunnelendpoint. This value must use the same type of IP address as the localtunnelendpoint, either IPv4 or IPv6.

    In Windows 7 and Windows Server 2008 R2 only, this value can also be any. When applied to a host or gateway computer, this option supports connection via a tunnel from a remote client with any IP address.

  • **[ **port1 = any | Integer } [ ,… ] ]
    Specifies the port number of network traffic coming from endpoint1 computers that is subject to the requirements of this rule. The port value can be an individual number, a range, such as 5000-5020, or a comma-separated list of numbers and ranges. Only traffic matching the specified port1, port2, and protocol values are subject to the requirements of this rule. If port1 is set to a value other than any, then the protocol value must be set to tcp or udp.

    If port1 is not specified, the default is any.

Note

This setting is not displayed in the Windows Firewall with Advanced Security MMC snap-in in versions of Windows earlier than Windows 7.

  • **[ **port2 = any | Integer } [ ,… ] ]
    Specifies the port number of network traffic arriving at endpoint2 computers that is subject to the requirements of this rule. The port values can be an individual number, a range, such as 5000-5020, or a comma-separated list of numbers and ranges. Only traffic matching the specified port1, port2, and protocol values are subject to the requirements of this rule. If port2 is set to a value other than any, then the protocol value must be set to tcp or udp.

    If port2 is not specified, the default is any.

Note

This setting is not displayed in the Windows Firewall with Advanced Security MMC snap-in in versions of Windows earlier than Windows 7.

  • **[ **protocol = any | tcp | udp | icmpv4 | icmpv6 | Integer }
    Specifies the protocol of network traffic that is subject to the requirements of this rule. If a port number is identified by using port1 or port2, then protocol must be set to tcp or udp. The values icmpv4 and icmpv6 are typically used to create a rule that exempts ICMP network traffic from the IPsec requirements of another rule.

    If protocol is not specified, the default is any.

Note

This setting is not displayed in the Windows Firewall with Advanced Security MMC snap-in in versions of Windows earlier than Windows 7.

  • **[ **interfacetype = any | wireless | lan | ras } ]
    Specifies that only network connections made through the indicated interface types are subject to the requirements of this rule. Using this parameter allows you to specify different authentication requirements for each of the three main network types. The value must be one of the following:

    • any. This rule is applied to network connections made through any of the interface types.

    • wireless. This rule is applied only when the network connection is through a wireless network.

    • lan. This rule is applied only when the network connection is through a wired LAN adapter.

    • ras. This rule is applied only when the network connection is through a RAS interface, such as a VPN or dial-up network connection.

    If interfacetype is not specified, the default is any.

  • **[ **auth1 = computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ ,...] } ]
    Specifies the methods offered for main mode first authentication during IPsec negotiations. Multiple values can be included by separating them with commas. Do not include any spaces. If the negotiation uses IKE, the first match between the two computers is attempted. If it fails, the negotiation fails. If the negotiation uses AuthIP, then each match is tried in order, until one succeeds. If they all fail, then the negotiation fails. Windows uses IKE when it can, and uses AuthIP if you specify any options that are not supported by IKE.

    For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that first authentication is optional.

    The value can be any of the following:

    • computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

    • computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

    • computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. The preshared key is stored in plaintext. We strongly recommend the use of a more secure authentication method.

    • computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

    • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

  • auth1psk = PreSharedKey ]
    Required only if computerpsk is included in the auth1 parameter. Specifies the preshared key value that is used for authentication if the computerpsk option is negotiated. The value is stored in plaintext, and we recommend that you do not use preshared key authentication.
  • auth1ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies RSA-signed certificate authentication options for main mode first authentication, and is valid only if auth1 includes computercert. Multiple certificates can be referenced by separating each entry by using the '|' character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:

    • CAName
      Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
    • ****certmapping:yes | no }
      Specifies whether to enable certificate-to-account mapping.
    • ****excludecaname:yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
    • ****catype:root | intermediate }
      Specifies the type of CA that issued the certificate. The value can be root or intermediate. If not specified, the default is root.
  • **[ **auth1healthcert = yes | no } ]
    Specifies that the computer certificate specified in auth1ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercert.

    If auth1healthcert is not specified, the default is no.

  • auth1ecdsap256ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 256-bit ECDSA signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertecdsap256. The parameters of this option are identical to the authca1 option described above.
  • auth1ecdsap256healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap256ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap256.
  • auth1ecdsap384ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 384-bit ECDSA signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertedcsap384. The parameters of this option are identical to the authca1 option described above.
  • auth1ecdsap384healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap384ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap384.
  • **[ **auth2 = userkerb | userntlm | usercert | usercertecdsap256 | usercertecdsap384 | computercert | computercertecdsap256 | computercertecdsap384 | anonymous | [ ,... ] } ]
    Specifies the methods for main mode second authentication offered during IPsec negotiations. Use of a second authentication causes the negotiation to use AuthIP instead of IKE. Multiple values can be included by separating them with commas. They are attempted in the order displayed. The first successful method is the one used.

    If auth1 contains computerpsk, then you cannot use auth2.

    For computers to communicate by using this rule one of the specified authentication methods must be successful, unless anonymous is specified, indicating that second authentication is optional.

    The value can be any of the following:

    • userkerb. This method uses the Kerberos v5 protocol to authenticate the user against an account in an Active Directory domain.

    • userntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the user against an account in an Active Directory domain.

    • usercert. This method uses a user certificate issued by a Certification Authority (CA).

    • usercertecdsap256. This method uses a user certificate issued by a CA that is signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm (ECDSA).

    • usercertecdsap384. This method uses a user certificate issued by a CA that is signed with the 384-bit version of the ECDSA.

    • computercert. This method uses a computer health certificate issued by a Network Access Protection (NAP) server on the domain and that is signed with the default RSA algorithm.

    • computercertecdsap256. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 256-bit version of the ECDSA.

    • computercertecdsap384. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 384-bit version of the ECDSA.

    • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last.

Note

auth2 cannot be used if auth1 contains computerpsk.
Credentials used in auth2 must be all user-based, or all computer-based. You cannot mix them.

  • auth2ca = "CANamecertmapping:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies certificate authentication options for main mode second authentication, and is valid only if auth2 specifies the use of an RSA-signed certificate. Multiple certificates can be referenced by separating each entry by a '|' character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:

    • CAName
      Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
    • ****certmapping:yes | no }
      Specifies whether to enable certificate-to-account mapping.
    • ****catype:root | intermediate }
      Specifies the type of CA that issued the certificate. The value can be root or intermediate. If not specified, the default is root.
  • auth2ecdsap256ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 256-bit ECDSA signed certificate options for main mode second authentication, and is valid only if auth2 includes computercertecdsap256 or usercertecdsap256. The parameters of this option are identical to the authca2 option described above.
  • auth2ecdsap384ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 384-bit ECDSA signed certificate options for main mode second authentication, and is valid only if auth2 includes computercertecdsap384 or usercertecdsap384. The parameters of this option are identical to the authca2 option described above.
  • **[ **qmpfs = dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]
    Specifies the method used to establish quick mode perfect forward secrecy. If mainmode is specified, then the key exchange specified for main mode is used.

    If qmpfs is not specified, the default is none.

  • **[ **qmsecmethods = { [ authnoencap:integrity [ +Lifemin ] [ +datakb ] ; ] ah:Integrity+esp:Integrity-Encryption+Lifemin ] +Datakb ] [ ,... ] | default } ]
    Specifies one or more quick mode security suites, separated by commas. There must be no spaces included. The value is defined by one of the following formats:

    • authnoencap:integrity [ +Lifemin ] [ +datakb ] ; ]ah:Integrity+esp:Integrity-Encryption[+Lifemin][+Datakb]

    Where:

    • authnoencap
      Include this option and its parameters up to the semicolon (;) if you want to support connections that are authenticated, but not encapsulated by ESP or AH. This option is useful for connections that must be processed by network monitoring equipment, such as intrusion detection systems, that cannot process AH or ESP protected network packets. After authentication completes, the rest of the network packets associated with the connection are sent in clear text.

      Security Note
      Network packets sent by using this option are not protected by any of the IPsec mechanisms that help ensure integrity of the packet during transit, and all data is sent in clear text.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.
You must include at least one combination that uses AH or ESP.

<!-- end list -->

  - ***Integrity***  
    Specifies an integrity algorithm. *Integrity* can be **md5**, **sha1**, **sha256**, **aesgmac128**, **aesgmac192**, **aesgmac256**, **aesgcm128**, **aesgcm192**, **aesgcm256**, or **none**.
    
    To specify that you do not want to use AH, do not include the **ah:***Integrity* portion of the parameter.
    
    MD5 and SHA1 are available on all supported versions of Windows. The other integrity algorithms are supported only on Windows Vista with Service Pack 1 and later versions of Windows.

<!-- end list -->

  - ***Encryption***  
    Specifies the encryption algorithm used. *Encryption* can be **des**, **3des**, **aes128**, **aes192**, **aes256**, **aesgcm128**, **aesgcm192**, **aesgcm256**, or **none**.
    
    DES and 3DES are available on all supported versions of Windows. The other integrity algorithms are supported only on Windows Vista with Service Pack 1 and later versions of Windows.

<!-- end list -->

  - ***Life***   
    Specifies the session key lifetime in minutes. The default value is 60 minutes.

<!-- end list -->

  - ***Data***  
    Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.

<!-- end list -->

  - **Default**. When managing the local computer policy store, this entry is equivalent to entering the following entry (line breaks are included only for clarity):  
      
    **AH:SHA1+60min+100000kb,**  
      
    **ESP:SHA1-None+60min+100000kb,**  
      
    **ESP:SHA1-AES128+60min+100000kb,**  
      
    **ESP:SHA1-3DES+60min+100000kb**  
      
    When you are managing a Group Policy object, this option behaves similarly to the **notconfigured** option, allowing the highest precedence policy that applies to the computer, and that does specify a **qmsecmethods** value to control the setting. If none of the Group Policy objects or the local computer policy store sets the value, then the computer uses the value displayed above.  
      
  • exemptipsecprotectedconnections = { yes | no } ]
    Specifies that network traffic sent to a tunnel endpoint that is already IPsec protected does not have to be encapsulated again. This option can improve network performance in the case where network traffic that is already end-to-end protected by other connection security rules.

    Security Note
    This option could result in a downgrade of security if the transport mode rules use weaker security algorithms than the tunnel mode rules. This can be mitigated by ensuring that transport mode rules on your enterprise network have equally strong security algorithms as any tunnel mode rules.

Note

This option applies only to tunnel mode connection security rules

Note

This option is valid only on computers that are running Windows 7 or Windows Server 2008 R2 only.

  • applyauthz = { yes | no } ]
    This option applies to tunnel mode rules only. Specifies that only users and computers that are authorized to use the tunnel can establish a connection by using this rule. Authorized users and computers can be specified by using the netsh advfirewall set global ipsec command with the authzcomputergrp or authzusergrp parameters.

Remarks

  • Do not create a connection security rule with the name all. Doing this creates a conflict with the netsh option to select all connection security rules (for example, delete rule name=all).

  • Rules that specify port ranges can be created or modified by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

  • The algorithms to support ECDSA certificate signatures are available only on computers that are running Windows Vista with Service Pack 1 (SP1) or later versions of Windows.

  • Rules that specify a catype for a certificate can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules that specify intermediate CAs that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

  • When running netsh on a computer that is running Windows Vista or Windows Server 2008 and specifying a computer certificate for auth2, then you must also specify the parameter auth2healthcert=yes. This parameter is not required on computers that are running later versions of Windows.

  • When mode=tunnel, you must specify both tunnel endpoints.

  • When mode=tunnel, on a computer that is running Windows Vista or Windows Server 2008, you must specify action=requireinrequireout. On computers that are running Windows 7 or Windows Server 2008 R2, you can specify action=requireinrequireout, action=requireinclearout, or action=noauthentication.

  • When mode=tunnel on a computer that is running Windows 7 or Windows Server 2008 R2, you can specify both tunnel endpoints as any only if both endpoint1 and endpoint2 are specified and not any.

  • When mode=tunnel and action=noauthentication, then both tunnel endpoints must be set to any.

  • At least one main mode authentication method must be specified, unless action=noauthentication, in which case no authentication method can be specified.

  • Do not make main mode first and second authentication methods both optional as this is equivalent to disabling authentication.

  • Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\')

  • The ability to set quick mode integrity and encryption offerings on a per-rule basic is available only by using the netsh add rule and set rule commands. The Windows Firewall with Advanced Security MMC snap-in allows you to set the per-machine default quick mode integrity and encryption settings, but provides no means to configure them on a per-rule basis.

  • qmpfs and authnoencap cannot be combined in the same rule.

  • We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.

Examples

  • The following command creates a rule that could be used in a domain isolation scenario, where incoming traffic is only permitted from other domain member computers.

    add rule name="Domain Isolation Rule" endpoint1=any endpoint2=any action=requireinrequestout

  • The following command creates a similar domain isolation rule, but uses a custom quick mode proposal that includes multiple quick mode suites, separated by commas. The first quick mode suite illustrates how to include both AH and ESP protocols in a single suite. The second suite illustrates how to specify the use of the AH protocol only. The third suite illustrates how to specify the use of the ESP protocol only, and uses the none keyword to specify not to include an encryption option. The final suite illustrates how to use the none keyword to specify that ESP is used with an encryption protocol, but with no integrity protocol. The last suite also illustrates how to set a custom SA timeout using both time and data amount values.

    add rule name="Domain Isolation Custom QM Rule" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des,ah:sha1,esp:sha1-none,esp:none-aes256+30min+50000kb

  • The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is integrity checked using ESP/SHA1, and encrypted using ESP/3DES.

    add rule name="My Tunnel" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des

  • The following command creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful. Note that multiple certificates are separated by a vertical bar (|) character, and that the single quotes around the certificate names must be prefaced with the backslash (\) character to be interpreted correctly.

    add rule name="Authenticate with Certificates Rule" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="C=US,O=MSFT,CN=\'Microsoft Root Authority\'|C=US,O=MYORG,CN=\'My Organizations Root Certificate\'"

  • The following command creates a rule that requires a first (computer) authentication and attempts an optional second (user) authentication:

    Add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous

delete

In the netsh advfirewall consec context, the Delete command only has one variation, the Delete Rule command.

delete rule

Deletes all connection security rules that match the specified criteria.

Syntax

delete rule

name =all | RuleName }

[ **type = **{ dynamic | static } ]

[ **profile = **{ public | private | domain | any | [ ,... ] } ]

[ **endpoint1 = **Addresses ]

[ **endpoint2 = **Addresses ]

[ **port1 = **{ any | Integer or Range } [ ,… ] ]

[ **port2 = **{ any | Integer or Range } [ ,… ] ]

[ **protocol = **{ any | tcp | udp | icmpv4 | icmpv6 | Integer } ]

Parameters

  • ****name = all | RuleName }
    Required. You can specify one of the following values:

    • The rule name of the connection security rule you want deleted. Only the rule with the specified name is deleted.

    • all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command then all connection security rules are deleted.

  • **[ **type = dynamic | static } ]
    Specifies that only rules of the selected type are deleted. The value can be either dynamic or static.
  • **[ **profile = public | private | domain | any | [ ,... ] } ]
    Specifies that only rules assigned to the specified profile(s) are deleted.

    If profile is not specified, the default is any.

  • **[ **endpoint1 = **Addresses ] [ **endpoint2 = Addresses ]
    Specifies that only rules that match the IP addresses, ranges, subnets, or server types are deleted.

    Endpoint1 and endpoint2 can be any of the following values:

    • IPAddress. Specifies an IPv4 or IPv6 address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

    • One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

    You can specify multiple entries for either endpoint1 or endpoint2 by separating them with a comma.

  • **[ **port1 = **{ any | Integer } ] [ **port2 = any | Integer } ]
    Specifies that only rules that match the port numbers indicated are deleted.
  • **[ **protocol = any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
    Specifies that only rules that match the indicated protocol values are deleted.

Remarks

  • If multiple rules are found that match the specified criteria, then they are all deleted.

  • Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

Examples

  • The following example deletes a rule based on its exact name:

    Delete rule name="rule1"

  • The following example deletes all dynamic rules from all profiles:

    delete rule name=all type=dynamic

set

In the netsh advfirewall consec context, the set command only has one variation, the Set Rule command.

set rule

Modifies an existing connection security rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.

Syntax

set rule

name =all | RuleName }

[ **type = **{ dynamic | static } ]

[ **profile = **{ public | private | domain | any | [ ,... ] } ]

[ **endpoint1 = **Addresses ]

[ **endpoint2 = **Addresses ]

[ **port1 = **{ any | Integer } [ ,… ] ]

[ **port2 = **{ any | Integer } [ ,… ] ]

[ **protocol = **{ any | tcp | udp | icmpv4 | icmpv6 | Integer } ]

new

[ **name = **NewRuleName ]

[ **profile = **{ public | private | domain | any | [ ,... ] } ]

[ **description = **NewRuleDescription ]

[ **mode = **{ transport | tunnel } ]

[ **endpoint1 = **Addresses ]

[ **endpoint2 = **Addresses ]

[ **action = **{ requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication } ]

[ **enable = **{ yes | no } ]

[ **type = **{ dynamic | static } ]

localtunnelendpoint = { IPAddress | any } ]

remotetunnelendpoint = { IPAddress | any } ]

[ **port1 = **{ any | Integer } [ ,… ] ]

[ **port2 = **{ any | Integer } [ ,… ] ]

[ **protocol = **{ any | tcp | udp | icmpv4 | icmpv6 | Integer } ]

[ **interfacetype = **{ any | wiresless | lan | ras } ]

[ **auth1 = **{ computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ ,... ] } ]

[ **auth1psk = **PreSharedKey ]

auth1ca = "CANamecertmapping:yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]

[ **auth1healthcert = **{ yes |no } ]

[ **auth1ecdsap256ca = "**CAName [ **certmapping: **{ yes | no } ] [ excludecaname: yes | no } ] [ catype: { root | intermediate } [ | ... ]" ]

auth1ecdsap256healthcert = { yes | no } ]

[ **auth1ecdsap384ca = "**CAName [ **certmapping: **{ yes | no } ] [ excludecaname: yes | no } ] [ catype: { root | intermediate } [ | ... ]" ]

auth1ecdsap384healthcert = { yes | no } ]

[ **auth2 = **{ userkerb | userntlm | usercert | computercert | computercertecdsap256 | computercertecdsap384 | usercertecdsap256 | usercertecdsap384 | anonymous | [ ,... ] } ]

auth2ca = "CANamecertmapping:yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]

[ **auth2ecdsap256ca = "**CANamecertmapping: yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]

[ **auth2ecdsap384ca = "**CANamecertmapping: yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]

[ **qmpfs = **{ dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]

qmsecmethods = [ authnoencap:integrity[+Lifemin] [+datakb];] ah:Integrity+esp:Integrity-Encryption**+[Lifemin**]+[Datakb] | default ]

exemptipsecprotectedconnections = { yes | no } ]

applyauthz = { yes | no } ]

Parameters

  • ****name =all | RuleName }
    Required. Specifies the rule name assigned to an existing rule that you want to modify. If name=all, then all rules that match all other criteria listed before the new keyword are modified.

    If name=all, and no other parameters are included before the new keyword, then all rules are modified as indicated.

  • **[ **type = dynamic | static } ]
    Specifies that only matching rules of the indicated type are modified. The value of type can be either dynamic or static.
  • **[ **profile = public | private | domain | any | [ ,... ] } ]
    Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify more than one profile, then only rules that include the exact same list of profiles match.
  • **[ **endpoint1 = **Addresses ] [ **endpoint2 = Addresses ]
    Specifies that only rules that match the IP addresses, ranges, subnets, or server types are modified.

    Endpoint1 and endpoint2 can be any of the following values:

    • any. Matches a computer with any IP address.

    • localsubnet. Matches any computer that is on the same IP subnet as the local computer.

    • dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

    • IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for either endpoint1 or endpoint2 by separating them with a comma. Do not include any spaces in the completed comma separated text.

  • port1 = { any | Integer } [ ,… ] ] [ port2 = { any | Integer } [ ,… ] ]
    Specifies that only rules that match the port numbers indicated are modified. The port value can be an individual number, a range, such as 5000-5020, or a comma-separated list of numbers and ranges.
  • protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer }
    Specifies that only rules that match the indicated protocol values are modified.
  • new
    Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any parameter that follows this keyword indicates a value that is modified in the rules that match the specified criteria.
  • name = NewRuleName ]
    Specifies a new name for the connection security rule. The name should be unique, and cannot be "all".
  • profile = { public | private | domain | any | [ ,... ] } ]
    Specifies the profile(s) to which the connection security rule is assigned. The rule is applied only when the specified profile is currently active.
  • description = DescriptionOfRule ]
    Provides information about the connection security rule.
  • mode = { transport |tunnel } ]
    Specifies whether this connection security rule defines an IPsec transport mode connection, or an IPsec tunnel mode connection.
  • **[ endpoint1 = Addresses ] [ **endpoint2 =Addresses ]
    Specifies the computers that are subject to the requirements of this rule. Computers that match endpoint1 can communicate with computers that match endpoint2 only when the requirements of this rule are satisfied.

    Endpoint1 or endpoint2 can be any of the keywords, addresses, subnets, ranges, or server types described in the endpoint1 and endpoint2 description that precede the new keyword above.

  • action = { requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication }
    Specifies whether authentication is requested or required for connections that matches the rule. Action can be one of the following values:

    • requireinrequestout. Specifies that the local computer requires successful authentication for all inbound network connections that match this rule. If the authentication is not successful, then the inbound network traffic is discarded. The local computer attempts to authenticate any outbound network connections that match this rule, but still allows the connection if the authentication attempt fails.

    • requestinrequestout. Specifies that the local computer attempts to authenticate any inbound or outbound network connection that matches this rule, but still allows the connection if the authentication attempt fail.

    • requireinrequireout. Specifies that the local computer requires successful IPsec negotiation for all inbound and outbound network connections that match this rule. If an authentication attempt fails, then the network connection is prevented, and any related network traffic is discarded.

    • requireinclearout. Valid for tunnel mode rules only. Specifies that the local computer requires successful IPsec tunnel negotiation for all inbound network connections that match this rule, but permits outbound non-IPsec protected connections. Only new outbound connections are sent in clear text; replies to network traffic that arrived through the tunnel are sent back through the tunnel.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

  - **noauthentication.** Specifies that the local computer does not attempt authentication for any network connections that match this rule. This option is typically used to grant IPsec exemptions for network connections that do not need to be protected by IPsec, but would otherwise match other rules that could cause the connection to be dropped.  
      
  • enable = { yes | no } ]
    Specifies whether the rule is currently enabled.
  • type = { dynamic | static } ]
    Specifies how the rule is applied to the current session and whether the rule is stored. The value can be one of the following:

    • dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not saved in any store and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

    • static. The rule is saved in the store currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer.

  • localtunnelendpoint = { IPAddress | any } ]
    Required and valid only if mode = tunnel. Specifies the IP address of the computer gateway device that sends traffic from computers that match endpoint1 to computers that match endpoint2. The traffic is sent from this IP address to the gateway identified as the remotetunnelendpoint. This value must use the same type of IP address as the remotetunnelendpoint, either IPv4 or IPv6.

    In Windows 7 and Windows Server 2008 R2 only, this value can also be any. When applied to a client computer, this option supports connection via a tunnel to a remote gateway or host regardless of the IP address of the local computer.

  • remotetunnelendpoint = { IPAddress | any } ]
    Required and valid only if mode = tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint2 to computers that match endpoint1. The traffic is sent from this remote IP address to the local gateway identified as the localtunnelendpoint. This value must use the same type of IP address as the localtunnelendpoint, either IPv4 or IPv6.

    In Windows 7 and Windows Server 2008 R2 only, this value can also be any. When applied to a host or gateway computer, this option supports connection via a tunnel from a remote client with any IP address.

  • port1 = { any | Integer } [ ,… ] ]
    Specifies the port number of network traffic coming from endpoint1 computers that is subject to the requirements of this rule. The port value can be an individual number, a range, such as 5000-5020, or a comma-separated list of numbers and ranges. Only traffic matching the specified port1, port2, and protocol values are subject to the requirements of this rule. If port1 is set to a value other than any, then the protocol value must be set to tcp or udp.
  • port2 = { any | Integer } [ ,… ] ]
    Specifies the port number of network traffic arriving at endpoint2 computers that is subject to the requirements of this rule. The port value can be an individual number, a range, such as 5000-5020, or a comma-separated list of numbers and ranges. Only traffic matching the specified port1, port2, and protocol values are subject to the requirements of this rule. If port2 is set to a value other than any, then the protocol value must be set to tcp or udp.

Note

This setting is not displayed on the Windows Firewall with Advanced Security MMC snap-in in versions of Windows earlier than Windows 7.

  • **[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } **
    Specifies the protocol of network traffic that is subject to the requirements of this rule. If a port number is identified by using port1 or port2, then protocol must be set to tcp or udp.
  • interfacetype = { any | wireless | lan | ras } ]
    Specifies that only network connections made through the indicated interface types are subject to the requirements of this rule. Using this parameter allows you to specify different authentication requirements for each of the three main network types. The value can be one of the following:

    • any. The requirements of this rule are applied to network connections made through any of the interface types.

    • wireless. The requirements of this rule are applied only when the network connection is through a wireless network.

    • lan. The requirements of this rule are applied only when the network connection is through a wired LAN adapter.

    • ras. The requirements of this rule are applied only when the network connection is through a RAS interface, such as a VPN or dial-up network connection.

  • auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ ,... ] } ]
    Specifies the methods offered for main mode first authentication during IPsec negotiations. Multiple values can be included by separating them with commas. Do not include any spaces. If the negotiation uses IKE, the first match between the two computers is attempted. If it fails, the negotiation fails. If the negotiation uses AuthIP, then each match is tried in order, until one succeeds. If they all fail, then the negotiation fails. Windows uses IKE when it can, and uses AuthIP if you specify any options that are not supported by IKE.

    For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that first authentication is optional.

    The value can be any of the following:

    • computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

    • computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

    • computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. We strongly recommend the use of a more secure authentication method.

    • computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

    • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk

  • auth1psk = PreSharedKey ]
    Required and valid only if computerpsk is included in the auth1 parameter. Specifies the preshared key value that is used for authentication if the computerpsk option is negotiated.
  • auth1ca = "CANamecertmapping:yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies RSA-signed certificate authentication options for main mode first authentication, and is valid only if auth1 includes computercert. Multiple certificates can be referenced by separating each entry by using the vertical bar (|) character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:

    • CAName
      Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on as required.
    • ****certmapping:yes | no }
      Specifies whether to enable certificate-to-account mapping.
    • ****excludecaname:yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
    • ****catype:root | intermediate }
      Specifies the type of CA that issued the certificate. The value can be root or intermediate. If not specified, the default is root.
  • auth1healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercert.
  • auth1ecdsap256ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 256-bit ECDSA signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertecdsap256. The parameters of this option are identical to the authca1 option described above.
  • auth1ecdsap256healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap256ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap256.
  • auth1ecdsap384ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 384-bit ECDSA signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertedcsap384. The parameters of this option are identical to the authca1 option described above.
  • auth1ecdsap384healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap384ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap384.
  • auth2 = { userkerb | userntlm | usercert | usercertecdsap256 | usercertecdsap384 | computercert | computercertecdsap256 | computercertecdsap384 | anonymous | [ ,... ] } ]
    Specifies the methods for Main Mode second authentication offered during IPsec negotiations. Using auth2 results in the negotiating being performed by using the AuthIP protocol instead of the IKE protocol. Multiple values can be included by separating them with commas. They are attempted in the order displayed. The first successful method is the one used.

    If auth1 contains computerpsk, then you cannot use auth2.

    For computers to communicate by using this rule one of the specified authentication methods must be successful unless anonymous is specified, indicating that second authentication is optional.

    The value can be any of the following:

    • userkerb. This method uses the Kerberos v5 protocol to authenticate the user account.

    • userntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the user account.

    • usercert. This method uses a user certificate issued by a Certification Authority (CA).

    • usercertecdsap256. This method uses a user certificate issued by a CA that is signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm (ECDSA).

    • usercertecdsap384. This method uses a user certificate issued by a CA that is signed with the 384-bit version of the ECDSA.

    • computercert. This method uses a computer health certificate issued by a Network Access Protection (NAP) server on the domain.

    • computercertecdsap256. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 256-bit version of the ECDSA.

    • computercertecdsap384. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 384-bit version of the ECDSA.

    • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last.

  • auth2ca ="CANamecertmapping:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies certificate authentication options for main mode second authentication, and is valid only if auth2 specifies the use of an RSA-signed certificate. Multiple certificates can be referenced by separating each entry by a vertical bar (|) character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:

    • CAName
      Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
    • certmapping:{ yes | no }
      Specifies whether to enable certificate-to-account mapping.
    • ****catype:root | intermediate }
      Specifies the type of CA that issued the certificate. The value can be root or intermediate. If not specified, the default is root.
  • auth2ecdsap256ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 256-bit ECDSA signed certificate options for main mode second authentication, and is valid only if auth2 includes computercertecdsap256 or usercertecdsap256. The parameters of this option are identical to the authca2 option described above.
  • auth2ecdsap384ca = "CANamecertmapping: { yes | no } ] [ excludecaname:yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
    Specifies 384-bit ECDSA signed certificate options for main mode second authentication, and is valid only if auth2 includes computercertecdsap384 or usercertecdsap384. The parameters of this option are identical to the authca2 option described above.
  • qmpfs = { dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]
    Specifies the method used to establish main mode perfect forward secrecy. If mainmode is specified, then the main mode key exchange settings are used.
  • qmsecmethods = {[authnoencap:integrity[+Lifemin] [+datakb**];] ah:Integrity+esp:Integrity-Encryption[+Lifemin][+Datakb][,...] | default } ]**
    Specifies one or more quick mode security suites, separated by commas. There must be no spaces included. The value is defined by one of the following formats:

    • [authnoencap:integrity+Lifemin ] [ +datakb ] ; ]ah:Integrity+esp:Integrity-Encryption[+Lifemin][+Datakb][,…]

    Where:

    • authnoencap
      Include this option and its parameters up to the semicolon (;) if you want to support connections that are authenticated, but not encapsulated by ESP or AH. This option is useful for connections that must be processed by network monitoring equipment, such as intrusion detection systems, that cannot process AH or ESP protected network packets. After authentication completes, the rest of the network packets associated with the connection are sent in clear text.

      Security Note
      Network packets sent by using this option are not protected by any of the IPsec mechanisms that help ensure integrity of the packet during transit, and all data is sent in clear text.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.
You must include at least one combination that uses AH or ESP.

<!-- end list -->

  - ***Integrity***  
    Specifies an integrity algorithm. *Integrity* can be **md5**, **sha1**, **sha256**, **aesgmac128**, **aesgmac192**, **aesgmac256**, **aesgcm128**, **aesgcm192**, **aesgcm256**, or **none**.
    
    To specify that you do not want to use AH, do not include the **ah:***Integrity* portion of the parameter.
    
    MD5 and SHA1 are available on all supported versions of Windows. The other integrity algorithms are supported only on Windows Vista with Service Pack 1 and later versions of Windows.

<!-- end list -->

  - ***Encryption***  
    Specifies the encryption algorithm used. *Encryption* can be **des**, **3des**, **aes128**, **aes192**, **aes256**, **aesgcm128**, **aesgcm192**, **aesgcm256**, or **none**.
    
    DES and 3DES are available on all supported versions of Windows. The other integrity algorithms are supported only on Windows Vista with Service Pack 1 and later versions of Windows.

<!-- end list -->

  - ***Life***  
    Specifies the session key lifetime in minutes. The default value is 60 minutes.

<!-- end list -->

  - ***Data***  
    Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.

<!-- end list -->

  - **Default**. When managing the local computer policy store, this entry is equivalent to entering the following entry (line breaks are included only for clarity):  
      
    **AH:SHA1 +60min+100000kb,**  
      
    **ESP:SHA1-None+60min+100000kb,**  
      
    **ESP:SHA1-AES128+60min+100000kb,**  
      
    **ESP:SHA1-3DES+60min+100000kb**  
      
    When you are managing a Group Policy object, this option behaves similarly to the **notconfigured** option, allowing the highest precedence policy that applies to the computer, and that does specify an **qmsecmethods** value to control the setting. If none of the Group Policy objects or the local computer policy store sets the value, then the computer uses the value string displayed above.  
      
  • exemptipsecprotectedconnections = { yes | no } ]
    Specifies that network traffic sent to a tunnel endpoint that is already IPsec protected does not have to be encapsulated again. This option can improve network performance in the case where network traffic that is already end-to-end protected by other connection security rules.

    Security Note
    This option could result in a downgrade of security if the transport mode rules use weaker security algorithms than the tunnel mode rules. This can be mitigated by ensuring that transport mode rules on your enterprise network have equally strong security algorithms as any tunnel mode rules.

Note

This option applies only to tunnel mode connection security rules

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

  • applyauthz = { yes | no } ]
    This option applies to tunnel mode rules only. Specifies that only users and computers that are authorized to use the tunnel can establish a connection by using this rule. Authorized users and computers can be specified by using the netsh advfirewall set global ipsec command with the authzcomputergrp or authzusergrp parameters.

Note

This option is valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

Remarks

  • If multiple rules match the criteria you specify, then all matching rules are updated with the changes included in the command.

  • Any parameters available after the new keyword that you do not include are not modified by the command.

  • Do not modify a connection security rule to use the name all. Doing this creates a conflict with the netsh option to select all connection security rules (for example, delete rule name=all).

  • Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

  • The algorithms to support ECDSA certificate signatures are available only on computers that are running Windows Vista with Service Pack 1 (SP1) or later versions of Windows.

  • Rules that specify a catype for a certificate can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules that specify intermediate CAs that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

  • When running netsh on a computer that is running Windows Vista or Windows Server 2008 and specifying a computer certificate for auth2, then you must also specify the parameter auth2healthcert=yes. This parameter is not required on computers that are running later versions of Windows.

  • If you change mode to tunnel, you must specify both tunnel endpoints.

  • When mode=tunnel, on a computer that is running Windows Vista or Windows Server 2008, you must specify action=requireinrequireout. On computers that are running Windows 7 or Windows Server 2008 R2, you can specify action=requireinrequireout, action=requireinclearout, or action=noauthentication.

  • When mode=tunnel and action=noauthentication, then both tunnel endpoints must be set to any.

  • When mode=tunnel on a computer that is running Windows 7 or Windows Server 2008 R2, you can specify both tunnel endpoints as any only if both endpoint1 and endpoint2 are specified and not any.

  • In auth1, computerpsk and computerntlm cannot be used together.

  • In auth1, computerpsk and anonymous cannot be used together.

  • At least one main mode first authentication method must be specified, unless action=noauthentication.

  • Do not make main mode first and second authentication methods both optional as this is equivalent to disabling authentication.

  • The ability to set quick mode integrity and encryption offerings on a per-rule basic is available only by using the netsh add rule and set rule commands. The Windows Firewall with Advanced Security MMC snap-in allows you to set the per-machine default Quick Mode authentication and encryption settings, but provides no means to configure them on a per-rule basis.

  • qmpfs and authnoencap cannot be combined in the same rule.

  • We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backwards compatibility only.

  • Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote ( \' )

Examples

  • The following command renames "Rule1" to "Rule2":

    set rule name="Rule1" new name="Rule2"

  • The following command changes a rule to use a different action, and assumes that the other parameters required by the new action value were already set:

    set rule name="Rule3" new action=requestinrequestout

show

In the netsh advfirewall consec context, the show command only has one variation, the Show Rule command.

show rule

Displays existing connection security rules.

Syntax

show rule

name = { all | RuleName }

profile = { public | private | domain | any } [ ,... ] ]

type = { dynamic | static } ]

verbose ]

Parameters

  • name = { all | RuleName }
    Required. Specifies the rule name assigned to an existing rule that you want to display. If name=all, then all rules that match the other criteria are displayed.

    If name=all, and no other parameters are included, then all rules are displayed.

  • profile = { public | private | domain | any | [ ,... ] } ]
    Specifies that you only want those rules that match the specified profile(s) displayed. If you specify more than one profile, then only rules that include the exact same list of profiles match.

    If you do not specify profile, the default is any.

  • type = { dynamic | static } ]
    Specifies that you only want those rules of the selected type displayed.

    • If you select dynamic, the rules displayed are from the currently active configuration.

    • If you select static, the rules displayed are from the current store, as determined by the set store command.

    If you do not specify type, the default is static.

  • verbose ]
    Specifies that you want additional details for each rule displayed.

Examples

  • The following command displays all currently defined rules in the current store:

    show rule name=all

  • The following command displays all static rules in the current store:

    show rule name=all type=static