Netsh Commands for Windows Firewall with Advanced Security

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Netshadvfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management. This can be useful in the following situations:

  • When deploying Windows Firewall with Advanced Security settings to computers on a wide area network (WAN), commands can be used interactively at the Netsh command prompt to provide better performance than gnraphical utilities when used across slow-speed network links.

  • When deploying Windows Firewall with Advanced Security settings to a large number of computers, commands can be used in batch mode at the Netsh command prompt to help script and automate recurring administrative tasks that must be performed.

You must have the required permissions to run the netsh advfirewall commands:

  • If you are a member of the Administrators group, and User Account Control is enabled on your computer, then run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

  • If you are a member of the Network Operators group then you can run the commands from any command prompt.

  • If you are a not a member of Administrators or Network Operators, and have not been delegated any other permissions to run this command, then you can run only those commands that display, but do not change settings.

Note

The netsh advfirewall context is only available on computers that are running Microsoft® Windows Vista® or later versions of Windows. IPsec or firewall policies created by using this context cannot be used to configure computers that are running Windows Server 2003 or earlier versions of Windows.
To use a command line to configure Windows Firewall or IPsec on computers that are running Windows Server 2003 or earlier versions of Windows, you must use a utility that is designed for the appropriate operating system. For example, to use the command line to configure IPsec policies on computers that are running Windows XP, use IPsecCmd.exe, which is provided on the Windows XP CD, in the \Support\Tools folder. To use the command line to configure IPsec policies on computers that are running Windows 2000, use IPsecPol.exe, which is provided with the Windows 2000 Server Resource Kit. Run these commands only on the operating systems for which they were designed. Running them on Windows Vista or later versions of Windows is not supported.

Important

The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or a later version of Windows, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista and later, the standard profile maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.
Starting in Windows® 7 and Windows Server® 2008 R2, running any command in the firewall context produces the following message:
IMPORTANT: “netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at https://go.microsoft.com/fwlink?linkid=121488.

For general information about netsh, see Netsh Overview and Enter a Netsh Context.

For information on how to interpret netsh command syntax, see Formatting Legend.

The available contexts for managing Windows Firewall with Advanced Security are:

Netsh AdvFirewall context

The following commands are available at the netsh advfirewall> prompt.

To start the advfirewall context at an elevated command prompt, type netsh, press ENTER, then type advfirewall and press ENTER.

To view the command syntax, click a command:

  • dump

  • export

  • import

  • reset

  • set

  • show

The following commands change to subcontexts of the netsh advfirewall context. To see the list of commands available in each context, click a command:

Important

The commands in the various contexts can be used to modify Windows Firewall and IPsec policy in several different storage locations, such as the local policy store, or a Group Policy object (GPO) stored in Active Directory®. To ensure that you are modifying the policy you intend, use the set store command. For more information, see set store.

dump

Important

This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error. When the dump command is used from the root context, no Windows Firewall or IPsec configuration information is included in the output.

export

Exports the Windows Firewall with Advanced Security configuration in the current store to a file. This file can be used with the import command to restore the Windows Firewall with Advanced Security service configuration to a store on the same or to a different computer. The Windows Firewall with Advanced Security configuration on which the export command works is determined by the set store command. This command is the equivalent to the Export Policy command in the Windows Firewall with Advanced Security MMC snap-in.

Syntax

exportPath ] FileName

Parameters

  • Path ] FileName
    Required. Specifies, by name, the file where the Windows Firewall with Advanced Security configuration will be written. If the path, file name, or both contain spaces, quotation marks must be used. If you do not specify Path then the command places the file in your current folder. The recommended file name extension is .wfw.

Example

In the following example, the command exports the complete Windows Firewall with Advanced Security service configuration to the file C:\temp\wfas.wfw.

export c:\temp\wfas.wfw

import

Imports a Windows Firewall with Advanced Security service configuration from a file to the local service. The configuration file is created by using export command. This command is equivalent to the Import Policy command in the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.

Syntax

importPath ] FileName

Parameters

  • Path ] FileName
    Required. Specifies, by name, the file from which the Windows Firewall with Advanced Security configuration will be imported. If the path, the file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command looks in the current folder for the file.

Remarks

Warning

Importing to the current store overwrites the existing contents of the store. The utility does not ask for confirmation before proceeding. Before you import a file into the current store, we recommend that you export the existing contents of the store to a different file.

Important

Exported policy files contain a version number. Computers that are running Windows Vista without a service pack create policies that are marked version 2.0. Later versions of Windows create policies that are marked with higher version numbers. For example, Windows Vista with Service Pack 1 (SP1) and Windows Server 2008 create policies that are marked version 2.1. If you take export a policy from a computer that supports version 2.1 and import that file to a computer that supports only version 2.0 policies, then any policy elements that are unique to version 2.1 and not supported in version 2.0, such a reference to a Suite B algorithm, are silently dropped. This can result in a policy that is not complete and does not function as expected. We recommend that if you create a policy on a later version of Windows and import it to an earlier version of Windows that you ensure that you reference only features supported by the earlier version of Windows, and that you thoroughly test the imported policy before deploying it.

Example

In the following example, the command imports the complete Windows Firewall with Advanced Security service configuration from the file c:\temp\wfas.wfw.

import c:\temp\wfas.wfw

reset

Restores Windows Firewall with Advanced Security to all of its default settings and rules. Optionally, it first backs up the current settings by using the export command to a configuration file. This command is equivalent to the Restore Defaults command in the Windows Firewall with Advanced Security MMC snap-in.

  • If the current focus of your commands is the local computer object, then the default settings and rules immediately take effect on the computer.

  • If the current focus of your commands is a GPO, then this command resets all policy settings in that object to Not Configured, and deletes all connection security and firewall rules from that object only. Changes do not take place until that policy is refreshed on those computers to which the policy applies. To use the Netsh tool to modify a GPO rather than the local computer's configuration store, see set store.

Syntax

resetexportPath ]FileName ]

Parameters

  • exportPath ]FileName ]
    Specifies that the current configuration is backed up to the specified file before Windows Firewall with Advanced Security is reset to all default configuration settings and rules. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.

Example

In the following example, the command exports the complete Windows Firewall with Advanced Security configuration to the file c:\Temp\wfas.wfw, and then resets the Windows Firewall with Advanced Security configuration to its default configuration settings and rules.

reset export c:\Temp\wfas.wfw

set

Configures settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.

The Set commands available at the netsh advfirewall> prompt are:

  • set {ProfileType}

  • set global

  • set store

set {ProfileType}

Configures options for the profile associated with the specified network location type.

Important

Windows Vista and Windows Server 2008 use only one profile at a time, regardless of the number and types of networks to which you are connected. The references to “current” profile refer to the single firewall profile currently active on the computer.
Windows 7 and Windows Server 2008 R2 support multiple profiles at a time, one for each network connection. References to the “current” profile include all firewall profiles that are currently active on the computer.

To see which firewall profiles are currently active on your computer, use the netsh advfirewall show currentprofile command. The set {ProfileType} command is equivalent to using the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles.

Note

When a computer running Windows Vista or Windows Server 2008 is connected to multiple networks, the profile type that Windows Firewall with Advanced Security uses is the one that is expected to be more protective of your computer. For example, if your computer is connected to both a Public network and a Domain network, then Windows Firewall with Advanced Security on Windows Vista and Windows Server 2008 will use the profile associated with the Public network location type, because it is expected to contain more restrictive and protective settings than the Domain profile. The list of network location types in order of expected increasing restrictiveness is domain, private, and then public. We recommend that you maintain that expected order when you modify the profiles so that you do not unexpectedly use a less protective profile when you are connected to less secure network location type.

Syntax

set ProfileTypeParameter Value

Parameters

  • ProfileType
    Required. Can be any one of the following:

    • allprofiles

    • currentprofile

    • domainprofile

    • privateprofile

    • publicprofile

  • Parameter Value
    Required. Parameter can be one of the following:

    • set {ProfileType} state

    • set {ProfileType} firewallpolicy

    • set {ProfileType} settings

    • set {ProfileType} logging

    See the details for each command for syntax and valid values.

set {ProfileType} state

Configures the overall operational state of Windows Firewall with Advanced Security.

Syntax

set ProfileTypestateon | off | notconfigured }

Parameters

  • on
    Enable Windows Firewall with Advanced Security when the specified profile is active.
  • off
    Disable Windows Firewall with Advanced Security when the specified profile is active.
  • notconfigured
    Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • The default state for all profiles on computers that are running Windows Vista or later versions of Windows is on, for both new installations and upgrades.

  • The default state for all profiles on computers that are running a new installation of Windows Server 2008 or Windows Server 2008 R2 is on. For computers that were upgraded from an earlier version of Windows Server, the state of Windows Firewall with Advanced Security is preserved from the state of Windows Firewall on the previously installed operating system. If Windows Firewall was enabled when the upgrade was started, then Windows Firewall with Advanced Security is enabled for all profiles when the upgrade is completed. If Windows Firewall was disabled when the upgrade was started, then Windows Firewall with Advanced Security is disabled for all profiles when the upgrade is completed.

Example

To turn Windows Firewall with Advanced Security on for all profiles:

set allprofiles state on

set {ProfileType} firewallpolicy

Configures the inbound and outbound firewall filtering behavior that is used when traffic does not match any firewall rule currently enabled on the computer.

Syntax

set ProfileTypefirewallpolicy InboundPolicy**,**OutboundPolicy

Parameters

  • InboundPolicy
    Required. Must be one of the following values:

    • blockinbound. Blocks inbound network traffic that does not match an inbound rule.

    • blockinboundalways. Blocks all inbound network traffic, including traffic that matches an inbound rule. This effectively blocks all unsolicited inbound network traffic into the computer. Only traffic that is sent in response to an outbound request is allowed.

    • allowinbound. Allows all inbound network traffic, whether or not it matches an inbound rule.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

  • OutboundPolicy
    Required. Must be one of the following values:

    • blockoutbound. Block outbound network traffic that does not match an outbound rule.

    • allowoutbound. Allow all outbound network traffic, whether or not it matches an outbound rule.

    • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • The default value for firewallpolicy is blockinbound,allowoutbound.

Example

To set the behavior for the current network profile to block unsolicited inbound traffic, but allow outbound traffic:

set currentprofile firewallpolicy blockinbound, allowoutbound

set {ProfileType} settings

Configures general settings related to Windows Firewall and IPsec that are specific for each profile.

Syntax

set ProfileTypesettings SettingNameenable | disable | notconfigured }

Parameters

SettingName is one of the items in the following table:

  • localfirewallrules

    • enable. Firewall rules defined by the local administrator are merged with firewall rules from GPOs and are applied to the computer.

    • disable. Rules defined by the local administrator are ignored, and only firewall rules from GPOs are applied to the computer.

    • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting when managing a computer is enable. When managing a GPO, the default setting is notconfigured.

  • localconsecrules

    • enable. IPsec connection security rules defined by the local administrator are merged with connection security rules from GPOs and are applied to the computer.

    • disable. Rules defined by the local administrator are ignored, and only connection security rules from GPOs are applied to the computer.

    • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting for managing a computer is enable. When managing a GPO, the default setting is notconfigured.

  • inboundusernotification

    • enable. Windows notifies the user whenever a program or service starts listening for inbound connections.

    • disable. Windows does not notify the user whenever a program or service starts listening for inbound connections.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    On Windows Vista and Windows 7, the default value when managing a computer is enable.

    On Windows Server 2008 and Windows Server 2008 R2, the default value when managing a computer is disable.

    When managing a GPO, the default setting for both operating systems is notconfigured.

  • remotemanagement

    • enable. Users with appropriate permissions on remote computers can manage the Windows Firewall with Advanced Security settings on this computer. This is equivalent to enabling the "Windows Firewall Remote Management" rule group for the profile.

    • disable. The Windows Firewall with Advanced Security settings on this computer cannot be managed from a remote computer.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    To use netsh to manage a remote computer, use the set machine command. For more information, see Netsh Commands for All Contexts.

    The default setting for managing a computer is disable. When managing a GPO, the default setting is notconfigured.

  • unicastresponsetomulticast

    • enable. The computer can receive unicast responses to outgoing multicast or broadcast messages.

    • disable. The computer discards unicast responses to outgoing multicast or broadcast messages.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting for managing a computer is enable. When managing a GPO, the default setting is notconfigured.

Examples

To enable the local computer to be managed by another computer when the local computer is connected using the Private profile:

set privateprofile settings remotemanagement enable

To prevent the computer from accepting inbound unicast responses to outbound multicast traffic in the currently active profile:

set currentprofile settings unicastresponsetomulticast disable

set {ProfileType} logging

Configures firewall logging settings related to Windows Firewall with Advanced Security.

Syntax

set ProfileTypelogging SettingName Value

Parameters

SettingName is one of the items in the following table:

  • allowedconnections
    Value can be one of the following:

    • enable. Causes Windows to write an entry to the log whenever an incoming or outgoing connection is fully established, meaning the TCP 3-way handshake is completed.

    • disable. No logging for allowed connections.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting for managing a computer is disable. When managing a GPO, the default setting is notconfigured.

  • droppedconnections
    Value can be one of the following:

    • enable. Causes Windows to write an entry to the log whenever an incoming or outgoing connection is prevented by policy.

    • disable. No logging for dropped connections.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting for managing a computer is disable. When managing a GPO, the default setting is notconfigured.

  • filename
    Value is the path and filename of the file to which Windows writes log entries.

    notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting for managing a computer is %windir%\system32\logfiles\firewall\pfirewall.log. When managing a GPO, the default setting is notconfigured.

Important

When you use the MMC snap-in or this netsh command to specify the log location directly on the local computer, the folder is automatically given the required permissions for the service to successfully write the log files. However, when you use Group Policy to configure a log somewhere other than the default location, the permissions are not automatically configured. If you are configuring the setting for a computer that is running Windows Vista or later version of Windows, and you specify a location other than the default, you must ensure that the Windows Firewall service has permissions to write to that location.

## To grant write permissions for the log folder to the Windows Firewall service

1.  Locate the folder that you specified for the logging file, right-click it, and then click **Properties**.

2.  Select the **Security** tab, and then click **Edit**.

3.  Click **Add**, in **Enter object names to select**, type **NT SERVICE\\mpssvc**, and then click **OK**.

4.  In the **Permissions** dialog box, verify that MpsSvc has **Write** access, and then click **OK**.
  • maxfilesize
    Value is a number from 1 to 32767 that specifies in kilobytes the maximum file size of the log.

    notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting for managing a computer is 4096. When managing a GPO, the default setting is notconfigured.

Remarks

  • No IPsec related information is collected in the packet log. The log collects firewall related information only.

Examples

To configure a Windows Firewall with Advanced Security log file at c:\logs\firewall.log that can grow to a maximum size of approximately 1 megabyte:

set currentprofile logging filename c:\logs\firewall.log

set currentprofile logging maxfilesize 1024

To log all dropped connections for all network profiles:

set allprofiles logging droppedconnections enable

set global

Configures properties that apply to the firewall and IPsec settings, no matter which network profile is currently in use.

The set global command supports the following options:

  • set global statefulftp

  • set global ipsec

  • set global mainmode

set global statefulftp

Configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port. This affects both active and passive FTP.

  • With active FTP, the client initiates a connection to the server on TCP port 21 and includes a PORT command that indicates to the FTP server the port number on which it should respond. A typical firewall on the client would block this new connection as unsolicited inbound traffic since the packets to the new port are not in response to a request from that port.

  • With passive FTP, the client initiates a connection to the server on TCP port 21 and includes the PASV command. The server responds on TCP port 21 with a port number that the client must use for subsequent data transfer. The client then initiates a connection to the server on the specified port. A typical firewall on the FTP server would block this new incoming data connection as unsolicited inbound traffic since the packets received at the new port are not in response to a request from that port.

When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connection to the port number that was requested.

Syntax

set global statefulftpenable | disable | notconfigured }

Parameters

statefulftp can be set to one of the following values:

  • enable
    The firewall tracks the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number.
  • disable
    This is the default value. The firewall does not track outgoing PORT commands or PASV responses, and so incoming data connections on the PORT or PASV requested port is blocked as an unsolicited incoming connection.
  • notconfigured
    Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • The default setting when managing a computer running Windows Vista or Windows 7 is enable. The default setting when managing a computer running Windows Server 2008 or Windows Server 2008 R2 is disable. When managing a GPO, the default setting is notconfigured.

Examples

  • To configure Windows Firewall with Advanced Security to allow FTP data traffic through Windows Firewall when using either PORT or PASV commands:

    set global statefulftp enable

set global ipsec

Configures global IPsec options.

Syntax

set global ipsecSettingName Value

Parameters

SettingName is one of the items in the following table:

  • strongcrlcheck
    Specifies whether IPsec checks certificates used in authentication against a certificate revocation list (CRL), and how it reacts to a certificate that is found to be on a CRL.

    Value can be one of the following:

    • 0. Specifies that IPsec does not perform any CRL checking.

    • 1. Specifies that IPsec authentication fails only if the certificate is found to be revoked.

    • 2. Specifies that IPsec authentication fails if there is any error during CRL checking, including a failure to retrieve the CRL.

    • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting when managing a local computer is 1. When managing a GPO, the default value is notconfigured.

  • saidletimemin
    An integer from 5 to 60 that specifies the number of minutes that a security association (SA) can stay idle before it is deleted. Once deleted, a new SA must be established before computers under the scope of the original SA can communicate again.

    notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting when managing a local computer is 5 (minutes). When managing a GPO, the default value is notconfigured.

  • defaultexemptions
    Specifies the protocols to be exempted from IPsec requirements. Value can be one of, or a comma separated list of, the following items:

    • none. No protocols are exempted.

    • neighbordiscovery. Exempt IPv6 Neighbor Discovery protocol traffic.

    • icmp. Exempt ICMP (both IPv4 and IPv6) protocol traffic. This option is available on computers that are running Windows 7 or Windows Server 2008 R2.

    • dhcp. Exempt DHCP (both IPv4 and IPv6) protocol traffic. This option is available on computers that are running Windows 7 or Windows Server 2008 R2.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting when managing a local computer that is running Windows 7 or Windows Server 2008 R2 is neighbordiscovery,dhcp. For computers that are running earlier versions of Windows, the default is neighbordiscovery. When managing a GPO, the default value is notconfigured.

  • ipsecthroughnat
    Specifies whether IPsec can configure a security association (SA) when one or both computers involved are behind a network address translation (NAT) device. Value can be one of:

    • never. Specifies that an SA cannot be negotiated if either computer is behind a NAT device.

    • serverbehindnat. Specifies that an SA can be negotiated if only the server is on a private subnet behind a NAT device.

    • serverandclientbehindnat. Specifies that an SA can be negotiated if either or both of the computers are on private subnets behind NAT devices.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting when managing a local computer is Never. When managing a GPO, the default value is notconfigured.

  • authzcomputergrp
    Specifies the computer accounts or groups of computer accounts that are authorized to establish tunnel connections to the local computer that match this rule. This setting is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored on earlier versions of Windows. Value can be one of:

    • none. Specifies that access to the tunnel is not restricted based on computer account.

    • <SDDL string>. A string that identifies computer or group accounts and the permissions granted or denied to those accounts. See the Remarks section for more information.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

  • authzusergrp
    Specifies the user accounts or groups of user accounts that are authorized to establish tunnel connections to the local computer that match this rule. This setting is valid on computers that are running Windows 7 or Windows Server 2008 R2 only, and is ignored on earlier versions of Windows. Value can be one of:

    • none. Specifies that access to the tunnel is not restricted based on user account.

    • <SDDL string>. A string that identifies user or group accounts and the permissions granted or denied to those accounts. See the Remarks section for more information.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • For more information about SDDL strings and their format, see "Security Descriptor String Format" (https://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

    One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then click the Add button to find the computer or machine group account of interest. You can also select the Only allow connections from these users, and then click the Add button to find the user or group account of interest. After creating the rule, you can use the command **netsh advfirewall firewall show rule name=**rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.

Examples

  • To configure IPsec to reject a connection attempt when certificate-based authentication fails, or if the CRL check encounters any error:

    set global ipsec strongcrlcheck 2

  • To configure IPsec to delete an SA after 15 minutes:

    set global ipsec saidletimemin 15

set global mainmode

Configures global options that control how IPsec performs Main Mode negotiations.

Syntax

set global mainmodeSettingName Value

Parameters

SettingName is one of the items in the following table:

  • mmkeylifetime
    Specifies the number of minutes and number of sessions established for a Main Mode SA before it expires and must be renegotiated. The format is:

    nummin,numsess

    A value of 0 for either means that the SA does not expire based on the type specified. For example, the values 480min,0sess indicate that the SA expires every eight hours, but does not expire because of a certain number of sessions established.

    notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default value is 480min,0sess.

  • mmsecmethods
    Specifies the Diffie-Hellman key exchange group, integrity, and encryption protocols that are offered in IPsec negotiations with other computers. The format is either:

    • keyexch**:enc-integrity[,enc-integrity][,**…]

      Where:

      keyexch is one of:

      dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384

      enc is one of:

      des | 3des | aes128 | aes192 | aes256

      integrity is one of:

      md5 | sha1 | sha256 | sha384

      You can enter multiple combinations of enc-integrity algorithms that use the same keyexch algorithm, by following the keyexch entry with the first enc-integrity pair, followed by additional pairs that are separated by commas.

    • default. When managing the local computer policy store, this entry is equivalent to entering the following entry:

      dhgroup2:aes128-sha1,dhgroup2:3des-sha1

      When you are managing a GPO, this option behaves similarly to the notconfigured option, allowing the highest precedence policy that applies to the computer, and that does specify an mmsecmethods value to control the setting. If none of the GPOs or the local computer policy store sets the value, then the computer uses the value string displayed above.

    • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default value is dhgroup2:aes128-sha1,dhgroup2:3des-sha1.

Note

We recommend that you do not use DHGroup1, DES, or MD5. They are no longer considered secure, and are provided for backward compatibility purposes only.

  • mmforcedh
    Specifies that IPsec uses Diffie-Hellman exchanges to protect the main mode key exchange when AuthIP is used. This provides stronger security for the key exchange.

    Value is either yes, no or notconfigured.

    notconfigured is valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default setting is no.

    This option is available only on computers that are running Windows 7 or Windows Server 2008 R2.

Examples

  • To configure IPsec to expire a Main Mode SA after four hours or 1000 sessions:

    set global mainmode mmkeylifetime 240min,1000sess

  • To configure IPsec to use a specific Main Mode set:

    set global mainmode mmsecmethods dhgroup2:des-md5,3des-sha1

  • To configure IPsec to use the default Main Mode set:

    set global mainmode mmsecmethods default

  • To configure IPsec to use DH for AuthIP as well as IKE set:

    set global mainmode mmforcedh yes

set store

Specifies where changes made by subsequent netsh advfirewall commands are stored. When you first start the netsh comand, you are by default working with the local computer's policy store (set store=local).

To configure the policy store on a remote machine, you must use the set machine command. For more information, see the topic "Set Machine" in Netsh Commands for All Contexts.

Syntax

set storelocal | **gpo = **ComputerName | gpo = localhost | **gpo = domain\**GPOName | **gpo = domain\**GPOUniqueID }

Parameters

  • local
    Specifies that changes from subsequent commands are applied to the policy store on the local computer.
  • ****gpo = ComputerName
    Specifies that changes from subsequent commands are applied to the computer with the indicated name in its local Group Policy object.

Note

The local GPO is separate from the local computer's policy store. It is stored on the local computer, not in Active Directory, and is merged with the Active Directory applied Group Policy objects when they are applied to the computer.

  • gpo = localhost
    Specifies that changes from subsequent commands are applied to a special Group Policy object that exists on the local computer. Changes made to the GPO are stored, but are never applied to the active configuration of the computer. Once the localhost GPO is configured, you can then use the export command to extract the configuration into a file that can then be applied to the active configuration of another computer, or to a different GPO by using the export command.
  • ****gpo = Domain\GPOName
    Specifies that changes from subsequent commands are applied to the Group Policy object stored on domain Domain, and named GPOName.
  • ****gpo = domain\GPOUniqueID
    Specifies that changes from subsequent commands are applied to the Group Policy object stored on domain Domain, and identified by the GUID GPOUniqueID.

Remarks

  • You must stay in the same interactive netsh session otherwise the store setting is lost.

  • A domain name needs to be fully specified, including its Domain Name System (DNS) zone.

Examples

Set the policy store to the GPO on computer1:

set store gpo=computer1

Set the policy store to the GPO called laptops in the office.example.com domain:

set store gpo=office.example.com\laptops

Set the policy store to the GPO with a specific GUID in the office domain:

set store gpo=office.example.com\{842082DD-7501-40D9-9103-FE3A31AFDC9B}

show

Displays settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.

The show commands available at the netsh advfirewall> prompt are:

  • show {ProfileType}

  • show global

  • show store

show {ProfileType}

Displays the currently configured options for a specified profile. This command displays information that is presented on the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles. For more information about network location types and profiles, see the introduction to set {ProfileType}.

Syntax

Show ProfileTypeParameter ]

Parameters

  • ProfileType
    Required. The value can be one of the following:

    • allprofiles

    • currentprofile

    • domainprofile

    • privateprofile

    • publicprofile

  • Parameter ]
    If not specified, then all of the following information is displayed:

    • state. Displays whether the Windows Firewall is enabled or not for the specified profile. See set {ProfileType} state.

    • firewallpolicy. Displays the handling rules configured in the specified profile for inbound and outbound network traffic that does not match a separately defined firewall rule. See set {ProfileType} firewallpolicy.

    • settings. Displays the general settings configured in the specified profile. See set {ProfileType} settings.

    • logging. Displays the logging settings configured in the specified profile. See set {ProfileType} logging.

Examples

To display all settings for all profiles:

show allprofiles

To display the firewall state for the current profile:

show currentprofile state

To display the current profile, and all of its settings:

show currentprofile

show global

Displays the configuration of the current policy store for properties that apply to the firewall and IPsec settings, no matter which profile is currently in use.

Syntax

show global [ { ipsec | mainmode | statefulftp } ]

Parameters

  • [{ipsec|mainmode|statefulftp}]
    The value can be one of the following. If not specified, then all of the following information is displayed:

    • ipsec. Displays the current configuration of global IPsec options.

    • mainmode. Displays the current configuration of options that control how IPsec performs Main Mode negotiations.

    • statefulftp. Displays the current configuration of the option which controls how Windows Firewall with Advanced Security handles FTP network traffic. For more information, see set global statefulftp.

Examples

To display global IPsec configuration options:

show global ipsec

To display all global configuration options:

show global

show store

Displays where changes made by subsequent netsh advfirewall commands are stored.

Syntax

show store

Parameters

None.

Examples

To display the policy store currently being used by netsh advfirewall:

show store