Action

Applies To: Windows Server 2008

Use this wizard page to specify the action Windows Firewall with Advanced Security will take for incoming or outgoing packets that match the firewall rule criteria.

Allow the connection

Use this option to allow a connection that matches all specified criteria. This option allows the connection whether or not it has been protected by using IPsec, as defined by a connection security rule.

Allow the connection if it is secure

Use this option to specify that only connections that are protected by using IPsec are allowed. These settings are defined in a connection security rule. Connections from computers or users that do not match the criteria in this rule will be filtered according to another rule or according to the settings for the active profile.

When you choose this option, the Users and Computers page is automatically added to the wizard. You can use this page to specify the users or computers to whom you want to grant access, or leave the page blank to allow access to all users and computers. If you choose to specify users or computers, you must use an authentication method that includes user or computer information as appropriate because Windows Firewall with Advanced Security will use the authentication method from the connection security rule to match the users and computers you specify. For example, for computers, you can use Computer (Kerberos V5) or Computer Certificate with certificate-to-account mapping enabled. If you do not specify users or computers, you can use any authentication method.

Require the connection to be encrypted

Use this option to require that all communications that match the rule criteria use data encryption as defined in a connection security rule. If the peer computer does not support data encryption, then the connection is blocked. Windows Firewall with Advanced Security uses the Data Protection settings on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.

Override block rules

Use this option to allow the connections that match this firewall rule to override any Block firewall rules. This option is also known as authenticated bypass. Normally, rules that explicitly block connections have priority over rules that allow connections. If you use this option, the connection is allowed even if another rule blocks the connection. This option is most often used for vulnerability scanners. If you do not use this option, any Block firewall rules that match the same firewall rule criteria will take precedence and the connections will be blocked. If you select this option, you must specify at least one computer or computer group for authorization on the Users and Computers page of the wizard.

Note

The Override block rules option does not apply to outbound firewall rules.
Also, if you have configured Inbound connections to be Block all connections under State in the Windows Firewall with Advanced Security Properties dialog box, then the connections will be blocked, regardless of this option's setting.

Block the connection

Use this option to explicitly block communications with peers when the packet information matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.
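The four actions described above, expressed as netsh advfirewall commands, which is the command-line equivalent of this wizard page on Windows Server 2008. This is an added example, not part of the original page; it assumes an elevated PowerShell prompt, and the domain group CONTOSO\Scanners and TCP port 3389 are constructed placeholders.

```powershell
# Added example (not from the original page). Assumptions: elevated PowerShell
# on Windows Server 2008; CONTOSO\Scanners is a constructed placeholder group.

# The Users and Computers setting (rmtcomputergrp) takes an SDDL string built
# from the group's SID in the form O:LSD:(A;;CC;;;<SID>). Resolve it first.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Scanners')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:LSD:(A;;CC;;;$sid)"

# 1. Allow the connection: no IPsec requirement at all.
netsh advfirewall firewall add rule name="RDP allow" dir=in action=allow `
    protocol=TCP localport=3389 security=notrequired

# 2. Allow the connection if it is secure, limited to one computer group.
#    security=authenticate admits only IPsec-protected connections; the group
#    is matched through the authentication method of the connection security rule.
netsh advfirewall firewall add rule name="RDP allow if secure" dir=in action=allow `
    protocol=TCP localport=3389 security=authenticate rmtcomputergrp="$sddl"

# 3. Require the connection to be encrypted: integrity plus encryption, so a
#    peer that cannot encrypt is blocked.
netsh advfirewall firewall add rule name="RDP require encryption" dir=in action=allow `
    protocol=TCP localport=3389 security=authenc

# 4. Override block rules (authenticated bypass): inbound only, and a computer
#    group is mandatory, exactly as the wizard requires.
netsh advfirewall firewall add rule name="Scanner bypass" dir=in action=bypass `
    security=authenticate rmtcomputergrp="$sddl"

# Confirm what was stored: the verbose listing includes the action, the
# security requirement and the remote computer group for the rule.
netsh advfirewall firewall show rule name="Scanner bypass" verbose
```

The security values used here (notrequired, authenticate, authenc) are the ones available on Windows Server 2008; a Block action is simply action=block with no security setting.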

Adjusting these settings after creating the firewall rule

You can also adjust these settings in the Firewall Rule Properties dialog box in the Inbound Rules and Outbound Rules nodes. To change the action for a rule, right-click the rule, select Properties, and then use the General tab.

Additional references

Firewall Rules

Users and Computers

Advanced Integrity and Encryption