Using the Netsh Advfirewall Command-line Tool
Updated: January 5, 2010
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Netsh is a command-line tool you can use to configure settings for network components. In Windows Vista and later versions of Windows, you can configure Windows Firewall with Advanced Security settings through a series of commands in the Netsh advfirewall context. By using Netsh, you can create scripts to configure a set of Windows Firewall with Advanced Security settings automatically, create rules, monitor connections, and display the configuration and status of Windows Firewall with Advanced Security.
To use Netsh to configure advanced firewall commands, you must run it from an elevated command prompt.
1. Click Start and then click All Programs.
2. Right-click the Command prompt icon and then click Run as administrator.
3. At the User Account Control Prompt, click Continue.
To enter the Netsh advfirewall context, at the command prompt, type:
netsh
When you enter the Netsh context, the command prompt will display the netsh prompt. At the netsh prompt, enter the advfirewall context by typing:
advfirewall
After you are in the advfirewall context, you can type specific commands. Commands include the following:
export. Exports the current firewall policy to a file.
help. Displays a list of available commands.
import. Imports a policy from the specified file.
reset. Restores Windows Firewall with Advanced Security to the default policy.
show. Shows the properties for a particular profile. For example:
- show allprofiles
- show domainprofile
- show privateprofile
- show publicprofile
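The following batch script is an added example, not part of the original article. It uses the export and show commands described above to save the current policy and then flag any profile whose firewall is turned off. The default backup path is a hypothetical choice, and the text match assumes English-language netsh output.

```batch
@echo off
rem Added example: back up the current firewall policy, then report any
rem profile whose state is OFF. Run from an elevated command prompt.
rem Assumptions: English netsh output; default backup path is hypothetical.
setlocal

set "BACKUP=%~1"
if "%BACKUP%"=="" set "BACKUP=%TEMP%\advfirewall-policy.wfw"

rem Never overwrite an earlier backup.
if exist "%BACKUP%" (
    echo ERROR: "%BACKUP%" already exists. Pass a different file name.
    exit /b 1
)

rem export writes the current firewall policy to a file.
netsh advfirewall export "%BACKUP%" >nul
if not exist "%BACKUP%" (
    echo ERROR: export failed. Is this command prompt elevated?
    exit /b 1
)
echo Policy exported to "%BACKUP%"

rem Query each profile separately so a disabled one can be named.
set "DISABLED=0"
for %%P in (domainprofile privateprofile publicprofile) do (
    netsh advfirewall show %%P state | findstr /r /i /c:"State  *OFF" >nul
    if not errorlevel 1 (
        echo WARNING: firewall is OFF for %%P
        set "DISABLED=1"
    )
)

if "%DISABLED%"=="1" (
    echo One or more profiles are disabled. The saved policy can be restored with:
    echo     netsh advfirewall import "%BACKUP%"
    exit /b 2
)
echo No profile reports State OFF.
exit /b 0
```

The script exits with 0 when no profile reports OFF, 1 when the export fails, and 2 when at least one profile is disabled, so a scheduled task or monitoring agent can act on the result.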
In addition to the commands available for the advfirewall context, advfirewall also supports four subcontexts. To enter a subcontext, type the name of the subcontext at the Netsh advfirewall prompt. The available subcontexts are:
consec. Allows you to view and configure computer security connection rules.
firewall. Allows you to view and configure firewall rules.
mainmode. Allows you to view and configure main mode configuration rules. This option is available only on computers that are running Windows 7 or Windows Server 2008 R2.
monitor. Allows you to view the currently defined firewall and IPsec rules, and which rules are active because they are assigned to the currently active profiles. You can also view the main mode and quick mode security associations for active connections on the computer, and the security options that were negotiated when they were created.
In any Netsh context, you can type help to view a full list of commands, including commands specific to a context. For information and syntax on using a particular command, type <commandname> /?.
The netsh firewall context (separate from the netsh advfirewall firewall context) is provided only for backwards-compatibility with earlier versions of Windows. The firewall context works on computers that are running Windows® 7, Windows Server® 2008 R2, Windows Vista®, and Windows Server® 2008, but it does not allow you to manage or interact with any of the firewall features that are new to those newer versions of Windows. This context does not allow you to work remotely on a computer to directly configure its firewall.
We recommend that you instead use the advfirewall firewall context unless you are using this tool in a mixed environment and must maintain backwards-compatibility with earlier versions of Windows. To use the new firewall features that are included with Windows Vista and later versions of Windows, you must use the advfirewall firewall context instead.
Starting with Windows 7 and Windows Server 2008 R2, if you run any command in the firewall context, the command still works, but is accompanied by the message:
IMPORTANT: “netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488.
For more information about the Netsh commands for firewall and connection security, see Netsh Commands for Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=111237).