Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management. This can be useful in the following situations:

You must have the required permissions to run the netsh advfirewall commands:

Note
The netsh advfirewall context is only available on computers that are running Microsoft® Windows Vista® or Windows Server® 2008. IPsec or firewall policies created by using this context cannot be used to configure computers that are running earlier versions of Windows. To use a command line to configure Windows Firewall or IPsec on computers that are running earlier versions of Windows, you must use a utility that is designed for the appropriate operating system. For example, to use the command line to configure IPsec policies on computers that are running Windows XP, use IPsecCmd.exe, which is provided on the Windows XP CD, in the \Support\Tools folder. To use the command line to configure IPsec policies on computers that are running Windows 2000, use IPsecPol.exe, which is provided with the Windows 2000 Server Resource Kit. Run these commands only on the operating systems for which they were designed. Running them on Windows Vista or Windows Server 2008 is not supported.
Important
The netsh firewall context is supplied only for backward compatibility. We recommend that you do not use this context on a computer that is running Windows Vista or Windows Server 2008, because by using it you can create and modify firewall rules only for the domain and private profiles. Earlier versions of Windows only supported a domain and standard profile. On Windows Vista or Windows Server 2008, standard maps to the private profile and domain continues to map to the domain profile. Rules for the public profile can only be manipulated when the computer is actually attached to a public network and the command is run against the "current" profile.

For general information about netsh, see Netsh Overview and Enter a Netsh Context.

For information on how to interpret netsh command syntax, see Formatting Legend.

The available contexts for managing Windows Firewall with Advanced Security are:

Netsh AdvFirewall context

The following commands are available at the netsh advfirewall> prompt.

To start the advfirewall context at an elevated command prompt, type netsh, press ENTER, then type advfirewall and press ENTER.

To view the command syntax, click a command:

The following commands change to subcontexts of the netsh advfirewall context. To see the list of commands available in each context, click a command:

Important
The commands in the various contexts can be used to modify Windows Firewall and IPsec policy in several different storage locations, such as the local policy store, or a Group Policy object (GPO) stored in Active Directory®. To ensure that you are modifying the policy you intend, use the set store command. For more information, see set store.

dump

This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error. When the dump command is used from the root context, no Windows Firewall or IPsec configuration information is included in the output.

export

Exports the Windows Firewall with Advanced Security configuration in the current store to a file. This file can be used with the import command to restore the Windows Firewall with Advanced Security service configuration to a store on the same or to a different computer. The Windows Firewall with Advanced Security configuration on which the export command works is determined by the set store command. This command is the equivalent to the Export Policy command in the Windows Firewall with Advanced Security MMC snap-in.

Syntax

export [Path]FileName

Parameters

[Path]FileName

Required. Specifies, by name, the file where the Windows Firewall with Advanced Security configuration will be written. If the path, file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.

Examples

In the following example, the command exports the complete Windows Firewall with Advanced Security service configuration to the file C:\temp\wfas.wfw.

export c:\temp\wfas.wfw

import

Imports a Windows Firewall with Advanced Security service configuration from a file to the local service. The configuration file is created by using the export command. This command is equivalent to the Import Policy command in the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.

Syntax

import [Path]FileName

Parameters

[Path]FileName

Required. Specifies, by name, the file from which the Windows Firewall with Advanced Security configuration will be imported. If the path, the file name, or both contain spaces, quotation marks must be used. If you do not specify Path, then the command looks in the current folder for the file.

Remarks

Caution
Importing to the current store overwrites the existing contents of the store. The utility does not ask for confirmation before proceeding. Before you import a file into the current store, we recommend that you export the existing contents of the store to a different file.

Examples

In the following example, the command imports the complete Windows Firewall with Advanced Security service configuration from the file c:\temp\wfas.wfw.

import c:\temp\wfas.wfw

reset

Restores Windows Firewall with Advanced Security to all of its default settings and rules. Optionally, it first backs up the current settings by using the export command to a configuration file. This command is equivalent to the Restore Defaults command in the Windows Firewall with Advanced Security MMC snap-in.

  • If the current focus of your commands is the local computer object, then the default settings and rules immediately take effect on the computer.

  • If the current focus of your commands is a GPO, then this command resets all policy settings in that object to Not Configured, and deletes all connection security and firewall rules from the object. Changes do not take place until that policy is refreshed on those computers to which the policy applies. To use the Netsh tool to modify a GPO rather than the local computer's configuration store, see set store.

Syntax

reset [export [Path]FileName]

Parameters

[export [Path]FileName]

Specifies that the current configuration is backed up to the specified file before Windows Firewall with Advanced Security is reset to all default configuration settings and rules. If you do not specify Path, then the command places the file in your current folder. The recommended file name extension is .wfw.

Examples

In the following example, the command exports the complete Windows Firewall with Advanced Security configuration to the file c:\Temp\wfas.wfw, and then resets the Windows Firewall with Advanced Security configuration to its default configuration settings and rules.

reset export c:\Temp\wfas.wfw

set

Configures settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.

The Set commands available at the netsh advfirewall> prompt are:

set {ProfileType}

Configures options for the profile associated with the specified network location type. Windows only uses one profile at a time, regardless of the number and types of networks to which you are connected. To see which profile is currently active on your computer, use the netsh advfirewall show currentprofile command. The set {ProfileType} command is equivalent to using the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles.

When your computer is connected to multiple networks, the profile type that Windows Firewall with Advanced Security uses is the one that is expected to be more protective of your computer. For example, if your computer is connected to both a Public network and a Domain network, then Windows Firewall with Advanced Security will use the profile associated with the Public network location type, because it is expected to contain more restrictive and protective settings than the Domain profile. The list of network location types in order of expected increasing restrictiveness is domain, private, and then public. We recommend that you maintain that expected order when you modify the profiles, so that you do not unexpectedly use a less protective profile when you are connected to a less secure network location type.

Syntax

set ProfileType Parameter Value

Parameters

ProfileType

Required. Can be any one of the following:
  • allprofiles

  • currentprofile

  • domainprofile

  • privateprofile

  • publicprofile

Parameter Value

Required. Parameter can be one of the following: state, firewallpolicy, settings, or logging. See the details for each command for syntax and valid values.

set {ProfileType} state

Configures the overall operational state of Windows Firewall with Advanced Security.

Syntax

set ProfileType state {on|off|notconfigured}

Parameters

on

Enable Windows Firewall with Advanced Security when the specified profile is active.

off

Disable Windows Firewall with Advanced Security when the specified profile is active.

notconfigured

Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • The default state for all profiles on computers that are running Windows Vista is on, for both new installations and upgrades.

  • The default state for all profiles on computers that are running a new installation of Windows Server 2008 is on. For computers that were upgraded to Windows Server 2008 from an earlier version of Windows Server, the state of Windows Firewall with Advanced Security is preserved from the state of Windows Firewall on the previously installed operating system. If Windows Firewall was enabled when the upgrade was started, then Windows Firewall with Advanced Security is enabled for all profiles when the upgrade is completed. If Windows Firewall was disabled when the upgrade was started, then Windows Firewall with Advanced Security is disabled for all profiles when the upgrade is completed.

Examples

To turn Windows Firewall with Advanced Security on for all profiles:

set allprofiles state on

set {ProfileType} firewallpolicy

Configures the inbound and outbound firewall filtering behavior that is used when traffic does not match any firewall rule currently enabled on the computer.

Syntax

set ProfileType firewallpolicy InboundPolicy,OutboundPolicy

Parameters

InboundPolicy


Required. Must be one of the following values:
  • blockinbound. Blocks inbound network traffic that does not match an inbound rule.

  • blockinboundalways. Blocks all inbound network traffic, including traffic that matches an inbound rule. This effectively blocks all unsolicited inbound network traffic into the computer. Only traffic that is sent in response to an outbound request is allowed.

  • allowinbound. Allows all inbound network traffic, whether or not it matches an inbound rule.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

OutboundPolicy


Required. Must be one of the following values:
  • blockoutbound. Block outbound network traffic that does not match an outbound rule.

  • allowoutbound. Allow all outbound network traffic, whether or not it matches an outbound rule.

  • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • The default value for firewallpolicy is blockinbound,allowoutbound.

Examples

To set the behavior for the current network profile to block unsolicited inbound traffic, but allow outbound traffic:

set currentprofile firewallpolicy blockinbound,allowoutbound

set {ProfileType} settings

Configures general settings related to Windows Firewall and IPsec that are specific for each profile.

Syntax

set ProfileType settings SettingName {enable|disable|notconfigured}

Parameters

SettingName is one of the items in the following table:

localfirewallrules

  • enable. Firewall rules defined by the local administrator are merged with firewall rules from GPOs and are applied to the computer.

  • disable. Rules defined by the local administrator are ignored, and only firewall rules from GPOs are applied to the computer.

  • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting when managing a computer is enable. When managing a GPO, the default setting is notconfigured.

localconsecrules

  • enable. IPsec connection security rules defined by the local administrator are merged with connection security rules from GPOs and are applied to the computer.

  • disable. Rules defined by the local administrator are ignored, and only connection security rules from GPOs are applied to the computer.

  • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting for managing a computer is enable. When managing a GPO, the default setting is notconfigured.

inboundusernotification

  • enable. Windows notifies the user whenever a program or service starts listening for inbound connections.

  • disable. Windows does not notify the user whenever a program or service starts listening for inbound connections.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

On Windows Vista, the default value when managing a computer is enable. On Windows Server 2008, the default value when managing a computer is disable. When managing a GPO, the default setting for both operating systems is notconfigured.

remotemanagement

  • enable. Users with appropriate permissions on remote computers can manage the Windows Firewall with Advanced Security settings on this computer. This is equivalent to enabling the "Windows Firewall Remote Management" rule group for the profile.

  • disable. The Windows Firewall with Advanced Security settings on this computer cannot be managed from a remote computer.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

To use netsh to manage a remote computer, use the set machine command. For more information, see Netsh Commands for All Contexts. The default setting for managing a computer is disable. When managing a GPO, the default setting is notconfigured.

unicastresponsetomulticast

  • enable. The computer can receive unicast responses to outgoing multicast or broadcast messages.

  • disable. The computer discards unicast responses to outgoing multicast or broadcast messages.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting for managing a computer is enable. When managing a GPO, the default setting is notconfigured.

Examples

To enable the local computer to be managed by another computer when the local computer is connected using the Private profile:

set privateprofile settings remotemanagement enable

To prevent the computer from accepting inbound unicast responses to outbound multicast traffic in the currently active profile:

set currentprofile settings unicastresponsetomulticast disable

set {ProfileType} logging

Configures firewall logging settings related to Windows Firewall with Advanced Security.

Syntax

set ProfileType logging SettingName Value

Parameters

SettingName is one of the items in the following table:

allowedconnections

Value can be one of the following:
  • enable. Causes Windows to write an entry to the log whenever an incoming or outgoing connection is allowed.

  • disable. No logging for allowed connections.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting for managing a computer is disable. When managing a GPO, the default setting is notconfigured.

droppedconnections

Value can be one of the following:
  • enable. Causes Windows to write an entry to the log whenever an incoming or outgoing connection is prevented by policy.

  • disable. No logging for dropped connections.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting for managing a computer is disable. When managing a GPO, the default setting is notconfigured.

filename

Value is the path and file name of the file to which Windows writes log entries. Value can also be:
  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting for managing a computer is %windir%\system32\logfiles\firewall\pfirewall.log. When managing a GPO, the default setting is notconfigured.

maxfilesize

Value is a number from 1 to 32767 that specifies, in kilobytes, the maximum file size of the log. Value can also be:
  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting for managing a computer is 4096. When managing a GPO, the default setting is notconfigured.

Remarks

  • No IPsec related information is collected in the packet log. The log collects firewall related information only.

  • When you use the MMC snap-in or this netsh command to specify the log location directly on the local computer, the folder is automatically given the required permissions for the service to successfully write the log files. However, when you use Group Policy to configure a log somewhere other than the default location, the permissions are not automatically configured. You must ensure that the account NT SERVICE\mpssvc is given Write access to the folder where you want the logs placed. For more information, see article 929455 in the Microsoft Knowledge Base (http://support.microsoft.com/kb/929455).

Examples

To configure a Windows Firewall with Advanced Security log file at c:\logs\firewall.log that can grow to a maximum size of approximately 1 megabyte:

set currentprofile logging filename c:\logs\firewall.log

set currentprofile logging maxfilesize 1024

To log all dropped connections for all network profiles:

set allprofiles logging droppedconnections enable
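The droppedconnections log is only useful if something reads it. The following Python script is an added example and is not part of the netsh documentation: it parses the firewall log written to the filename path and summarizes inbound drops by destination port and by source address, which is the quickest way to spot a port sweep against the host. It assumes the log uses the W3C-style layout the firewall service writes, where comment lines start with "#" and a "#Fields:" header names the space-separated columns; the parser reads the column names from that header instead of hard-coding positions. The SAMPLE_LOG, the function names, and the addresses (RFC 5737 test ranges) are constructed for this example.

```python
"""Summarize dropped inbound connections from a Windows Firewall log.

Added example, not part of the netsh advfirewall documentation. Assumes the
log at the "filename" setting has a "#Fields:" header naming its columns.
"""
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of a log written after
# "set allprofiles logging droppedconnections enable" (test addresses only).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 203.0.113.7 192.0.2.10 51234 3389 52 S 3311247843 0 8192 - - - RECEIVE
2024-01-15 09:12:02 DROP TCP 203.0.113.7 192.0.2.10 51235 445 52 S 3311247900 0 8192 - - - RECEIVE
2024-01-15 09:12:03 ALLOW TCP 192.0.2.10 198.51.100.20 49888 443 0 - 0 0 0 - - - SEND
2024-01-15 09:12:04 DROP UDP 203.0.113.9 192.0.2.10 40000 137 78 - - - - - - - RECEIVE
2024-01-15 09:12:05 DROP TCP 203.0.113.7 192.0.2.10 51236 3389 52 S 3311248001 0 8192 - - - RECEIVE
"""


def parse_firewall_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Version, #Software, #Time Format
        if not fields:
            raise ValueError("log data appeared before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # partial line (e.g. still being written); skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def _inbound_drops(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def inbound_drops_by_port(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count dropped inbound packets per 'protocol/dst-port'."""
    counts = Counter(f"{r['protocol']}/{r['dst-port']}" for r in _inbound_drops(records))
    return dict(counts)


def noisy_sources(records: List[Dict[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Source addresses with at least `threshold` dropped inbound packets."""
    counts = Counter(r["src-ip"] for r in _inbound_drops(records))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Usage: python fwlog.py [path-to-pfirewall.log]; without a path, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            recs = parse_firewall_log(fh)
    else:
        recs = parse_firewall_log(SAMPLE_LOG.splitlines())
    print("inbound drops by port:", inbound_drops_by_port(recs))
    print("sources with repeated drops:", noisy_sources(recs))
```

Because the column list comes from the header, the same parser keeps working if a future log version adds or reorders fields, as long as the names used here (action, path, protocol, dst-port, src-ip) are still present.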

set global

Configures properties that apply to the firewall and IPsec settings, no matter which network profile is currently in use.

The set global command supports the following options:

set global statefulftp

Configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port. This affects both active and passive FTP.

  • With active FTP, the client initiates a connection to the server on TCP port 21 and includes a PORT command that indicates to the FTP server the port number on which it should respond. A typical firewall on the client would block this new connection as unsolicited inbound traffic since the packets to the new port are not in response to a request from that port.

  • With passive FTP, the client initiates a connection to the server on TCP port 21 and includes the PASV command. The server responds on TCP port 21 with a port number that the client must use for subsequent data transfer. The client then initiates a connection to the server on the specified port. A typical firewall on the FTP server would block this new incoming data connection as unsolicited inbound traffic since the packets received at the new port are not in response to a request from that port.

When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connection to the port number that was requested.

Syntax

set global statefulftp {enable|disable|notconfigured}

Parameters

statefulftp can be set to one of the following values:

enable

The firewall tracks the port numbers specified in PORT command requests and in the responses to PASV requests, and then allows the incoming FTP data traffic entering on the requested port number.

disable

This is the default value. The firewall does not track outgoing PORT commands or PASV responses, and so incoming data connections on the PORT or PASV requested port are blocked as unsolicited incoming connections.

notconfigured

Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

Remarks

  • The default setting when managing a computer running Windows Vista is enable. The default setting when managing a computer running Windows Server 2008 is disable. When managing a GPO, the default setting is notconfigured.

Examples

  • To configure Windows Firewall with Advanced Security to allow FTP data traffic through Windows Firewall when using either PORT or PASV commands:

    set global statefulftp enable

set global ipsec

Configures global IPsec options.

Syntax

set global ipsec SettingName Value

Parameters

SettingName is one of the items in the following table:

strongcrlcheck

Specifies whether IPsec checks certificates used in authentication against a certificate revocation list (CRL), and how it reacts to a certificate that is found to be on a CRL. Value can be one of the following:
  • 0. Specifies that IPsec does not perform any CRL checking.

  • 1. Specifies that IPsec authentication fails only if the certificate is found to be revoked.

  • 2. Specifies that IPsec authentication fails if there is any error during CRL checking, including a failure to retrieve the CRL.

  • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting when managing a local computer is 1. When managing a GPO, the default value is notconfigured.

saidletimemin

Value is an integer from 5 to 60 that specifies the number of minutes that a security association (SA) can stay idle before it is deleted. Once deleted, a new SA must be established before computers under the scope of the original SA can communicate again. Value can also be:
  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting when managing a local computer is 5 (minutes). When managing a GPO, the default value is notconfigured.

defaultexemptions

Specifies the protocols to be exempted from IPsec traffic. Value can be one of:
  • none. No protocols are exempted.

  • neighbordiscovery. Exempt only IPv6 Neighbor Discovery protocol traffic.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting when managing a local computer is neighbordiscovery. When managing a GPO, the default value is notconfigured.

ipsecthroughnat

Specifies whether IPsec can configure a security association (SA) when one or both computers involved are behind a network address translation (NAT) device. Value can be one of:
  • never. Specifies that an SA cannot be negotiated if either computer is behind a NAT device.

  • serverbehindnat. Specifies that an SA can be negotiated if only the server is on a private subnet behind a NAT device.

  • serverandclientbehindnat. Specifies that an SA can be negotiated if either or both of the computers are on private subnets behind NAT devices.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default setting when managing a local computer is never. When managing a GPO, the default value is notconfigured.

Examples

  • To configure IPsec to reject a connection attempt when certificate-based authentication fails, or if the CRL check encounters any error:

    set global ipsec strongcrlcheck 2

  • To configure IPsec to delete an SA after 15 minutes:

    set global ipsec saidletimemin 15

set global mainmode

Configures global options that control how IPsec performs Main Mode negotiations.

Syntax

set global mainmode SettingName Value

Parameters

SettingName is one of the items in the following table:

mmkeylifetime

Specifies the number of minutes and number of sessions established for a Main Mode SA before it expires and must be renegotiated. The format is:

    nummin,numsess

A value of 0 for either means that the SA does not expire based on the type specified. For example, the value 480min,0sess indicates that the SA expires every eight hours, but does not expire because of a certain number of sessions established. Value can also be:
  • notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default value is 480min,0sess.

mmsecmethods

Specifies the Diffie-Hellman key exchange group, integrity, and encryption protocols that are offered in IPsec negotiations with other computers. The format is either:
  • keyexch:enc-integrity[,enc-integrity][,…]

    Where:

    keyexch is one of:

    dhgroup1|dhgroup2|dhgroup14|ecdhp256|ecdhp384

    enc is one of:

    des|3des|aes128|aes192|aes256

    integrity is one of:

    md5|sha1

    You can enter multiple combinations of enc-integrity algorithms that use the same keyexch algorithm, by following the keyexch entry with the first enc-integrity pair, followed by additional pairs that are separated by commas.

  • default. When managing the local computer policy store, this entry is equivalent to entering the following entry:

    dhgroup2:aes128-sha1,3des-sha1

    When you are managing a GPO, this option behaves similarly to the notconfigured option, allowing the highest precedence policy that applies to the computer, and that does specify an mmsecmethods value to control the setting. If none of the GPOs or the local computer policy store sets the value, then the computer uses the value string displayed above.

  • notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the policy, which results in the policy not changing the value on the computer when the policy is applied.

The default value is dhgroup2:aes128-sha1,3des-sha1.

Note
We recommend that you do not use DHGroup1, DES, or MD5. They are no longer considered secure, and are provided for backward compatibility purposes only.

Examples

To configure IPsec to expire a Main Mode SA after four hours or 1000 sessions:

set global mainmode mmkeylifetime 240min,1000sess

To configure IPsec to use a specific Main Mode set:

set global mainmode mmsecmethods dhgroup2:des-md5,3des-sha1

To configure IPsec to use the default Main Mode set:

set global mainmode mmsecmethods default
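The mmsecmethods string is easy to get wrong, and netsh will happily apply a proposal set that still offers DHGroup1, DES, or MD5, which the note above says to avoid. The following Python module is an added example, not part of the netsh documentation: it parses an mmsecmethods value and an mmkeylifetime value against the syntax given in this section, rejects malformed input, lists the algorithms the note discourages, and returns the netsh lines that would apply the values, so a deployment script can validate before it touches the policy store. The accepted names, the expansion of "default", and the weak set come from the text above; the function names are this example's own.

```python
"""Validate netsh advfirewall Main Mode values before applying them.

Added example, not part of the netsh documentation. Allowed names and the
expansion of "default" are taken from the mmsecmethods/mmkeylifetime syntax
in the documentation; WEAK follows its note on DHGroup1, DES and MD5.
"""
import re
from typing import List, Tuple

KEY_EXCHANGE = {"dhgroup1", "dhgroup2", "dhgroup14", "ecdhp256", "ecdhp384"}
ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256"}
INTEGRITY = {"md5", "sha1"}
WEAK = {"dhgroup1", "des", "md5"}  # kept for backward compatibility only
# What "default" means for the local policy store, per the documentation.
DEFAULT_MMSECMETHODS = "dhgroup2:aes128-sha1,3des-sha1"
LIFETIME = re.compile(r"^(\d+)min,(\d+)sess$")


def parse_mmsecmethods(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse 'keyexch:enc-integrity[,enc-integrity]...' or 'default'.

    Returns (keyexch, [(enc, integrity), ...]); raises ValueError on bad input.
    """
    value = value.strip().lower()
    if value == "default":
        value = DEFAULT_MMSECMETHODS
    keyexch, sep, suites = value.partition(":")
    if not sep:
        raise ValueError("expected keyexch:enc-integrity[,enc-integrity]")
    if keyexch not in KEY_EXCHANGE:
        raise ValueError(f"unknown key exchange group: {keyexch!r}")
    pairs: List[Tuple[str, str]] = []
    for suite in suites.split(","):
        enc, dash, integ = suite.strip().partition("-")
        if not dash or enc not in ENCRYPTION or integ not in INTEGRITY:
            raise ValueError(f"bad enc-integrity pair: {suite.strip()!r}")
        pairs.append((enc, integ))
    return keyexch, pairs


def weak_algorithms(value: str) -> List[str]:
    """Algorithms in `value` that the documentation says not to use, in order of appearance."""
    keyexch, pairs = parse_mmsecmethods(value)
    names = [keyexch] + [name for pair in pairs for name in pair]
    found: List[str] = []
    for name in names:
        if name in WEAK and name not in found:
            found.append(name)
    return found


def parse_mmkeylifetime(value: str) -> Tuple[int, int]:
    """Parse 'nummin,numsess'; 0 on either side means no expiry on that basis."""
    m = LIFETIME.match(value.strip().lower())
    if not m:
        raise ValueError("expected the form nummin,numsess, for example 480min,0sess")
    return int(m.group(1)), int(m.group(2))


def build_mainmode_commands(mmsecmethods: str, mmkeylifetime: str) -> List[str]:
    """Validate both values and return the netsh advfirewall lines that would apply them.

    Raises ValueError if either value is malformed or mmsecmethods offers a weak algorithm.
    """
    weak = weak_algorithms(mmsecmethods)
    if weak:
        raise ValueError(f"mmsecmethods offers discouraged algorithms: {', '.join(weak)}")
    parse_mmkeylifetime(mmkeylifetime)
    return [
        f"set global mainmode mmsecmethods {mmsecmethods}",
        f"set global mainmode mmkeylifetime {mmkeylifetime}",
    ]


if __name__ == "__main__":
    for line in build_mainmode_commands("dhgroup14:aes256-sha1,aes128-sha1", "240min,1000sess"):
        print(line)
    print("weak in docs example:", weak_algorithms("dhgroup2:des-md5,3des-sha1"))
```

The returned lines are the same ones shown in the Examples above and can be piped into netsh advfirewall (or written to a script file) once validation passes; the point of validating first is that netsh itself gives no warning when a proposal set includes the backward-compatibility algorithms.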

set store

Specifies where changes made by subsequent netsh advfirewall commands are stored. When you first start the netsh command, you are by default working with the local computer's policy store (set store local).

To configure the policy store on a remote machine, you must use the set machine command. For more information, see the topic "Set Machine" in Netsh Commands for All Contexts.

Syntax

set store {local|gpo=ComputerName|gpo=Domain\GPOName|gpo=Domain\GPOUniqueID}

Parameters

local

Specifies that changes from subsequent commands are applied to the policy store on the local computer.

gpo=ComputerName

Specifies that changes from subsequent commands are applied to the computer with the indicated name in its local Group Policy object.

Note
The local GPO is separate from the local computer's policy store. It is stored on the local computer, not in Active Directory, and is merged with the Active Directory applied Group Policy objects when they are applied to the computer.

gpo=Domain\GPOName

Specifies that changes from subsequent commands are applied to the Group Policy object stored on domain Domain, and named GPOName.

gpo=Domain\GPOUniqueID

Specifies that changes from subsequent commands are applied to the Group Policy object stored on domain Domain, and identified by the GUID GPOUniqueID.

Remarks

  • You must stay in the same interactive netsh session; otherwise, the store setting is lost.

  • A domain name needs to be fully specified, including its Domain Name System (DNS) zone.

Examples

Set the policy store to the GPO on computer1:

set store gpo=computer1

Set the policy store to the GPO called laptops in the office.example.com domain:

set store gpo=office.example.com\laptops

Set the policy store to the GPO with a specific GUID in the office domain:

set store gpo=office.example.com\{842082DD-7501-40D9-9103-FE3A31AFDC9B}

show

Displays settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.

The show commands available at the netsh advfirewall> prompt are:

show {ProfileType}

Displays the currently configured options for a specified profile. This command displays information that is presented on the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles. For more information about network location types and profiles, see the introduction to set {ProfileType}.

Syntax

show ProfileType [Parameter]

Parameters

ProfileType

Required. The value can be one of the following:
  • allprofiles

  • currentprofile

  • domainprofile

  • privateprofile

  • publicprofile

[Parameter]

If not specified, then all of the following information is displayed:
  • state. Displays whether the Windows Firewall is enabled or not for the specified profile. See set state.

  • firewallpolicy. Displays the handling rules configured in the specified profile for inbound and outbound network traffic that does not match a separately defined firewall rule. See set firewallpolicy.

  • settings. Displays the general settings configured in the specified profile. See set settings.

  • logging. Displays the logging settings configured in the specified profile. See set logging.

Examples

To display all settings for all profiles:

show allprofiles

To display the firewall state for the current profile:

show currentprofile state

To display the current profile, and all of its settings:

show currentprofile

show global

Displays the configuration of the current policy store for properties that apply to the firewall and IPsec settings, no matter which profile is currently in use.

Syntax

show global [{ipsec|mainmode|statefulftp}]

Parameters

[{ipsec|mainmode|statefulftp}]


The value can be one of the following. If not specified, then all of the following information is displayed:
  • ipsec. Displays the current configuration of global IPsec options.

  • mainmode. Displays the current configuration of options that control how IPsec performs Main Mode negotiations.

  • statefulftp. Displays the current configuration of the option which controls how Windows Firewall with Advanced Security handles FTP network traffic. For more information, see set global statefulftp.

Examples

To display global IPsec configuration options:

show global ipsec

To display all global configuration options:

show global

show store

Displays where changes made by subsequent netsh advfirewall commands are stored.

Syntax

show store

Parameters

None.

Examples

To display the policy store currently being used by netsh advfirewall:

show store

Netsh AdvFirewall Consec context

Typing the command consec at the netsh advfirewall context changes to the netsh advfirewall consec context, where you can view, create, and modify connection security rules that specify how connections are protected by using IPsec. This context is the command-line equivalent to the Connection Security Rules node of the Windows Firewall with Advanced Security MMC snap-in.

The commands available in the consec context are:

add

In the netsh advfirewall consec context, the add command only has one variation, the add rule command.

add rule

Adds a connection security rule that defines IPsec requirements for network connections that match the specified criteria.

Syntax

add rule name=RuleName endpoint1=Addresses endpoint2=Addresses action={requireinrequestout|requestinrequestout|requireinrequireout|noauthentication} [description=DescriptionOfRule] [mode={transport|tunnel}] [enable={yes|no}] [profile={public|private|domain|any}[,...]] [type={dynamic|static}] [localtunnelendpoint=IPAddress] [remotetunnelendpoint=IPAddress] [port1={any|Integer}] [port2={any|Integer}] [protocol={any|tcp|udp|icmpv4|icmpv6|Integer}] [interfacetype={any|wireless|lan|ras}] [auth1={computerkerb|computercert|computerpsk|computerntlm|anonymous}[,...]] [auth1psk=PreSharedKey] [auth1ca="CAName [certmapping:{yes|no}] [excludecaname:{yes|no}][|...]"] [auth1healthcert={yes|no}] [auth2={userkerb|userntlm|usercert|computercert|anonymous}[,...]] [auth2ca="CAName [certmapping:{yes|no}][|...]"] [auth2healthcert={yes|no}] [qmpfs={dhgroup1|dhgroup2|dhgroup14|ecdhp256|ecdhp384|mainmode|none}] [qmsecmethods={ah:Integrity+esp:Integrity-Encryption+[Lifemin]+[Datakb][,...]|default}]

Parameters

name= RuleName


Required. Specifies the name of this connection security rule. The name should be unique, and cannot be "all."
endpoint1=Addresses endpoint2=Addresses


Required. Specifies the computers that are subject to the requirements of this rule. Computers that match endpoint1 can communicate with computers that match endpoint2 only when the requirements of this rule are satisfied. Endpoint1 and endpoint2 can be any of the following values:
  • any. Matches a computer with any IP address.

  • localsubnet. Matches any computer that is on the same IP subnet as the local computer.

  • dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

  • IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple entries can be specified for either endpoint1 or endpoint2 by separating them with a comma. Do not include any spaces in the completed comma separated text.
action={requireinrequestout| requestinrequestout| requireinrequireout| noauthentication}


Required. Specifies whether authentication is requested or required for connections that match the rule. Action can be one of the following values:
  • requireinrequestout. Specifies that the local computer must successfully authenticate all inbound network connections that match this rule. If the authentication is not successful, then the inbound network traffic is discarded. The local computer attempts to authenticate any outbound network connections that match this rule, but allows the connection if the authentication attempt fails.

  • requestinrequestout. Specifies that the local computer attempts to authenticate any inbound or outbound network connection that matches this rule, but allows the connection if the authentication attempt fails.

  • requireinrequireout. Specifies that the local computer requires successful IPsec negotiation for all inbound and outbound network connections that match this rule. If an authentication attempt fails, then the network connection is prevented, and any related network traffic is discarded.

  • noauthentication. Specifies that the local computer does not attempt authentication for any network connections that match this rule. This option is typically used to grant IPsec exemptions for network connections that do not need to be protected by IPsec, but would otherwise match other rules that could cause the connection to be dropped.

[description=DescriptionOfRule]


Provides information about the connection security rule.
[mode={transport|tunnel}]


Specifies whether this connection security rule defines an IPsec transport mode connection or an IPsec tunnel mode connection. If mode is not specified, the default is transport.
[enable={yes|no}]


Specifies whether the rule is currently enabled. If enable is not specified, the default is yes.
[profile={public| private| domain| any|[,...]}]


Specifies the profile(s) to which the connection security rule is assigned. The rule is only active on the local computer when the specified profile is the currently active profile. If profile is not specified, the default is any.
[type={dynamic|static}]


Specifies how the rule is applied to the current session and whether the rule is stored. The value can be one of the following:
  • dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not stored in any policy container and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

  • static. The rule is stored in the policy container currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer. If the computer's local policy store is the active store, then the rule is immediately applied.

If type is not specified, the default is static.
[localtunnelendpoint=IPAddress]


Required and valid only if mode=tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint1 to computers that match endpoint2. The traffic is sent from this IP address to the device identified as the remotetunnelendpoint. This value must use the same type of IP address as the remotetunnelendpoint, either IPv4 or IPv6.
[remotetunnelendpoint=IPAddress]


Required and valid only if mode=tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint2 to computers that match endpoint1. The traffic is sent from this remote IP address to the local gateway identified as the localtunnelendpoint. This value must use the same type of IP address as the localtunnelendpoint, either IPv4 or IPv6.
[port1={any|Integer}]


Specifies the port number of network traffic coming from endpoint1 computers that is subject to the requirements of this rule. Only traffic matching the specified port1, port2, and protocol values is subject to the requirements of this rule. If port1 is set to a value other than any, then the protocol value must be set to tcp or udp. If port1 is not specified, the default is any.
Note
This is an advanced setting and is not displayed in the Windows Firewall with Advanced Security MMC snap-in.
[port2={any|Integer}]


Specifies the port number of network traffic arriving at endpoint2 computers that is subject to the requirements of this rule. Only traffic matching the specified port1, port2, and protocol values is subject to the requirements of this rule. If port2 is set to a value other than any, then the protocol value must be set to tcp or udp. If port2 is not specified, the default is any.
Note
This is an advanced setting and is not displayed in the Windows Firewall with Advanced Security MMC snap-in.
[protocol={any| tcp| udp| icmpv4| icmpv6| Integer}


Specifies the protocol of network traffic that is subject to the requirements of this rule. If a port number is identified by using port1 or port2, then protocol must be set to tcp or udp. The values icmpv4 and icmpv6 are typically used to create a rule that exempts ICMP network traffic from the IPsec requirements of another rule. If protocol is not specified, the default is any.
Note
This is an advanced setting and is not displayed in the Windows Firewall with Advanced Security MMC snap-in.
[interfacetype={any| wireless| lan| ras}]


Specifies that only network connections made through the indicated interface type are subject to the requirements of this rule. Using this parameter allows you to specify different authentication requirements for each of the three interface types. The value must be one of the following:
  • any. This rule is applied to network connections made through any of the interface types.

  • wireless. This rule is applied only when the network connection is through a wireless network.

  • lan. This rule is applied only when the network connection is through a wired LAN adapter.

  • ras. This rule is applied only when the network connection is through a RAS interface, such as a VPN or dial-up network connection.

If interfacetype is not specified, the default is any.
[auth1={computerkerb| computercert| computerpsk| computerntlm| anonymous|[,...]}]


Specifies the methods offered for Main Mode first authentication during IPsec negotiations. Multiple values can be included by separating them with commas. Do not include any spaces. If the negotiation uses IKE, the first match between the two computers is attempted. If it fails, the negotiation fails. If the negotiation uses AuthIP, then each match is tried in order until one succeeds. If they all fail, then the negotiation fails. Windows uses IKE when it can, and uses AuthIP if you specify any options that are not supported by IKE. For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that first authentication is optional. The value can be any of the following:
  • computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

  • computercert. This method uses a computer certificate issued by a Certification Authority (CA).

  • computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. The preshared key is stored in plaintext. We strongly recommend the use of a more secure authentication method.

  • computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

  • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

[auth1psk=PreSharedKey]


Required only if computerpsk is included in the auth1 parameter. Specifies the preshared key value that is used for authentication if the computerpsk option is negotiated. The value is stored in plaintext, and we recommend that you do not use preshared key authentication.
[auth1ca="CAName [certmapping:{yes|no}] [excludecaname:{yes|no}][|...]"]


Specifies certificate authentication options for Main Mode first authentication, and is valid only if auth1 includes computercert. Multiple CAs can be referenced by separating each entry with the '|' character. The completed value must be enclosed in double quotation marks ("). Each entry in the value is a text string that contains the following elements:
CAName


Specifies the distinguished name of the certification authority (CA) whose certificates are accepted for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
certmapping:{yes|no}


Specifies whether to enable certificate-to-account mapping.
excludecaname:{yes|no}


Specifies whether to omit the list of trusted root CA names from the certificate request sent to the peer, so that the peer does not learn which CAs this computer trusts.
[auth1healthcert={yes|no}]


Specifies that the computer certificate specified in auth1ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercert. If auth1healthcert is not specified, the default is no.
[auth2={userkerb| userntlm| usercert| computercert| anonymous|[,...]}]


Specifies the methods for Main Mode second authentication offered during IPsec negotiations. Use of a second authentication causes the negotiation to use AuthIP instead of IKE. Multiple values can be included by separating them with commas. They are attempted in the order listed. The first successful method is the one used. If auth1 contains computerpsk, then you cannot use auth2. For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that second authentication is optional. The value can be any of the following:
  • userkerb. This method uses the Kerberos v5 protocol to authenticate the user against an account in an Active Directory domain.

  • userntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the user against an account in an Active Directory domain.

  • usercert. This method uses a user certificate issued by a Certification Authority (CA).

  • computercert. This method uses a computer health certificate issued by a Network Access Protection (NAP) server on the domain. You must specify auth2healthcert=yes to use this value.

  • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last.

Note
auth2 cannot be used if auth1 contains computerpsk. Credentials used in auth2 must be all user-based or all computer-based. You cannot mix them.
[auth2ca="CAName [certmapping:{yes|no}][|...]"]


Specifies certificate authentication options for Main Mode second authentication, and is valid only if auth2 contains usercert or computercert. Multiple CAs can be referenced by separating each entry with the '|' character. The completed value must be enclosed in double quotation marks ("). Each entry in the value is a text string that contains the following elements:
CAName


Specifies the distinguished name of the certification authority (CA) whose certificates are accepted for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
certmapping:{yes|no}


Specifies whether to enable certificate-to-account mapping.
[auth2healthcert={yes|no}]


Specifies that the computer certificate specified in auth2ca is a computer health certificate provided by a Network Access Protection (NAP) server on the domain. If auth2 includes computercert, then auth2healthcert must be yes. In all other cases, auth2healthcert must be no. If auth2healthcert is not specified, the default is no.
[qmpfs={dhgroup1| dhgroup2| dhgroup14| ecdhp256| ecdhp384| mainmode| none}]


Specifies the method used to establish Quick Mode perfect forward secrecy. If mainmode is specified, then the key exchange specified for Main Mode is used. If qmpfs is not specified, the default is none.
[qmsecmethods={ah:Integrity+esp:Integrity-Encryption+[Lifemin]+[Datakb][,...]| default}]


Specifies one or more Quick Mode security suites, separated by commas. There must be no spaces included. The value is defined by one of the following formats:
  • ah: AHIntegrity +esp: EspIntegrity - Encryption[+Lifemin][+Datakb][,…]

Where:
AHIntegrity


Specifies an integrity algorithm for the AH protocol. AHIntegrity can be md5 or sha1. To specify that you do not want to use AH, omit the ah:AHIntegrity portion of the suite.
EspIntegrity


Specifies an integrity algorithm for the ESP protocol. EspIntegrity can be md5, sha1, or none.
Encryption


Specifies the encryption algorithm used. Encryption can be des, 3des, aes128, aes192, aes256, or none.
Lifemin


Specifies the session key lifetime in minutes, written as the number of minutes followed by min (for example, 30min). The default value is 60 minutes.
Datakb


Specifies the session key lifetime in kilobytes, written as the number of kilobytes followed by kb (for example, 50000kb). After the specified amount of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
  • default. When you manage the local computer policy store, this value is equivalent to entering the following (line breaks are included only for clarity):

    AH:SHA1+60min+100000kb,

    ESP:SHA1-None+60min+100000kb,

    ESP:SHA1-AES128+60min+100000kb,

    ESP:SHA1-3DES+60min+100000kb

    When you are managing a Group Policy object, this option behaves similarly to the notconfigured option, allowing the highest precedence policy that applies to the computer, and that does specify a qmsecmethods value to control the setting. If none of the Group Policy objects or the local computer policy store sets the value, then the computer uses the value displayed above.

Remarks

  • Do not create a connection security rule with the name all. Doing this creates a conflict with the netsh option to select all connection security rules (for example, delete rule name=all).

  • When mode=tunnel, you must specify both tunnel endpoints and you must specify action=requireinrequireout.

  • At least one Main Mode authentication method must be specified, unless action=noauthentication.

  • Do not make Main Mode first and second authentication methods both optional as this is equivalent to disabling authentication.

  • Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\').

  • The ability to set Quick Mode integrity and encryption offerings on a per-rule basis is available only by using the netsh add rule and set rule commands. The Windows Firewall with Advanced Security MMC snap-in allows you to set the per-computer default Quick Mode integrity and encryption settings, but provides no means to configure them on a per-rule basis.

  • We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.
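The qmsecmethods grammar described above is easy to get wrong by hand, and the Remarks list algorithms that should no longer be offered. The following Python script is an added example written for this page; it is not part of the original reference and is not netsh code. It parses a qmsecmethods value into its suites, applies the documented lifetime defaults, expands the default keyword to the documented local-store value, and reports any suite that still offers des or md5. The function and class names are my own; refusing an ESP suite with neither integrity nor encryption is a check I added, not a rule stated on this page.

```python
"""Parse and audit the qmsecmethods value of a netsh advfirewall consec rule.

Grammar (from the parameter description above):
  suite[,suite...]  where suite = [ah:AHIntegrity+]esp:EspIntegrity-Encryption[+Lifemin][+Datakb]
  (a suite may also be AH only: ah:AHIntegrity[+Lifemin][+Datakb])
"""
from dataclasses import dataclass
from typing import List, Optional

# Algorithm keywords the page documents for each position.
AH_INTEGRITY = {"md5", "sha1"}
ESP_INTEGRITY = {"md5", "sha1", "none"}
ESP_ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256", "none"}
# Kept for backward compatibility only, per the Remarks; a hardened policy should not offer them.
DEPRECATED = {"des", "md5"}

# Documented defaults for the local policy store.
DEFAULT_LIFE_MIN = 60
DEFAULT_DATA_KB = 100000
DEFAULT_SUITES = "ah:sha1,esp:sha1-none,esp:sha1-aes128,esp:sha1-3des"


@dataclass(frozen=True)
class QmSuite:
    ah_integrity: Optional[str]    # None when the suite does not use AH
    esp_integrity: Optional[str]   # None when the suite does not use ESP
    esp_encryption: Optional[str]  # None when the suite does not use ESP
    life_min: int = DEFAULT_LIFE_MIN
    data_kb: int = DEFAULT_DATA_KB

    def weak_algorithms(self) -> List[str]:
        """Deprecated algorithms offered by this suite (empty list if none)."""
        offered = (self.ah_integrity, self.esp_integrity, self.esp_encryption)
        return sorted(a for a in offered if a in DEPRECATED)


def parse_suite(text: str) -> QmSuite:
    """Parse one '+'-joined suite, e.g. 'ah:sha1+esp:sha1-3des+30min+50000kb'."""
    ah = esp_int = esp_enc = None
    life, data = DEFAULT_LIFE_MIN, DEFAULT_DATA_KB
    for part in text.lower().split("+"):
        if part.startswith("ah:"):
            if ah is not None or part[3:] not in AH_INTEGRITY:
                raise ValueError(f"bad AH integrity in {text!r}")
            ah = part[3:]
        elif part.startswith("esp:"):
            integ, sep, enc = part[4:].partition("-")
            if esp_int is not None or not sep or integ not in ESP_INTEGRITY or enc not in ESP_ENCRYPTION:
                raise ValueError(f"bad ESP suite in {text!r}")
            esp_int, esp_enc = integ, enc
        elif part.endswith("min") and part[:-3].isdigit():
            life = int(part[:-3])
        elif part.endswith("kb") and part[:-2].isdigit():
            data = int(part[:-2])
        else:
            raise ValueError(f"unrecognised element {part!r} in {text!r}")
    if ah is None and esp_int is None:
        raise ValueError(f"{text!r} names neither AH nor ESP")
    # Added check (not a rule stated on the page): ESP with neither integrity
    # nor encryption protects nothing, so refuse it.
    if esp_int == "none" and esp_enc == "none":
        raise ValueError(f"{text!r} offers ESP with no integrity and no encryption")
    return QmSuite(ah, esp_int, esp_enc, life, data)


def parse_qmsecmethods(value: str) -> List[QmSuite]:
    """Parse a complete value; 'default' expands to the documented local-store default."""
    if " " in value:
        raise ValueError("qmsecmethods must not contain spaces")
    if value.lower() == "default":
        value = DEFAULT_SUITES
    return [parse_suite(s) for s in value.split(",")]


def audit_qmsecmethods(value: str) -> List[str]:
    """One finding per suite that offers a deprecated algorithm; empty list means clean."""
    findings = []
    for i, suite in enumerate(parse_qmsecmethods(value), start=1):
        weak = suite.weak_algorithms()
        if weak:
            findings.append(f"suite {i}: offers deprecated {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    # The custom proposal used in this page's examples, and a weak one for contrast.
    for value in ("ah:sha1+esp:sha1-3des,ah:sha1,esp:sha1-none,esp:none-aes256+30min+50000kb",
                  "esp:md5-des,esp:sha1-aes256"):
        print(value, "->", audit_qmsecmethods(value) or ["no deprecated algorithms"])
```

Because the parser never touches the firewall, the same audit can be run against values extracted from a GPO export or a change request before the rule reaches a policy store.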

Examples

  • The following command creates a rule that could be used in a domain isolation scenario, where incoming traffic is only permitted from other domain member computers.

    add rule name="Domain Isolation Rule" endpoint1=any endpoint2=any action=requireinrequestout

  • The following command creates a similar domain isolation rule, but uses a custom Quick Mode proposal that includes multiple Quick Mode suites, separated by commas. The first suite illustrates how to include both AH and ESP in a single suite. The second suite illustrates how to specify AH only. The third suite illustrates how to specify ESP only, and uses the none keyword to omit encryption. The final suite illustrates how to use the none keyword to specify ESP with encryption but no integrity algorithm; it also illustrates how to set a custom SA lifetime using both a time and a data-volume value.

    add rule name="Domain Isolation Custom QM Rule" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des,ah:sha1,esp:sha1-none,esp:none-aes256+30min+50000kb

  • The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is integrity checked using ESP/SHA1, and encrypted using ESP/3DES.

    add rule name="My Tunnel" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des

  • The following command creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful. Note that multiple certificates are separated by a vertical bar (|) character, and that the single quotes around the certificate names must be prefaced with the backslash (\) character to be interpreted correctly.

    add rule name="Authenticate with Certificates Rule" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="C=US,O=MSFT,CN=\'Microsoft Root Authority\'|C=US,O=MYORG,CN=\'My Organizations Root Certificate\'"

  • The following command creates a rule that requires a first (computer) authentication and attempts an optional second (user) authentication:

    add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
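The parameter descriptions and Remarks above spell out several combinations that netsh rejects: a rule named all, computerpsk combined with computerntlm, with anonymous or with any auth2 method, mixed user-based and computer-based auth2 methods, first and second authentication both optional, tunnel mode without both tunnel endpoints or without action=requireinrequireout, and port1 or port2 without protocol=tcp or udp. The Python function below is an added example written for this page, not code from the original reference or from netsh: it checks those combinations and the endpoint address grammar, then assembles the add rule command line, so a scripted deployment fails before it touches the policy store. It only emits the command text and never runs netsh. The function names are mine; the addresses in the usage block are either taken from the examples above or constructed (10.x and fd00:: ranges) for illustration.

```python
"""Assemble a 'netsh advfirewall consec add rule' command line and check the
parameter combinations the page documents as invalid before anything is run."""
import ipaddress

ENDPOINT_KEYWORDS = {"any", "localsubnet", "dns", "dhcp", "wins", "defaultgateway"}
ACTIONS = {"requireinrequestout", "requestinrequestout", "requireinrequireout", "noauthentication"}
AUTH1_METHODS = {"computerkerb", "computercert", "computerpsk", "computerntlm", "anonymous"}
AUTH2_USER = {"userkerb", "userntlm", "usercert"}
AUTH2_COMPUTER = {"computercert"}


def check_endpoint(spec: str) -> str:
    """Validate the endpoint grammar: keywords, addresses, subnets (prefix length or mask)
    and ranges, comma separated with no spaces. Returns the spec unchanged if valid."""
    if not spec or " " in spec:
        raise ValueError(f"endpoint {spec!r} is empty or contains spaces")
    for item in spec.split(","):
        if item.lower() in ENDPOINT_KEYWORDS:
            continue
        if "-" in item:                       # IPRange: start-end, same address family
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range {item!r}")
        elif "/" in item:                     # IPSubnet: /bits or /mask
            ipaddress.ip_network(item, strict=False)
        else:                                 # single IPAddress
            ipaddress.ip_address(item)
    return spec


def build_add_rule(name, endpoint1, endpoint2, action, mode="transport",
                   localtunnelendpoint=None, remotetunnelendpoint=None,
                   port1="any", port2="any", protocol="any",
                   auth1=None, auth1psk=None, auth2=None, auth2healthcert="no",
                   qmsecmethods=None) -> str:
    if not name or name.lower() == "all":
        raise ValueError("rule name is required and cannot be 'all'")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    check_endpoint(endpoint1)
    check_endpoint(endpoint2)
    # auth1 omitted means netsh applies its own default, as the page's first example relies on.
    a1 = auth1.lower().split(",") if auth1 else []
    a2 = auth2.lower().split(",") if auth2 else []
    if set(a1) - AUTH1_METHODS or set(a2) - (AUTH2_USER | AUTH2_COMPUTER | {"anonymous"}):
        raise ValueError("unknown authentication method")
    if ("anonymous" in a1 and a1[-1] != "anonymous") or ("anonymous" in a2 and a2[-1] != "anonymous"):
        raise ValueError("anonymous must be the last method offered")
    if "computerpsk" in a1:
        if {"computerntlm", "anonymous"} & set(a1) or a2:
            raise ValueError("computerpsk cannot be combined with computerntlm, anonymous or auth2")
        if not auth1psk:
            raise ValueError("auth1psk is required when auth1 includes computerpsk")
    kinds = {"user" if m in AUTH2_USER else "computer" for m in a2 if m != "anonymous"}
    if len(kinds) > 1:
        raise ValueError("auth2 methods must be all user-based or all computer-based")
    if "anonymous" in a1 and "anonymous" in a2:
        raise ValueError("optional first and second authentication is equivalent to no authentication")
    if ("computercert" in a2) != (auth2healthcert == "yes"):
        raise ValueError("auth2healthcert=yes is required with, and only with, auth2=computercert")
    if mode == "tunnel":
        if not (localtunnelendpoint and remotetunnelendpoint):
            raise ValueError("tunnel mode needs both localtunnelendpoint and remotetunnelendpoint")
        if ipaddress.ip_address(localtunnelendpoint).version != ipaddress.ip_address(remotetunnelendpoint).version:
            raise ValueError("tunnel endpoints must both be IPv4 or both be IPv6")
        if action != "requireinrequireout":
            raise ValueError("tunnel mode requires action=requireinrequireout")
    if (port1 != "any" or port2 != "any") and protocol not in ("tcp", "udp"):
        raise ValueError("port1/port2 require protocol=tcp or protocol=udp")

    parts = [f'name="{name}"']
    if mode != "transport":
        parts.append(f"mode={mode}")
    parts += [f"endpoint1={endpoint1}", f"endpoint2={endpoint2}"]
    if mode == "tunnel":
        parts += [f"localtunnelendpoint={localtunnelendpoint}", f"remotetunnelendpoint={remotetunnelendpoint}"]
    parts.append(f"action={action}")
    # Optional parameters are emitted only when they differ from the netsh default.
    for key, val, default in (("port1", port1, "any"), ("port2", port2, "any"), ("protocol", protocol, "any"),
                              ("auth1", auth1, None), ("auth1psk", auth1psk, None), ("auth2", auth2, None),
                              ("auth2healthcert", auth2healthcert, "no"), ("qmsecmethods", qmsecmethods, None)):
        if val is not None and val != default:
            parts.append(f"{key}={val}")
    return "netsh advfirewall consec add rule " + " ".join(parts)


if __name__ == "__main__":
    print(build_add_rule("Domain Isolation Rule", "any", "any", "requireinrequestout"))
    print(build_add_rule("My Tunnel", "192.168.0.0/16", "192.157.0.0/16", "requireinrequireout",
                         mode="tunnel", localtunnelendpoint="1.1.1.1", remotetunnelendpoint="2.2.2.2",
                         qmsecmethods="esp:sha1-3des"))
    # Constructed endpoint list exercising every address form the page allows.
    print(check_endpoint("10.0.0.0/255.255.255.0,10.1.0.1-10.1.0.20,localsubnet,fd00::/64"))
```

The returned string is the command exactly as it would be typed at the command prompt; pass it to subprocess on the target Windows computer, or run it after set store has selected a GPO so the rule lands in that store rather than in the local policy.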

delete

In the netsh advfirewall consec context, the delete command only has one variation, the delete rule command.

delete rule

Deletes all connection security rules that match the specified criteria.

Syntax

delete rule name={all|RuleName} [type={dynamic|static}] [profile={public|private|domain|any|[,...]}] [endpoint1=Addresses] [endpoint2=Addresses] [port1={any|Integer}] [port2={any|Integer}] [protocol={any|tcp|udp|icmpv4|icmpv6|Integer}]

Parameters

name={all|RuleName}


Required. You can specify one of the following values:
  • The rule name of the connection security rule you want deleted. Only the rule with the specified name is deleted.

  • all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command then all connection security rules are deleted.

[type={dynamic|static}]


Specifies that only rules of the selected type are deleted. The value can be either dynamic or static.
[profile={public| private| domain| any|[,...]}]


Specifies that only rules assigned to the specified profile(s) are deleted. If profile is not specified, the default is any.
[endpoint1=Addresses] [endpoint2=Addresses]


Specifies that only rules that match the IP addresses, ranges, subnets, or server types are deleted. Endpoint1 and endpoint2 can be any of the following values:
  • IPAddress. Specifies an IPv4 or IPv6 address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

  • One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

You can specify multiple entries for either endpoint1 or endpoint2 by separating them with a comma.
[port1={any|Integer}] [port2={any|Integer}]


Specifies that only rules that match the port numbers indicated are deleted.
[protocol={any| tcp| udp| icmpv4| icmpv6| Integer}]


Specifies that only rules that match the indicated protocol values are deleted.

Remarks

  • If multiple rules are found that match the specified criteria, then they are all deleted.

Examples

  • The following example deletes a rule based on its exact name:

    delete rule name="rule1"

  • The following example deletes all dynamic rules from all profiles:

    delete rule name=all type=dynamic

set

In the netsh advfirewall consec context, the set command only has one variation, the set rule command.

set rule

Modifies an existing connection security rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.

Syntax

set rule name={all|RuleName} [type={dynamic|static}] [profile={public|private|domain|any}[,...]] [endpoint1=Addresses] [endpoint2=Addresses] [port1={any|Integer}] [port2={any|Integer}] [protocol={any|tcp|udp|icmpv4|icmpv6|Integer}] new [name=NewRuleName] [profile={public|private|domain|any}[,...]] [description=NewRuleDescription] [mode={transport|tunnel}] [endpoint1=Addresses] [endpoint2=Addresses] [action={requireinrequestout|requestinrequestout|requireinrequireout|noauthentication}] [enable={yes|no}] [type={dynamic|static}] [localtunnelendpoint=IPAddress] [remotetunnelendpoint=IPAddress] [port1={any|Integer}] [port2={any|Integer}] [protocol={any|tcp|udp|icmpv4|icmpv6|Integer}] [interfacetype={any|wireless|lan|ras}] [auth1={computerkerb|computercert|computerpsk|computerntlm|anonymous}[,...]] [auth1psk=PreSharedKey] [auth1ca="CAName [certmapping:{yes|no}] [excludecaname:{yes|no}][|...]"] [auth1healthcert={yes|no}] [auth2={userkerb|userntlm|usercert|computercert|anonymous}[,...]] [auth2ca="CAName [certmapping:{yes|no}][|...]"] [auth2healthcert={yes|no}] [qmpfs={dhgroup1|dhgroup2|dhgroup14|ecdhp256|ecdhp384|mainmode|none}] [qmsecmethods={ah:Integrity+esp:Integrity-Encryption+[Lifemin]+[Datakb][,...]|default}]

Parameters

name={all|RuleName}


Required. Specifies the rule name assigned to an existing rule that you want to modify. If name=all, then all rules that match all other criteria listed before the new keyword are modified. If name=all and no other parameters are included before the new keyword, then all rules are modified as indicated.
[type={dynamic|static}]


Specifies that only matching rules of the indicated type are modified. The value of type can be either dynamic or static.
[profile={public| private| domain| any|[,...]}]


Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify more than one profile, then only rules that include the exact same list of profiles match.
[endpoint1=Addresses] [endpoint2=Addresses]


Specifies that only rules that match the IP addresses, ranges, subnets, or server types are modified. Endpoint1 and endpoint2 can be any of the following values:
  • any. Matches a computer with any IP address.

  • localsubnet. Matches any computer that is on the same IP subnet as the local computer.

  • dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

  • IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple entries can be specified for either endpoint1 or endpoint2 by separating them with a comma. Do not include any spaces in the completed comma separated text.
[port1={any|Integer}] [port2={any|Integer}]


Specifies that only rules that match the port numbers indicated are modified.
[protocol={any| tcp| udp| icmpv4| icmpv6| Integer}


Specifies that only rules that match the indicated protocol values are modified.
new


Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any parameter that follows this keyword indicates a value that is modified in the rules that match the specified criteria.
[name=NewRuleName]


Specifies a new name for the connection security rule. The name should be unique, and cannot be "all".
[profile={public| private| domain| any|[,...]}]


Specifies the profile(s) to which the connection security rule is assigned. The rule is only applied when the specified profile is the currently active profile.
[description=DescriptionOfRule]


Provides information about the connection security rule.
[mode={transport|tunnel}]


Specifies whether this connection security rule defines an IPsec transport mode connection, or an IPsec tunnel mode connection.
[endpoint1=Addresses] [endpoint2=Addresses]


Specifies the computers that are subject to the requirements of this rule. Computers that match endpoint1 can communicate with computers that match endpoint2 only when the requirements of this rule are satisfied. Endpoint1 and endpoint2 can be any of the keywords, addresses, subnets, ranges, or server types described for the endpoint1 and endpoint2 parameters that precede the new keyword above.
[action={requireinrequestout| requestinrequestout| requireinrequireout| noauthentication}]


Specifies whether authentication is requested or required for connections that match the rule. Action can be one of the following values:
  • requireinrequestout. Specifies that the local computer requires successful authentication for all inbound network connections that match this rule. If the authentication is not successful, then the inbound network traffic is discarded. The local computer attempts to authenticate any outbound network connections that match this rule, but still allows the connection if the authentication attempt fails.

  • requestinrequestout. Specifies that the local computer attempts to authenticate any inbound or outbound network connection that matches this rule, but still allows the connection if the authentication attempt fails.

  • requireinrequireout. Specifies that the local computer requires successful IPsec negotiation for all inbound and outbound network connections that match this rule. If an authentication attempt fails, then the network connection is prevented, and any related network traffic is discarded.

  • noauthentication. Specifies that the local computer does not attempt authentication for any network connections that match this rule. This option is typically used to grant IPsec exemptions for network connections that do not need to be protected by IPsec, but would otherwise match other rules that could cause the connection to be dropped.

[enable={yes|no}]


Specifies whether the rule is currently enabled.
[type={dynamic|static}]


Specifies how the rule is applied to the current session and whether the rule is stored. The value can be one of the following:
  • dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not saved in any store and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

  • static. The rule is saved in the store currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer.

[localtunnelendpoint=IPAddress]


Required and valid only if mode=tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint1 to computers that match endpoint2. The traffic is sent from this IP address to the gateway identified as the remotetunnelendpoint. This value must use the same type of IP address as the remotetunnelendpoint, either IPv4 or IPv6.
[remotetunnelendpoint=IPAddress]


Required and valid only if mode=tunnel. Specifies the IP address of the computer or gateway device that sends traffic from computers that match endpoint2 to computers that match endpoint1. The traffic is sent from this remote IP address to the local gateway identified as the localtunnelendpoint. This value must use the same type of IP address as the localtunnelendpoint, either IPv4 or IPv6.
[port1={any|Integer}]


Specifies the port number of network traffic coming from endpoint1 computers that is subject to the requirements of this rule. Only traffic matching the specified port1, port2, and protocol values are subject to the requirements of this rule. If port1 is set to a value other than any, then the protocol value must be set to tcp or udp.
Note
This is an advanced setting and is not displayed on the Windows Firewall with Advanced Security MMC snap-in.
[port2={any|Integer}]


Specifies the port number of network traffic arriving at endpoint2 computers that is subject to the requirements of this rule. Only traffic matching the specified port1, port2, and protocol values are subject to the requirements of this rule. If port2 is set to a value other than any, then the protocol value must be set to tcp or udp.
Note
This is an advanced setting and is not displayed on the Windows Firewall with Advanced Security MMC snap-in.
[protocol={any| tcp| udp| icmpv4| icmpv6| Integer}]


Specifies the protocol of network traffic that is subject to the requirements of this rule. If a port number is identified by using port1 or port2, then protocol must be set to tcp or udp.
[interfacetype={any| wireless| lan| ras}]


Specifies that only network connections made through the indicated interface types are subject to the requirements of this rule. Using this parameter allows you to specify different authentication requirements for each of the three main network types. The value can be one of the following:
  • any. The requirements of this rule are applied to network connections made through any of the interface types.

  • wireless. The requirements of this rule are applied only when the network connection is through a wireless network.

  • lan. The requirements of this rule are applied only when the network connection is through a wired LAN adapter.

  • ras. The requirements of this rule are applied only when the network connection is through a RAS interface, such as a VPN or dial-up network connection.

[auth1={computerkerb| computercert| computerpsk| computerntlm| anonymous|[,...]}]


Specifies the methods offered for Main Mode first authentication during IPsec negotiations. Multiple values can be included by separating them with commas. Do not include any spaces. If the negotiation uses IKE, the first match between the two computers is attempted. If it fails, the negotiation fails. If the negotiation uses AuthIP, then each match is tried in order, until one succeeds. If they all fail, then the negotiation fails. Windows uses IKE when it can, and uses AuthIP if you specify any options that are not supported by IKE. For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that first authentication is optional. The value can be any of the following:
  • computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

  • computercert. This method uses a computer certificate issued by a Certification Authority (CA).

  • computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. We strongly recommend the use of a more secure authentication method.

  • computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

  • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

[auth1psk=PreSharedKey]


Required and valid only if computerpsk is included in the auth1 parameter. Specifies the preshared key value that is used for authentication if the computerpsk option is negotiated.
[auth1ca="CAName [certmapping:{yes|no}] [excludecaname:{yes|no}][|...]"]


Specifies certificate authentication options for Main Mode first authentication, and is valid only if auth1 includes computercert. Multiple certificates can be referenced by separating each entry by using the vertical bar (|) character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:
CAName


Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on as required.
certmapping:{yes|no}


Specifies whether to enable certificate-to-account mapping.
excludecaname:{yes|no}


Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
[auth1healthcert={yes|no}]


Specifies that the computer certificate specified in auth1ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercert.
[auth2={userkerb| userntlm| usercert| computercert| anonymous|[,...]}]


Specifies the methods for Main Mode second authentication offered during IPsec negotiations. Using auth2 results in the negotiation being performed by using the AuthIP protocol instead of the IKE protocol. Multiple values can be included by separating them with commas. They are attempted in the order displayed. The first successful method is the one used. If auth1 contains computerpsk, then you cannot use auth2. For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that second authentication is optional. The value can be any of the following:
  • userkerb. This method uses the Kerberos v5 protocol to authenticate the user account.

  • userntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the user account.

  • usercert. This method uses a user certificate issued by a Certification Authority (CA).

  • computercert. This method uses a computer health certificate issued by a Network Access Protection (NAP) server on the domain. You must specify auth2healthcert=yes to use this value.

  • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last.

[auth2ca="CAName [certmapping:{yes|no}][|...]"]


Specifies certificate authentication options for Main Mode second authentication. Valid only if auth2 contains usercert or computercert. Multiple certificates can be referenced by separating each entry by a vertical bar (|) character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:
CAName


Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
certmapping:{ yes | no }


Specifies whether to enable certificate-to-account mapping.
[auth2healthcert={yes|no}]


Specifies that the computer certificate specified in auth2ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. If auth2 includes computercert, then auth2healthcert must be yes. For all other cases, auth2healthcert must be no.
[qmpfs={dhgroup1| dhgroup2| dhgroup14| ecdhp256| ecdhp384| mainmode| none}]


Specifies the method used to establish Main Mode perfect forward secrecy. If mainmode is specified, then the Main Mode key exchange settings are used.
[qmsecmethods={ah:Integrity+esp:Integrity-Encryption[+Lifemin][+Datakb][,...] |default}]


Specifies one or more Quick Mode security suites, separated by commas. There must be no spaces included. The value is defined by one of the following formats:
  • ah:AHIntegrity+esp:EspIntegrity-Encryption[+Lifemin][+Datakb][,...]

Where:
AHIntegrity


Specifies an integrity algorithm for the AH protocol. Integrity can be MD5 or SHA1. To specify that you do not want to use AH, do not include the ah:AHIntegrity portion of the parameter.
EspIntegrity


Specifies an integrity algorithm for the ESP protocol. Integrity can be MD5, SHA1, or none.
Encryption


Specifies the encryption algorithm used. Encryption can be des, 3des, aes128, aes192, aes256, or none.
Life


Specifies the session key lifetime in minutes. The default value is 60 minutes.
Data


Specifies the session key lifetime in kilobytes. After the specified number of kilobytes of data is transferred, a new session key for the Quick Mode SA is generated. The default value is 100,000 kilobytes.
  • Default. When managing the local computer policy store, this entry is equivalent to entering the following entry (line breaks are included only for clarity):

    AH:SHA1+60min+100000kb,

    ESP:SHA1-None+60min+100000kb,

    ESP:SHA1-AES128+60min+100000kb,

    ESP:SHA1-3DES+60min+100000kb

    When you are managing a Group Policy object, this option behaves similarly to the notconfigured option, allowing the highest precedence policy that applies to the computer, and that does specify a qmsecmethods value, to control the setting. If none of the Group Policy objects or the local computer policy store sets the value, then the computer uses the value string displayed above.

Remarks

  • If multiple rules match the criteria you specify, then all matching rules are updated with the changes included in the command.

  • Any parameters available after the new keyword that you do not include are not modified by the command.

  • Do not modify a connection security rule to use the name all. Doing this creates a conflict with the netsh option to select all connection security rules (for example, delete rule name=all).

  • If you change mode to tunnel, you must specify both tunnel endpoints and you must specify action=requireinrequireout.

  • In auth1, computerpsk and computerntlm cannot be used together.

  • In auth1, computerpsk and anonymous cannot be used together.

  • At least one Main Mode first authentication method must be specified, unless action=noauthentication.

  • Do not make Main Mode first and second authentication methods both optional as this is equivalent to disabling authentication.

  • The ability to set Quick Mode integrity and encryption offerings on a per-rule basis is available only by using the netsh add rule and set rule commands. The Windows Firewall with Advanced Security MMC snap-in allows you to set the per-machine default Quick Mode authentication and encryption settings, but provides no means to configure them on a per-rule basis.

  • We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backwards compatibility only.

  • Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote ( \' ).

Examples

  • The following command renames "Rule1" to "Rule2":

    set rule name="Rule1" new name="Rule2"

  • The following command changes a rule to use a different action, and assumes that the other parameters required by the new action value were already set:

    set rule name="Rule3" new action=requestinrequestout
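The parameter descriptions and Remarks above state a number of constraints that netsh only reports at the point a command is run (tunnel mode needs both endpoints and action=requireinrequireout, computerpsk cannot be combined with computerntlm or anonymous, a port needs protocol=tcp or udp, and DES, MD5 and DHGroup1 are no longer considered secure). The following is an added Python example, not part of the netsh reference or of Windows, that applies those checks to a proposed parameter set before it is handed to netsh and parses a qmsecmethods value into its suites. The function names, the default expansion string (copied from the list above, without the line breaks) and the sample values are this example's own.

```python
"""Constraint checker for 'netsh advfirewall consec set rule ... new ...'.

Added example, not part of the netsh reference: it applies the constraints
stated in the parameter descriptions and Remarks (tunnel mode needs both
endpoints and action=requireinrequireout, the auth1 combinations that cannot
coexist, ports need tcp or udp) and parses a qmsecmethods value, flagging
the DES, MD5 and DHGroup1 options the Remarks describe as no longer secure.
Function and argument names are this example's own.
"""
import ipaddress

# Expansion of qmsecmethods=default for the local policy store (from the reference)
DEFAULT_QMSECMETHODS = ("AH:SHA1+60min+100000kb,ESP:SHA1-None+60min+100000kb,"
                        "ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb")
DEPRECATED = {"des", "md5", "dhgroup1"}   # kept for backward compatibility only


def parse_qmsecmethods(value):
    """Split a qmsecmethods string into one dict per Quick Mode suite.

    Keys: ah (AH integrity or None), esp_integrity, encryption, lifemin, datakb.
    Lifetime fields that are omitted take the documented defaults (60 min, 100,000 KB).
    """
    if value.lower() == "default":
        value = DEFAULT_QMSECMETHODS
    suites = []
    for suite in value.split(","):
        entry = {"ah": None, "esp_integrity": None, "encryption": None,
                 "lifemin": 60, "datakb": 100000}
        for token in suite.split("+"):
            low = token.lower()
            if low.startswith("ah:"):
                entry["ah"] = low[3:]
            elif low.startswith("esp:"):
                integrity, _, encryption = low[4:].partition("-")
                entry["esp_integrity"] = integrity
                entry["encryption"] = encryption or "none"
            elif low.endswith("min"):
                entry["lifemin"] = int(low[:-3])
            elif low.endswith("kb"):
                entry["datakb"] = int(low[:-2])
            else:
                raise ValueError(f"unrecognised token {token!r} in suite {suite!r}")
        if entry["ah"] is None and entry["esp_integrity"] is None:
            raise ValueError(f"suite {suite!r} specifies neither AH nor ESP")
        suites.append(entry)
    return suites


def deprecated_algorithms(suites, qmpfs="mainmode"):
    """Sorted names of deprecated algorithms used by the parsed suites or by qmpfs."""
    found = {qmpfs.lower()} & DEPRECATED
    for s in suites:
        found |= {s["ah"], s["esp_integrity"], s["encryption"]} & DEPRECATED
    return sorted(found)


def set_rule_problems(mode="transport", action="requireinrequestout", auth1=(),
                      localtunnelendpoint=None, remotetunnelendpoint=None,
                      port1="any", port2="any", protocol="any",
                      qmpfs="mainmode", qmsecmethods="default"):
    """Return the documented conflicts in a parameter set (empty list means none found)."""
    problems = []
    methods = [a.lower() for a in auth1]

    if mode == "tunnel":
        if not (localtunnelendpoint and remotetunnelendpoint):
            problems.append("mode=tunnel requires localtunnelendpoint and remotetunnelendpoint")
        if action != "requireinrequireout":
            problems.append("mode=tunnel requires action=requireinrequireout")
    if localtunnelendpoint and remotetunnelendpoint:
        # Both endpoints must use the same address family (IPv4 or IPv6)
        if (ipaddress.ip_address(localtunnelendpoint).version
                != ipaddress.ip_address(remotetunnelendpoint).version):
            problems.append("tunnel endpoints must both be IPv4 or both be IPv6")

    if "computerpsk" in methods and "computerntlm" in methods:
        problems.append("auth1: computerpsk and computerntlm cannot be used together")
    if "computerpsk" in methods and "anonymous" in methods:
        problems.append("auth1: computerpsk and anonymous cannot be used together")
    if "anonymous" in methods and methods[-1] != "anonymous":
        problems.append("auth1: anonymous should be the last method listed")
    if not methods and action != "noauthentication":
        problems.append("at least one auth1 method is required unless action=noauthentication")

    for name, port in (("port1", port1), ("port2", port2)):
        if port != "any" and protocol not in ("tcp", "udp"):
            problems.append(f"{name}={port} requires protocol=tcp or protocol=udp")

    try:
        weak = deprecated_algorithms(parse_qmsecmethods(qmsecmethods), qmpfs)
    except ValueError as exc:
        problems.append(f"qmsecmethods: {exc}")
    else:
        if weak:
            problems.append("deprecated algorithms in use: " + ", ".join(weak))
    return problems
```

Run `set_rule_problems(...)` with the values you intend to pass to set rule; an empty list means none of the documented conflicts was found, otherwise each entry names the parameter to change. The checker only covers the constraints listed on this page, so netsh may still reject a command for reasons outside its scope (for example a rule name that does not exist).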

show

In the netsh advfirewall consec context, the show command only has one variation, the Show Rule command.

show rule

Displays existing connection security rules.

Syntax

show rule name={all|RuleName} [profile={public| private| domain| any}[,...]] [type={dynamic|static}] [verbose]

Parameters

name={all|RuleName}


Required. Specifies the rule name assigned to an existing rule that you want to display. If name=all, then all rules that match the other criteria are displayed. If name=all, and no other parameters are included, then all rules are displayed.
[profile={public| private| domain| any|[,...]}]


Specifies that you only want those rules that match the specified profile(s) displayed. If you specify more than one profile, then only rules that include the exact same list of profiles match. If you do not specify profile, the default is any.
[type={dynamic|static}]


Specifies that you only want those rules of the selected type displayed.
  • If you select dynamic, the rules displayed are from the currently active configuration.

  • If you select static, the rules displayed are from the current store, as determined by the set store command.

If you do not specify type, the default is static.
[verbose]


Specifies that you want additional details for each rule displayed.

Examples

  • The following command displays all currently defined rules in the current store:

    show rule name=all

  • The following command displays all static rules in the current store:

    show rule name=all type=static

Netsh AdvFirewall Firewall context

Typing the command firewall at the netsh advfirewall context changes to the Netsh AdvFirewall Firewall context, where you can view, create, and modify firewall rules. This context is the command-line equivalent to the Inbound Rules and Outbound Rules nodes of the Windows Firewall with Advanced Security MMC snap-in.

Note
This context is different from the netsh firewall context. You can only run the command netsh advfirewall firewall, or apply policies created with that command on computers that are running Windows Vista or Windows Server 2008. The netsh firewall context is backwards compatible with Windows XP and Windows Server 2003, but only enables you to configure a subset of what the advfirewall firewall context supports. For more information about the netsh firewall context, see Netsh Commands for Windows Firewall.

To view the syntax of commands available in the Firewall context, click a command:

add

In the netsh advfirewall firewall context, the add command only has one variation, the add rule command.

add rule

Adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria.

Syntax

add rule name= RuleName dir={in|out} action={allow|block|bypass} [program=ProgramPath\FileName] [service={ServiceShortName|any}] [description=RuleDescription] [enable={yes|no}] [profile={public|private|domain|any|[,...]}] [localip={Addresses}] [remoteip={Addresses}] [localport={any| Integer| rpc| rpc-epmap| teredo|[,...]}] [remoteport={any|Integer|[,...]}] [protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}] [interfacetype={any|wireless|lan|ras}] [rmtcomputergrp=SDDLString] [rmtusrgrp=SDDLString] [edge={yes|no}] [security={authenticate| authenc| notrequired}]

Parameters

name = RuleName


Required. Specifies the name of this firewall rule. The name should be unique, and must not be "all".
dir={in|out}


Required. Specifies whether this rule matches inbound or outbound network traffic. dir can be any of the following values:
  • in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.

  • out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.

action={allow|block|bypass}


Required. Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria specified in this rule. action can be one of the following:
  • allow. Network packets that match all criteria specified in this rule are permitted through the firewall.

  • block. Network packets that match all criteria specified in this rule are dropped by the firewall.

  • bypass. Valid only for rules that include dir=in and that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security=notrequired. This option is the equivalent to the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.

[program=ProgramPath\FileName]


Specifies that network traffic generated by the identified executable program matches this rule.
Caution
Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that are already protected by the built-in rules might result in conflicts or undesired side-effects.
If program is not specified, then network traffic generated by any program matches this rule.
[service={ServiceShortName|any}]


Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in the Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name. If service is not specified, then network traffic generated by any program or service matches this rule.
[description=RuleDescription]


Provides information about the firewall rule.
[enable={yes|no}]


Specifies whether the rule is currently enabled. If enable is not specified, the default is yes.
[profile={public| private| domain| any|[,...]}]


Specifies the profile(s) to which the firewall rule is assigned. The rule is only active on the local computer when the specified profile is the currently active profile. You can include multiple entries for profile by separating them with a comma. Do not include any spaces. If profile is not specified, the default is any.
[localip={Addresses}]


Specifies that network packets with matching IP addresses match this rule. localip is compared to the Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an outbound network packet. localip can be any of the following values:
  • any. Matches any IP address.

  • IPAddress. Matches only the exact IPv4 or IPv6 address.

  • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple entries can be specified for localip by separating them with a comma. Do not include any spaces. If localip is not specified, the default is any.
[remoteip={Addresses}]


Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the Destination IP address field of an outbound network packet. It is compared to the Source IP address field of an inbound network packet. remoteip can be any of the following values:
  • any. Matches any IP address.

  • localsubnet. Matches any IP address that is on the same IP subnet as the local computer.

  • dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.

  • IPAddress. Matches only the exact IPv4 or IPv6 address specified.

  • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple entries can be specified for remoteip by separating them with a comma. If remoteip is not specified, the default is any.
[localport={any| Integer| rpc| rpc-epmap| teredo|[,...]}]


Specifies that network packets with matching IP port numbers match this rule. localport is compared to the Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound network packet. localport can be any of the following values:
  • any. Matches any value in the port field of the IP packet.

  • Integer. Specifies the exact port number that must be present for the packet to match the rule.

  • rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol=tcp, and dir=in. We recommend that you also specify the appropriate program=ProgramName and/or service=ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.

  • rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol=tcp, and dir=in. We recommend that you also specify program=%windir%\system32\svchost.exe, and service=rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport=rpc, then you must also create a rule with localport=rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.

  • teredo. Matches inbound UDP packets that are addressed to the dynamic ports used by the Teredo service to support edge traversal tunneling of IPv6 traffic over IPv4 networks. A rule with this option must also specify protocol=udp, and dir=in. We recommend that you also specify program="%windir%\system32\svchost.exe", and service=iphlpsvc to ensure that only the Teredo service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service.

Multiple entries can be specified for localport by separating them with a comma. Do not include any spaces. If localport is not specified, the default is any.
[remoteport={any|Integer|[,...]}]


Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound network packet. remoteport can be any of the following values:
  • any. Matches any value in the port field of the IP packet.

  • Integer. Specifies the exact port number that must be present for the packet to match the rule.

Multiple entries can be specified for remoteport by separating them with a comma. Do not include any spaces. If remoteport is not specified, the default is any.
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]


Specifies that network packets with a matching IP protocol match this rule. protocol can be any of the following values:
  • any. Matches any value in the Protocol field of the IP packet.

  • Integer. Specifies the protocol by number that must be present for the packet to match the rule.

  • icmpv4. Specifies that all ICMP v4 packets match this rule.

  • icmpv6. Specifies that all ICMP v6 packets match this rule.

  • icmpv4: type , code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

  • icmpv6: type , code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

  • tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

  • udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

Multiple entries can be specified for protocol by separating them with a comma. Do not include any spaces. If protocol is not specified, the default is any.
[interfacetype={any| wireless| lan| ras}]


Specifies that only network packets passing through the indicated interface types match this rule. Using this parameter allows you to specify different firewall requirements for each of the three main network types. The value must be one of the following:
  • any. Network packets passing through any of the interface types match this rule.

  • wireless. Network packets that pass through a wireless network adapter match this rule.

  • lan. Network packets that pass through a wired LAN adapter match this rule.

  • ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection match this rule.

If interfacetype is not specified, the default is any.
[rmtcomputergrp=SDDLString]


Specifies that only network packets that are authenticated as coming from or going to a computer identified in the list of computer and group accounts match this rule. If rmtcomputergrp is specified, then security must be set to either authenticate or authenc. If action=bypass, then at least one computer or computer group account must be specified in rmtcomputergrp. For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries computer account information.
[rmtusrgrp=SDDLString]


Specifies that only network packets that are authenticated as coming from or going to a user identified in the list of user and group accounts match this rule. If rmtusrgrp is specified, then security must be set to either authenticate or authenc. For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account information.
[edge={yes|no}]


Valid only when dir=in. Specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced Security MMC snap-in. If edge is not specified, the default is no.
[security={authenticate | authenc | notrequired } ]


Specifies that only network packets protected with the specified type of IPsec options match this rule. security can be one of the following values:
  • authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections in the Windows Firewall with Advanced Security MMC snap-in.

  • authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.

  • notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.

If security is not specified, the default is notrequired.

Remarks

  • Do not create a firewall rule with the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, delete rule name=all).

  • If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.

  • Do not set both edge=yes and remoteip=localsubnet. They are conflicting options and result in the firewall blocking all network traffic from outside the edge device.

  • For more information about SDDL strings and their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

  • One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then click the Add button to find the computer or machine group account of interest. You can also select Only allow connections from these users, and then click the Add button to find the user or group account of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.

Examples

  • The following command creates an outbound rule to block all traffic from the local computer that originates on TCP port 80.

    add rule name="Block Outbound Port 80" dir=out localport=80 protocol=TCP action=block

  • The following command creates a rule that blocks all inbound traffic from all WINS servers:

    add rule name="Block WINS" dir=in action=block remoteip=wins

  • The following command creates an inbound rule that allows traffic for the Windows Messenger program only from computers on the same subnet as the local computer.

    add rule name="Allow Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" remoteip=localsubnet action=allow

  • The following command creates a rule that permits inbound Windows Messenger network traffic only if the connection from the remote computer is authenticated by using a separate connection security rule.

    add rule name="Allow Authenticated Messenger" dir=in program="c:\program files\messenger\msmsgs.exe" security=authenticate action=allow

  • The following command creates a rule that allows all network traffic from computers that are members of a specific computer group, and only from users that are members of a specific user group. Both memberships must be confirmed by authentication using a separate connection security rule. The actual SDDL strings to use should be determined by referring to the SDDL documentation and steps identified in the Remarks section above.

    add rule name="Allow Only Specific Computers and Users" dir=in rmtcomputergrp=D:(A;;CC;;;SIDforMachineGroupAccount) rmtusrgrp=D:(A;;CC;;;SIDforUserGroupAccount) action=bypass security=authenticate

  • The following two commands create rules that prevent all wireless network traffic:

    add rule name="Block Wireless In" dir=in interface=wireless action=block

    add rule name="Block Wireless Out" dir=out interface=wireless action=block

  • The following command creates a rule to allow TCP traffic addressed to port 12345 to a specific application from computers on the remote side of an edge (NAT) device, using the Teredo IPv6 interface:

    add rule name="Allow TCP 12345" dir=in action=allow edge=yes remoteip=any protocol=TCP localport=12345 program="c:\program files\TestIPv6App.exe"

delete

In the netsh advfirewall firewall context, the Delete command only has one variation, the Delete Rule command.

delete rule

Deletes all firewall rules that match the specified criteria.

Syntax

delete rule name={all|RuleName} [dir={in|out}] [profile={public| private| domain| any|[,...]}] [program=ProgramPath\FileName] [service={ServiceShortName|any}] [localip={Addresses}] [remoteip={Addresses}] [localport={any| Integer| rpc| rpc-epmap|[,...]}] [remoteport={any|Integer|[,...]}] [protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]

Parameters

name={all|RuleName}


Required. You can specify one of the following values:
  • The rule name of the firewall rule you want deleted.

  • all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command, then all firewall rules are deleted.

[dir={in|out}]


Specifies that only rules of the selected direction are deleted. The value can be either in or out.
[profile={public| private| domain| any|[,...]}]


Specifies that only rules assigned to the specified profile(s) are deleted. If you specify more than one profile, then only rules that include the exact same list of profiles match.
[program=ProgramPath\FileName]


Specifies that only rules that match the identified program are deleted.
[service={ServiceShortName| any}]


Specifies that only rules that match the identified service name are deleted.
[localip={Addresses}]


Specifies that only rules that match the IP addresses, ranges, or subnets are deleted. If your rule includes multiple entries, then the rule only matches if it contains the exact same list of entries. localip can be any of the following values:
  • The keyword any.

  • IPAddress. Specifies an IPv4 or IPv6 address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

You can specify multiple entries for localip by separating them with a comma. Do not include any spaces.
[remoteip={Addresses}]


Specifies that only rules that match the IP addresses, ranges, subnets, or server types are deleted. If your rule includes multiple entries, then the rule only matches if it contains the exact same list of entries. remoteip can be any of the following values:
  • One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

  • IPAddress. Specifies an IPv4 or IPv6 address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

You can specify multiple entries for remoteip by separating them with a comma. Do not include any spaces.
[localport={any| Integer| rpc | rpc-epmap| teredo|[,...]}] [remoteport={any|Integer|[,...]}]


Specifies that only rules that match the indicated port numbers or keywords are deleted. If you specify localport or remoteport, then you must also specify protocol, and it must be set to either tcp or udp.
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]


Specifies that only rules that match the indicated protocol value are deleted.

Remarks

  • If multiple rules are found that match the specified criteria, then they are all deleted.

  • If you specify name=all and do not specify any other criteria, then all firewall rules are deleted.

Examples

  • The following example deletes a rule based on its exact name:

    Delete rule name="rule1"

  • The following example deletes all rules for TCP port 80:

    delete rule name=all protocol=tcp localport=80
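    The matching that delete rule performs (and that set rule performs for the criteria before the new keyword, and show rule for profile) is easy to get wrong for list-valued parameters, because a list matches only a rule carrying the exact same entries. The following added example (not Microsoft code) models that documented behaviour against a constructed in-memory rule store, so a command can be dry-run before the real delete; rule names are assumed to compare case-insensitively.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Criteria whose value is a comma-separated list; they match a rule only
# when the rule carries exactly the same entries (documented behaviour).
LIST_VALUED = ("profile", "localip", "remoteip", "localport", "remoteport")
ALL_PROFILES = ("domain", "private", "public")


def as_entries(key: str, value: str) -> Tuple[str, ...]:
    """Normalise a comma-separated value for exact-list comparison.
    Entry order is assumed not to matter; profile=any means all three profiles."""
    entries = sorted(v.strip().lower() for v in value.split(",") if v.strip())
    if key == "profile" and entries == ["any"]:
        return ALL_PROFILES
    return tuple(entries)


@dataclass
class Rule:
    """One firewall rule in a constructed, in-memory policy store."""
    name: str
    dir: str = "in"
    profile: str = "any"
    program: str = "any"
    service: str = "any"
    localip: str = "any"
    remoteip: str = "any"
    localport: str = "any"
    remoteport: str = "any"
    protocol: str = "any"

    def matches(self, criteria: Dict[str, str]) -> bool:
        """True when every given criterion matches; omitted criteria match anything."""
        for key, wanted in criteria.items():
            if key == "name":
                # name=all selects every rule; otherwise the name must match
                # (compared case-insensitively here, an assumption).
                if wanted.lower() not in ("all", self.name.lower()):
                    return False
            elif key in LIST_VALUED:
                if as_entries(key, getattr(self, key)) != as_entries(key, wanted):
                    return False
            elif getattr(self, key).lower() != wanted.lower():
                return False
        return True


def parse_criteria(command: str) -> Dict[str, str]:
    """Extract key=value criteria from a delete/set/show rule command line.
    Parsing stops at the 'new' keyword, so properties being set are ignored.
    Quote paths containing backslashes, as the documented examples do."""
    tokens = shlex.split(command, posix=True)
    if len(tokens) < 3 or tokens[0].lower() not in ("delete", "set", "show") \
            or tokens[1].lower() != "rule":
        raise ValueError("expected '<delete|set|show> rule name=... [criteria]'")
    allowed = tuple(Rule.__dataclass_fields__)
    criteria: Dict[str, str] = {}
    for tok in tokens[2:]:
        if tok.lower() == "new":
            break
        key, sep, value = tok.partition("=")
        if not sep or key.lower() not in allowed:
            raise ValueError(f"unsupported criterion: {tok}")
        criteria[key.lower()] = value
    if "name" not in criteria:
        raise ValueError("name= is required")
    return criteria


def select(rules: List[Rule], command: str) -> List[str]:
    """Dry run: names of the rules the command would delete, modify or show."""
    criteria = parse_criteria(command)
    return [r.name for r in rules if r.matches(criteria)]


# Constructed policy store standing in for the live rule set.
STORE = [
    Rule("Block Outbound Port 80", dir="out", localport="80", protocol="tcp"),
    Rule("AllowWeb80", localport="80", protocol="tcp", profile="domain,private"),
    Rule("Remote Admin (TCP-In)", localport="80", protocol="tcp", profile="domain"),
    Rule("Block WINS", remoteip="wins"),
    Rule("Allow Messenger", program=r"c:\program files\messenger\msmsgs.exe",
         remoteip="localsubnet", profile="domain,public"),
]

if __name__ == "__main__":
    for cmd in ("delete rule name=all protocol=tcp localport=80",
                "delete rule name=all profile=domain",
                "show rule name=all profile=domain,private"):
        print(f"{cmd}\n  -> {select(STORE, cmd)}")
```

Note that profile=domain selects only the rule whose profile list is exactly domain, not the rules assigned to domain,private or domain,public.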

set

In the netsh advfirewall firewall context, the Set command only has one variation, the Set Rule command.

set rule

Modifies an existing firewall rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.

Syntax

set rule {group=GroupName| name={all|RuleName}} [dir={in|out}] [profile={public| private| domain| any}[,...]] [program=ProgramPath\FileName] [service={ServiceShortName|any}] [localip=Addresses] [remoteip=Addresses] [localport={any|rpc| rpc-epmap| Integer|[,...]}] [remoteport={any| Integer|[,...]}] [protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}] new [name=NewRuleName] [dir={in|out}] [program=ProgramPath\FileName] [service={ServiceShortName|any}] [action={allow|block|bypass}] [description=RuleDescription] [enable={yes|no}] [profile={public| private| domain| any|[,...]}] [localip=Addresses] [remoteip=Addresses] [localport={any| rpc| rpc-epmap| teredo| Integer|[,...]}] [remoteport={any|Integer|[,...]}] [protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}] [interfacetype={any| wireless| lan| ras}] [rmtcomputergrp=SDDLString] [rmtusrgrp=SDDLString] [edge={yes|no}] [security={authenticate| authenc| notrequired}]

Parameters

{group= GroupName| name={all|RuleName}}


Required. Specifies either the group name for a set of rules to modify together, or a rule name assigned to an existing rule that you want to modify. If you specify the group name for a set of rules, then all of the rules in that group receive the same set of modifications. If name=all, then all rules that match the other criteria listed before the new keyword are modified. If name=all, and no other parameters are included before the new keyword, then all rules are modified as indicated.
[dir={in|out}]


Specifies that only matching rules of the indicated direction are modified. The value of dir can be either in or out.
[profile={public| private| domain| any}[,...]]


Specifies that only matching rules that are assigned to the indicated profile are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
[program=ProgramPath\FileName]


Specifies that only rules that match the identified program are modified.
[service={ServiceShortName| any}]


Specifies that only rules that match the identified service name are modified. If service is not specified, then rules that specify any value, including no value, and that match all other criteria, are modified.
[localip={Addresses}]


Specifies that only rules that match the IP addresses, ranges, or subnets are modified. If you specify a comma-separated list, then only rules that contain the exact same list are modified. localip can be any of the following values:
  • The keyword any.

  • IPAddress. Specifies an IPv4 or IPv6 address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

You can specify multiple entries for localip by separating them with a comma.
[remoteip={Addresses}]


Specifies that only rules that match the IP addresses, ranges, subnets, or server types are modified. If you specify a comma-separated list, then only rules that contain the exact same list are modified. remoteip can be any of the following values:
  • One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

  • IPAddress. Specifies an IPv4 or IPv6 address.

  • IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

You can specify multiple entries for remoteip by separating them with a comma.
[localport={any| Integer| rpc | rpc-epmap| teredo|[,...]}] [remoteport={any|Integer|[,...]}]


Specifies that only rules that match the indicated port numbers or keywords are modified. If you specify a comma-separated list, then only rules that contain the exact same list are modified.
[protocol={any| Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]


Specifies that only rules that match the indicated protocol value are modified. If you specify a comma separated list, then only rules that contain the exact same list are modified.
new


Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any parameter that follows this keyword indicates a value that is modified in the rules that match the specified criteria.
[name=NewRuleName]


Specifies a new name for the firewall rule. The name should be unique, and must not be "all".
[dir={in|out}]


Specifies whether this rule matches inbound or outbound network traffic. dir can be one of the following values:
  • in. The rule matches only inbound network traffic that is arriving at the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Inbound Rules.

  • out. The rule matches only outbound network traffic that is sent by the computer. This rule appears in the Windows Firewall with Advanced Security MMC snap-in under Outbound Rules.

[action={allow|block|bypass}]


Specifies what Windows Firewall with Advanced Security does to filter network packets that match the criteria specified in this rule. action can be one of the following:
  • allow. Network packets that match all criteria specified in this rule are permitted through the firewall.

  • block. Network packets that match all criteria specified in this rule are dropped by the firewall.

  • bypass. Valid only for rules that include dir=in and that have one or more accounts listed in rmtcomputergrp and optionally rmtusrgrp. Network packets that match this rule and that are successfully authenticated against a computer account specified in rmtcomputergrp and against a user account identified in rmtusrgrp are permitted through the firewall. If you specify this option, then you cannot set security=notrequired. This option is the equivalent to the Override block rules checkbox in the Windows Firewall with Advanced Security MMC snap-in.

[program=ProgramPath\FileName]


Specifies that network traffic generated by the identified executable program matches this rule.
Caution
Creating firewall rules for hosting processes such as svchost.exe can lead to unpredictable behavior in Windows Firewall with Advanced Security. Starting in Windows Vista, the security of Windows network services was increased by using predefined, built-in firewall rules. Creating new rules referencing services that are already protected by the built-in rules might result in conflicts or undesired side-effects.
[service={ServiceShortName|any}]


Specifies that traffic generated by the identified service matches this rule. The ServiceShortName for a service can be found in Services MMC snap-in, by right-clicking the service, selecting Properties, and examining Service Name.
[description=RuleDescription]


Provides information about the firewall rule.
[enable={yes|no}]


Specifies whether the rule is currently enabled.
[profile={public| private| domain| any|[,...]}]


Specifies the profile(s) to which the firewall rule is assigned. The rule is only active on the local computer when the specified profile is the currently active profile. You can include multiple entries for profile by separating them with a comma. Do not include any spaces.
[localip={Addresses}]


Specifies that network packets with matching IP addresses match this rule. localip is compared to the Destination IP address field of an inbound network packet. It is compared to the Source IP address field of an outbound network packet. localip can be any of the following values:
  • any. Matches any IP address.

  • IPAddress. Matches only the exact IPv4 or IPv6 address.

  • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple entries can be specified for localip by separating them with a comma. Do not include any spaces.
[remoteip={Addresses}]


Specifies that network packets with matching IP addresses match this rule. remoteip is compared to the Destination IP address field of an outbound network packet. It is compared to the Source IP address field of an inbound network packet. remoteip can be any of the following values:
  • any. Matches any IP address.

  • localsubnet. Matches any IP address that is on the same IP subnet as the local computer.

  • dns|dhcp|wins|defaultgateway. Matches the IP address of any computer that is configured as the identified server type on the local computer.

  • IPAddress. Matches only the exact IPv4 or IPv6 address specified.

  • IPSubnet. Matches any IPv4 or IPv6 address that is part of the specified subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

  • IPRange. Matches any IPv4 or IPv6 addresses that fall within the specified range. The format is the starting and ending IP addresses of the range separated by a '-'.

Multiple entries can be specified for remoteip by separating them with a comma. Do not include any spaces.
[localport={any| Integer| rpc| rpc-epmap| teredo|[,...]}]


Specifies that network packets with matching IP port numbers match this rule. localport is compared to the Source Port field of an outbound network packet. It is compared to the Destination Port field of an inbound network packet. localport can be any of the following values:
  • any. Matches any value in the port field of the IP packet.

  • Integer. Specifies the exact port number that must be present for the packet to match the rule.

  • rpc. Matches inbound TCP packets that are addressed to the listening socket of an application that correctly registers the port as an RPC listening port. A rule with this option must also specify protocol=tcp, dir=in. We recommend that you also specify the appropriate program=ProgramName and/or service=ServiceName options to ensure that only the correct service can send or receive traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the application when it starts.

  • rpc-epmap. Matches inbound TCP packets that are addressed to the dynamic RPC endpoint mapper service. A rule with this option must also specify protocol=tcp, dir=in. We recommend that you also specify program=%windir%\system32\svchost.exe, and service=rpcss to ensure that only the RPC service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service when it starts. If you have one or more rules that specify localport=rpc, then you must also create a rule with localport=rpc-epmap enabled. This allows both the incoming request to the mapper, and the subsequent packets to the ephemeral ports assigned by the RPC service.

  • teredo. Matches inbound UDP packets that are addressed to the dynamic ports used by the Teredo service to support edge traversal tunneling of IPv6 traffic over IPv4 networks. A rule with this option must also specify protocol=udp, dir=in. We recommend that you also specify program="%windir%\system32\svchost.exe", and service=iphlpsvc to ensure that only the Teredo service can send or receive network traffic by using this rule. This option eliminates the need to know the specific port numbers assigned to the service.

Multiple entries can be specified for localport by separating them with a comma. Do not include any spaces.
[remoteport={any|Integer|[,...]}]


Specifies that network packets with matching IP port numbers match this rule. remoteport is compared to the Destination Port field of an outbound network packet. It is compared to the Source Port field of an inbound network packet. remoteport can be any of the following values:
  • any. Matches any value in the port field of the IP packet.

  • Integer. Specifies the exact port number that must be present for the packet to match the rule.

Multiple entries can be specified for remoteport by separating them with a comma. Do not include any spaces.
[protocol={any |Integer| icmpv4| icmpv6| icmpv4:type,code| icmpv6:type,code| tcp| udp}]


Specifies that network packets with a matching IP protocol match this rule. protocol can be one of the following values:
  • any. Matches any value in the Protocol field of the IP packet.

  • Integer. Specifies the protocol by number that must be present for the packet to match the rule.

  • icmpv4. Specifies that all ICMP v4 packets match this rule.

  • icmpv6. Specifies that all ICMP v6 packets match this rule.

  • icmpv4:type,code. Specifies that only ICMP v4 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

  • icmpv6:type,code. Specifies that only ICMP v6 network packets with the specified type and code match this rule. type and code can each be either the keyword any, or an integer ranging from 0 to 255.

  • tcp. Specifies that only TCP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

  • udp. Specifies that only UDP traffic addressed to or from the ports identified by localport and remoteport matches this rule.

Multiple entries can be specified for protocol by separating them with a comma.
[interfacetype={any| wireless| lan| ras}]


Specifies that only network packets passing through the indicated interface types match this rule. Using this parameter allows you to specify different firewall requirements for each of the three main network types. The value must be one of the following:
  • any. Network packets passing through any of the interface types match this rule.

  • wireless. Network packets that pass through a wireless network adapter match this rule.

  • lan. Network packets that pass through a wired LAN adapter match this rule.

  • ras. Network packets that pass through a RAS interface, such as a VPN or dial-up network connection match this rule.

[rmtcomputergrp=SDDLString]


Specifies that only network packets that are authenticated as coming from or going to a computer identified in the list of computer and group accounts are filtered by this rule. If rmtcomputergrp is specified, then security must be set to either authenticate or authenc. If action=bypass, then at least one computer or computer group account must be specified in rmtcomputergrp. For rmtcomputergrp to match, the network traffic must be authenticated using a credential that carries computer account information.
[rmtusrgrp=SDDLString]


Specifies that only network packets that are authenticated as coming from or going to a user identified in the list of user and group accounts are filtered by this rule. If rmtusrgrp is specified, then security must be set to either authenticate or authenc. For rmtusrgrp to match, the network traffic must be authenticated using a credential that carries user account information.
[edge={yes|no}]


Valid only when dir=in. Specifies that traffic that traverses an edge device, such as a Network Address Translation (NAT) enabled router, between the local and remote computer matches this rule. This option is the equivalent of the Allow edge traversal checkbox in the Windows Firewall with Advanced Security MMC snap-in.
[security={authenticate| authenc| notrequired}]


Specifies that only network packets protected with the specified type of IPsec options match this rule. security can be one of the following values:
  • authenticate. Network packets that are authenticated by IPsec match this rule. You must create a separate connection security rule to authenticate the traffic. This option is the equivalent of the Allow only secure connections in the Windows Firewall with Advanced Security MMC snap-in.

  • authenc. Network packets that are authenticated and encrypted by IPsec match this rule. You must create a separate connection security rule to authenticate and encrypt the traffic. This option is the equivalent of the Require encryption option in the Windows Firewall with Advanced Security MMC snap-in.

  • notrequired. Any network packet matches this rule, whether or not it is protected by IPsec. This option is the equivalent of not selecting the Allow only secure connections option in the Windows Firewall with Advanced Security MMC snap-in.

Remarks

  • Do not modify a firewall rule to use the name all. Doing this creates a conflict with the netsh option to select all firewall rules (for example, set rule name=all). If multiple rules match the criteria you specify, then all matching rules are modified with the changes included in the command.

  • Any parameters that follow the new keyword that you do not include in the command are not modified, and maintain their previous value.

  • To see the group assignments for the predefined Windows Firewall rules, look in the Windows Firewall with Advanced Security MMC snap-in, under the Inbound Rules and Outbound Rules nodes. The Group column in the Details pane contains the group assignment for each rule. This version of Windows supports group names only for predefined rules included with Windows Firewall at installation. There is currently no supported way to create a group or assign your custom rules to a group.

  • If rmtcomputergrp or rmtusrgrp is specified, then the network traffic must also match a connection security rule that authenticates the connection. The authentication protocol used must include identification of a computer or user account, such as Kerberos v5, NTLM v2, or a computer certificate with account mapping enabled.

  • Do not set both edge=yes and remoteip=localsubnet. They are conflicting options and result in the firewall blocking all network traffic from outside the edge device.

  • For more information about SDDL strings and their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

  • One way to find an SDDL string for a computer or group account is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then use the Add button to find the computer or group account(s) of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.
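  The SDDL strings taken by rmtcomputergrp and rmtusrgrp, in the add rule example above and in set rule, have the fixed shape D:(A;;CC;;;SID). The following added example (not Microsoft code) builds that string for one or more accounts, validates a string copied back from show rule verbose before it is pasted into a command, and emits the parameter fragment together with the security setting these parameters require; the SIDs used are constructed placeholders.

```python
import re
from typing import List, Sequence

# One ACE per account: type A (access allowed), no flags, the single right
# CC, no object GUIDs, then the account SID, giving D:(A;;CC;;;SID).
_ACE_RE = re.compile(r"\(A;;CC;;;(S-1-\d+(?:-\d+)+)\)")
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def build_sddl(sids: Sequence[str]) -> str:
    """Return a DACL-only SDDL string with one allow ACE per SID, in order."""
    if not sids:
        raise ValueError("at least one SID is required")
    for sid in sids:
        if not _SID_RE.match(sid):
            raise ValueError(f"not a SID in S-1-... form: {sid!r}")
    return "D:" + "".join(f"(A;;CC;;;{sid})" for sid in sids)


def parse_sddl(sddl: str) -> List[str]:
    """Return the SIDs from a firewall-style SDDL string.

    Anything other than a D: prefix followed by a run of (A;;CC;;;SID) ACEs
    is rejected, which catches stray spaces, deny ACEs and owner/group parts
    that the firewall parameters do not take.
    """
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    sids: List[str] = []
    pos = 2
    while pos < len(sddl):
        m = _ACE_RE.match(sddl, pos)
        if not m:
            raise ValueError(f"malformed ACE at offset {pos}: {sddl[pos:pos + 24]!r}")
        sids.append(m.group(1))
        pos = m.end()
    if not sids:
        raise ValueError("no ACEs found")
    return sids


def account_parameters(computer_sids: Sequence[str], user_sids: Sequence[str] = (),
                       security: str = "authenticate") -> str:
    """Return the add/set rule parameters that restrict a rule to accounts.

    netsh requires security=authenticate or authenc whenever either group
    parameter is present, so notrequired is refused here. The SDDL values
    are quoted so the shell leaves the parentheses and semicolons alone.
    """
    if security not in ("authenticate", "authenc"):
        raise ValueError("rmtcomputergrp/rmtusrgrp require security=authenticate or authenc")
    parts = [f'rmtcomputergrp="{build_sddl(computer_sids)}"']
    if user_sids:
        parts.append(f'rmtusrgrp="{build_sddl(user_sids)}"')
    parts.append(f"security={security}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed placeholder SIDs, not real accounts.
    machines = ["S-1-5-21-1111-2222-3333-1107"]
    users = ["S-1-5-21-1111-2222-3333-1108"]
    print("add rule name=\"Allow Only Specific Computers and Users\" dir=in",
          account_parameters(machines, users), "action=bypass")
```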

Examples

  • The following command changes a rule to match a different remote IP address of a Web server whose traffic is allowed by a rule:

    set rule name="AllowWeb80" new remoteip=192.168.0.2

  • The following command enables all rules in a predefined group:

    set rule group="windows firewall remote management" new enable=yes

  • The following command changes a rule to require authentication. A separate connection security rule must exist to perform the authentication:

    set rule name="AllowMessenger" new security=authenticate

  • For more examples of how to use the various parameters that can follow the new keyword, see the firewall add rule examples section.

show

In the netsh advfirewall firewall context, the show command only has one variation, the Show Rule command.

show rule

Displays an existing firewall rule, or all firewall rules that match the specified criteria.

Syntax

show rule name={all|RuleName} [profile={public| private| domain| any}[,...]] [type={dynamic|static}] [verbose]

Parameters

name={all|RuleName}


Required. Specifies the rule name assigned to the rule that you want to display. If name=all, then all rules that match the other criteria are displayed. If name=all, and no other parameters are included, then all rules are displayed.
[profile={public| private| domain| any|[,...]}]


Specifies that only rules that are assigned to the indicated profile are displayed. If you specify a comma-separated list, then only rules that contain the exact same list are displayed.
[type={dynamic|static}]


Specifies that you only want those rules of the selected type displayed. type can be one of the following values:
  • Dynamic. Displays the rules currently active on your local computer.

  • Static. Displays rules defined in the current store, as defined by the set store command.

If type is not specified, then both types of rules are displayed.
[verbose]


Specifies that you want additional details for each rule displayed.

Examples

  • The following command displays all currently defined firewall rules:

    show rule name=all

  • The following command displays all firewall rules that are for the domain profile:

    show rule name=all profile=domain

    This command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain included in the rule.
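    The output of show rule name=all verbose is the raw material for a firewall audit, and the profile behaviour just described means a "which rules apply in the domain profile" question needs a contains-style filter rather than profile=domain. The following added example (not Microsoft code) parses constructed output in the Label: value layout the command prints, flags inbound rules a defender would review first, and answers that profile question; the exact verbose labels are assumed, so compare them against a real capture.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample following the 'Label:  value' layout of the command's
# output; the verbose-mode labels shown are assumed, not taken from a capture.
SAMPLE_OUTPUT = """\
Rule Name:                            Allow TCP 12345
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            12345
Edge traversal:                       Yes
Program:                              c:\\program files\\TestIPv6App.exe
Security:                             NotRequired
Action:                               Allow

Rule Name:                            Allow Only Specific Computers and Users
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             Any
Protocol:                             Any
LocalPort:                            Any
Edge traversal:                       No
Security:                             Authenticate
Action:                               Bypass

Rule Name:                            Block Wireless In
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Public
RemoteIP:                             Any
Protocol:                             Any
LocalPort:                            Any
Edge traversal:                       No
InterfaceTypes:                       Wireless
Security:                             NotRequired
Action:                               Block
Ok.
"""


def parse_show_rule(text: str) -> List[Dict[str, str]]:
    """One dict per rule, keyed by the label before the colon.

    A new record starts at each 'Rule Name:' line; separator lines and the
    trailing 'Ok.' have no colon and are skipped. Splitting on the first
    colon keeps drive letters in Program paths intact.
    """
    rules: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or ":" not in line:
            continue
        label, _, value = line.partition(":")
        current[label.strip()] = value.strip()
    return rules


def review(rules: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule name, finding) for enabled inbound rules that widen exposure."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.get("Enabled") != "Yes" or r.get("Direction") != "In":
            continue
        name, action = r["Rule Name"], r.get("Action")
        if action == "Bypass":  # overrides block rules for authenticated peers
            findings.append((name, "bypass overrides block rules"))
        if action == "Allow" and r.get("Edge traversal") == "Yes" and r.get("RemoteIP") == "Any":
            findings.append((name, "edge traversal from any address"))
        if action == "Allow" and r.get("Protocol") == "Any" and r.get("Security") == "NotRequired":
            findings.append((name, "any protocol without IPsec"))
    return findings


def rules_in_profile(rules: List[Dict[str, str]], profile: str) -> List[str]:
    """Names of rules whose profile list includes the given profile.

    show rule name=all profile=domain lists only rules whose profile is the
    single entry Domain; this is the 'contains' view that command lacks.
    """
    return [r["Rule Name"] for r in rules
            if profile.lower() in [p.strip().lower() for p in r.get("Profiles", "").split(",")]]
```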

Netsh AdvFirewall Monitor context

Typing the command monitor at the netsh advfirewall context changes to the Netsh AdvFirewall Monitor context, where you can view the IPsec security associations (SAs) that exist on your computer. This context is the command-line equivalent to the Monitoring section of the Windows Firewall with Advanced Security MMC snap-in.

The following commands are available at the netsh advfirewall monitor> prompt.

delete

Deletes the specified Main Mode or Quick Mode security associations.

Syntax

Delete {mmsa|qmsa} {IPv4AddressPair|IPv6AddressPair|all}

Parameters

mmsa|qmsa


Required. Specifies the type of SA to delete.
  • mmsa specifies that Main Mode SAs matching the specified addresses are deleted.

  • qmsa specifies that Quick Mode SAs matching the specified addresses are deleted.

IPv4AddressPair|IPv6AddressPair|all


Specifies the SAs to delete by matching source and destination IP addresses. The address pairs are a single IP source address and a single IP destination address. The order does not matter. The IP version of both addresses must match. You can specify a wildcard for either address to indicate a match for any address:
  • IPv4: 0.0.0.0

  • IPv6: ::0

If you use the keyword all, then all SAs of the specified type are deleted.

Examples

  • The following command deletes all Main Mode SAs active on the local computer:

    delete mmsa all

  • The following command deletes any existing Quick Mode SA between two specific IP addresses:

    delete qmsa 192.168.1.1 192.168.2.2

show

Displays the specified Main Mode or Quick Mode security associations.

Syntax

show {mmsa|qmsa} {IPv4AddressPair|IPv6AddressPair|all}

Parameters

mmsa|qmsa


Required. Specifies the type of SA to display.
  • mmsa displays Main Mode SAs that match the specified addresses.

  • qmsa displays Quick Mode SAs that match the specified addresses.

IPv4AddressPair | IPv6AddressPair | all


Specifies the SAs to display by matching source and destination IP addresses. The address pairs are a single IP source address and a single IP destination address. The order does not matter. The IP version of both addresses must match. You can specify a wildcard for either address to indicate a match for any address:
  • IPv4: 0.0.0.0

  • IPv6: ::0

If you use the keyword all, then all SAs of the indicated type are displayed.

Examples

  • The following command displays all Main Mode SAs active on the local computer:

    show mmsa all

  • The following command displays any existing Quick Mode SA between two specific IP addresses:

    show qmsa 192.168.1.1 192.168.2.2

  • The following command displays any existing Main Mode SAs that exist between a certain IP address and any other:

    show mmsa 192.168.1.1 0.0.0.0