Use Use this tab to name, enable, and specify the action of a firewall rule.

To get to this tab

General section

This section contains identifying information about the rule and gives you the ability to enable or disable the rule.


This is the name of the firewall rule. As a best practice, give the firewall rule a unique name. If two rules have the same name, then you cannot easily manage them by using the netsh commands. Do not use the name “all” for a firewall rule because that is the name of a Netsh command-line tool keyword.

Description (optional)

This is a description of the rule. Use this to provide information about the rule, such as the rule owner, the rule requester, the purpose of the rule, a version number, or the date of creation.


Select this check box to enable the rule. Enabling a rule causes Windows Firewall with Advanced Security to compare all network packets to the criteria in this rule and to perform the action specified in Action when a match is found. Disabling the rule does not delete it, but instead causes Windows Firewall with Advanced Security to stop comparing network packets to the rule.

Action section

Select the action that Windows Firewall with Advanced Security will take for network packets that match the firewall rule criteria. When you have multiple firewall rules defined, the order in which they are evaluated for a match depends on the action specified in the rule. Firewall rules are evaluated in the following order:

  1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.

  2. Block the connection.

  3. Allow the connection.

  4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).

Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria. As soon as a network packet matches a rule, its action is triggered, and it is not compared to any additional rules. In other words, even if a network packet matches more than one rule, only the matching rule that is evaluated against the packet first is applied to the packet.

Allow the connection

Use this option to allow a network packet that matches all criteria in the firewall rule.

Allow the connection if it is secure

Use this option to specify that only network packets that are protected by Internet Protocol security (IPsec) are allowed. IPsec settings must be defined in separate connection security rules. By default, this setting requires both authentication and integrity to be included, but it does not require encryption. To configure the requirements, click Customize, and then select an option on the Customize Allow If Secure Settings dialog box.

Block the connection

Use this option to explicitly block any network packet that matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.

Additional references