Microsoft Windows [Version 10.0.19045.3570]
(c) Microsoft Corporation.

C:\Windows>netsh advfirewall ?

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
consec         - Changes to the `netsh advfirewall consec' context.
dump           - Displays a configuration script.
export         - Exports the current policy to a file.
firewall       - Changes to the `netsh advfirewall firewall' context.
help           - Displays a list of commands.
import         - Imports a policy file into the current policy store.
mainmode       - Changes to the `netsh advfirewall mainmode' context.
monitor        - Changes to the `netsh advfirewall monitor' context.
reset          - Resets the policy to the default out-of-box policy.
set            - Sets the per-profile or global settings.
show           - Displays profile or global properties.

The following sub-contexts are available:
 consec firewall mainmode monitor

To view help for a command, type the command, followed by a space, and then type ?.
Changes to the `netsh advfirewall consec' context.
»netsh »advfirewall »consec
C:\Windows>netsh advfirewall consec ?

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a new connection security rule.
delete         - Deletes all matching connection security rules.
dump           - Displays a configuration script.
help           - Displays a list of commands.
set            - Sets new values for properties of an existing rule.
show           - Displays a specified connection security rule.

To view help for a command, type the command, followed by a space, and then type ?.
Adds a new connection security rule.
»netsh »advfirewall »consec »add
C:\Windows>netsh advfirewall consec add ?

The following commands are available:

Commands in this context:
add rule       - Adds a new connection security rule.
Adds a new connection security rule.
»netsh »advfirewall »consec »add »rule
C:\Windows>netsh advfirewall consec add rule ?
Usage: add rule name=<string>
endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
action=requireinrequestout|requestinrequestout|
requireinrequireout|requireinclearout|noauthentication
[description=<string>]
[mode=transport|tunnel (default=transport)]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...] (default=any)]
[type=dynamic|static (default=static)]
[localtunnelendpoint=any|<IPv4 address>|<IPv6 address>]
[remotetunnelendpoint=any|<IPv4 address>|<IPv6 address>]
[port1=0-65535|<port range>[,...]|any (default=any)]
[port2=0-65535|<port range>[,...]|any (default=any)]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)]
[interfacetype=wiresless|lan|ras|any (default=any)]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=<string>]
[auth1kerbproxyfqdn=<fully-qualified dns name>]
[auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
|..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[auth2=computercert|computercertecdsap256|computercertecdsap384|
userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
anonymous[,...]]
[auth2kerbproxyfqdn=<fully-qualified dns name>]
[auth2ca="<CA Name> [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth2ecdsap256ca="<CA Name> [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth2ecdsap384ca="<CA Name> [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384|
mainmode|none (default=none)]
[qmsecmethods=authnoencap:<integrity>+[valuemin]+[valuekb]|
ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb]
|default]
[exemptipsecprotectedconnections=yes|no (default=no)]
[applyauthz=yes|no (default=no)]
Remarks:
- Rule name should be unique and cannot be "all".
- When mode=tunnel,tunnel endpoints must be specified,
except when the action is noauthentication.
When specific IP addresses are entered, they must be
the same IP version.
In addition, When configuring dynamic tunnels:
Tunnel endpoints can be set to any. Local tunnel
endpoint need not be specified for Client policy
(i.e any).
Remote tunnel endpoints need not be specified for
Gateway Policy (i.e any).
Also, action must be requireinrequireout, requireinclearout,
or noauthentication.
- requireinclearout is not valid when mode=Transport.
- At least one authentication must be specified.
- Auth1 and auth2 can be comma-separated lists of options.
- Computerpsk and computerntlm methods cannot be specified together
for auth1.
- Computercert cannot be specified with user credentials for auth2.
- Certsigning options ecdsap256 and ecdsap384 are only supported on
Windows Vista SP1 and later.
- Qmsecmethods can be a list of proposals separated by a ",".
- For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
aesgmac256|aesgcm128|aesgcm192|aesgcm256 and
encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
- If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for
both ESP integrity and encryption.
- Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256,
sha256 are only supported on Windows Vista SP1 and later.
- Qmpfs=mainmode uses the main mode key exchange setting for PFS.
- The use of DES, MD5 and DHGroup1 is not recommended. These
cryptographic algorithms are provided for backward compatibility
only.
- The default value for certmapping and excludecaname is 'no'.
- The " characters within CA name must be replaced with \'
- For auth1ca and auth2ca, the CA name must be prefixed by 'CN='.
- catype can be used to specify the Certification authority type -
catype=root/intermediate
- authnoencap is supported on Windows 7 and later.
- authnoencap means that the computers will only use authentication,
and will not use any per packet encapsulation or encryption
algorithms to protect subsequent network packets exchanged as part
of this connection.
- QMPFS and authnoencap cannot be used together on the same rule.
- AuthNoEncap must be accompanied by at least one AH or ESP integrity
suite.
- applyauthz can only be specified for tunnel mode rules.
- exemptipsecprotectedconnections can only be specified
for tunnel mode rules. By setting this flag to "Yes",
ESP traffic will be exempted from the tunnel.
AH only traffic will NOT be exempted from the tunnel.
- Valuemin(when specified) for a qmsecmethod should be between 5-2880
minutes. Valuekb(when specified) for a qmsecmethod should be
between 20480-2147483647 kilobytes.
- Certhash specifies the thumbprint, or hash of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
- Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.
- Within a computercert authentication mapping, multiple certificates can
be referenced by separating each entry by using the '|' character.
Examples:
Add a rule for domain isolation using defaults:
netsh advfirewall consec add rule name="isolation"
endpoint1=any endpoint2=any action=requireinrequestout
Add a rule with custom quick mode proposals:
netsh advfirewall consec add rule name="custom"
endpoint1=any endpoint2=any
qmsecmethods=ah:sha1+esp:sha1-aes256+60min+20480kb,ah:sha1
action=requireinrequestout
Add a rule with custom quick mode proposals:
netsh advfirewall consec add rule name="custom"
endpoint1=any endpoint2=any
qmsecmethods=authnoencap:sha1,ah:aesgmac256+esp:aesgmac256-none
action=requireinrequestout
Create a tunnel mode rule from
subnet A (192.168.0.0, external ip=1.1.1.1) to
subnet B (192.157.0.0, external ip=2.2.2.2):
netsh advfirewall consec add rule name="my tunnel" mode=tunnel
endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16
remotetunnelendpoint=2.2.2.2
localtunnelendpoint=1.1.1.1 action=requireinrequireout
Create a dynamic tunnel mode rule from subnet
A (192.168.0.0/16)
to subnet B (192.157.0.0, remoteGW=2.2.2.2)
Client Policy:
netsh advfirewall consec add rule name="dynamic tunnel"
mode=tunnel
endpoint1=any endpoint2=192.157.0.0/16
remotetunnelendpoint=2.2.2.2
action=requireinrequireout
Gateway Policy (Applied only to the Gateway device):
netsh advfirewall consec add rule name="dynamic tunnel"
mode=tunnel endpoint1=192.157.0.0/16
endpoint2=any localtunnelendpoint=2.2.2.2
action=requireinrequireout
Add a rule with CA name:
netsh advfirewall consec add rule name="cert rule"
endpoint1=any endpoint2=any action=requireinrequestout
auth1=computercert auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
Add a rule, with multiple authentication methods, using a variety of cert
criteria:
netsh advfirewall consec add rule name="cert rule" endpoint1=any
endpoint2=any action=requireinrequireout auth1=computercert
auth1ca="CN=\'CN1\' certcriteriatype:Selection certname:MyGroup
certnametype:SubjectOU certeku:1.2.3.4.5|CN=\'CN2\'
certcriteriatype:Validation certeku:2.3.4.5.6,9.10.11.12|CN=\'CN3\'
certhash:0123456789abcdef01234567890ABCDEF0123456"
Deletes all matching connection security rules.
»netsh »advfirewall »consec »delete
C:\Windows>netsh advfirewall consec delete ?

The following commands are available:

Commands in this context:
delete rule    - Deletes all matching connection security rules.
Deletes all matching connection security rules.
»netsh »advfirewall »consec »delete »rule
C:\Windows>netsh advfirewall consec delete rule ?
Usage: delete rule name=<string>
[type=dynamic|static]
[profile=public|private|domain|any[,...] (default=any)]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[port1=0-65535|<port range>[,...]|any (default=any)]
[port2=0-65535|<port range>[,...]|any (default=any)]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
Remarks:
- Deletes a rule identified by name and optionally by profiles,
endpoints, ports, protocol, and type.
- If multiple matches are found, all matching rules are deleted.
Examples:
Delete a rule called "rule1" from all profiles:
netsh advfirewall consec delete rule name="rule1"
Delete all dynamic rules from all profiles:
netsh advfirewall consec delete rule name=all type=dynamic
Displays a configuration script.
»netsh »advfirewall »consec »dump
C:\Windows>netsh advfirewall consec dump ?
Usage: dump
Remarks:
Creates a script that contains the current configuration. If saved to a
file, this script can be used to restore altered configuration settings.
Displays a list of commands.
»netsh »advfirewall »consec »help
C:\Windows>netsh advfirewall consec help ?
Usage: help
Remarks:
Displays a list of commands.
Sets new values for properties of an existing rule.
»netsh »advfirewall »consec »set
C:\Windows>netsh advfirewall consec set ?

The following commands are available:

Commands in this context:
set rule       - Sets new values for properties of an existing rule.
Sets new values for properties of an existing rule.
»netsh »advfirewall »consec »set »rule
C:\Windows>netsh advfirewall consec set rule ?
Usage: set rule
group=<string> | name=<string>
[type=dynamic|static]
[profile=public|private|domain|any[,...] (default=any)]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[port1=0-65535|<port range>[,...]|any]
[port2=0-65535|<port range>[,...]|any]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
new
[name=<string>]
[profile=public|private|domain|any[,...]]
[description=<string>]
[mode=transport|tunnel]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[action=requireinrequestout|requestinrequestout|
requireinrequireout|requireinclearout|noauthentication]
[enable=yes|no]
[type=dynamic|static]
[localtunnelendpoint=any|<IPv4 address>|<IPv6 address>]
[remotetunnelendpoint=any|<IPv4 address>|<IPv6 address>]
[port1=0-65535|<port range>[,...]|any]
[port2=0-65535|<port range>[,...]|any]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
[interfacetype=wiresless|lan|ras|any]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=<string>]
[auth1kerbproxyfqdn=<fully-qualified dns name>]
[auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1healthcert=yes|no]
[auth1ecdsap256ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[auth2=computercert|computercertecdsap256|computercertecdsap384|
userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
anonymous[,...]]
[auth2kerbproxyfqdn=<fully-qualified dns name>]
[auth2ca="<CA Name> [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth2ecdsap256ca="<CA Name> [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth2ecdsap384ca="<CA Name> [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384|
mainmode|none]
[qmsecmethods=authnoencap:<integrity>+[valuemin]+[valuekb]|
ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb]
|default]
[exemptipsecprotectedconnections=yes|no (default=no)]
[applyauthz=yes|no (default=no)]
Remarks:
- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- A group of rules can only be enabled or disabled.
- If multiple rules match the criteria, all matching rules will be
updated.
- Rule name should be unique and cannot be "all".
- Auth1 and auth2 can be comma-separated lists of options.
- Computerpsk and computerntlm methods cannot be specified together
for auth1.
- Computercert cannot be specified with user credentials for auth2.
- Certsigning options ecdsap256 and ecdsap384 are only supported on
Windows Vista SP1 and later.
- Qmsecmethods can be a list of proposals separated by a ",".
- For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
aesgmac256|aesgcm128|aesgcm192|aesgcm256 and
encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
- If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for
both ESP integrity and encryption.
- Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256,
sha256 are only supported on Windows Vista SP1 and later.
- If qmsemethods are set to default, qmpfs will be set to default
as well.
- Qmpfs=mainmode uses the main mode key exchange setting for PFS.
- The use of DES, MD5 and DHGroup1 is not recommended. These
cryptographic algorithms are provided for backward compatibility
only.
- The " characters within CA name must be replaced with \'
- For auth1ca and auth2ca, the CA name must be prefixed by 'CN='.
- catype can be used to specify the Certification authority type -
catype=root/intermediate
- authnoencap is supported on Windows 7 and later.
- authnoencap means that the computers will only use authentication,
and will not use any per packet encapsulation or encryption
algorithms to protect subsequent network packets exchanged as part
of this connection.
- QMPFS and authnoencap cannot be used together on the same rule.
- AuthNoEncap must be accompanied by at least one AH or ESP integrity
suite.
- When mode=tunnel action must be requireinrequireout, requireinclearout
or noauthentication.
- requireinclearout is not valid when mode=Transport.
- applyauthz can only be specified for tunnel mode rules.
- exemptipsecprotectedconnections can only be specified
for tunnel mode rules. By setting this flag to "Yes",
ESP traffic will be exempted from the tunnel.
AH only traffic will NOT be exempted from the tunnel.
- Port1, Port2 and Protocol can only be specified when mode=transport.
- Valuemin(when specified) for a qmsecmethod should be between 5-2880
minutes. Valuekb(when specified) for a qmsecmethod should be
between 20480-2147483647 kilobytes.
- Certhash specifies the thumbprint, or hash of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
- Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.
Examples:
Rename rule1 to rule 2:
netsh advfirewall consec set rule name="rule1" new
name="rule2"
Change the action on a rule:
netsh advfirewall consec set rule name="rule1"
endpoint1=1.2.3.4 endpoint2=4.3.2.1 new action=requestinrequestout
Add a rule with custom quick mode proposals:
netsh advfirewall consec set rule name="Custom QM" new
endpoint1=any endpoint2=any
qmsecmethods=authnoencap:aesgmac256,ah:aesgmac256+esp:aesgmac256-none
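The qmsecmethods grammar and the constraints repeated in the add rule and set rule remarks above (algorithm lists, the aesgcm pairing rule, valuemin/valuekb ranges, authnoencap versus qmpfs, the legacy-algorithm warning), encoded as a linter you can run over a rule before applying it. This is an added example, not part of the netsh help; the Proposal class and lint_* names are mine, and "none" as an ESP encryption value is taken from the help's own examples rather than its algorithm list.

```python
"""Lint the qmsecmethods/qmpfs arguments of a `netsh advfirewall consec add rule`
(or `set rule ... new`) against the constraints in the netsh remarks.
Added example; all names here are my own, not netsh's."""
from __future__ import annotations
import re
from dataclasses import dataclass

INTEGRITY = {"md5", "sha1", "sha256", "aesgmac128", "aesgmac192", "aesgmac256",
             "aesgcm128", "aesgcm192", "aesgcm256"}
# "none" is not in the remarks' list but appears in the help's own examples (esp:aesgmac256-none)
ENCRYPTION = {"3des", "des", "aes128", "aes192", "aes256",
              "aesgcm128", "aesgcm192", "aesgcm256", "none"}
AESGCM = {"aesgcm128", "aesgcm192", "aesgcm256"}
LEGACY = {"des", "md5", "dhgroup1"}  # "provided for backward compatibility only"


@dataclass
class Proposal:
    kind: str                        # "default", "authnoencap", "ah", "esp" or "ah+esp"
    integrity: str = ""              # AH or authnoencap integrity algorithm
    esp_integrity: str = ""
    esp_encryption: str = ""
    lifetime_min: int | None = None  # valuemin
    lifetime_kb: int | None = None   # valuekb


def parse_proposal(text: str) -> Proposal:
    """Parse one proposal, e.g. 'ah:sha1+esp:sha1-aes256+60min+20480kb'."""
    text = text.strip().lower()
    if text == "default":
        return Proposal("default")
    p, kinds = Proposal(""), []
    for part in text.split("+"):
        if m := re.fullmatch(r"(\d+)min", part):
            p.lifetime_min = int(m.group(1))
        elif m := re.fullmatch(r"(\d+)kb", part):
            p.lifetime_kb = int(m.group(1))
        elif m := re.fullmatch(r"(authnoencap|ah):([a-z0-9]+)", part):
            kinds.append(m.group(1))
            p.integrity = m.group(2)
        elif m := re.fullmatch(r"esp:([a-z0-9]+)-([a-z0-9]+)", part):
            kinds.append("esp")
            p.esp_integrity, p.esp_encryption = m.groups()
        else:
            raise ValueError(f"unrecognised proposal element {part!r}")
    if not kinds:
        raise ValueError(f"proposal {text!r} names no AH, ESP or authnoencap suite")
    p.kind = "+".join(kinds)
    return p


def lint_proposal(p: Proposal) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one proposal."""
    errors, warnings = [], []
    if p.kind == "default":
        return errors, warnings
    for alg in (p.integrity, p.esp_integrity):
        if alg and alg not in INTEGRITY:
            errors.append(f"unknown integrity algorithm {alg}")
    if p.esp_encryption and p.esp_encryption not in ENCRYPTION:
        errors.append(f"unknown encryption algorithm {p.esp_encryption}")
    # AES-GCM is an AEAD suite: the remarks require it on both ESP sides or neither
    if {p.esp_integrity, p.esp_encryption} & AESGCM and p.esp_integrity != p.esp_encryption:
        errors.append("aesgcm must be used for both ESP integrity and encryption")
    if p.lifetime_min is not None and not 5 <= p.lifetime_min <= 2880:
        errors.append(f"valuemin {p.lifetime_min} is outside 5-2880 minutes")
    if p.lifetime_kb is not None and not 20480 <= p.lifetime_kb <= 2147483647:
        errors.append(f"valuekb {p.lifetime_kb} is outside 20480-2147483647 kilobytes")
    for alg in (p.integrity, p.esp_integrity, p.esp_encryption):
        if alg in LEGACY:
            warnings.append(f"{alg} is provided for backward compatibility only")
    return errors, warnings


def lint_consec_args(args: dict[str, str]) -> tuple[list[str], list[str]]:
    """Check qmsecmethods/qmpfs of one consec rule; keys are spelled as netsh spells them."""
    errors, warnings = [], []
    qmpfs = args.get("qmpfs", "none").lower()
    try:
        proposals = [parse_proposal(t) for t in args.get("qmsecmethods", "default").split(",")]
    except ValueError as exc:
        return [str(exc)], warnings
    for p in proposals:
        e, w = lint_proposal(p)
        errors += e
        warnings += w
    kinds = {p.kind for p in proposals}
    if "authnoencap" in kinds:
        if qmpfs != "none":
            errors.append("QMPFS and authnoencap cannot be used together on the same rule")
        if not kinds & {"ah", "esp", "ah+esp"}:
            errors.append("authnoencap must be accompanied by at least one AH or ESP integrity suite")
    if qmpfs in LEGACY:
        warnings.append(f"qmpfs={qmpfs} is provided for backward compatibility only")
    return errors, warnings


if __name__ == "__main__":
    # The help's own "custom" example, then a constructed rule that breaks three remarks
    for qm in ("ah:sha1+esp:sha1-aes256+60min+20480kb,ah:sha1", "ah:md5+esp:sha1-des+2min"):
        print(qm, "->", lint_consec_args({"qmsecmethods": qm}))
```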
Displays a specified connection security rule.
»netsh »advfirewall »consec »show
C:\Windows>netsh advfirewall consec show ?

The following commands are available:

Commands in this context:
show rule      - Displays a specified connection security rule.
Displays a specified connection security rule.
»netsh »advfirewall »consec »show »rule
C:\Windows>netsh advfirewall consec show rule ?
Usage: show rule name=<string>
[profile=public|private|domain|any[,...]]
[type=dynamic|static (default=static)]
[verbose]
Remarks:
- Displays all instances of the rule identified by name, and
optionally profiles and type.
Examples:
Display all rules:
netsh advfirewall consec show rule name=all
Display all dynamic rules:
netsh advfirewall consec show rule name=all type=dynamic
Displays a configuration script.
»netsh »advfirewall »dump
C:\Windows>netsh advfirewall dump ?
Usage: dump
Remarks:
Creates a script that contains the current configuration. If saved to a
file, this script can be used to restore altered configuration settings.
Exports the current policy to a file.
»netsh »advfirewall »export
C:\Windows>netsh advfirewall export ?
Usage: export <path\filename>
Remarks:
- Exports the current policy to the specified file.
Example:
netsh advfirewall export "c:\advfirewallpolicy.wfw"
Changes to the `netsh advfirewall firewall' context.
»netsh »advfirewall »firewall
C:\Windows>netsh advfirewall firewall ?

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a new inbound or outbound firewall rule.
delete         - Deletes all matching firewall rules.
dump           - Displays a configuration script.
help           - Displays a list of commands.
set            - Sets new values for properties of a existing rule.
show           - Displays a specified firewall rule.

To view help for a command, type the command, followed by a space, and then type ?.
Adds a new inbound or outbound firewall rule.
»netsh »advfirewall »firewall »add
C:\Windows>netsh advfirewall firewall add ?

The following commands are available:

Commands in this context:
add rule       - Adds a new inbound or outbound firewall rule.
Adds a new inbound or outbound firewall rule.
»netsh »advfirewall »firewall »add »rule
C:\Windows>netsh advfirewall firewall add rule ?
Usage: add rule name=<string>
dir=in|out
action=allow|block|bypass
[program=<program path>]
[service=<service short name>|any]
[description=<string>]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
[remoteport=0-65535|<port range>[,...]|any (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|authnoencap|notrequired
(default=notrequired)]
Remarks:
- Add a new inbound or outbound rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc, authdynenc, or authnoencap.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Defender Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
- AuthEnc and authnoencap cannot be used together.
- Authdynenc is valid only when dir=in.
- When authnoencap is set, the security=authenticate option becomes an
optional parameter.
Examples:
Add an inbound rule with no encapsulation security for browser.exe:
netsh advfirewall firewall add rule name="allow browser"
dir=in program="c:\programfiles\browser\browser.exe"
security=authnoencap action=allow
Add an outbound rule for port 80:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block
Add an inbound rule requiring security and encryption
for TCP port 80 traffic:
netsh advfirewall firewall add rule
name="Require Encryption for Inbound TCP/80"
protocol=TCP dir=in localport=80 security=authdynenc
action=allow
Add an inbound rule for browser.exe and require security
netsh advfirewall firewall add rule name="allow browser"
dir=in program="c:\program files\browser\browser.exe"
security=authenticate action=allow
Add an authenticated firewall bypass rule for group
acmedomain\scanners identified by a SDDL string:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp=<SDDL string> action=bypass
security=authenticate
Add an outbound allow rule for local ports 5000-5010 for udp-
Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
Deletes all matching firewall rules.
»netsh »advfirewall »firewall »delete
C:\Windows>netsh advfirewall firewall delete ?

The following commands are available:

Commands in this context:
delete rule    - Deletes all matching firewall rules.
Deletes all matching firewall rules.
»netsh »advfirewall »firewall »delete »rule
C:\Windows>netsh advfirewall firewall delete rule ?
Usage: delete rule name=<string>
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=<program path>]
[service=<service short name>|any]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|any]
[remoteport=0-65535|<port range>[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
Remarks:
- Deletes a rule identified by name and optionally by endpoints, ports,
protocol, and type.
- If multiple matches are found, all matching rules are deleted.
- If name=all is specified all rules are deleted from the specified
type and profile.
Examples:
Delete all rules for local port 80:
netsh advfirewall firewall delete rule name=all protocol=tcp localport=80
Delete a rule called "allow80":
netsh advfirewall firewall delete rule name="allow80"
Displays a configuration script.
»netsh »advfirewall »firewall »dump
C:\Windows>netsh advfirewall firewall dump ?
Usage: dump
Remarks:
Creates a script that contains the current configuration. If saved to a
file, this script can be used to restore altered configuration settings.
Displays a list of commands.
»netsh »advfirewall »firewall »help
C:\Windows>netsh advfirewall firewall help ?
Usage: help
Remarks:
Displays a list of commands.
Sets new values for properties of a existing rule.
»netsh »advfirewall »firewall »set
C:\Windows>netsh advfirewall firewall set ?

The following commands are available:

Commands in this context:
set rule       - Sets new values for properties of a existing rule.
Sets new values for properties of a existing rule.
»netsh »advfirewall »firewall »set »rule
C:\Windows>netsh advfirewall firewall set rule ?
Usage: set rule
group=<string> | name=<string>
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=<program path>]
[service=service short name|any]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any]
[remoteport=0-65535|<port range>[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
new
[name=<string>]
[dir=in|out]
[program=<program path>
[service=<service short name>|any]
[action=allow|block|bypass]
[description=<string>]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|RPC|RPC-EPMap|any[,...]]
[remoteport=0-65535|any[,...]]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|notrequired]
Remarks:
- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- A group of rules can only be enabled or disabled.
- If multiple rules match the criteria, all matching rules will
be updated.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc or authdynenc.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Defender Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- Authdynenc is valid only when dir=in.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
Examples:
Change the remote IP address on a rule called "allow80":
netsh advfirewall firewall set rule name="allow80" new
remoteip=192.168.0.2
Enable a group with grouping string "Remote Desktop":
netsh advfirewall firewall set rule group="remote desktop" new
enable=yes
Change the local ports on the rule "Allow port range" for UDP:
netsh advfirewall firewall set rule name="Allow port range" dir=out protocol=udp new localport=5000-5020 action=allow
Displays a specified firewall rule.
C:\Windows>netsh advfirewall firewall show ?
The following commands are available:
Commands in this context:
show rule - Displays a specified firewall rule.
Displays a specified firewall rule.
C:\Windows>netsh advfirewall firewall show rule ?
Usage: show rule name=<string>
[profile=public|private|domain|any[,...]]
[type=static|dynamic]
[verbose]
Remarks:
- Displays all matching rules as specified by name and optionally,
profiles and type. If verbose is specified all matching rules are
displayed.
Examples:
Display all dynamic inbound rules:
netsh advfirewall firewall show rule name=all dir=in type=dynamic
Display all the settings for all inbound rules called
"allow browser":
netsh advfirewall firewall show rule name="allow browser" verbose
Displays a list of commands.
C:\Windows>netsh advfirewall help ?
Usage: help
Remarks:
Displays a list of commands.
Imports a policy file into the current policy store.
C:\Windows>netsh advfirewall import ?
Usage: import <path\filename>
Remarks:
- Imports policy from the specified file.
Example:
netsh advfirewall import "c:\newpolicy.wfw"
Changes to the `netsh advfirewall mainmode' context.
C:\Windows>netsh advfirewall mainmode ?
The following commands are available:
Commands in this context:
? - Displays a list of commands.
add - Adds a new mainmode rule.
delete - Deletes all matching mainmode rules.
dump - Displays a configuration script.
help - Displays a list of commands.
set - Sets new values for properties of an existing rule.
show - Displays a specified mainmode rule.
To view help for a command, type the command, followed by a space, and then type ?.
Adds a new mainmode rule.
C:\Windows>netsh advfirewall mainmode add ?
The following commands are available:
Commands in this context:
add rule - Adds a new mainmode rule.
Adds a new mainmode rule.
C:\Windows>netsh advfirewall mainmode add rule ?
Usage: add rule name=<string>
mmsecmethods=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384:
3des|des|aes128|aes192|aes256-md5|sha1|sha256|sha384[,...]|default
[mmforcedh=yes|no (default=no)]
[mmkeylifetime=<num>min,<num>sess]
[description=<string>]
[enable=yes|no (default=yes)]
[profile=any|current|public|private|domain[,...]]
[endpoint1=any|<IPv4 address>|<IPv6 address>|<subnet>
|<range>|<list>]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=<string>]
[auth1kerbproxyfqdn=<fully-qualified dns name>]
[auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[type=dynamic|static (default=static)]
Remarks:
- Add a new mainmode rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- Computerpsk and computerntlm methods cannot be
specified together for auth1.
- The use of DES, MD5 and DHGroup1 is not recommended.
These cryptographic algorithms are provided for backward
compatibility only.
- The minimum main mode key lifetime is mmkeylifetime=1min;
the maximum is mmkeylifetime=2880min.
The minimum number of sessions is 0;
the maximum is 2,147,483,647 sessions.
- The mmsecmethods keyword default sets the policy to:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
- Certhash specifies the thumbprint, or hash of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
- Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.
Examples:
Add a main mode rule:
netsh advfirewall mainmode add rule name="test"
description="Mainmode for RATH"
mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
auth1=computercert,computercertecdsap256
auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
auth1healthcert=no
auth1ecdsap256ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
auth1ecdsap256healthcert=yes
mmkeylifetime=2min profile=domain
Deletes all matching mainmode rules.
C:\Windows>netsh advfirewall mainmode delete ?
The following commands are available:
Commands in this context:
delete rule - Deletes all matching mainmode rules.
Deletes all matching mainmode rules.
C:\Windows>netsh advfirewall mainmode delete rule ?
Usage: delete rule name=<string>|all
[profile=any|current|public|private|domain[,...]]
[type=dynamic|static (default=static)]
Remarks:
- Deletes an existing main mode setting that matches the
name specified. Optionally, profile can be specified.
Command fails if setting with the specified name does not exist.
- If name=all is specified all rules are deleted from the specified
type and profile.
If profile is not specified, the delete applies to all profiles.
Examples:
Delete a main mode rule with name test:
netsh advfirewall mainmode delete rule name="test"
Displays a configuration script.
C:\Windows>netsh advfirewall mainmode dump ?
Usage: dump
Remarks:
Creates a script that contains the current configuration. If saved to a
file, this script can be used to restore altered configuration settings.
Displays a list of commands.
C:\Windows>netsh advfirewall mainmode help ?
Usage: help
Remarks:
Displays a list of commands.
Sets new values for properties of an existing rule.
C:\Windows>netsh advfirewall mainmode set ?
The following commands are available:
Commands in this context:
set rule - Sets new values for properties of an existing rule.
Sets new values for properties of an existing rule.
C:\Windows>netsh advfirewall mainmode set rule ?
Usage:
set rule name=<String>
[profile=public|private|domain|any[,...]]
[type=dynamic|static (default=static)]
new
[name=<string>]
[mmsecmethods=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384:
3des|des|aes128|aes192|aes256-md5|sha1|sha256|sha384[,...]|default]
[mmforcedh=yes|no (default=no)]
[mmkeylifetime=<num>min,<num>sess]
[description=<string>]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=<string>]
[auth1kerbproxyfqdn=<fully-qualified dns name>]
[auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca="<CA Name> [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:<Hex hash string, with no spaces or leading 0x>]
[followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>]
[certname:<CertName>] [certnametype:<SubjectAltDNS|
SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>]
[certcriteriatype:<Selection|Validation|Both (default=both)>]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[profile=any|current|domain|private|public[,...]]
Remarks:
- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- If multiple rules match the criteria, all matching rules will
be updated.
- Rule name should be unique and cannot be "all".
- Auth1 can be a comma-separated list of options.
Computerpsk and computerntlm methods cannot
be specified together for auth1.
- The use of DES, MD5 and DHGroup1 is not recommended.
These cryptographic algorithms are provided for backward
compatibility only.
- The minimum main mode key lifetime is mmkeylifetime=1min;
the maximum is mmkeylifetime=2880min.
The minimum number of sessions is 0;
the maximum is 2,147,483,647 sessions.
- The mmsecmethods keyword default sets the policy to:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
- Certhash specifies the thumbprint, or hash, of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for the certificate section
(requires certhash).
- Certeku specifies the comma-separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for the certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.
Examples:
Change the mmsecmethods, description
and key lifetime of a rule named test:
netsh advfirewall mainmode set rule name="test"
new description="Mainmode for RATH2"
mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
auth1=computerntlm mmkeylifetime=2min profile=domain
Displays a specified mainmode rule.
C:\Windows>netsh advfirewall mainmode show ?
The following commands are available:
Commands in this context:
show rule - Displays a specified mainmode rule.
Displays a specified mainmode rule.
C:\Windows>netsh advfirewall mainmode show rule ?
Usage: show rule name=<string>|all
[profile=all|current|public|private|domain[,...]]
[type=dynamic|static (default=static)]
[verbose]
Remarks:
- Displays the existing main mode settings that match the specified name;
optionally, a profile can be specified to narrow the output.
If name=all is specified, all main mode settings are shown
for the specified profiles.
Examples:
Display a main mode rule by name test:
netsh advfirewall mainmode show rule name="test"
Changes to the `netsh advfirewall monitor' context.
C:\Windows>netsh advfirewall monitor ?
The following commands are available:
Commands in this context:
? - Displays a list of commands.
delete - Deletes all matching security associations.
dump - Displays a configuration script.
help - Displays a list of commands.
show - Shows the runtime Firewall policy settings.
To view help for a command, type the command, followed by a space, and then type ?.
Deletes all matching security associations.
C:\Windows>netsh advfirewall monitor delete ?
Usage: delete mmsa|qmsa [(source destination)|all]
Remarks:
- This command deletes the matching security association as
specified by (source destination) pair.
- Source and destination are each a single IPv4 or IPv6
address.
Examples:
Delete all quick mode security associations:
netsh advfirewall monitor delete qmsa all
Delete all main mode security associations between the two
specified addresses:
netsh advfirewall monitor delete mmsa 192.168.0.3 192.168.0.6
Displays a configuration script.
C:\Windows>netsh advfirewall monitor dump ?
Usage: dump
Remarks:
Creates a script that contains the current configuration. If saved to a
file, this script can be used to restore altered configuration settings.
Displays a list of commands.
C:\Windows>netsh advfirewall monitor help ?
Usage: help
Remarks:
Displays a list of commands.
Shows the runtime Firewall policy settings.
C:\Windows>netsh advfirewall monitor show ?
The following commands are available:
Commands in this context:
show consec - Displays current consec state information.
show currentprofile - Displays the currently active profiles.
show firewall - Displays current firewall state information.
show mainmode - Displays current mainmode state information.
show mmsa - Displays the main mode SAs.
show qmsa - Displays the quick mode SAs.
Displays current consec state information.
C:\Windows>netsh advfirewall monitor show consec ?
Usage: show consec
[rule
name=<string>
[profile=public|private|domain|active|any[,...]]
]
[verbose]
Remarks:
- Displays the Connection Security configuration for all
available network profiles.
- The profile= argument enables the administrator to filter
the output to specific profiles on the system, or to only
return results from active or inactive profiles.
- The rule argument allows the administrator to scope the
output to certain rule names and statuses.
- The verbose argument adds support for displaying detailed
security and advanced rule 'source name' information.
Examples:
Display the current connection security state:
netsh advfirewall monitor show consec
Display the current connection security information for the public profile:
netsh advfirewall monitor show consec rule name=all profile=public
Displays the currently active profiles.
C:\Windows>netsh advfirewall monitor show currentprofile ?
Usage: show currentprofile
Remarks:
- This command shows the network connections associated
with currently active profiles.
Examples:
Shows all networks associated with the currently active profiles:
netsh advfirewall monitor show currentprofile
Displays current firewall state information.
C:\Windows>netsh advfirewall monitor show firewall ?
Usage: show firewall
[rule
name=<string>
[dir=in|out]
[profile=public|private|domain|active|any[,...]]
]
[verbose]
Remarks:
- Displays the Windows Defender Firewall properties for all available
network profiles.
- The profile= argument enables the administrator to filter
the output to specific profiles on the system.
- The Verbose argument adds support for displaying detailed
security and advanced rule 'source name' information.
Examples:
Display the current Firewall state:
netsh advfirewall monitor show firewall
Display the current outbound firewall rules for the public profile:
netsh advfirewall monitor show firewall rule name=all dir=out profile=public
Displays current mainmode state information.
C:\Windows>netsh advfirewall monitor show mainmode ?
Usage: show mainmode
[rule
name=<string>
[profile=public|private|domain|active|any[,...]]
]
[verbose]
Remarks:
- Displays the main mode security configuration for all
available network profiles.
- The profile= argument enables the administrator to filter
the output to specific profiles on the system, or to only
return results from active or inactive profiles.
- The rule argument allows the administrator to scope the
output to certain rule names and statuses.
- The verbose argument adds support for displaying detailed
security and advanced rule 'source name' information.
Examples:
Display the current main mode information for the public profile:
netsh advfirewall monitor show mainmode rule name=all profile=public
Displays the main mode SAs
C:\Windows>netsh advfirewall monitor show mmsa ?
Usage: show mmsa [(source destination)|all]
Remarks:
- This command shows all main mode security associations, or only
those matching the (source destination) pair.
- Source and destination are each a single IPv4 or IPv6
address.
Examples:
Show all main mode SAs:
netsh advfirewall monitor show mmsa
Show the main mode SAs between the two addresses:
netsh advfirewall monitor show mmsa 192.168.0.3 192.168.0.4
Displays the quick mode SAs.
C:\Windows>netsh advfirewall monitor show qmsa ?
Usage: show qmsa [(source destination)|all]
Remarks:
- This command shows all quick mode security associations, or only
those matching the (source destination) pair.
- Source and destination are each a single IPv4 or IPv6
address.
Examples:
Show all quick mode SAs:
netsh advfirewall monitor show qmsa
Show the quick mode SAs between the two addresses:
netsh advfirewall monitor show qmsa 192.168.0.3 192.168.0.4
Resets the policy to the default out-of-box policy.
C:\Windows>netsh advfirewall reset ?
Usage: reset [export <path\filename>]
Remarks:
- Restores the Windows Defender Firewall with Advanced Security policy to the
default policy. The current active policy can be optionally exported
to a specified file.
- In a Group Policy object, this command returns all settings to
notconfigured and deletes all connection security and firewall
rules.
Examples:
Back up the current policy and restore the out-of-box policy:
netsh advfirewall reset export "c:\backuppolicy.wfw"
Sets the per-profile or global settings.
C:\Windows>netsh advfirewall set ?
The following commands are available:
Commands in this context:
set allprofiles - Sets properties in all profiles.
set currentprofile - Sets properties in the active profile.
set domainprofile - Sets properties in the domain profile.
set global - Sets the global properties.
set privateprofile - Sets properties in the private profile.
set publicprofile - Sets properties in the public profile.
Sets properties in all profiles.
C:\Windows>netsh advfirewall set allprofiles ?
Usage: set allprofiles (parameter) (value)
Parameters:
state - Configure the firewall state.
Usage: state on|off|notconfigured
firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.
settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.
logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: <string>|notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured
Remarks:
- Configures profile settings for all profiles.
- The "notconfigured" value is valid only for a Group Policy store.
Examples:
Turn the firewall off for all profiles:
netsh advfirewall set allprofiles state off
Set the default behavior to block inbound and allow outbound
connections on all profiles:
netsh advfirewall set allprofiles firewallpolicy
blockinbound,allowoutbound
Turn on remote management on all profiles:
netsh advfirewall set allprofiles settings remotemanagement enable
Log dropped connections on all profiles:
netsh advfirewall set allprofiles logging droppedconnections enable
Sets properties in the active profile.
C:\Windows>netsh advfirewall set currentprofile ?
Usage: set currentprofile (parameter) (value)
Parameters:
state - Configure the firewall state.
Usage: state on|off|notconfigured
firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.
settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.
logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: <string>|notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured
Remarks:
- Configures profile settings for the currently active profile.
- The "notconfigured" value is valid only for a Group Policy store.
Examples:
Turn the firewall off on the currently active profile:
netsh advfirewall set currentprofile state off
Set the default behavior to block inbound and allow outbound
connections on the currently active profile:
netsh advfirewall set currentprofile firewallpolicy
blockinbound,allowoutbound
Turn on remote management on the currently active profile:
netsh advfirewall set currentprofile settings remotemanagement enable
Log dropped connections on the currently active profile:
netsh advfirewall set currentprofile logging droppedconnections enable
Sets properties in the domain profile.
C:\Windows>netsh advfirewall set domainprofile ?
Usage: set domainprofile (parameter) (value)
Parameters:
state - Configure the firewall state.
Usage: state on|off|notconfigured
firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.
settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.
logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: <string>|notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured
Remarks:
- Configures domain profile settings.
- The "notconfigured" value is valid only for a Group Policy store.
Examples:
Turn the firewall off when the domain profile is active:
netsh advfirewall set domainprofile state off
Set the default behavior to block inbound and allow outbound
connections when the domain profile is active:
netsh advfirewall set domainprofile firewallpolicy
blockinbound,allowoutbound
Turn on remote management when the domain profile is active:
netsh advfirewall set domainprofile settings remotemanagement enable
Log dropped connections when the domain profile is active:
netsh advfirewall set domainprofile logging droppedconnections enable
Sets the global properties.
C:\Windows>netsh advfirewall set global ?
Usage: set global statefulftp|statefulpptp enable|disable|notconfigured
set global ipsec (parameter) (value)
set global mainmode (parameter) (value) | notconfigured
IPsec Parameters:
strongcrlcheck - Configures how CRL checking is enforced.
0: Disable CRL checking (default)
1: Fail if cert is revoked
2: Fail on any error
notconfigured: Returns the value to its not
configured state.
saidletimemin - Configures the security association idle time in
minutes.
- Usage: 5-60|notconfigured (default=5)
defaultexemptions - Configures the default IPsec exemptions. Default is
to exempt IPv6 neighbordiscovery protocol and
DHCP from IPsec.
- Usage: none|neighbordiscovery|icmp|dhcp|notconfigured
ipsecthroughnat - Configures when security associations can be
established with a computer behind a network
address translator.
- Usage: never|serverbehindnat|
serverandclientbehindnat|
notconfigured (default=never)
authzcomputergrp - Configures the computers that are authorized to
establish tunnel mode connections.
- Usage: none|<SDDL string>|notconfigured
authzusergrp - Configures the users that are authorized to establish
tunnel mode connections.
- Usage: none|<SDDL string>|notconfigured
Main Mode Parameters:
mmkeylifetime - Sets main mode key lifetime in minutes
or sessions, or both.
- Usage: <num>min,<num>sess
minlifetime: <1> min,
maxlifetime: <2880> min
minsessions: <0> sessions,
maxsessions: <2,147,483,647> sessions
mmsecmethods - Configures the main mode list of proposals.
- Usage:
keyexch:enc-integrity,keyexch:enc-integrity[,...]|default
- keyexch=dhgroup1|dhgroup2|dhgroup14|dhgroup24|
ecdhp256|ecdhp384
- enc=3des|des|aes128|aes192|aes256
- integrity=md5|sha1|sha256|sha384
mmforcedh - Configures the option to use DH to secure key exchange.
- Usage:
yes|no (default=no)
Remarks:
- Configures global settings, including advanced IPsec options.
- The use of DES, MD5 and DHGroup1 is not recommended. These
cryptographic algorithms are provided for backward compatibility
only.
- The mmsecmethods keyword default sets the policy to:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
Examples:
Disable CRL checking:
netsh advfirewall set global ipsec strongcrlcheck 0
Turn on the Firewall support for stateful FTP:
netsh advfirewall set global statefulftp enable
Set global main mode proposals to the default value:
netsh advfirewall set global mainmode mmsecmethods default
Set global main mode proposals to a custom list:
netsh advfirewall set global mainmode mmsecmethods
dhgroup1:des-md5,dhgroup1:3des-sha1
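An added PowerShell helper (example code, not part of the netsh help text) that checks an mmsecmethods proposal list against the keyexch:enc-integrity grammar above, expands the default keyword to the two proposals the remarks list, and refuses to apply a list that uses the DES, MD5 or DHGroup1 algorithms the remarks mark as backward-compatibility only. The function and parameter names are this example's own; applying the list requires an elevated prompt.

```powershell
# Added example, not netsh's own code. Token sets below are copied from the
# mmsecmethods usage text; the deprecation list comes from the remarks.
$KeyExch   = @('dhgroup1','dhgroup2','dhgroup14','dhgroup24','ecdhp256','ecdhp384')
$Enc       = @('3des','des','aes128','aes192','aes256')
$Integrity = @('md5','sha1','sha256','sha384')
$Deprecated = @('dhgroup1','des','md5')
# "default" expands to these two proposals (written keyexch:enc-integrity here,
# the help text prints them with hyphens).
$DefaultProposals = @('dhgroup2:aes128-sha1','dhgroup2:3des-sha1')

function Test-MainModeProposalList {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$MmSecMethods)

    $proposals = if ($MmSecMethods.Trim() -eq 'default') { $DefaultProposals }
                 else { @($MmSecMethods -split ',' | ForEach-Object { $_.Trim() }) }

    $issues = @(); $weak = @()
    foreach ($p in $proposals) {
        # One proposal is keyexch:enc-integrity; netsh accepts any letter case.
        if ($p -notmatch '^(?<kx>[a-z0-9]+):(?<enc>[a-z0-9]+)-(?<int>[a-z0-9]+)$') {
            $issues += "Malformed proposal '$p' (expected keyexch:enc-integrity)"
            continue
        }
        $kx = $Matches.kx.ToLower(); $enc = $Matches.enc.ToLower(); $int = $Matches.int.ToLower()
        if ($kx  -notin $KeyExch)   { $issues += "Unknown key exchange '$kx' in '$p'" }
        if ($enc -notin $Enc)       { $issues += "Unknown encryption '$enc' in '$p'" }
        if ($int -notin $Integrity) { $issues += "Unknown integrity '$int' in '$p'" }
        foreach ($alg in @($kx, $enc, $int)) {
            if ($alg -in $Deprecated) { $weak += "Proposal '$p' uses deprecated algorithm '$alg'" }
        }
    }
    [pscustomobject]@{
        Proposals = $proposals
        IsValid   = ($issues.Count -eq 0)
        IsStrong  = ($issues.Count -eq 0 -and $weak.Count -eq 0)
        Errors    = $issues
        Warnings  = $weak
    }
}

function Set-MainModeProposalList {
    # Applies the list only when it parses and contains no deprecated algorithm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$MmSecMethods)

    $check = Test-MainModeProposalList -MmSecMethods $MmSecMethods
    $check.Errors   | ForEach-Object { Write-Error $_ }
    $check.Warnings | ForEach-Object { Write-Warning $_ }
    if (-not $check.IsStrong) { return $check }

    if ($PSCmdlet.ShouldProcess('global main mode', "set mmsecmethods $MmSecMethods")) {
        netsh advfirewall set global mainmode mmsecmethods $MmSecMethods | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Error "netsh failed with exit code $LASTEXITCODE" }
    }
    $check
}

# The help text's own custom-list example parses but fails the strength check:
Test-MainModeProposalList 'dhgroup1:des-md5,dhgroup1:3des-sha1' | Format-List
# A list built only from non-deprecated tokens passes; -WhatIf previews without applying.
Set-MainModeProposalList 'dhgroup14:aes256-sha256,ecdhp384:aes256-sha384' -WhatIf
```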
Sets properties in the private profile.
C:\Windows>netsh advfirewall set privateprofile ?
Usage: set privateprofile (parameter) (value)
Parameters:
state - Configure the firewall state.
Usage: state on|off|notconfigured
firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.
settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.
logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: <string>|notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured
Remarks:
- Configures private profile settings.
- The "notconfigured" value is valid only for a Group Policy store.
Examples:
Turn the firewall off when the private profile is active:
netsh advfirewall set privateprofile state off
Set the default behavior to block inbound and allow outbound
connections when the private profile is active:
netsh advfirewall set privateprofile firewallpolicy
blockinbound,allowoutbound
Turn on remote management when the private profile is active:
netsh advfirewall set privateprofile settings remotemanagement enable
Log dropped connections when the private profile is active:
netsh advfirewall set privateprofile logging droppedconnections enable
Sets properties in the public profile.
»netsh »advfirewall »set »publicprofile
C:\Windows>netsh advfirewall set publicprofile ?
Usage: set publicprofile (parameter) (value)
Parameters:
state - Configure the firewall state.
Usage: state on|off|notconfigured
firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.
settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.
logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: <string>|notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured
Remarks:
- Configures public profile settings.
- The "notconfigured" value is valid only for a Group Policy store.
Examples:
Turn the firewall off when the public profile is active:
netsh advfirewall set publicprofile state off
Set the default behavior to block inbound and allow outbound
connections when the public profile is active:
netsh advfirewall set publicprofile firewallpolicy
blockinbound,allowoutbound
Turn on remote management when the public profile is active:
netsh advfirewall set publicprofile settings remotemanagement enable
Log dropped connections when the public profile is active:
netsh advfirewall set publicprofile logging droppedconnections enable
Displays profile or global properties.
»netsh »advfirewall »show
C:\Windows>netsh advfirewall show ?
The following commands are available:
Commands in this context:
show allprofiles - Displays properties for all profiles.
show currentprofile - Displays properties for the active profile.
show domainprofile - Displays properties for the domain properties.
show global - Displays the global properties.
show privateprofile - Displays properties for the private profile.
show publicprofile - Displays properties for the public profile.
show store - Displays the policy store for the current interactive session.
Displays properties for all profiles.
»netsh »advfirewall »show »allprofiles
C:\Windows>netsh advfirewall show allprofiles ?
Usage: show allprofiles [parameter]
Parameters:
state - Displays whether Windows Defender Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.
Remarks:
- Displays the properties for all profiles. If a parameter
is not specified, all properties are displayed.
Examples:
Display the firewall state for all profiles:
netsh advfirewall show allprofiles state
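The per-profile settings above (firewallpolicy, remotemanagement, logging) and `show allprofiles` together make a simple compliance check possible. The following audit script is an added example, not part of the netsh help text: it parses constructed `show allprofiles` output (the "<Name> Profile Settings:" header and two-column "Key   Value" layout are assumed) and reports every profile setting that falls below a baseline drawn from this help page.

```python
import re

# Constructed sample of `netsh advfirewall show allprofiles` output. The
# "<Name> Profile Settings:" header and "Key   Value" layout are assumed.
SAMPLE_OUTPUT = """\
Domain Profile Settings:
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
RemoteManagement                      Disable
LogDroppedConnections                 Enable
MaxFileSize                           4096
Public Profile Settings:
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
RemoteManagement                      Enable
LogDroppedConnections                 Disable
MaxFileSize                           1024
Ok.
"""

# Baseline taken from the help text: block unmatched inbound, allow outbound,
# no remote management, log dropped connections, keep a usefully sized log.
BASELINE = {"State": "ON", "Firewall Policy": "BlockInbound,AllowOutbound",
            "RemoteManagement": "Disable", "LogDroppedConnections": "Enable"}
MIN_LOG_KB = 4096  # assumed organisational minimum, not a netsh default

def parse_profiles(text):
    """Return {profile: {key: value}} parsed from show allprofiles output."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:$", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
            continue
        # Key and value are separated by a run of two or more spaces.
        kv = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if current is not None and kv:
            current[kv.group(1)] = kv.group(2)
    return profiles

def audit(profiles):
    """Return (profile, key, actual) for each setting below the baseline."""
    findings = []
    for name, settings in profiles.items():
        for key, want in BASELINE.items():
            if settings.get(key, "").lower() != want.lower():
                findings.append((name, key, settings.get(key)))
        if int(settings.get("MaxFileSize", "0")) < MIN_LOG_KB:
            findings.append((name, "MaxFileSize", settings.get("MaxFileSize")))
    return findings
```

On a live host, feed the script the output of `netsh advfirewall show allprofiles` instead of the constructed sample; each finding maps to one of the `set <profile>profile` commands documented above.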
Displays properties for the active profile.
»netsh »advfirewall »show »currentprofile
C:\Windows>netsh advfirewall show currentprofile ?
Usage: show currentprofile [parameter]
Parameters:
state - Displays whether Windows Defender Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.
Remarks:
- Displays the properties for the active profile. If a parameter
is not specified, all properties are displayed.
Examples:
Display the active profile firewall state:
netsh advfirewall show currentprofile state
Displays properties for the domain properties.
»netsh »advfirewall »show »domainprofile
C:\Windows>netsh advfirewall show domainprofile ?
Usage: show domainprofile [parameter]
Parameters:
state - Displays whether Windows Defender Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.
Remarks:
- Displays the properties for the domain profile. If a parameter
is not specified, all properties are displayed.
Examples:
Display the domain profile firewall state:
netsh advfirewall show domainprofile state
Displays the global properties.
»netsh »advfirewall »show »global
C:\Windows>netsh advfirewall show global ?
Usage: show global [property]
Parameters:
ipsec - Shows IPsec specific settings.
statefulftp - Shows stateful ftp support.
statefulpptp - Shows stateful pptp support.
This value is ignored in Windows 7 and is available only to manage
downlevel Windows Defender Firewall with Advanced Security systems.
mainmode - Shows Main Mode settings.
categories - Shows Firewall Categories.
Remarks:
- Displays the global property settings. If a parameter is
not specified, all properties are displayed.
Examples:
Display IPsec settings:
netsh advfirewall show global ipsec
Display main mode settings:
netsh advfirewall show global mainmode
Displays properties for the private profile.
»netsh »advfirewall »show »privateprofile
C:\Windows>netsh advfirewall show privateprofile ?
Usage: show privateprofile [parameter]
Parameters:
state - Displays whether Windows Defender Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.
Remarks:
- Displays the properties for the private profile. If a parameter
is not specified, all properties are displayed.
Examples:
Display the private profile firewall state:
netsh advfirewall show privateprofile state
Displays properties for the public profile.
»netsh »advfirewall »show »publicprofile
C:\Windows>netsh advfirewall show publicprofile ?
Usage: show publicprofile [parameter]
Parameters:
state - Displays whether Windows Defender Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.
Remarks:
- Displays the properties for the public profile. If a parameter
is not specified, all properties are displayed.
Examples:
Display the public profile firewall state:
netsh advfirewall show publicprofile state
Displays the policy store for the current interactive session.
»netsh »advfirewall »show »store
C:\Windows>netsh advfirewall show store ?
Usage: show store
Remarks:
- This command displays the current policy store.
Example:
netsh advfirewall show store
