Netsh Commands for Windows Firewall
Updated: June 3, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings.
Important: (the text of this note was not recovered in this copy; it refers to the firewall and advfirewall netsh contexts.)
You can run these commands from within the netsh tool at the netsh firewall> prompt.
For these commands to work at a standard Windows command prompt, you must preface each command with netsh firewall, followed by the specific command and parameters as they appear in the syntax below.
Note: These commands must be run from an elevated command prompt (Run as administrator).
For more information about netsh, see Netsh Overview and Enter a Netsh Context.
Netsh firewall
The following sections describe each command and its syntax.
add allowedprogram
Adds a program-based exception to the firewall.
Syntax
add allowedprogram [ program = ] PathAndFileName [ name = ] ProgramName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ program = ] PathAndFileName
    Required. The path and file name of the program to add as an exception.
[ name = ] ProgramName
    Required. The name under which the exception is listed.
[ [ mode = ] { enable | disable } ]
    Optional. enable makes the exception active (the program's traffic is allowed through the firewall); disable creates the exception but leaves it inactive. Default: enable.
[ [ scope = ] { all | subnet | custom } ]
    Optional. Default: all.
    all specifies that the exception applies to traffic from any address.
    subnet specifies that the exception applies only to traffic from the local subnet.
    custom specifies that the exception applies only to traffic from the addresses listed in the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
    Optional; valid only with scope=custom. A comma-separated list of one or more of the following:
    An IPv4 or IPv6 address. For example, 192.168.0.15.
    An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
    A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
    A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
    The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
    For example: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
add allowedprogram "C:\My App\MyApp.exe" "My Application" enable
add allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,21AB:0000:0000:CD30::/60,localsubnet
set allowedprogram
Modifies the settings of an existing program-based exception.
Syntax
set allowedprogram [ program = ] PathAndFileName [ [ name = ] ProgramName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ program = ] PathAndFileName
    Required. The path and file name of the program whose existing exception is modified.
[ [ name = ] ProgramName ]
    Optional. A new name for the exception.
[ [ mode = ] { enable | disable } ]
    Optional. enable makes the exception active (the program's traffic is allowed through the firewall); disable leaves the exception defined but inactive.
[ [ scope = ] { all | subnet | custom } ]
    Optional.
    all specifies that the exception applies to traffic from any address.
    subnet specifies that the exception applies only to traffic from the local subnet.
    custom specifies that the exception applies only to traffic from the addresses listed in the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
    Optional; valid only with scope=custom. A comma-separated list of one or more of the following:
    An IPv4 or IPv6 address. For example, 192.168.0.15.
    An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
    A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
    A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
    The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
    For example: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
You must specify at least one parameter other than program.

You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set allowedprogram "C:\My App\MyApp.exe" "My Application" enable
set allowedprogram "C:\My App\MyApp.exe" "My Application" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
set allowedprogram program="C:\My App\MyApp.exe" name=MyApp mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
delete allowedprogram
Deletes an existing program-based exception.
Syntax
delete allowedprogram [ program = ] PathAndFileName [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ program = ] PathAndFileName
    Required. The path and file name of the program whose exception is deleted.
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe profile=all
set icmpsetting
Specifies the types of ICMP traffic that are permitted through the firewall.
Syntax
set icmpsetting [ type = ] { 2-5 | 8-9 | 11-13 | 17 | all } [ [ mode = ] { enable | disable } ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ type = ] { 2-5 | 8-9 | 11-13 | 17 | all }
    Required. The ICMP message type to configure:
    2 - Outbound packet too big.
    3 - Outbound destination unreachable.
    4 - Outbound source quench.
    5 - Redirect.
    8 - Inbound echo request (ping).
    9 - Inbound router request.
    11 - Outbound time exceeded.
    12 - Outbound parameter problem.
    13 - Inbound timestamp request.
    17 - Inbound mask request.
    all - All of the above types.
[ [ mode = ] { enable | disable } ]
    Optional. enable allows the selected ICMP type(s) through the firewall; disable blocks them. Default: enable.
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set icmpsetting 8 enable all
set icmpsetting type=all mode=disable
set multicastbroadcastresponse
Specifies whether or not responses to a multicast or broadcast request are allowed through the firewall.
Syntax
set multicastbroadcastresponse [ mode = ] { enable | disable } [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ mode = ] { enable | disable }
    Required. enable allows the computer's responses to multicast or broadcast requests through the firewall; disable blocks them. The firewall's default setting is enable.
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set multicastbroadcastresponse enable
set multicastbroadcastresponse mode=enable profile=all
set notifications
Specifies whether the firewall displays a pop-up notification to the user when a program attempts to listen on a port.
Syntax
set notifications [ mode = ] { enable | disable } [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ mode = ] { enable | disable }
    Required. enable shows the pop-up notification when a program attempts to listen on a port; disable suppresses it.
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set notifications enable
set notifications disable
set notifications mode=enable profile=current
set logging
Specifies whether the firewall writes information to a log file, and what details are included. This command only affects the currently active profile.
Syntax
set logging [ [ filelocation = ] PathAndFileName ] [ [ maxfilesize = ] Integer ] [ [ droppedpackets = ] { enable | disable } ] [ [ connections = ] { enable | disable } ]
Parameters
[ [ filelocation = ] PathAndFileName ]
    Optional. The path and file name of the log file. Default: %windir%\pfirewall.log.
[ [ maxfilesize = ] Integer ]
    Optional. The maximum size of the log file, in kilobytes. Default: 4096.
[ [ droppedpackets = ] { enable | disable } ]
    Optional. Whether dropped packets are written to the log. Default: disable.
[ [ connections = ] { enable | disable } ]
    Optional. Whether successful connections are written to the log. Default: disable.
Remarks
At least one parameter must be specified.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set logging enable enable
set logging 4096 enable disable
set logging c:\mylogs\mylog.log 4096 enable enable
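A log that nobody reads is worth little, so the following Python script is an added example of consuming what set logging produces; it is not part of the original page or of the netsh tool. It assumes the W3C-style layout Windows Firewall uses for %windir%\pfirewall.log, in which a #Fields: header names the columns, and it runs over a constructed sample rather than a real log. It counts DROP entries per source, collects the destination ports each source was dropped on, and skips a truncated trailing line instead of mis-keying its columns; the function names (parse_log, count_drops_by_source, dropped_ports_by_source, flag_port_sweeps) and the sweep threshold are the example's own.

```python
"""Reader for the log that 'set logging' produces (added example; not from the page).

Assumption: Windows Firewall writes a W3C-style text log whose '#Fields:' header
names the columns; the sample below is constructed to match that layout.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed sample in the layout of %windir%\pfirewall.log, written with
# droppedpackets=enable and connections=enable. The last line is deliberately
# truncated, as happens when the file is read while the firewall is writing it.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-06-03 10:15:01 DROP TCP 192.168.0.77 192.168.0.15 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2009-06-03 10:15:02 DROP TCP 192.168.0.77 192.168.0.15 49153 3389 52 S 1234568 0 8192 - - - RECEIVE
2009-06-03 10:15:02 DROP UDP 192.168.0.77 192.168.0.15 49154 53 78 - - - - - - - RECEIVE
2009-06-03 10:15:03 OPEN TCP 192.168.0.15 10.1.0.5 49200 80 - - - - - - - - -
2009-06-03 10:15:04 CLOSE TCP 192.168.0.15 10.1.0.5 49200 80 - - - - - - - - -
2009-06-03 10:15:05 DROP ICMP 192.168.0.88 192.168.0.15 - - 84 - - - - 8 0 - RECEIVE
2009-06-03 10:15:06 DROP TCP 192.168.0.9
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn log text into one dict per data line, keyed by the #Fields names.

    Comment lines are skipped; a data line whose column count does not match
    the header (a truncated partial write) is skipped rather than mis-keyed.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def count_drops_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of DROP entries per source address."""
    return dict(Counter(r["src-ip"] for r in records if r["action"] == "DROP"))


def dropped_ports_by_source(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct destination ports each source was dropped on ('-' means no port, e.g. ICMP)."""
    ports: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["dst-port"] != "-":
            ports[r["src-ip"]].add(r["dst-port"])
    return dict(ports)


def flag_port_sweeps(records: List[Dict[str, str]], min_ports: int = 3) -> List[str]:
    """Sources dropped on at least min_ports distinct destination ports: a simple sweep heuristic."""
    return sorted(src for src, ports in dropped_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    print("drops by source:", count_drops_by_source(recs))
    print("possible sweeps:", flag_port_sweeps(recs))
```

Run it as a script to summarise the sample, or call parse_log on the contents of the file named by filelocation. With droppedpackets=enable and connections=enable both kinds of entry land in the same file, so filter on the action column, as the helpers do, before counting anything.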
set opmode
Specifies the operating mode of Windows Firewall.
Syntax
set opmode [ mode = ] { enable | disable } [ [ exceptions = ] { enable | disable } ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ mode = ] { enable | disable }
    Required. enable turns Windows Firewall on; disable turns it off.
[ [ exceptions = ] { enable | disable } ]
    Optional. Whether the configured exceptions are honored. exceptions=disable blocks all unsolicited inbound traffic, including traffic that the exception list would otherwise allow. Default: enable.
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set opmode enable
set opmode mode=enable exceptions=enable
add portopening
Creates a port-based exception.
Syntax
add portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ name = ] ExceptionName [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ protocol = ] { tcp | udp | all }
    Required. The protocol of the port to open.
[ port = ] Integer
    Required. The port number.
[ name = ] ExceptionName
    Required. The name under which the exception is listed.
[ [ mode = ] { enable | disable } ]
    Optional. enable makes the exception active (traffic to the port is allowed through the firewall); disable creates the exception but leaves it inactive.
[ [ scope = ] { all | subnet | custom } ]
    Optional. Default: all.
    all specifies that the exception applies to traffic from any address.
    subnet specifies that the exception applies only to traffic from the local subnet.
    custom specifies that the exception applies only to traffic from the addresses listed in the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
    Optional; valid only with scope=custom. A comma-separated list of one or more of the following:
    An IPv4 or IPv6 address. For example, 192.168.0.15.
    An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
    A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
    A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
    The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
    For example: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
add portopening tcp 80 MyWebPort
add portopening udp 500 "IKE Exception" enable all
add portopening all 53 DNS enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
set portopening
Modifies the settings of an existing port-based exception.
Syntax
set portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ name = ] ExceptionName ] [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ protocol = ] { tcp | udp | all }
    Required. The protocol of the existing port exception.
[ port = ] Integer
    Required. The port number of the existing port exception.
[ [ name = ] ExceptionName ]
    Optional. A new name for the exception.
[ [ mode = ] { enable | disable } ]
    Optional. enable makes the exception active (traffic to the port is allowed through the firewall); disable leaves the exception defined but inactive.
[ [ scope = ] { all | subnet | custom } ]
    Optional.
    all specifies that the exception applies to traffic from any address.
    subnet specifies that the exception applies only to traffic from the local subnet.
    custom specifies that the exception applies only to traffic from the addresses listed in the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
    Optional; valid only with scope=custom. A comma-separated list of one or more of the following:
    An IPv4 or IPv6 address. For example, 192.168.0.15.
    An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
    A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
    A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
    The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
    For example: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
You must specify at least one parameter other than port and protocol.

You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set portopening tcp 80 "My Web Port"
set portopening udp 500 "IKE Exception" enable all
set portopening all 53 "DNS Exception" enable custom 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
delete portopening
Deletes an existing port-based exception.
Syntax
delete portopening [ protocol = ] { tcp | udp | all } [ port = ] Integer [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ protocol = ] { tcp | udp | all }
    Required. The protocol of the port exception to delete.
[ port = ] Integer
    Required. The port number of the port exception to delete.
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
delete portopening tcp 80
delete portopening protocol=all port=25
set service
Enables or disables the pre-defined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.
Syntax
set service [ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all } [ [ mode = ] { enable | disable } ] [ [ scope = ] { all | subnet | custom } ] [ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ] [ [ profile = ] { current | domain | standard | all } ]
Parameters
[ type = ] { fileandprint | remoteadmin | remotedesktop | upnp | all }
    Required. The pre-defined exception to configure:
    fileandprint. The file and printer sharing service.
    remoteadmin. The ability to remotely administer a computer running Windows.
    remotedesktop. The ability to use a Terminal Services client such as Remote Desktop.
    upnp. Universal Plug-and-Play protocol for networked devices.
    all. All of the above services.
[ [ mode = ] { enable | disable } ]
    Optional. enable makes the service exception active; disable deactivates it. Default: enable.
[ [ scope = ] { all | subnet | custom } ]
    Optional.
    all specifies that the exception applies to traffic from any address.
    subnet specifies that the exception applies only to traffic from the local subnet.
    custom specifies that the exception applies only to traffic from the addresses listed in the addresses parameter.
[ [ addresses = ] { IPAddress | IPRange | Subnet | localsubnet }[,…] ]
    Optional; valid only with scope=custom. A comma-separated list of one or more of the following:
    An IPv4 or IPv6 address. For example, 192.168.0.15.
    An IPv4 or IPv6 range with start and end addresses separated by a '-'. For example, 192.168.0.1-192.168.0.50.
    A subnet indicated by the subnet address and subnet mask separated by a '/'. For example, 192.168.0.0/255.255.255.0.
    A subnet indicated by the subnet address and a subnet prefix separated by a '/'. For example, 10.1.0.0/16.
    The keyword localsubnet, which includes all addresses that are on the local computer's current subnet.
    For example: 172.16.0.0/16, 10.0.0.0/255.0.0.0, 21AB:0000:0000:CD30::/60, localsubnet
[ [ profile = ] { current | domain | standard | all } ]
    Optional. Default: current.
    current specifies that the command applies to the profile that is currently active on the computer.
    domain specifies that the command applies only to the domain profile.
    standard specifies that the command applies only to the private profile.
    all specifies that the command applies to all profiles except the private profile.
Remarks
You must specify scope=custom to specify addresses. If scope=custom is used, then addresses cannot be blank.

To specify the profile associated with the public network location type, you must specify profile=current when the computer is attached to a public network.

The addresses parameter cannot contain an unspecified IPv6 address, a loopback address, or a multicast address.

Examples
Each example must be entered as a single command line. The examples may be displayed on multiple lines below for space reasons.
set service fileandprint
set service remoteadmin enable subnet
set service type=remotedesktop mode=enable scope=custom addresses=157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,localsubnet
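The addresses grammar and the Remarks that restrict it are identical for add allowedprogram, set allowedprogram, add portopening, set portopening and set service above, so one check serves all five. The Python below is an added example, not code from the page or from netsh: it parses an addresses list into the single-address, range, subnet (dotted mask or prefix) and localsubnet forms with the standard ipaddress module, enforces that addresses is given only with scope=custom and is then non-empty, and rejects any item that contains an unspecified IPv6, loopback or multicast address (for ranges and subnets, any overlap with those blocks counts). Requiring the subnet address to have no host bits set, and the normalised output (dotted masks become prefix lengths), are this validator's own choices rather than documented netsh behaviour; the function names are the example's own.

```python
"""Validator for the 'addresses' parameter grammar (added example; not from the page).

Implements the grammar and Remarks the page gives for add/set allowedprogram,
add/set portopening and set service: address, start-end range, subnet with
dotted mask or prefix, the localsubnet keyword; addresses only with
scope=custom and never empty then; no unspecified IPv6, loopback or multicast
address. Strict network addresses and the normalised output are this
validator's own choices.
"""
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Address classes the page's Remarks exclude from 'addresses'.
FORBIDDEN: List[IPNet] = [
    ipaddress.ip_network("::/128"),       # unspecified IPv6 address
    ipaddress.ip_network("127.0.0.0/8"),  # IPv4 loopback
    ipaddress.ip_network("::1/128"),      # IPv6 loopback
    ipaddress.ip_network("224.0.0.0/4"),  # IPv4 multicast
    ipaddress.ip_network("ff00::/8"),     # IPv6 multicast
]


def _overlaps(first: IPAddr, last: IPAddr, net: IPNet) -> bool:
    """True if the inclusive range [first, last] shares any address with net."""
    return first.version == net.version and first <= net[-1] and last >= net[0]


def parse_item(item: str) -> Tuple[str, str]:
    """Parse one comma-separated element of 'addresses'.

    Returns (kind, normalised_text) with kind one of 'localsubnet', 'address',
    'range' or 'subnet'; raises ValueError for anything the grammar rejects.
    """
    text = item.strip()
    if not text:
        raise ValueError("empty address item")
    if text.lower() == "localsubnet":
        return "localsubnet", "localsubnet"
    if "-" in text:                                   # start-end range
        start_s, end_s = text.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version or start > end:
            raise ValueError(f"malformed range: {text}")
        kind, first, last, norm = "range", start, end, f"{start}-{end}"
    elif "/" in text:                                 # subnet with dotted mask or prefix
        # ip_network accepts 'addr/prefix' and, for IPv4, 'addr/dotted-mask';
        # strict=True rejects host bits set in the subnet address (our choice).
        net = ipaddress.ip_network(text, strict=True)
        kind, first, last, norm = "subnet", net[0], net[-1], str(net)
    else:                                             # single address
        addr = ipaddress.ip_address(text)
        kind, first, last, norm = "address", addr, addr, str(addr)
    for bad in FORBIDDEN:
        if _overlaps(first, last, bad):
            raise ValueError(f"{text} contains a disallowed address ({bad})")
    return kind, norm


def validate_scope(scope: str, addresses: str = "") -> List[str]:
    """Apply the scope/addresses rules; return the normalised address list."""
    scope = scope.strip().lower()
    if scope not in ("all", "subnet", "custom"):
        raise ValueError(f"unknown scope: {scope}")
    if scope != "custom":
        if addresses.strip():
            raise ValueError("addresses may only be given with scope=custom")
        return []
    if not addresses.strip():
        raise ValueError("scope=custom requires a non-empty addresses list")
    return [parse_item(part)[1] for part in addresses.split(",")]


def is_valid(scope: str, addresses: str = "") -> bool:
    """Convenience wrapper: True if the scope/addresses combination is accepted."""
    try:
        validate_scope(scope, addresses)
        return True
    except ValueError:
        return False
```

validate_scope returns the normalised items or raises ValueError with the reason; is_valid wraps it for a yes/no answer. A script that builds netsh command lines from user-supplied input can call it before passing the list on, so that a loopback or multicast address, or a range written backwards, is caught before netsh ever sees it.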
show commands
The following show commands are used to display the current configuration:
show allowedprogram [ [ verbose = ] { enable | disable } ]
    Displays the current list of program exceptions for the domain and standard profiles. Use the parameter verbose=enable to see additional details.
show config [ [ verbose = ] { enable | disable } ]
    Displays the local configuration information for the domain and standard profiles, including the output of all other show commands. Use the parameter verbose=enable to see additional details.
show currentprofile
    Displays the profile that is currently active on the computer.
show icmpsetting [ [ verbose = ] { enable | disable } ]
    Displays the ICMP settings. Use the parameter verbose=enable to see additional details.
show logging
    Displays the current logging settings (file location, maximum file size, and whether dropped packets and connections are logged).
show multicastbroadcastresponse
    Displays multicast/broadcast response settings for each profile.
show notifications
    Displays whether the firewall displays pop-up notifications for each profile.
show opmode
    Displays the operational mode for the firewall for each profile.
show portopening [ [ verbose = ] { enable | disable } ]
    Displays the current list of port exceptions for each profile. Use the parameter verbose=enable to see additional details.
show service [ [ verbose = ] { enable | disable } ]
    Displays the service configuration for each profile. Use the parameter verbose=enable to see additional details.
show state [ [ verbose = ] { enable | disable } ]
    Displays the current state information for the firewall. Use the parameter verbose=enable to see additional details.
reset
Resets the configuration of Windows Firewall to default settings. All manually configured changes are lost. There are no parameters for the reset command.
Not working
Most commands work in Windows 2008 R2, but display an info message:

IMPORTANT: "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Master Technician Technology Services