Netsh Commands for Windows Firewall with Advanced Security
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management. This can be useful in the following situations:
When deploying Windows Firewall with Advanced Security settings to computers on a wide area network (WAN), commands can be used interactively at the Netsh command prompt, which performs better than the graphical utilities across slow network links.

When deploying Windows Firewall with Advanced Security settings to a large number of computers, commands can be used in batch mode at the Netsh command prompt to help script and automate recurring administrative tasks that must be performed.

You must have the required permissions to run the netsh advfirewall commands:
If you are a member of the Administrators group, and User Account Control is enabled on your computer, then run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

If you are a member of the Network Operators group then you can run the commands from any command prompt.

If you are not a member of Administrators or Network Operators, and have not been delegated any other permissions to run this command, then you can run only those commands that display settings, not those that change them.

Important
“netsh firewall” is deprecated; use “netsh advfirewall firewall” instead. For more information on using “netsh advfirewall firewall” commands instead of “netsh firewall”, see KB article 947709 at http://go.microsoft.com/fwlink?linkid=121488.
For general information about netsh, see Netsh Overview and Enter a Netsh Context.
For information on how to interpret netsh command syntax, see Formatting Legend.
The available contexts for managing Windows Firewall with Advanced Security are:
Netsh AdvFirewall context
The following commands are available at the netsh advfirewall> prompt: dump, export, import, reset, set, and show. Each is described later in this topic.
To start the advfirewall context at an elevated command prompt, type netsh, press ENTER, then type advfirewall and press ENTER.
The following commands change to subcontexts of the netsh advfirewall context:
consec
firewall
mainmode (Windows 7 and Windows Server 2008 R2 only)
monitor

dump
Important
The dump command is not supported in the netsh advfirewall context; running it outputs only a comment stating that dump is not supported. To save the configuration of the current store (see set store) to a file, use the export command instead.
export
Exports the Windows Firewall with Advanced Security configuration in the current store to a file. This file can be used with the import command to restore the Windows Firewall with Advanced Security service configuration to a store on the same or to a different computer. The Windows Firewall with Advanced Security configuration on which the export command works is determined by the set store command. This command is the equivalent to the Export Policy command in the Windows Firewall with Advanced Security MMC snap-in.
Syntax
export [ Path ] FileName
Parameters
[ Path ] FileName
Required. Specifies the name of the file to which the configuration is written. If Path is omitted, the file is created in the current directory. Use the .wfw extension, which is the extension the MMC snap-in uses for policy files.
Example
In the following example, the command exports the complete Windows Firewall with Advanced Security service configuration to the file C:\temp\wfas.wfw.
export c:\temp\wfas.wfw
import
Imports a Windows Firewall with Advanced Security service configuration from a file to the local service. The configuration file is created by using export command. This command is equivalent to the Import Policy command in the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.
Syntax
import [ Path ] FileName
Parameters
[ Path ] FileName
Required. Specifies the name of the file from which the configuration is read. If Path is omitted, the file is read from the current directory.
Remarks
Caution
Importing a configuration file replaces the entire configuration of the current store, including all firewall and connection security rules, with the contents of the file. Export the current configuration first if you might need to restore it.
Example
In the following example, the command imports the complete Windows Firewall with Advanced Security service configuration from the file c:\temp\wfas.wfw.
import c:\temp\wfas.wfw
reset
Restores Windows Firewall with Advanced Security to all of its default settings and rules. Optionally, it first backs up the current settings by using the export command to a configuration file. This command is equivalent to the Restore Defaults command in the Windows Firewall with Advanced Security MMC snap-in.
If the current focus of your commands is the local computer object, then the default settings and rules immediately take effect on the computer.

If the current focus of your commands is a GPO, then this command resets all policy settings in that object to Not Configured, and deletes all connection security and firewall rules from that object only. Changes do not take place until that policy is refreshed on those computers to which the policy applies. To use the Netsh tool to modify a GPO rather than the local computer's configuration store, see set store.

Syntax
reset [ export [ Path ] FileName ]
Parameters
[ export [ Path ] FileName ]
Optional. Before the configuration is reset, exports the current configuration to the specified file, exactly as the export command does. If Path is omitted, the file is created in the current directory. Use the .wfw extension for the file.
Example
In the following example, the command exports the complete Windows Firewall with Advanced Security configuration to the file c:\Temp\wfas.wfw, and then resets the Windows Firewall with Advanced Security configuration to its default configuration settings and rules.
reset export c:\Temp\wfas.wfw
set
Configures settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.
The Set commands available at the netsh advfirewall> prompt are:
set {ProfileType}
Configures options for the profile associated with the specified network location type.
To see which firewall profiles are currently active on your computer, use the netsh advfirewall show currentprofile command. The set {ProfileType} command is equivalent to using the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles.
Syntax
set ProfileType Parameter Value
Parameters
ProfileType
Required. One of the following:
allprofiles. The setting applies to the domain, private, and public profiles.

currentprofile. The setting applies to the profile or profiles that are currently active on the computer.

domainprofile. The setting applies to the profile used when the computer is connected to a network that contains a domain controller for the domain to which the computer is joined.

privateprofile. The setting applies to the profile used on networks that an administrator has identified as private.

publicprofile. The setting applies to the profile used on networks identified as public.

Parameter Value
Required. Parameter is one of state, firewallpolicy, settings, or logging; each is described in its own section below together with the values it accepts.
set {ProfileType} state
Configures the overall operational state of Windows Firewall with Advanced Security.
Syntax
set ProfileType state { on | off | notconfigured }
Parameters
on. Windows Firewall is enabled for the profile; the default firewall policy and the firewall rules are enforced.
off. Windows Firewall is disabled for the profile; no inbound or outbound filtering is performed.
notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.
Remarks
The default state for all profiles on computers that are running Windows Vista or later versions of Windows is on, for both new installations and upgrades.

The default state for all profiles on computers that are running a new installation of Windows Server 2008 or Windows Server 2008 R2 is on. For computers that were upgraded from an earlier version of Windows Server, the state of Windows Firewall with Advanced Security is preserved from the state of Windows Firewall on the previously installed operating system. If Windows Firewall was enabled when the upgrade was started, then Windows Firewall with Advanced Security is enabled for all profiles when the upgrade is completed. If Windows Firewall was disabled when the upgrade was started, then Windows Firewall with Advanced Security is disabled for all profiles when the upgrade is completed.

Example
To turn Windows Firewall with Advanced Security on for all profiles:
set allprofiles state on
set {ProfileType} firewallpolicy
Configures the inbound and outbound firewall filtering behavior that is used when traffic does not match any firewall rule currently enabled on the computer.
Syntax
set ProfileType firewallpolicy InboundPolicy,OutboundPolicy
Parameters
InboundPolicy
blockinbound. Blocks inbound network traffic that does not match an inbound rule.

blockinboundalways. Blocks all inbound network traffic, including traffic that matches an inbound rule. This effectively blocks all unsolicited inbound network traffic into the computer. Only traffic that is sent in response to an outbound request is allowed.

allowinbound. Allows all inbound network traffic, whether or not it matches an inbound rule.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

OutboundPolicy
blockoutbound. Block outbound network traffic that does not match an outbound rule.

allowoutbound. Allow all outbound network traffic, whether or not it matches an outbound rule.

notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Remarks
The default value for firewallpolicy is blockinbound,allowoutbound.

Example
To set the behavior for the current network profile to block unsolicited inbound traffic, but allow outbound traffic:
set currentprofile firewallpolicy blockinbound,allowoutbound
set {ProfileType} settings
Configures general settings related to Windows Firewall and IPsec that are specific for each profile.
Syntax
set ProfileType settings SettingName { enable | disable | notconfigured }
Parameters
SettingName is one of the items in the following table:
localfirewallrules
enable. Firewall rules defined by the local administrator are merged with firewall rules from GPOs and are applied to the computer.

disable. Rules defined by the local administrator are ignored, and only firewall rules from GPOs are applied to the computer.

notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: enable. Default in a GPO: notconfigured.
localconsecrules
enable. IPsec connection security rules defined by the local administrator are merged with connection security rules from GPOs and are applied to the computer.

disable. Rules defined by the local administrator are ignored, and only connection security rules from GPOs are applied to the computer.

notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: enable. Default in a GPO: notconfigured.
inboundusernotification
enable. Windows notifies the user whenever a program or service starts listening for inbound connections.

disable. Windows does not notify the user whenever a program or service starts listening for inbound connections.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: enable on Windows Vista and Windows 7, disable on Windows Server 2008 and Windows Server 2008 R2. Default in a GPO: notconfigured.
remotemanagement
enable. Users with appropriate permissions on remote computers can manage the Windows Firewall with Advanced Security settings on this computer. This is equivalent to enabling the "Windows Firewall Remote Management" rule group for the profile. To direct netsh at a remote computer, see set machine in Netsh Commands for All Contexts.

disable. The Windows Firewall with Advanced Security settings on this computer cannot be managed from a remote computer.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: disable. Default in a GPO: notconfigured.
unicastresponsetomulticast
enable. The computer can receive unicast responses to outgoing multicast or broadcast messages.

disable. The computer discards unicast responses to outgoing multicast or broadcast messages.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: enable. Default in a GPO: notconfigured.
Examples
To enable the local computer to be managed by another computer when the local computer is connected using the Private profile:
set privateprofile settings remotemanagement enable
To prevent the computer from accepting inbound unicast responses to outbound multicast traffic in the currently active profile:
set currentprofile settings unicastresponsetomulticast disable
set {ProfileType} logging
Configures firewall logging settings related to Windows Firewall with Advanced Security.
Syntax
set ProfileType logging SettingName Value
Parameters
SettingName is one of the items in the following table:
allowedconnections
Value:
enable. Causes Windows to write an entry to the log whenever an incoming or outgoing connection is fully established, meaning the TCP 3-way handshake is completed.

disable. No logging for allowed connections.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: disable. Default in a GPO: notconfigured.
droppedconnections
Value:
enable. Causes Windows to write an entry to the log whenever an incoming or outgoing connection is prevented by policy.

disable. No logging for dropped connections.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: disable. Default in a GPO: notconfigured.
filename
Value: the path and name of the log file, or notconfigured (valid only when netsh is configuring a GPO by using the set store command).
Default on the local computer: %windir%\system32\logfiles\firewall\pfirewall.log. Default in a GPO: notconfigured.
Important
If you place the log file in a folder other than the default, the Windows Firewall service (MpsSvc) must have write permission to that folder; otherwise no entries are written.
To grant write permissions for the log folder to the Windows Firewall service
Locate the folder that you specified for the logging file, right-click it, and then click Properties.
Select the Security tab, and then click Edit.
Click Add, in Enter object names to select, type NT SERVICE\mpssvc, and then click OK.
In the Permissions dialog box, verify that MpsSvc has Write access, and then click OK.
maxfilesize
Value: the maximum size of the log file in kilobytes, from 1 through 32767, or notconfigured (valid only when netsh is configuring a GPO by using the set store command). When the file reaches this size it is renamed with an .old extension and a new log file is started, so the previous log is kept.
Default on the local computer: 4096. Default in a GPO: notconfigured.
Remarks
No IPsec related information is collected in the packet log. The log collects firewall related information only.

Examples
To configure a Windows Firewall with Advanced Security log file at c:\logs\firewall.log that can grow to a maximum size of approximately 1 megabyte:
set currentprofile logging filename c:\logs\firewall.log
set currentprofile logging maxfilesize 1024
To log all dropped connections for all network profiles:
set allprofiles logging droppedconnections enable
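Once dropped connections are being logged, the file is only useful if something reads it. The following Python example is added here and is not part of the original page: it parses pfirewall.log entries using the #Fields: header that Windows Firewall writes at the top of the file, then summarises dropped inbound traffic by source and flags sources that touched several distinct ports. The log lines are constructed for illustration and the function names are this example's own.

```python
"""Parse Windows Firewall log entries (pfirewall.log) and summarise drops.

Added example, not from the original page. The log text below is constructed
for illustration; its layout follows the "#Fields:" header line that Windows
Firewall writes at the top of pfirewall.log, and the parser takes the column
names from that header rather than hard-coding them.
"""
from collections import Counter, defaultdict

# Constructed sample log (space separated, W3C-style header).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-03-15 10:22:33 DROP TCP 192.168.1.5 192.168.1.10 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2009-03-15 10:22:34 DROP TCP 192.168.1.5 192.168.1.10 49153 445 52 S 1234568 0 8192 - - - RECEIVE
2009-03-15 10:22:35 DROP TCP 192.168.1.5 192.168.1.10 49154 3389 52 S 1234569 0 8192 - - - RECEIVE
2009-03-15 10:22:36 ALLOW TCP 192.168.1.10 10.0.0.20 50001 443 0 - 0 0 0 - - - SEND
2009-03-15 10:22:37 DROP UDP 192.168.1.7 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2009-03-15 10:22:38 DROP ICMP 192.168.1.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            # Truncated line (e.g. written while the file was rotated): skip it
            # rather than guess which column is missing.
            continue
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound(records):
    """Entries the firewall dropped on receive (the unsolicited inbound traffic)."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def top_sources(records, n=5):
    """Most frequent source addresses among dropped inbound packets."""
    return Counter(r["src-ip"] for r in dropped_inbound(records)).most_common(n)


def port_scan_candidates(records, min_ports=10):
    """Sources whose dropped inbound TCP/UDP packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in dropped_inbound(records):
        if r["protocol"] in ("TCP", "UDP"):
            ports[r["src-ip"]].add(r["dst-port"])
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("dropped inbound:", len(dropped_inbound(recs)))
    print("top sources:", top_sources(recs, 3))
    print("multi-port sources:", port_scan_candidates(recs, min_ports=2))
```

To run it against a real file, read %windir%\system32\logfiles\firewall\pfirewall.log and pass its contents to parse_log; the thresholds in top_sources and port_scan_candidates are starting points, not tuned detection logic.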
set global
Configures properties that apply to the firewall and IPsec settings, no matter which network profile is currently in use.
The set global command supports the following options:
set global statefulftp
Configures how Windows Firewall with Advanced Security handles FTP traffic that uses an initial connection on one port to request a data connection on a different port. This affects both active and passive FTP.
With active FTP, the client initiates a connection to the server on TCP port 21 and includes a PORT command that indicates to the FTP server the port number on which it should respond. A typical firewall on the client would block this new connection as unsolicited inbound traffic since the packets to the new port are not in response to a request from that port.

With passive FTP, the client initiates a connection to the server on TCP port 21 and includes the PASV command. The server responds on TCP port 21 with a port number that the client must use for subsequent data transfer. The client then initiates a connection to the server on the specified port. A typical firewall on the FTP server would block this new incoming data connection as unsolicited inbound traffic since the packets received at the new port are not in response to a request from that port.

When statefulftp is enabled, the firewall examines the PORT and PASV requests for these other port numbers and then allows the corresponding data connection to the port number that was requested.
Syntax
set global statefulftp { enable | disable | notconfigured }
Parameters
statefulftp can be set to one of the following values:
enable. The firewall inspects PORT commands and PASV replies on the FTP control connection and allows the matching data connection.
disable. No FTP inspection is performed; FTP data connections must be permitted by ordinary firewall rules.
notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.
Remarks
The default setting when managing a computer running Windows Vista or Windows 7 is enable. The default setting when managing a computer running Windows Server 2008 or Windows Server 2008 R2 is disable. When managing a GPO, the default setting is notconfigured.

Examples
To configure Windows Firewall with Advanced Security to allow FTP data traffic through Windows Firewall when using either PORT or PASV commands:

set global statefulftp enable

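The PORT and PASV handling described above is easier to reason about when written out. The following Python example is added here and is not part of the original page: it extracts the data connection announced by a PORT command or a 227 PASV reply, refuses an address that does not belong to the control connection's own endpoints (the classic FTP bounce trick), and keeps a minimal state table of allowed data connections. Function and class names are this example's own, and only the classic PORT/PASV forms discussed above are handled, not EPRT/EPSV.

```python
"""Extract the FTP data connection that a stateful firewall must pin-hole.

Added example (not from the original page). It parses the PORT command and the
227 PASV reply on the FTP control channel, which is what statefulftp inspection
has to do, and refuses "bounce" requests that name a third host.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 sent by the client (active mode, RFC 959)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) sent by the server (passive mode)
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """Turn the six decimal fields into (ip, port); the port is p1*256 + p2."""
    octets = [int(x) for x in (h1, h2, h3, h4)]
    p1, p2 = int(p1), int(p2)
    if max(octets + [p1, p2]) > 255:
        raise ValueError("FTP address field out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("FTP data port 0 is not valid")
    return ".".join(str(o) for o in octets), port


def expected_data_connection(control_line, client_ip, server_ip):
    """Return (initiator_ip, target_ip, target_port) for the data connection a
    control-channel line announces, or None if the line announces nothing.

    client_ip and server_ip are the endpoints of the control connection the
    firewall already tracks; a PORT or PASV address that does not match them is
    refused instead of pin-holed, so the command cannot open a hole to a third host.
    """
    m = PORT_RE.match(control_line)
    if m:
        host, port = _decode(*m.groups())
        if host != client_ip:
            raise ValueError(f"PORT names {host}, not the client {client_ip}")
        return (server_ip, host, port)   # server connects back to the client
    m = PASV_RE.match(control_line)
    if m:
        host, port = _decode(*m.groups())
        if host != server_ip:
            raise ValueError(f"PASV names {host}, not the server {server_ip}")
        return (client_ip, host, port)   # client connects to the server
    return None


class FtpPinholes:
    """Minimal state table. Each announced data connection is permitted exactly
    once and then removed; that one-shot behaviour is a design choice of this
    example, not a description of the Windows implementation."""

    def __init__(self):
        self._open = set()

    def observe(self, control_line, client_ip, server_ip):
        conn = expected_data_connection(control_line, client_ip, server_ip)
        if conn is not None:
            self._open.add(conn)
        return conn

    def permit(self, src_ip, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if key in self._open:
            self._open.discard(key)
            return True
        return False


if __name__ == "__main__":
    # Constructed control-channel exchange between a client and an FTP server.
    table = FtpPinholes()
    table.observe("PORT 192,168,1,5,195,80", "192.168.1.5", "10.0.0.21")
    print(table.permit("10.0.0.21", "192.168.1.5", 50000))   # announced by PORT
    print(table.permit("10.0.0.21", "192.168.1.5", 50000))   # already consumed
```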
set global ipsec
Configures global IPsec options.
Syntax
set global ipsec SettingName Value
Parameters
SettingName is one of the items in the following table:
strongcrlcheck
Value:
0. Specifies that IPsec does not perform any CRL checking.

1. Specifies that IPsec authentication fails only if the certificate is found to be revoked.

2. Specifies that IPsec authentication fails if there is any error during CRL checking, including a failure to retrieve the CRL.

notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: 1. Default in a GPO: notconfigured.
saidletimemin
Value: the number of minutes, from 5 through 60, that a security association (SA) may remain idle before IPsec deletes it, or notconfigured (valid only when netsh is configuring a GPO by using the set store command).
Default on the local computer: 5. Default in a GPO: notconfigured.
defaultexemptions
Value:
none. No protocols are exempted.

neighbordiscovery. Exempt IPv6 Neighbor Discovery protocol traffic.

icmp. Exempt ICMP (both IPv4 and IPv6) protocol traffic. This option is available on computers that are running Windows 7 or Windows Server 2008 R2.

dhcp. Exempt DHCP (both IPv4 and IPv6) protocol traffic. This option is available on computers that are running Windows 7 or Windows Server 2008 R2.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Several exemptions can be combined by separating them with commas, for example neighbordiscovery,dhcp.
Default on the local computer: neighbordiscovery,dhcp on Windows 7 and Windows Server 2008 R2; neighbordiscovery on Windows Vista and Windows Server 2008. Default in a GPO: notconfigured.
ipsecthroughnat
Value:
never. Specifies that an SA cannot be negotiated if either computer is behind a NAT device.

serverbehindnat. Specifies that an SA can be negotiated if only the server is on a private subnet behind a NAT device.

serverandclientbehindnat. Specifies that an SA can be negotiated if either or both of the computers are on private subnets behind NAT devices.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: never. Default in a GPO: notconfigured.
authzcomputergrp
Value:
none. Specifies that access to the tunnel is not restricted based on computer account.

<SDDL string>. A string that identifies computer or group accounts and the permissions granted or denied to those accounts. See the Remarks section for more information.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

authzusergrp
Value:
none. Specifies that access to the tunnel is not restricted based on user account.

<SDDL string>. A string that identifies user or group accounts and the permissions granted or denied to those accounts. See the Remarks section for more information.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Remarks
For more information about SDDL strings and their format, see "Security Descriptor String Format" (http://go.microsoft.com/fwlink/?linkid=109950) on the Microsoft MSDN Web site.

One way to find the SDDL strings for computer, user, or group accounts is to use the Windows Firewall with Advanced Security MMC snap-in to create a temporary firewall rule. If the accounts of interest are domain accounts, you must run the snap-in on a computer that is joined to the domain with the accounts. Be sure to disable the rule so that it cannot interfere with any network traffic. On the Users and Computers tab, select Only allow connections from these computers, and then click the Add button to find the computer or machine group account of interest. You can also select the Only allow connections from these users, and then click the Add button to find the user or group account of interest. After creating the rule, you can use the command netsh advfirewall firewall show rule name=rulename verbose to view the SDDL string for that computer or group. Be sure to delete the temporary rule when you are finished.

Examples
To configure IPsec to reject a connection attempt when certificate-based authentication fails, or if the CRL check encounters any error:

set global ipsec strongcrlcheck 2

To configure IPsec to delete a security association after it has been idle for 15 minutes:

set global ipsec saidletimemin 15

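The Remarks above describe how to obtain an SDDL string through the MMC snap-in; it is just as useful to be able to read and assemble one directly. The following Python example is added here and is not part of the original page: it parses the DACL form these settings use (O:LSD: followed by one ACE per account, each of the form (A;;CC;;;SID) or (D;;CC;;;SID)), lists which SIDs are allowed or denied, and builds such a string from a list of SIDs so it can be checked before being passed to netsh. The SIDs in the test are constructed placeholders and the function names are this example's own.

```python
"""Parse and build the SDDL strings used by authzcomputergrp and authzusergrp.

Added example, not from the original page. Only the ACE fields that matter for
these settings (allow/deny and the account SID) are interpreted; the rights
field is carried through as netsh writes it (CC).
"""
import re

# ACE string: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((A|D);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
# Optional owner (O:) and group (G:) prefix, then the DACL marker and its flags.
HEADER_RE = re.compile(r"^(?:O:([A-Z]{2}|S-[0-9-]+))?(?:G:([A-Z]{2}|S-[0-9-]+))?D:([A-Z]*)")
# A SID in string form, or a two-letter SDDL alias such as BA or DA.
SID_RE = re.compile(r"^(?:[A-Z]{2}|S-1-\d+(?:-\d+)+)$")


def parse_authz_sddl(sddl):
    """Return (owner, [(action, sid), ...]) with action 'allow' or 'deny'.

    The special values none and notconfigured parse to (None, []).
    Anything that is not a sequence of well-formed ACEs raises ValueError.
    """
    if sddl.lower() in ("none", "notconfigured"):
        return None, []
    m = HEADER_RE.match(sddl)
    if not m:
        raise ValueError("expected an optional O:/G: prefix followed by D:")
    owner = m.group(1)
    body = sddl[m.end():]
    aces, pos = [], 0
    for ace in ACE_RE.finditer(body):
        if ace.start() != pos:
            raise ValueError(f"unparsed text in DACL: {body[pos:ace.start()]!r}")
        pos = ace.end()
        ace_type, _flags, _rights, _obj, _inh, sid = ace.groups()
        if not SID_RE.match(sid):
            raise ValueError(f"bad account in ACE: {sid!r}")
        aces.append(("allow" if ace_type == "A" else "deny", sid))
    if pos != len(body):
        raise ValueError(f"unparsed text in DACL: {body[pos:]!r}")
    return owner, aces


def build_authz_sddl(allow_sids, deny_sids=()):
    """Build a string in the form Windows Firewall uses. Deny ACEs are placed
    first so an explicit deny wins over an allow for the same account."""
    for sid in list(allow_sids) + list(deny_sids):
        if not SID_RE.match(sid):
            raise ValueError(f"not a SID or SDDL alias: {sid!r}")
    aces = "".join(f"(D;;CC;;;{s})" for s in deny_sids)
    aces += "".join(f"(A;;CC;;;{s})" for s in allow_sids)
    return "O:LSD:" + aces


def effective_allowed(sddl):
    """SIDs that end up with access: allowed minus explicitly denied."""
    _owner, aces = parse_authz_sddl(sddl)
    allowed = {sid for action, sid in aces if action == "allow"}
    denied = {sid for action, sid in aces if action == "deny"}
    return sorted(allowed - denied)


if __name__ == "__main__":
    # Constructed placeholder SIDs; substitute the real computer-group SIDs.
    sddl = build_authz_sddl(["S-1-5-21-1111111111-2222222222-3333333333-1105"])
    print(sddl)
    print(parse_authz_sddl(sddl))
```

The string returned by build_authz_sddl is what you would pass as the value of set global ipsec authzcomputergrp or authzusergrp; parse_authz_sddl lets you check a string pulled from show global ipsec or from a rule before relying on it.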
set global mainmode
Configures global options that control how IPsec performs Main Mode negotiations.
Syntax
set global mainmode SettingName Value
Parameters
SettingName is one of the items in the following table:
mmkeylifetime
Value: nummin,numsess, where the first number is the lifetime of a Main Mode security association in minutes and the second is the maximum number of Quick Mode sessions that can be derived from it before it is renegotiated (0 means no session limit); or notconfigured (valid only when netsh is configuring a GPO by using the set store command).
Default on the local computer: 480min,0sess. Default in a GPO: notconfigured.
mmsecmethods
Value:
keyexch:enc-integrity[,enc-integrity][,…]

Where:

keyexch is one of:

dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384

enc is one of:

des | 3des | aes128 | aes192 | aes256

integrity is one of:

md5 | sha1 | sha256 | sha384

You can enter multiple combinations of enc-integrity algorithms that use the same keyexch algorithm, by following the keyexch entry with the first enc-integrity pair, followed by additional pairs that are separated by commas. Combinations are proposed in the order listed.

default. When managing the local computer policy store, this entry is equivalent to entering the following entry:

dhgroup2:aes128-sha1,dhgroup2:3des-sha1

When you are managing a GPO, this option behaves similarly to the notconfigured option, allowing the highest precedence policy that applies to the computer, and that does specify an mmsecmethods value to control the setting. If none of the GPOs or the local computer policy store sets the value, then the computer uses the value string displayed above.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: dhgroup2:aes128-sha1,dhgroup2:3des-sha1. Default in a GPO: notconfigured.
Note
dhgroup1, des, and md5 are provided for backward compatibility only and are not recommended. For new deployments prefer dhgroup14 or one of the ecdhp groups together with aes and sha256 or sha384.
mmforcedh
Value:
yes. A Diffie-Hellman key exchange is required in Main Mode for AuthIP as well as for IKE.

no. AuthIP Main Mode negotiations are not required to perform a Diffie-Hellman exchange.

notconfigured. Valid only when netsh is configuring a GPO by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

Default on the local computer: no. Default in a GPO: notconfigured.
Examples
To configure IPsec to expire a Main Mode SA after four hours or 1000 sessions:

set global mainmode mmkeylifetime 240min,1000sess

To configure IPsec to use a specific Main Mode set (the second pair inherits dhgroup2 from the first; des and md5 are weak algorithms kept only for backward compatibility, so use this form with stronger algorithms in practice):

set global mainmode mmsecmethods dhgroup2:des-md5,3des-sha1

To configure IPsec to use the default Main Mode set:

set global mainmode mmsecmethods default

To require a Diffie-Hellman exchange in Main Mode for AuthIP as well as for IKE:

set global mainmode mmforcedh yes

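Because netsh accepts the mmsecmethods string without any comment on algorithm strength, it is worth validating a proposed value before it goes into a GPO. The following Python example is added here and is not part of the original page: it parses the grammar shown above (later enc-integrity pairs inherit the key exchange of the previous entry, and default expands to the documented local default), rejects tokens netsh would not accept, and flags algorithms that are weak or legacy. The WEAK and LEGACY sets are this example's own classification, and the function names are this example's own.

```python
"""Validate and audit a netsh advfirewall mmsecmethods value.

Added example, not from the original page. Parses
keyexch:enc-integrity[,enc-integrity][,...] and reports weak or legacy algorithms.
"""

KEYEXCH = {"dhgroup1", "dhgroup2", "dhgroup14", "ecdhp256", "ecdhp384"}
ENC = {"des", "3des", "aes128", "aes192", "aes256"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384"}

# Documented local default for mmsecmethods (see the table above).
DEFAULT_MMSECMETHODS = "dhgroup2:aes128-sha1,dhgroup2:3des-sha1"

# This example's own classification: WEAK = backward compatibility only,
# LEGACY = tolerable for interoperability, avoid in new policy.
WEAK = {"dhgroup1", "des", "md5"}
LEGACY = {"dhgroup2", "3des", "sha1"}


def parse_mmsecmethods(value):
    """Return a list of (keyexch, enc, integrity) proposals in the order given."""
    value = value.strip().lower()
    if value == "notconfigured":
        return []
    if value == "default":
        value = DEFAULT_MMSECMETHODS
    proposals = []
    keyexch = None
    for item in value.split(","):
        item = item.strip()
        if ":" in item:
            keyexch, pair = item.split(":", 1)
        else:
            pair = item            # inherits keyexch from the previous entry
        if keyexch is None:
            raise ValueError("the first entry must start with keyexch:, e.g. dhgroup14:aes256-sha256")
        if keyexch not in KEYEXCH:
            raise ValueError(f"unknown key exchange {keyexch!r}")
        enc, sep, integrity = pair.partition("-")
        if not sep:
            raise ValueError(f"expected enc-integrity, got {pair!r}")
        if enc not in ENC:
            raise ValueError(f"unknown encryption algorithm {enc!r}")
        if integrity not in INTEGRITY:
            raise ValueError(f"unknown integrity algorithm {integrity!r}")
        proposals.append((keyexch, enc, integrity))
    return proposals


def audit_mmsecmethods(value):
    """Return (proposal_index, algorithm, 'weak' or 'legacy') for each questionable algorithm."""
    findings = []
    for index, proposal in enumerate(parse_mmsecmethods(value)):
        for alg in proposal:
            if alg in WEAK:
                findings.append((index, alg, "weak"))
            elif alg in LEGACY:
                findings.append((index, alg, "legacy"))
    return findings


if __name__ == "__main__":
    for candidate in ("dhgroup2:des-md5,3des-sha1", "default", "ecdhp256:aes256-sha256"):
        print(candidate, "->", audit_mmsecmethods(candidate) or "no findings")
```

Run audit_mmsecmethods over the value you intend to pass to set global mainmode mmsecmethods; an empty list means every proposal uses only algorithms outside the WEAK and LEGACY sets.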
set store
Specifies where changes made by subsequent netsh advfirewall commands are stored. When you first start the netsh command, you are by default working with the local computer's policy store (set store=local).
To configure the policy store on a remote machine, you must use the set machine command. For more information, see the topic "Set Machine" in Netsh Commands for All Contexts.
Syntax
set store { local | gpo = ComputerName | gpo = localhost | gpo = domain\GPOName | gpo = domain\GPOUniqueID }
Parameters
local
The local computer's policy store. This is the store in use when a netsh session starts.
gpo = ComputerName
The local Group Policy object on the computer named ComputerName.
gpo = localhost
The local Group Policy object on the computer on which netsh is running.
gpo = Domain\GPOName
The Group Policy object named GPOName in the Active Directory domain Domain. Domain must be the fully qualified DNS name of the domain, not its NetBIOS name.
gpo = Domain\GPOUniqueID
The Group Policy object identified by its GUID, GPOUniqueID, in the domain Domain. Use this form when more than one GPO has the same display name.
Remarks
You must stay in the same interactive netsh session; otherwise the store setting is lost. Because the store reverts to local when netsh exits, set store cannot be combined with a configuration command in a single one-line netsh invocation; run the commands in an interactive session or from a script file run with netsh -f ScriptFile.

A domain name needs to be fully specified, including its Domain Name System (DNS) zone.

Examples
Set the policy store to the GPO on computer1:
set store gpo=computer1
Set the policy store to the GPO called laptops in the office.example.com domain:
set store gpo=office.example.com\laptops
Set the policy store to the GPO with a specific GUID in the office domain:
set store gpo=office.example.com\{842082DD-7501-40D9-9103-FE3A31AFDC9B}
show
Displays settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security.
The show commands available at the netsh advfirewall> prompt are:
show {ProfileType}
Displays the currently configured options for a specified profile. This command displays information that is presented on the Windows Firewall with Advanced Security Properties page, with the tabs for Domain, Private, and Public profiles. For more information about network location types and profiles, see the introduction to set {ProfileType}.
Syntax
show ProfileType [ Parameter ]
Parameters
ProfileType
Required. One of allprofiles, currentprofile, domainprofile, privateprofile, or publicprofile, with the same meaning as for set {ProfileType}.
[ Parameter ]
Optional. If omitted, all settings for the profile are displayed. Otherwise one of the following:
state. Displays whether the Windows Firewall is enabled or not for the specified profile. See set {ProfileType} state.

firewallpolicy. Displays the handling rules configured in the specified profile for inbound and outbound network traffic that does not match a separately defined firewall rule. See set {ProfileType} firewallpolicy.

settings. Displays the general settings configured in the specified profile. See set {ProfileType} settings.

logging. Displays the logging settings configured in the specified profile. See set {ProfileType} logging.

Examples
To display all settings for all profiles:
show allprofiles
To display the firewall state for the current profile:
show currentprofile state
To display the current profile, and all of its settings:
show currentprofile
show global
Displays the configuration of the current policy store for properties that apply to the firewall and IPsec settings, no matter which profile is currently in use.
Syntax
show global [ { ipsec | mainmode | statefulftp } ]
Parameters
[{ipsec|mainmode|statefulftp}]
ipsec. Displays the current configuration of global IPsec options.

mainmode. Displays the current configuration of options that control how IPsec performs Main Mode negotiations.

statefulftp. Displays the current configuration of the option which controls how Windows Firewall with Advanced Security handles FTP network traffic. For more information, see set global statefulftp.

Examples
To display global IPsec configuration options:
show global ipsec
To display all global configuration options:
show global
show store
Displays where changes made by subsequent netsh advfirewall commands are stored.
Syntax
show store
Parameters
None.
Examples
To display the policy store currently being used by netsh advfirewall:
show store
Make sure to use the FQDN of your AD domain in set store gpo =
Our campus AD is FOOROOT, aka adsroot.foo.edu.
set store gpo = FOOROOT\gponame does not work
set store gpo = adsroot.foo.edu\gponame does work
Beware if you use reset
A warning should be mentioned here for anyone testing what the reset command actually does. There is no warning or any kind of hint that this command is resetting all firewall rules, without a confirmation question.
Master Technician Technology Services