Netsh AdvFirewall Consec Commands
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Typing the command consec at the netsh advfirewall context changes to the netsh advfirewall consec context, where you can view, create, and modify connection security rules that specify how connections are protected by using IPsec. This context is the command-line equivalent to the Connection Security Rules node of the Windows Firewall with Advanced Security MMC snap-in.
To view the syntax of commands available in the Consec context, click a command:
add
delete
dump
set
add
In the netsh advfirewall consec context, the add command only has one variation, the add rule command.
add rule
Adds a connection security rule that defines IPsec requirements for network connections that match the specified criteria.
Syntax
add rule
name = RuleName
endpoint1 = Addresses
endpoint2 = Addresses
action = { requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication }
[ description = DescriptionOfRule ]
[ mode = { transport | tunnel } ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any } [ , ...] ]
[ type = { dynamic | static } ]
[ localtunnelendpoint = { IPAddress | any } ]
[ remotetunnelendpoint = { IPAddress | any } ]
[ port1 = { any | Integer or Range } [ ,… ] ]
[ port2 = { any | Integer or Range } [ ,… ] ]
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
[ interfacetype = { any | wireless | lan | ras } ]
[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ , ...] } ]
[ auth1psk = PreSharedKey ]
[ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1healthcert = { yes | no } ]
[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1ecdsap256healthcert = { yes | no } ]
[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1ecdsap384healthcert = { yes | no } ]
[ auth2 = { userkerb | userntlm | usercert | computercert | computercertecdsap256 | computercertecdsap384 | usercertecdsap256 | usercertecdsap384 | anonymous | [ , ...] } ]
[ auth2ca = "CAName [ certmapping: { yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]
[ auth2ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]
[ auth2ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]
[ qmpfs = { dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]
[ qmsecmethods = [ authnoencap:integrity [ +Lifemin ] [ +datakb ] ; ] ah:Integrity+esp:Integrity-Encryption+[Lifemin]+[Datakb] | default ]
[ exemptipsecprotectedconnections = { yes | no } ]
[ applyauthz = { yes | no } ]
Parameters
name = RuleName
Required. Specifies the name of the connection security rule. Do not use the name all (see Remarks).
endpoint1 = Addresses endpoint2 = Addresses
Required. Specify the two sets of computers whose traffic the rule matches: endpoint1 is the set on the local computer's side of the connection and endpoint2 the set on the remote side (in a tunnel rule, traffic from endpoint1 to endpoint2 is sent from localtunnelendpoint to remotetunnelendpoint). Each takes one of the following values:
any. Matches a computer with any IPv4 or IPv6 address.

localsubnet. Matches any computer that is on the same subnet as the local computer.

dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

action = { requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication }
Required
requireinrequestout. Specifies that the local computer must successfully authenticate all inbound network connections that match this rule. If the authentication is not successful, then the inbound network traffic is discarded. The local computer attempts to authenticate any outbound network connections that match this rule, but allows the connection if the authentication attempt fails.

requestinrequestout. Specifies that the local computer attempts to authenticate any inbound or outbound network connection that matches this rule, but allows the connection if the authentication attempt fails.

requireinrequireout. Specifies that the local computer requires successful IPsec negotiation for all inbound and outbound network connections that match this rule. If an authentication attempt fails, then the network connection is prevented, and any related network traffic is discarded.

requireinclearout. Specifies that the local computer requires successful authentication for all inbound network connections that match this rule, but does not attempt IPsec for outbound connections that match it; outbound traffic is sent in the clear. See Remarks for the versions of Windows on which this action can be used with mode=tunnel.

noauthentication. Specifies that the local computer does not attempt authentication for any network connections that match this rule. This option is typically used to grant IPsec exemptions for network connections that do not need to be protected by IPsec, but would otherwise match other rules that could cause the connection to be dropped.

[ description = DescriptionOfRule ]
[ mode = { transport | tunnel } ]
Specifies whether the rule protects traffic end to end between endpoint1 and endpoint2 (transport), or encapsulates it between localtunnelendpoint and remotetunnelendpoint (tunnel). Default value: transport.
[ enable = { yes | no } ]
Specifies whether the rule is enabled. A disabled rule is stored but not enforced. Default value: yes.
[ profile = { public | private | domain | any } [ , ...] ]
Specifies the network profiles to which the rule applies; several profiles can be listed, separated by commas. Default value: any.
[ type = { dynamic | static } ]
dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not stored in any policy container and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

static. The rule is stored in the policy container currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer. If the computer's local policy store is the active store, then the rule is immediately applied.

Default value: static.
[ localtunnelendpoint = { IPAddress | any } ]
Valid only when mode = tunnel. Specifies the IP address on the local computer through which traffic between endpoint1 and endpoint2 enters the tunnel to the remotetunnelendpoint. Default value: any.
[ remotetunnelendpoint = { IPAddress | any } ]
Valid only when mode = tunnel. Specifies the IP address of the remote computer that terminates the tunnel from the localtunnelendpoint and forwards the traffic to endpoint2. Default value: any.
[ port1 = { any | Integer or Range } [ ,… ] ]
Specifies the port numbers used by endpoint1. Multiple ports are separated by commas, and a range is written as two port numbers separated by a hyphen, for example 5000-5020. port1 and port2 can be specified only when protocol is tcp or udp. Default value: any. Port ranges can be created with netsh only on Windows 7 and Windows Server 2008 R2 (see Remarks).
[ port2 = { any | Integer or Range } [ ,… ] ]
Specifies the port numbers used by endpoint2, in the same format as port1, and likewise only when protocol is tcp or udp. Default value: any.
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
Specifies the IP protocol matched by the rule, either by keyword or by protocol number. port1 and port2 are meaningful only with tcp or udp. Default value: any.
[ interfacetype = { any | wireless | lan | ras } ]
any. This rule is applied to network connections made through any of the interface types.

wireless. This rule is applied only when the network connection is through a wireless network.

lan. This rule is applied only when the network connection is through a wired LAN adapter.

ras. This rule is applied only when the network connection is through a RAS interface, such as a VPN or dial-up network connection.

Default value: any.
[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ ,...] } ]
computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. The preshared key is stored in plaintext. We strongly recommend the use of a more secure authentication method.

computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

[ auth1psk = PreSharedKey ]
Required when auth1 includes computerpsk, and cannot be used otherwise. Specifies the preshared key. Because the key is stored in plaintext in the policy, prefer a certificate or Kerberos method wherever possible.
[ auth1ca = "CAName [ certmapping:{ yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth1 includes computercert. CAName is the distinguished name of the certification authority whose certificates are accepted, written as comma-separated components such as CN= and OU=. Several CAs are separated by a vertical bar (|). certmapping: yes maps the presented certificate to a computer account. excludecaname: yes omits the CA name from the certificate request sent to the peer, so the request does not reveal which CAs this computer trusts. catype: identifies the CA as a root or an intermediate CA. Default value: root.
[ auth1healthcert = { yes | no } ]
Valid only when auth1ca is specified for the computercert method in auth1. yes requires the certificate to be a Network Access Protection (NAP) health certificate. Default value: no.
[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth1 includes computercertecdsap256. Takes the same CAName, certmapping, excludecaname, and catype options as auth1ca.
[ auth1ecdsap256healthcert = { yes | no } ]
Valid only when auth1ecdsap256ca is specified for the computercertecdsap256 method in auth1. yes requires the certificate to be a NAP health certificate. Default value: no.
[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth1 includes computercertecdsap384. Takes the same CAName, certmapping, excludecaname, and catype options as auth1ca.
[ auth1ecdsap384healthcert = { yes | no } ]
Valid only when auth1ecdsap384ca is specified for the computercertecdsap384 method in auth1. yes requires the certificate to be a NAP health certificate. Default value: no.
[ auth2 = { userkerb | userntlm | usercert | usercertecdsap256 | usercertecdsap384 | computercert | computercertecdsap256 | computercertecdsap384 | anonymous | [ ,... ] } ]
userkerb. This method uses the Kerberos v5 protocol to authenticate the user against an account in an Active Directory domain.

userntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the user against an account in an Active Directory domain.

usercert. This method uses a user certificate issued by a Certification Authority (CA).

usercertecdsap256. This method uses a user certificate issued by a CA that is signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm (ECDSA).

usercertecdsap384. This method uses a user certificate issued by a CA that is signed with the 384-bit version of the ECDSA.

computercert. This method uses a computer health certificate issued by a Network Access Protection (NAP) server on the domain and that is signed with the default RSA algorithm.

computercertecdsap256. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 256-bit version of the ECDSA.

computercertecdsap384. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 384-bit version of the ECDSA.

anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last.

[ auth2ca = "CAName [ certmapping:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth2 includes usercert or computercert. CAName is the distinguished name of the CA, written as comma-separated components such as CN= and OU=; several CAs are separated by a vertical bar (|). certmapping: yes maps the presented certificate to an account. catype: identifies the CA as a root or an intermediate CA. Default value: root.
[ auth2ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth2 includes computercertecdsap256 or usercertecdsap256. Takes the same options as auth2ca.
[ auth2ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth2 includes computercertecdsap384 or usercertecdsap384. Takes the same options as auth2ca.
[ qmpfs = { dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]
Specifies the Diffie-Hellman group used for quick mode perfect forward secrecy, so that each quick mode SA derives fresh keying material instead of reusing main mode key material. mainmode uses the key exchange settings of main mode. Default value: none.
[ qmsecmethods = { [ authnoencap:Integrity [ +Lifemin ] [ +Datakb ] ; ] ah:Integrity+esp:Integrity-Encryption [ +Lifemin ] [ +Datakb ] [ ,... ] | default } ]
Specifies the quick mode security methods (proposals) offered for this rule, in order of preference and separated by commas. Each suite is built from the following components, joined with +:

authnoencap:Integrity. Authenticates the peers but does not encapsulate or otherwise protect the packets that follow. Security note: traffic covered by an authnoencap suite carries no per-packet integrity or confidentiality protection, so use it only where the network path itself is trusted. authnoencap cannot be combined with qmpfs (see Remarks).

ah:Integrity. Uses the IPsec Authentication Header with the given integrity algorithm. Integrity is one of md5, sha1, sha256, aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, or aesgcm256; an AH entry must name an integrity algorithm (none is not valid here).

esp:Integrity-Encryption. Uses the IPsec Encapsulating Security Payload with the given integrity and encryption algorithms. Integrity takes the values listed above or none; Encryption is one of des, 3des, aes128, aes192, aes256, aesgcm128, aesgcm192, aesgcm256, or none. Either of the two, but not both, may be none.

Lifemin and Datakb. Optional lifetime of the quick mode SA in minutes and in kilobytes of data; the SA is renegotiated when either limit is reached.

default. When managing the local computer policy store, this entry is equivalent to entering the following entry (line breaks are included only for clarity):

AH:SHA1+60min+100000kb,

ESP:SHA1-None+60min+100000kb,

ESP:SHA1-AES128+60min+100000kb,

ESP:SHA1-3DES+60min+100000kb

When you are managing a Group Policy object, this option behaves similarly to the notconfigured option, allowing the highest precedence policy that applies to the computer, and that does specify a qmsecmethods value, to control the setting. If none of the Group Policy objects or the local computer policy store sets the value, then the computer uses the value displayed above.

[ exemptipsecprotectedconnections = { yes | no } ]
When yes, network traffic that is already protected by IPsec (for example, by a transport mode rule) is exempted from this rule instead of being protected a second time. This is used with tunnel rules so that end-to-end protected traffic is not also tunneled. Default value: no.
[ applyauthz = { yes | no } ]
When yes, connections that match this rule are additionally checked against the computer and user authorization lists configured with netsh advfirewall set global ipsec (the authzcomputergrp and authzusergrp settings), so that only the computers and users in those lists can establish the connection. Default value: no.
Remarks
Do not create a connection security rule with the name all. Doing this creates a conflict with the netsh option to select all connection security rules (for example, delete rule name=all).

Rules that specify port ranges can be created or modified by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

The algorithms to support ECDSA certificate signatures are available only on computers that are running Windows Vista with Service Pack 1 (SP1) or later versions of Windows.

Rules that specify a catype for a certificate can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules that specify intermediate CAs that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

When running netsh on a computer that is running Windows Vista or Windows Server 2008 and specifying a computer certificate for auth2, then you must also specify the parameter auth2healthcert=yes. This parameter is not required on computers that are running later versions of Windows.

When mode=tunnel, you must specify both tunnel endpoints.

When mode=tunnel, on a computer that is running Windows Vista or Windows Server 2008, you must specify action=requireinrequireout. On computers that are running Windows 7 or Windows Server 2008 R2, you can specify action=requireinrequireout, action=requireinclearout, or action=noauthentication.

When mode=tunnel on a computer that is running Windows 7 or Windows Server 2008 R2, you can specify both tunnel endpoints as any only if both endpoint1 and endpoint2 are specified and not any.

When mode=tunnel and action=noauthentication, then both tunnel endpoints must be set to any.

At least one main mode authentication method must be specified, unless action=noauthentication, in which case no authentication method can be specified.

Do not make main mode first and second authentication methods both optional as this is equivalent to disabling authentication.

Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\')

The ability to set quick mode integrity and encryption offerings on a per-rule basis is available only by using the netsh add rule and set rule commands. The Windows Firewall with Advanced Security MMC snap-in allows you to set the per-machine default quick mode integrity and encryption settings, but provides no means to configure them on a per-rule basis.

qmpfs and authnoencap cannot be combined in the same rule.

We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.
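The constraints in the Remarks above, as an added example that is not code from the original page: a PowerShell lint pass that parses the qmsecmethods grammar and flags the combinations the Remarks forbid before a rule is handed to netsh. The function names, the message texts and the two sample argument strings are constructed for this example; the first sample is the page's own domain isolation example with auth1 made explicit, the second deliberately breaks several remarks at once.

```powershell
# Added example, not code from the original page: a pre-flight lint for the
# argument string of "netsh advfirewall consec add rule". It parses the
# qmsecmethods grammar documented above and applies the constraints listed
# under Remarks (no DES/MD5/DHGroup1, no qmpfs with authnoencap, both tunnel
# endpoints, no computerpsk with anonymous/computerntlm, no all-optional
# authentication). Function names and message wording are this example's own.

$script:WeakAlgs  = @('des', 'md5', 'dhgroup1')
$script:Integrity = @('md5', 'sha1', 'sha256', 'aesgmac128', 'aesgmac192', 'aesgmac256',
                      'aesgcm128', 'aesgcm192', 'aesgcm256', 'none')
$script:Encrypt   = @('des', '3des', 'aes128', 'aes192', 'aes256',
                      'aesgcm128', 'aesgcm192', 'aesgcm256', 'none')

function ConvertFrom-ConsecArgs {
    # 'name="x" endpoint1=any ...' -> hashtable; values may be double-quoted.
    param([string]$ArgString)
    $t = @{}
    foreach ($m in [regex]::Matches($ArgString, '(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')) {
        $t[$m.Groups[1].Value.ToLower()] = if ($m.Groups[2].Success) { $m.Groups[2].Value } else { $m.Groups[3].Value }
    }
    return $t
}

function Test-QmSecMethods {
    # Returns one message per problem in a qmsecmethods value (nothing if clean).
    param([string]$Spec)
    $out = @()
    if ($Spec -ieq 'default') { return $out }
    foreach ($suite in @($Spec -split '[,;]' | Where-Object { $_ })) {
        $protocols = 0
        foreach ($part in ($suite -split '\+')) {
            switch -Regex ($part.ToLower()) {
                '^(ah|authnoencap):(\w+)$' {
                    $protocols++
                    if ($Matches[2] -notin $script:Integrity) { $out += "unknown integrity '$($Matches[2])' in '$suite'" }
                    elseif ($Matches[2] -eq 'none') { $out += "$($Matches[1]) needs an integrity algorithm in '$suite'" }
                    elseif ($Matches[2] -in $script:WeakAlgs) { $out += "weak integrity '$($Matches[2])' in '$suite'" }
                }
                '^esp:(\w+)-(\w+)$' {
                    $protocols++
                    $integ, $enc = $Matches[1], $Matches[2]
                    if ($integ -notin $script:Integrity) { $out += "unknown ESP integrity '$integ' in '$suite'" }
                    if ($enc -notin $script:Encrypt) { $out += "unknown ESP encryption '$enc' in '$suite'" }
                    if ($integ -eq 'none' -and $enc -eq 'none') { $out += "ESP with neither integrity nor encryption in '$suite'" }
                    foreach ($a in @($integ, $enc)) { if ($a -in $script:WeakAlgs) { $out += "weak algorithm '$a' in '$suite'" } }
                }
                '^\d+(min|kb)$' { }   # SA lifetime component, nothing to check
                default { $out += "unrecognised token '$part' in '$suite'" }
            }
        }
        if ($protocols -eq 0) { $out += "suite '$suite' has no ah:, esp: or authnoencap: component" }
    }
    return $out
}

function Test-ConsecRule {
    # Returns the problems found for one add-rule argument string.
    param([string]$ArgString)
    $r = ConvertFrom-ConsecArgs $ArgString
    $p = @()
    foreach ($k in 'name', 'endpoint1', 'endpoint2', 'action') { if (-not $r[$k]) { $p += "missing required '$k'" } }
    if ($r['name'] -eq 'all') { $p += "rule name 'all' collides with the name=all selector" }
    $auth1 = @("$($r['auth1'])" -split ',' | Where-Object { $_ })
    $auth2 = @("$($r['auth2'])" -split ',' | Where-Object { $_ })
    if ($r['action'] -eq 'noauthentication') {
        if ($auth1 -or $auth2) { $p += "noauthentication rules may not specify auth1/auth2" }
    } elseif (-not $auth1) { $p += "at least one main mode (auth1) method is required" }
    if ('computerpsk' -in $auth1) {
        if (-not $r['auth1psk']) { $p += "computerpsk requires auth1psk" }
        if ('anonymous' -in $auth1 -or 'computerntlm' -in $auth1) { $p += "computerpsk cannot be combined with anonymous or computerntlm" }
    }
    if ('anonymous' -in $auth1 -and 'anonymous' -in $auth2) { $p += "auth1 and auth2 both optional: equivalent to no authentication" }
    if ($r['mode'] -eq 'tunnel') {
        foreach ($k in 'localtunnelendpoint', 'remotetunnelendpoint') { if (-not $r[$k]) { $p += "mode=tunnel requires '$k'" } }
        if ($r['action'] -eq 'noauthentication' -and ($r['localtunnelendpoint'] -ne 'any' -or $r['remotetunnelendpoint'] -ne 'any')) {
            $p += "tunnel with noauthentication needs both tunnel endpoints set to any"
        }
    }
    if ($r['qmpfs'] -in $script:WeakAlgs) { $p += "weak qmpfs group '$($r['qmpfs'])'" }
    if ($r['qmpfs'] -and $r['qmpfs'] -ne 'none' -and "$($r['qmsecmethods'])" -match 'authnoencap') { $p += "qmpfs and authnoencap cannot be combined" }
    if ($r['qmsecmethods']) { $p += @(Test-QmSecMethods $r['qmsecmethods']) }
    return $p
}

# Constructed inputs: the page's first example with auth1 made explicit, and
# one rule that breaks several of the Remarks at once.
$samples = @(
    'name="Domain Isolation Rule" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb',
    'name="Legacy PSK" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerpsk,anonymous qmpfs=dhgroup1 qmsecmethods=ah:md5+esp:sha1-des,esp:none-aes256+30min+50000kb'
)
foreach ($s in $samples) {
    $problems = @(Test-ConsecRule $s)
    $label = (ConvertFrom-ConsecArgs $s)['name']
    if ($problems) { "${label}:`n  - " + ($problems -join "`n  - ") } else { "${label}: ok" }
}
```

Paste the block into a PowerShell session or save it as a .ps1 and dot-source it; Test-ConsecRule returns nothing for a clean rule, so a wrapper can call netsh only when the array is empty. The lint does not model the constraints that depend on the target operating system (port ranges, catype, requireinclearout in tunnel mode), which the Remarks tie to specific Windows versions.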

Examples
The following command creates a rule that could be used in a domain isolation scenario, where incoming traffic is only permitted from other domain member computers.

add rule name="Domain Isolation Rule" endpoint1=any endpoint2=any action=requireinrequestout

The following command creates a similar domain isolation rule, but uses a custom quick mode proposal that includes multiple quick mode suites, separated by commas. The first quick mode suite illustrates how to include both AH and ESP protocols in a single suite. The second suite illustrates how to specify the use of the AH protocol only. The third suite illustrates how to specify the use of the ESP protocol only, and uses the none keyword to specify not to include an encryption option. The final suite illustrates how to use the none keyword to specify that ESP is used with an encryption protocol, but with no integrity protocol. The last suite also illustrates how to set a custom SA timeout using both time and data amount values.

add rule name="Domain Isolation Custom QM Rule" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des,ah:sha1,esp:sha1-none,esp:none-aes256+30min+50000kb

The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is integrity checked using ESP/SHA1, and encrypted using ESP/3DES.

add rule name="My Tunnel" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des

The following command creates a rule that requires that incoming connections are authenticated by using either of two computer certificates. The computer also requests authentication for outbound connections, but allows an outbound connection if authentication is not successful. Note that multiple certificates are separated by a vertical bar (|) character, and that the single quotes around the certificate names must be prefaced with the backslash (\) character to be interpreted correctly.

add rule name="Authenticate with Certificates Rule" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="C=US,O=MSFT,CN=\'Microsoft Root Authority\'|C=US,O=MYORG,CN=\'My Organizations Root Certificate\'"

The following command creates a rule that requires a first (computer) authentication and attempts an optional second (user) authentication:

add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
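The domain isolation and certificate examples above, carried through as a deployment script. This is an added example, not code from the original page or from Microsoft: it hardens the quick mode suites as the Remarks recommend (no DES, MD5, or DHGroup1), applies the CA-name escaping rule with a small helper, and reads the result back with the netsh show and monitor commands. The rule names, the 10.0.10.0/24 infrastructure subnet, the 192.0.2.0/24 partner subnet and the two CA names are this example's own assumptions.

```powershell
# Added example, not code from the original page: deploys the domain-isolation
# pattern from the examples above in PowerShell, hardened as the Remarks
# recommend (no DES/MD5/DHGroup1; SHA-256/AES-256 and AES-GCM quick mode
# suites; ECDH P-256 PFS), then reads the result back with the netsh show
# and monitor commands. Rule names, the 10.0.10.0/24 infrastructure subnet,
# the 192.0.2.0/24 partner subnet and the CA names are this example's own
# assumptions. Run in an elevated PowerShell; without -Apply it only prints.

param([switch]$Apply)

function ConvertTo-CaNameList {
    # Joins CA distinguished names with '|' and turns embedded double quotes
    # into \' as the Remarks require inside an auth1ca/auth2ca value.
    param([string[]]$DistinguishedNames)
    return ($DistinguishedNames | ForEach-Object { $_ -replace '"', "\'" }) -join '|'
}

# Each rule is an array of key=value arguments; netsh receives them unchanged.
$rules = @(
    # 1. Infrastructure that must stay reachable before any SA exists. A
    #    noauthentication rule is the IPsec exemption described under action;
    #    it takes precedence over the broad isolation rule below.
    @('name=Infra exemption (no IPsec)', 'endpoint1=any', 'endpoint2=10.0.10.0/24',
      'action=noauthentication', 'profile=domain'),
    # 2. Domain isolation: inbound must authenticate, outbound only requests
    #    it so that destinations outside the domain still work. The second
    #    (user) authentication is optional, with anonymous last and absent
    #    from auth1, so authentication is never optional on both. AES-GCM has
    #    to be named for both the integrity and the encryption part.
    @('name=Domain isolation', 'endpoint1=any', 'endpoint2=any',
      'action=requireinrequestout', 'profile=domain',
      'auth1=computerkerb', 'auth2=userkerb,anonymous', 'qmpfs=ecdhp256',
      'qmsecmethods=esp:aesgcm256-aesgcm256,esp:sha256-aes256+60min+100000kb'),
    # 3. Partner segment authenticated by certificates from either of two
    #    root CAs; only an encrypting ESP suite is offered, and the action
    #    requires IPsec in both directions.
    @('name=Partner certificate rule', 'endpoint1=any', 'endpoint2=192.0.2.0/24',
      'action=requireinrequireout', 'profile=domain', 'auth1=computercert',
      ('auth1ca=' + (ConvertTo-CaNameList @(
          'C=US,O=Contoso,CN="Contoso Root CA"',
          'C=US,O=Fabrikam,CN="Fabrikam Root CA"'))),
      'qmsecmethods=esp:sha256-aes256')
)

# Static rules land in the store selected here; point it at a GPO instead of
# local to deploy through Group Policy.
if ($Apply) { & netsh advfirewall set store local | Out-Null }

foreach ($r in $rules) {
    # Print the equivalent command line with every value quoted.
    $shown = ($r | ForEach-Object { $k, $v = $_ -split '=', 2; "$k=`"$v`"" }) -join ' '
    Write-Output "netsh advfirewall consec add rule $shown"
    if ($Apply) {
        $result = & netsh advfirewall consec add rule @r
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for '$($r[0])': $result" }
    }
}

if ($Apply) {
    # What the store now contains, then the SAs once peers start talking:
    # mmsa shows which authentication succeeded, qmsa the negotiated suite.
    netsh advfirewall consec show rule name=all
    netsh advfirewall monitor show mmsa
    netsh advfirewall monitor show qmsa
}
```

Run the script once without -Apply to review the generated command lines, then with -Apply to commit them. Keep the exemption rule narrow: every address it covers is exchanged in the clear with no authentication, which is exactly what the isolation rule is meant to prevent elsewhere.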

delete
In the netsh advfirewall consec context, the delete command only has one variation, the delete rule command.
delete rule
Deletes all connection security rules that match the specified criteria.
Syntax
delete rule
name = { all | RuleName }
[ type = { dynamic | static } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ endpoint1 = Addresses ]
[ endpoint2 = Addresses ]
[ port1 = { any | Integer or Range } [ ,… ] ]
[ port2 = { any | Integer or Range } [ ,… ] ]
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
Parameters
name = { all | RuleName }
The rule name of the connection security rule you want deleted. Only the rule with the specified name is deleted.

all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command then all connection security rules are deleted.

[ type = { dynamic | static } ]
Deletes only rules of the specified type (dynamic or static).
[ profile = { public | private | domain | any | [ ,... ] } ]
Deletes only rules assigned to the specified profiles. Default value: any.
[ endpoint1 = Addresses ] [ endpoint2 = Addresses ]
Endpoint1
endpoint2
IPAddress. Specifies an IPv4 or IPv6 address.

IPSubnet. Specifies an IPv4 or IPv6 subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses. The format is the starting and ending IP addresses of the range separated by a '-'.

One of the keywords any, localsubnet, dns, dhcp, wins, defaultgateway.

[ port1 = { any | Integer } ] [ port2 = { any | Integer } ]
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
Remarks
If multiple rules are found that match the specified criteria, then they are all deleted.

Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

Examples
The following example deletes a rule based on its exact name:

delete rule name="rule1"

The following example deletes all dynamic rules from all profiles:

delete rule name=all type=dynamic

set
In the netsh advfirewall consec context, the set command only has one variation, the set rule command.
set rule
Modifies an existing connection security rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.
Syntax
set rule
name = { all | RuleName }
[ type = { dynamic | static } ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ endpoint1 = Addresses ]
[ endpoint2 = Addresses ]
[ port1 = { any | Integer } [ ,… ] ]
[ port2 = { any | Integer } [ ,… ] ]
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
new
[ name = NewRuleName ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ description = NewRuleDescription ]
[ mode = { transport | tunnel } ]
[ endpoint1 = Addresses ]
[ endpoint2 = Addresses ]
[ action = { requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication } ]
[ enable = { yes | no } ]
[ type = { dynamic | static } ]
[ localtunnelendpoint = { IPAddress | any } ]
[ remotetunnelendpoint = { IPAddress | any } ]
[ port1 = { any | Integer } [ ,… ] ]
[ port2 = { any | Integer } [ ,… ] ]
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
[ interfacetype = { any | wireless | lan | ras } ]
[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ ,... ] } ]
[ auth1psk = PreSharedKey ]
[ auth1ca = "CAName [ certmapping:{ yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
[ auth1healthcert = { yes |no } ]
[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } [ | ... ]" ]
[ auth1ecdsap256healthcert = { yes | no } ]
[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } [ | ... ]" ]
[ auth1ecdsap384healthcert = { yes | no } ]
[ auth2 = { userkerb | userntlm | usercert | computercert | computercertecdsap256 | computercertecdsap384 | usercertecdsap256 | usercertecdsap384 | anonymous | [ ,... ] } ]
[ auth2ca = "CAName [ certmapping:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
[ auth2ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]
[ auth2ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ catype: { root | intermediate } ] [ |... ]"]
[ qmpfs = { dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]
[ qmsecmethods = [ authnoencap:integrity[+Lifemin] [+datakb];] ah:Integrity+esp:Integrity-Encryption+[Lifemin]+[Datakb] | default ]
[ exemptipsecprotectedconnections = { yes | no } ]
[ applyauthz = { yes | no } ]
Parameters
name = { all | RuleName }
Required. Identifies the rule to modify. With name=all, every rule that matches the other criteria given before the new keyword is modified.
[ type = { dynamic | static } ]
Matches only rules of the specified type (dynamic or static).
[ profile = { public | private | domain | any | [ ,... ] } ]
[ endpoint1 = Addresses ] [ endpoint2 = Addresses ]
any. Matches a computer with any IP address.

localsubnet. Matches any computer that is on the same IP subnet as the local computer.

dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

[ port1 = { any | Integer or Range } [ ,… ] ] [ port2 = { any | Integer or Range } [ ,… ] ]
Match only rules that specify these ports; a range is written as two port numbers separated by a hyphen, for example 5000-5020.
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
new
[ name = NewRuleName ]
[ profile = { public | private | domain | any | [ ,... ] } ]
[ description = DescriptionOfRule ]
[ mode = { transport |tunnel } ]
[ endpoint1 = Addresses ] [ endpoint2 =Addresses ]
Replace the endpoint1 and endpoint2 address sets of the matched rule; the values take the same forms as for add rule.
action = { requireinrequestout | requestinrequestout | requireinrequireout | requireinclearout | noauthentication }
requireinrequestout. Specifies that the local computer requires successful authentication for all inbound network connections that match this rule. If the authentication is not successful, then the inbound network traffic is discarded. The local computer attempts to authenticate any outbound network connections that match this rule, but still allows the connection if the authentication attempt fails.

requestinrequestout. Specifies that the local computer attempts to authenticate any inbound or outbound network connection that matches this rule, but still allows the connection if the authentication attempt fail.

requireinrequireout. Specifies that the local computer requires successful IPsec negotiation for all inbound and outbound network connections that match this rule. If an authentication attempt fails, then the network connection is prevented, and any related network traffic is discarded.

requireinclearout. Specifies that the local computer requires successful authentication for all inbound network connections that match this rule, but does not attempt IPsec for outbound connections that match it; outbound traffic is sent in the clear. See Remarks under add rule for the versions of Windows on which this action can be used with mode=tunnel.

noauthentication. Specifies that the local computer does not attempt authentication for any network connections that match this rule. This option is typically used to grant IPsec exemptions for network connections that do not need to be protected by IPsec, but would otherwise match other rules that could cause the connection to be dropped.

[ enable = { yes | no } ]
[ type = { dynamic | static } ]
dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not saved in any store and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

static. The rule is saved in the store currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer.

[ localtunnelendpoint = { IPAddress | any } ]
Valid only when mode = tunnel. Specifies the IP address on the local computer through which traffic between endpoint1 and endpoint2 enters the tunnel to the remotetunnelendpoint.
[ remotetunnelendpoint = { IPAddress | any } ]
Valid only when mode = tunnel. Specifies the IP address of the remote computer that terminates the tunnel from the localtunnelendpoint and forwards the traffic to endpoint2.
[ port1 = { any | Integer or Range } [ ,… ] ]
Specifies the port numbers used by endpoint1. Multiple ports are separated by commas, and a range is written as two port numbers separated by a hyphen, for example 5000-5020. port1 and port2 can be specified only when protocol is tcp or udp.
[ port2 = { any | Integer or Range } [ ,… ] ]
Specifies the port numbers used by endpoint2, in the same format as port1, and likewise only when protocol is tcp or udp. Port ranges can be set with netsh only on Windows 7 and Windows Server 2008 R2 (see Remarks under add rule).
[ protocol = { any | tcp | udp | icmpv4 | icmpv6 | Integer } ]
Specifies the IP protocol matched by the rule, either by keyword or by protocol number. port1 and port2 are meaningful only with tcp or udp.
[ interfacetype = { any | wireless | lan | ras } ]
any. The requirements of this rule are applied to network connections made through any of the interface types.

wireless. The requirements of this rule are applied only when the network connection is through a wireless network.

lan. The requirements of this rule are applied only when the network connection is through a wired LAN adapter.

ras. The requirements of this rule are applied only when the network connection is through a RAS interface, such as a VPN or dial-up network connection.

[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ ,... ] } ]
computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. We strongly recommend the use of a more secure authentication method.

computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk

[ auth1psk = PreSharedKey ]
Required when auth1 includes computerpsk, and cannot be used otherwise. Specifies the preshared key. Because the key is stored in plaintext in the policy, prefer a certificate or Kerberos method wherever possible.
[ auth1ca = "CAName [ certmapping:{ yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth1 includes computercert. CAName is the distinguished name of the certification authority whose certificates are accepted, written as comma-separated components such as CN= and OU=. Several CAs are separated by a vertical bar (|). certmapping: yes maps the presented certificate to a computer account. excludecaname: yes omits the CA name from the certificate request sent to the peer, so the request does not reveal which CAs this computer trusts. catype: identifies the CA as a root or an intermediate CA. Default value: root.
[ auth1healthcert = { yes | no } ]
Valid only when auth1ca is specified for the computercert method in auth1. yes requires the certificate to be a Network Access Protection (NAP) health certificate.
[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth1 includes computercertecdsap256. Takes the same CAName, certmapping, excludecaname, and catype options as auth1ca.
[ auth1ecdsap256healthcert = { yes | no } ]
Valid only when auth1ecdsap256ca is specified for the computercertecdsap256 method in auth1. yes requires the certificate to be a NAP health certificate.
[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } ] [ |... ]" ]
Valid only when auth1 includes computercertecdsap384. Takes the same CAName, certmapping, excludecaname, and catype options as auth1ca.
[ auth1ecdsap384healthcert = { yes | no } ]
Valid only when auth1ecdsap384ca is specified for the computercertecdsap384 method in auth1. yes requires the certificate to be a NAP health certificate.
[ auth2 = { userkerb | userntlm | usercert | usercertecdsap256 | usercertecdsap384 | computercert | computercertecdsap256 | computercertecdsap384 | anonymous | [ ,... ] } ]
userkerb. This method uses the Kerberos v5 protocol to authenticate the user account.

userntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the user account.

usercert. This method uses a user certificate issued by a Certification Authority (CA).

usercertecdsap256. This method uses a user certificate issued by a CA that is signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm (ECDSA).

usercertecdsap384. This method uses a user certificate issued by a CA that is signed with the 384-bit version of the ECDSA.

computercert. This method uses a computer health certificate issued by a Network Access Protection (NAP) server on the domain.

computercertecdsap256. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 256-bit version of the ECDSA.

computercertecdsap384. This method uses a computer health certificate issued by a NAP server on the domain, and signed with the 384-bit version of the ECDSA.

anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last.

[ auth2ca ="CAName [ certmapping:{ yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
auth2
CAName
CN=
OU=
certmapping:{ yes | no }
catype:{ root | intermediate }
root
intermediate
root
[ auth2ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
auth2
computercertecdsap256
usercertecdsap256
auth2ca
[ auth2ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname:{ yes | no } ] [ catype: { root | intermediate } [ |... ]" ]
auth2
computercertecdsap384
usercertecdsap384
auth2ca
[ qmpfs = { dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384 | mainmode | none } ]
mainmode
[ qmsecmethods = {[authnoencap:integrity[+Lifemin] [+datakb];] ah:Integrity+esp:Integrity-Encryption[+Lifemin][+Datakb][,...] | default } ]
[authnoencap:integrity[ +Lifemin ] [ +datakb ] ; ]ah:Integrity+esp:Integrity-Encryption[+Lifemin][+Datakb][,…]

authnoencap
Integrity
Integrity
md5
sha1
sha256
aesgmac128
aesgmac192
aesgmac256
aesgcm128
aesgcm192
aesgcm256
none
ah:
Integrity
Encryption
Encryption
des
3des
aes128
aes192
aes256
aesgcm128
aesgcm192
aesgcm256
none
Life
Data
Default. When managing the local computer policy store, this entry is equivalent to entering the following entry (line breaks are included only for clarity):

AH:SHA1+60min+100000kb,
ESP:SHA1-None+60min+100000kb,
ESP:SHA1-AES128+60min+100000kb,
ESP:SHA1-3DES+60min+100000kb

When you are managing a Group Policy object, this option behaves similarly to the notconfigured option: the highest-precedence policy that applies to the computer and that does specify a qmsecmethods value controls the setting. If none of the Group Policy objects or the local computer policy store sets the value, then the computer uses the value string displayed above.

[ exemptipsecprotectedconnections = { yes | no } ]
[ applyauthz = { yes | no } ]
netsh advfirewall set global ipsec
authzcomputergrp
authzusergrp
Remarks
If multiple rules match the criteria you specify, then all matching rules are updated with the changes included in the command.

Any parameters available after the new keyword that you do not include are not modified by the command.

Do not modify a connection security rule to use the name all. Doing this creates a conflict with the netsh option to select all connection security rules (for example, delete rule name=all).

Rules that specify port ranges can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules with port ranges that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

The algorithms to support ECDSA certificate signatures are available only on computers that are running Windows Vista with Service Pack 1 (SP1) or later versions of Windows.

Rules that specify a catype for a certificate can be created by using netsh on Windows 7 and Windows Server 2008 R2 only. However, rules that specify intermediate CAs that are applied to computers running Windows Vista and Windows Server 2008 by using Group Policy work correctly.

When running netsh on a computer that is running Windows Vista or Windows Server 2008 and specifying a computer certificate for auth2, then you must also specify the parameter auth2healthcert=yes. This parameter is not required on computers that are running later versions of Windows.

If you change mode to tunnel, you must specify both tunnel endpoints.

When mode=tunnel, on a computer that is running Windows Vista or Windows Server 2008, you must specify action=requireinrequireout. On computers that are running Windows 7 or Windows Server 2008 R2, you can specify action=requireinrequireout, action=requireinclearout, or action=noauthentication.

When mode=tunnel and action=noauthentication, then both tunnel endpoints must be set to any.

When mode=tunnel on a computer that is running Windows 7 or Windows Server 2008 R2, you can specify both tunnel endpoints as any only if both endpoint1 and endpoint2 are specified and not any.

In auth1, computerpsk and computerntlm cannot be used together.

In auth1, computerpsk and anonymous cannot be used together.

At least one main mode first authentication method must be specified, unless action=noauthentication.

Do not make main mode first and second authentication methods both optional as this is equivalent to disabling authentication.

The ability to set quick mode integrity and encryption offerings on a per-rule basis is available only by using the netsh add rule and set rule commands. The Windows Firewall with Advanced Security MMC snap-in allows you to set the per-machine default Quick Mode integrity and encryption settings, but provides no means to configure them on a per-rule basis.

qmpfs and authnoencap cannot be combined in the same rule.

We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backwards compatibility only.

Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote ( \' ).
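The remarks above are a checklist that is easy to get wrong when rules are scripted in bulk. The following added example (not part of the netsh documentation) encodes those constraints as a pre-deployment lint for an add rule parameter set, flags the algorithms the remarks call backwards-compatibility only, and renders the checked parameters as a netsh command line with CA names quoted as the last remark requires; the rule names, endpoints and CA name it uses are constructed sample values.

```python
"""Lint netsh advfirewall consec 'add rule' parameters before deployment.
Added example, not part of the netsh documentation: it encodes the
constraints from the Remarks section so a rule definition can be checked
before it is written to the local store or a Group Policy object."""
import re

# Algorithms the documentation keeps only for backwards compatibility.
WEAK = {"des", "md5", "dhgroup1"}


def lint_consec_rule(p):
    """Return a list of problems for a dict of add-rule parameters (lowercase)."""
    problems = []
    methods = lambda k: {a.strip() for a in p.get(k, "").split(",") if a.strip()}
    auth1, auth2, action = methods("auth1"), methods("auth2"), p.get("action", "")
    if not auth1 and action != "noauthentication":
        problems.append("auth1 needs a method unless action=noauthentication")
    if {"computerpsk", "computerntlm"} <= auth1:
        problems.append("auth1: computerpsk and computerntlm cannot be combined")
    if {"computerpsk", "anonymous"} <= auth1:
        problems.append("auth1: computerpsk and anonymous cannot be combined")
    if "computerpsk" in auth1 and not p.get("auth1psk"):
        problems.append("auth1psk is required when auth1 includes computerpsk")
    if "anonymous" in auth1 and "anonymous" in auth2:
        problems.append("auth1 and auth2 both optional equals no authentication")
    if p.get("mode") == "tunnel":
        ends = (p.get("localtunnelendpoint"), p.get("remotetunnelendpoint"))
        if not all(ends):
            problems.append("mode=tunnel requires both tunnel endpoints")
        if action == "noauthentication" and ends != ("any", "any"):
            problems.append("tunnel with noauthentication needs both endpoints=any")
    qm = p.get("qmsecmethods", "")
    if p.get("qmpfs") and "authnoencap" in qm:
        problems.append("qmpfs and authnoencap cannot be combined in one rule")
    # Tokenise 'ah:sha1+esp:sha1-aes128+60min+100000kb,...' into algorithm names.
    weak = WEAK & set(re.split(r"[+:,;\-]", qm)) | WEAK & {p.get("qmpfs", "")}
    if weak:
        problems.append("deprecated algorithms: " + ", ".join(sorted(weak)))
    if p.get("name", "").lower() == "all":
        problems.append("rule name 'all' conflicts with netsh's select-all keyword")
    return problems


def to_netsh(p):
    """Render the parameters as a netsh line; quote CA names and values with
    spaces, and turn embedded double quotes into \\' as the Remarks require."""
    parts = ["netsh advfirewall consec add rule"]
    for k, v in p.items():
        v = v.replace('"', "\\'")
        parts.append(f'{k}="{v}"' if " " in v or k.endswith("ca") else f"{k}={v}")
    return " ".join(parts)
```

Run the lint over each generated rule and only emit the netsh line when the list comes back empty.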

Examples
The following command renames "Rule1" to "Rule2":

set rule name="Rule1" new name="Rule2"

The following command changes a rule to use a different action, and assumes that the other parameters required by the new action value were already set:

set rule name="Rule3" new action=requestinrequestout

show
In the netsh advfirewall consec context, the show command only has one variation, the show rule command.
show rule
Displays existing connection security rules.
Syntax
show rule
name = { all | RuleName }
[ profile = { public | private | domain | any } [ ,... ] ]
[ type = { dynamic | static } ]
[ verbose ]
Parameters
name = { all | RuleName }
Required
name=all
name=all
[ profile = { public | private | domain | any | [ ,... ] } ]
profile
any
[ type = { dynamic | static } ]
If you select dynamic, the rules displayed are from the currently active configuration.

If you select static, the rules displayed are from the current store, as determined by the set store command.

type
static
[ verbose ]
Examples
The following command displays all currently defined rules in the current store:

show rule name=all

The following command displays all static rules in the current store:

show rule name=all type=static

Typo in qmpfs
The documentation states "Specifies the method used to establish main mode perfect forward secrecy" when this is the option for quick mode perfect forward secrecy.
Master Technician Technology Services