Netsh AdvFirewall MainMode Commands
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Typing the command mainmode at the netsh advfirewall context changes to the netsh advfirewall mainmode context, where you can view, create, and modify main mode rules that specify how IPsec negotiates main mode security associations between computers on the network. This context has no equivalent in the Windows Firewall with Advanced Security MMC snap-in.
Note
In earlier versions of Windows, there is only one main mode configuration available. It is available from the Windows Firewall with Advanced Security MMC snap-in. To find it, select Windows Firewall Properties, select the IPsec Settings tab, and then under IPsec defaults click Customize. You can also configure these settings in netsh by using the netsh advfirewall set global mainmode command.
Starting in Windows 7 and Windows Server 2008 R2, you can create rules that are compared to inbound and outbound network traffic. When the network traffic matches a rule, the main mode settings specified in that rule are used to negotiate and establish the connection to the remote host. You can create rules for each network location profile, or rules that match only certain network or host addresses. If no rule matches, then the global default values set as described in the previous paragraph are used for the connection. If a policy containing these rules is applied to a computer running an earlier version of Windows, then the rules are ignored and the global settings are used instead.
This netsh context is subject to the requirements of the Common Criteria mode. If enabled, then administrators can create main mode rules, but they cannot specify the mmsecmethods or mmkeylifetime parameters. Only members of the Cryptographic Operators group can set or modify those parameters.
To view the syntax of commands available in the mainmode context, click a command:
add
delete
set
show
add
In the netsh advfirewall mainmode context, the add command only has one variation, the add rule command.
add rule
Adds a main mode rule that defines how IPsec negotiates a main mode security association (SA) with a remote computer when a network connection matches the specified criteria.
Syntax
add rule
name = RuleName
mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }
[ mmforcedh = { yes | no } ]
[ mmkeylifetime = Lifemin,Numsess ]
[ description = DescriptionOfRule ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any } [ , ...] ]
endpoint1 = Addresses
endpoint2 = Addresses
[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ , ...] } ]
[ auth1psk = PreSharedKey ]
[ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1healthcert = { yes | no } ]
[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1ecdsap256healthcert = { yes | no } ]
[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1ecdsap384healthcert = { yes | no } ]
[ type = { dynamic | static } ]
Parameters
name = RuleName
Required. The name of the rule. Do not use the name all; netsh uses that word to select every rule (see Remarks).

mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }
Required. Specifies the key exchange, encryption, and integrity algorithms that can be used for the main mode SA, in the form:

KeyExch:Encryption-Integrity[,…]

Where:

KeyExch is one of:

dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384

Encryption is one of:

des | 3des | aes128 | aes192 | aes256

Integrity is one of:

md5 | sha1 | sha256 | sha384

You can enter multiple Encryption-Integrity pairs that use the same KeyExch algorithm by following the KeyExch entry with the first Encryption-Integrity pair and then additional pairs, separated by commas. You can also enter multiple complete KeyExch:Encryption-Integrity entries, separating them with commas.

default. When managing the local computer policy store, this entry is equivalent to entering dhgroup2:aes128-sha1,3des-sha1.

[ mmforcedh = { yes | no } ]
Default: no.

[ mmkeylifetime = Lifemin,Numsess ]
Lifetime of the main mode key, in minutes and in number of sessions. Default: 480min,0sess; the value notconfigured is treated as that default.

[ description = DescriptionOfRule ]
Optional text that describes the rule.

[ enable = { yes | no } ]
Default: yes.

[ profile = { public | private | domain | any } [ , ...] ]
Default: any.

endpoint1 = Addresses
endpoint2 = Addresses
Required. The rule matches traffic between the computers described by endpoint1 and the computers described by endpoint2. Addresses can be any of the following:

any. Matches a computer with any IPv4 or IPv6 address.

localsubnet. Matches any computer that is on the same subnet as the local computer.

dns | dhcp | wins | defaultgateway. Matches the servers configured for the local computer in that role. Note: these keywords are valid for endpoint2 only.

IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous } [ ,...] ]
Default: anonymous. One or more of the following, separated by commas:

computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. The preshared key is stored in plaintext. We strongly recommend the use of a more secure authentication method.

computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

[ auth1psk = PreSharedKey ]
Required when auth1 includes computerpsk.

[ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
Used when auth1 includes computercert. CAName is the distinguished name of the CA that issued the computer certificate (its CN= and OU= components). After the name you can add certmapping:{ yes | no } to map the certificate to a computer account, excludecaname:{ yes | no } to leave the CA name out of the certificate request sent to the peer, and catype:{ root | intermediate } to state whether the CA is a root or an intermediate CA (default: root). Separate multiple CA entries with |.

[ auth1healthcert = { yes | no } ]
Used with auth1ca when auth1 includes computercert. Specifies whether the computer certificate must be a health certificate. Default: no.

[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
Used when auth1 includes computercertecdsap256. Same format and options as auth1ca.

[ auth1ecdsap256healthcert = { yes | no } ]
Used with auth1ecdsap256ca when auth1 includes computercertecdsap256. Same meaning as auth1healthcert.

[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
Used when auth1 includes computercertecdsap384. Same format and options as auth1ca.

[ auth1ecdsap384healthcert = { yes | no } ]
Used with auth1ecdsap384ca when auth1 includes computercertecdsap384. Same meaning as auth1healthcert.

[ type = { dynamic | static } ]
dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not stored in any policy container and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

static. The rule is stored in the policy container currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer. If the computer's local policy store is the active store, then the rule is immediately applied.

Default: static.
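The endpoint address forms listed above, together with the rule-versus-global-default behaviour described at the top of the page, as an added PowerShell example that is not code from the original page: a matcher for the IPAddress, IPSubnet (prefix length or dotted mask) and IPRange forms for IPv4, and a resolver that reports which rules' mmsecmethods would apply to a given peer, or that the global default applies when no rule matches. The rule table, rule names and addresses are constructed, the function names are my own, and the keywords that depend on the local host's configuration (localsubnet, dns, dhcp, wins, defaultgateway) are reported as undecidable rather than resolved. It needs PowerShell 3.0 or later for the -shl operator.

```powershell
# Added example, not from the original reference page. IPv4 only; the rule
# table at the end is constructed for illustration.

function ConvertTo-IPv4Number {
    param([string]$Address)
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "'$Address' is not a dotted IPv4 address" }
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()    # network byte order
    return [uint64][BitConverter]::ToUInt32([byte[]]@($b[3], $b[2], $b[1], $b[0]), 0)
}

# Tests one endpoint value (the Addresses grammar, comma-separated) against a peer.
# Returns $true or $false, or $null for keywords that need the local host's configuration.
function Test-EndpointMatch {
    param([string]$Spec, [string]$PeerAddress)
    $peer = ConvertTo-IPv4Number $PeerAddress
    $all  = [uint64][uint32]::MaxValue
    foreach ($item in $Spec.Split(',')) {
        $item = $item.Trim().ToLower()
        switch -regex ($item) {
            '^any$'                                        { return $true }
            '^(localsubnet|dns|dhcp|wins|defaultgateway)$' { return $null }
            '^([\d.]+)/(\d{1,2})$' {                                   # IPSubnet, prefix length
                $net  = ConvertTo-IPv4Number $Matches[1]
                $mask = ($all -shl (32 - [int]$Matches[2])) -band $all
                if (($peer -band $mask) -eq ($net -band $mask)) { return $true }
            }
            '^([\d.]+)/(\d+\.\d+\.\d+\.\d+)$' {                        # IPSubnet, dotted mask
                $netText, $maskText = $Matches[1], $Matches[2]
                $net  = ConvertTo-IPv4Number $netText
                $mask = ConvertTo-IPv4Number $maskText
                if (($peer -band $mask) -eq ($net -band $mask)) { return $true }
            }
            '^([\d.]+)-([\d.]+)$' {                                    # IPRange
                $loText, $hiText = $Matches[1], $Matches[2]
                $lo = ConvertTo-IPv4Number $loText
                $hi = ConvertTo-IPv4Number $hiText
                if ($peer -ge $lo -and $peer -le $hi) { return $true }
            }
            '^[\d.]+$' { if ($peer -eq (ConvertTo-IPv4Number $item)) { return $true } }   # IPAddress
            default    { throw "unrecognised endpoint value '$item'" }
        }
    }
    return $false
}

# Lists the rules whose endpoint2 matches the peer; when none does, the global
# main mode settings apply, exactly as the page describes for unmatched traffic.
function Resolve-MainModeSettings {
    param([object[]]$Rules, [string]$PeerAddress,
          [string]$GlobalSecMethods = 'dhgroup2:aes128-sha1,3des-sha1')   # the page's 'default' value
    $hits = foreach ($r in $Rules) {
        $m = Test-EndpointMatch -Spec $r.Endpoint2 -PeerAddress $PeerAddress
        if ($m -eq $true)       { "$($r.Name): $($r.SecMethods)" }
        elseif ($null -eq $m)   { "$($r.Name): cannot decide without host configuration ($($r.Endpoint2))" }
    }
    if ($hits) { return $hits }
    return "no main mode rule matches $PeerAddress; global settings apply: $GlobalSecMethods"
}

# Constructed rule table (the fields you would read from show rule name=all verbose).
$rules = @(
    [pscustomobject]@{ Name = 'HR server';  Endpoint2 = '192.168.0.5';             SecMethods = 'dhgroup2:3des-sha256,3des-sha384' }
    [pscustomobject]@{ Name = 'Lab subnet'; Endpoint2 = '10.20.0.0/16';            SecMethods = 'ecdhp256:aes128-sha256' }
    [pscustomobject]@{ Name = 'DMZ range';  Endpoint2 = '172.16.5.10-172.16.5.20'; SecMethods = 'dhgroup14:aes256-sha256' }
)
Resolve-MainModeSettings -Rules $rules -PeerAddress '10.20.7.9'
Resolve-MainModeSettings -Rules $rules -PeerAddress '172.16.5.15'
Resolve-MainModeSettings -Rules $rules -PeerAddress '203.0.113.8'
```

The three calls exercise a subnet match, a range match, and the no-match case that falls back to the global settings. The page does not say which rule wins when several match the same peer, so the resolver lists every match rather than picking one.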
Remarks
Main mode rules are valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

If the operating system is running in Common Criteria mode, then only administrators can create main mode rules, but they cannot specify the mmsecmethods or mmkeylifetime parameters. Members of the Cryptographic Operators group can then use the set rule command to add those parameters to the existing rule created by the administrator. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (http://go.microsoft.com/fwlink/?linkid=147070).

Do not create a main mode rule with the name all. Doing this creates a conflict with the netsh option to select all main mode rules (for example, delete rule name=all).

Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\').

We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.

Examples
The following command creates a main mode rule that applies alternate authentication and security methods to clients that communicate with the server at address 192.168.0.5 only:

add rule name="Alternate Main Mode Rule" description="Use alternate sec methods for HR server" endpoint1=any endpoint2=192.168.0.5 mmsecmethods=dhgroup2:3des-sha256,3des-sha384 auth1=computercert auth1ca="insert CA name here" auth1healthcert=no mmkeylifetime=2min,0sess profile=domain
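The mmsecmethods grammar and the add rule example above, as an added PowerShell example that is not code from the original page: the first function checks an mmsecmethods value against the documented grammar and refuses the DES, MD5 and DHGroup1 options the Remarks warn against; the second assembles a complete add rule command line with certificate authentication and the CA-name quoting the page describes. The rule name, the server address and the CA name CN=Contoso Issuing CA are invented, and the function names are my own.

```powershell
# Added example, not from the original reference page. Rule name, address and
# CA name below are invented.

$KeyExch   = 'dhgroup1', 'dhgroup2', 'dhgroup14', 'ecdhp256', 'ecdhp384'
$Encrypt   = 'des', '3des', 'aes128', 'aes192', 'aes256'
$Integrity = 'md5', 'sha1', 'sha256', 'sha384'
$Weak      = 'des', 'md5', 'dhgroup1'      # kept for backward compatibility only

# Validates KeyExch:Encryption-Integrity[,Encryption-Integrity][,KeyExch:...] or 'default'.
# Throws on the first grammar error or weak algorithm; returns $true otherwise.
function Test-MainModeSecMethods {
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim().ToLower()
    if ($v -eq 'default') { return $true }    # dhgroup2:aes128-sha1,3des-sha1 in the local store
    $kx = $null
    foreach ($item in $v.Split(',')) {
        $pair = $item
        if ($item -match '^([^:]+):(.+)$') { $kx = $Matches[1]; $pair = $Matches[2] }
        if (-not $kx) { throw "'$item': the first entry must start with a KeyExch algorithm and a colon" }
        if ($KeyExch -notcontains $kx) { throw "'$kx' is not a valid KeyExch algorithm" }
        $enc, $int = $pair.Split('-', 2)
        if ($Encrypt -notcontains $enc)   { throw "'$enc' is not a valid Encryption algorithm" }
        if ($Integrity -notcontains $int) { throw "'$int' is not a valid Integrity algorithm" }
        foreach ($alg in @($kx, $enc, $int)) {
            if ($Weak -contains $alg) { throw "'$alg' is no longer considered secure; choose another algorithm" }
        }
    }
    return $true
}

# Builds the add rule line. Rule and CA names go in double quotes; an embedded "
# inside the CA name becomes \' as the Remarks require.
function New-MainModeRuleCommand {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SecMethods,
        [Parameter(Mandatory)][string]$Endpoint2,
        [Parameter(Mandatory)][string]$CAName,        # distinguished name of the issuing CA
        [string]$Endpoint1   = 'any',
        [string]$NetProfile  = 'domain',
        [string]$KeyLifetime = '480min,0sess'
    )
    if ($Name -eq 'all') { throw "'all' is reserved for selecting every rule (for example, delete rule name=all)" }
    $null = Test-MainModeSecMethods -Value $SecMethods
    $ca = $CAName.Replace('"', "\'")
    $parts = @(
        "name=`"$Name`""
        "endpoint1=$Endpoint1"
        "endpoint2=$Endpoint2"
        "mmsecmethods=$SecMethods"
        "mmkeylifetime=$KeyLifetime"
        "profile=$NetProfile"
        'auth1=computercert'
        "auth1ca=`"$ca catype:root`""
        'auth1healthcert=no'
    )
    return 'netsh advfirewall mainmode add rule ' + ($parts -join ' ')
}

# Usage: build the line, review it, then hand it to cmd.exe so netsh receives the
# quotes exactly as written. Only Windows 7 / Windows Server 2008 R2 honour the rule;
# earlier versions ignore it and use the global main mode settings.
$cmd = New-MainModeRuleCommand -Name 'HR server main mode' -Endpoint2 '192.168.0.5' `
    -SecMethods 'ecdhp384:aes256-sha384,aes128-sha256' `
    -CAName 'CN=Contoso Issuing CA, O=Contoso'          # hypothetical CA
$cmd
$Apply = $false                                          # set to $true on the target host
if ($Apply) {
    cmd /c $cmd
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    netsh advfirewall mainmode show rule name="HR server main mode" verbose
}
```

In Common Criteria mode the same line fails for an administrator because of the mmsecmethods and mmkeylifetime parameters; drop them, create the rule, and have a member of Cryptographic Operators add them with set rule, as the Remarks describe.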

delete
In the netsh advfirewall mainmode context, the delete command only has one variation, the delete rule command.
delete rule
Deletes all main mode rules that match the specified criteria.
Syntax
delete rule
name = { all | RuleName }
[ profile = { public | private | domain | any | [ ,... ] } ]
[ type = { dynamic | static } ]
Parameters
name = { all | RuleName }
Required
The rule name of the main mode rule you want deleted. Only the rule with the specified name is deleted.

all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command then all main mode rules are deleted.

[ profile = { public | private | domain | any | [ ,... ] } ]
Limits the match to rules assigned to the specified profile(s).

[ type = { dynamic | static } ]
Limits the match to dynamic or static rules (see the type parameter of add rule).
Remarks
If multiple rules are found that match the specified criteria, then they are all deleted.

If the operating system is running in Common Criteria mode, then only administrators can delete main mode rules, but they cannot delete a rule that contains a crypto set. First, a member of the Cryptographic Operators group must use the set rule command with the mmsecmethods=none parameter to remove the existing crypto sets, after which the administrator can delete the rule. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (http://go.microsoft.com/fwlink/?linkid=147070).

Examples
The following example deletes a rule based on its exact name:

delete rule name="MMRule1"

The following example deletes all dynamic rules from all profiles:

delete rule name=all type=dynamic

set
In the netsh advfirewall mainmode context, the set command only has one variation, the set rule command.
set rule
Modifies an existing main mode rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Parameters that follow the keyword new are the properties that are modified or added.
Syntax
set rule
name = RuleName
[ profile = { public | private | domain | any } [ , ...] ]
[ type = { dynamic | static } ]
new
mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }
[ mmforcedh = { yes | no } ]
[ mmkeylifetime = Lifemin,Numsess ]
[ description = DescriptionOfRule ]
[ enable = { yes | no } ]
[ profile = { public | private | domain | any } [ , ...] ]
endpoint1 = Addresses
endpoint2 = Addresses
[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous | [ , ...] } ]
[ auth1psk = PreSharedKey ]
[ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1healthcert = { yes | no } ]
[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1ecdsap256healthcert = { yes | no } ]
[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
[ auth1ecdsap384healthcert = { yes | no } ]
[ type = { dynamic | static } ]
Parameters
name = RuleName
Required. Identifies the rule to modify. Together with the profile and type parameters that precede new, it selects the rule(s) whose properties are changed. To rename the rule, specify name=NewName after new.

[ profile = { public | private | domain | any | [ ,... ] } ]
Limits the selection to rules assigned to the specified profile(s).

[ type = { dynamic | static } ]
Limits the selection to dynamic or static rules (see the type parameter of add rule).

new
Required keyword that separates the selection criteria from the properties to change. Every parameter that can follow new has the same syntax, values, and meaning as in add rule, described earlier on this page.
Remarks
Main mode rules are valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

If the operating system is running in Common Criteria mode, then administrators can modify the main mode rules, with the exception of the mmsecmethods or mmkeylifetime parameters. Only members of the Cryptographic Operators group can modify those parameters. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (http://go.microsoft.com/fwlink/?linkid=147070).

Do not create a main mode rule with the name all. Doing this creates a conflict with the netsh option to select all main mode rules (for example, delete rule name=all).

Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\').

We recommend that you do not use DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.

Examples
The following command renames the rule "MMRule1" to "MMRule2":

set rule name="MMRule1" new name="MMRule2"

The following command changes the main mode key lifetime of an existing rule and leaves its other properties as they were:

set rule name="MMRule3" new mmkeylifetime=20min

show
In the netsh advfirewall mainmode context, the show command only has one variation, the Show Rule command.
show rule
Displays existing main mode rules.
Syntax
show rule
name = { all | RuleName }
[ profile = { public | private | domain | any } [ ,... ] ]
[ type = { dynamic | static } ]
[ verbose ]
Parameters
name = { all | RuleName }
Required. Displays the rule with the specified name. all displays every rule that matches the other criteria.

[ profile = { public | private | domain | any } [ ,... ] ]
Limits the display to rules assigned to the specified profile(s). Default: any.

[ type = { dynamic | static } ]
If you select dynamic, the rules displayed are from the currently active configuration.

If you select static, the rules displayed are from the current store, as determined by the set store command.

Default: static.

[ verbose ]
Displays additional properties of each rule.
Examples
The following command displays all currently defined rules in the current store:

show rule name=all

The following command displays all static rules in the current store:

show rule name=all type=static
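The show rule listing, the Remarks on DES, MD5 and DHGroup1, and the set rule remediation path, as an added PowerShell example that is not code from the original page: an audit that walks the output of show rule name=all verbose, flags rules that use the deprecated algorithms, a preshared key, or anonymous-only authentication, and prints a set rule line for each finding. It assumes the verbose listing begins each rule with a "Rule Name:" line and prints the other properties as "Label: value" lines (the "Auth1:" label used for the anonymous check is also an assumption); the sample listing at the end is constructed so the script can be exercised offline, and the function names are my own.

```powershell
# Added example, not from the original reference page. The listing format is
# assumed (one 'Rule Name:' line per rule, then 'Label: value' lines); the
# sample at the end is constructed, not captured from a real host.

# Splits the listing into one record per rule.
function Get-MainModeRuleRecords {
    param([string[]]$Listing)
    $name = $null; $body = @()
    foreach ($line in $Listing) {
        if ($line -match '^Rule Name:\s*(.*?)\s*$') {
            if ($name) { [pscustomobject]@{ Name = $name; Text = ($body -join "`n") } }
            $name = $Matches[1]; $body = @()
        } elseif ($name) { $body += $line }
    }
    if ($name) { [pscustomobject]@{ Name = $name; Text = ($body -join "`n") } }
}

# Reports rules that rely on what the page warns against and the set rule line
# that fixes each. In Common Criteria mode only a member of Cryptographic
# Operators can apply the mmsecmethods part of the fix.
function Find-WeakMainModeRules {
    param([string[]]$Listing = (netsh advfirewall mainmode show rule name=all verbose))
    foreach ($rule in Get-MainModeRuleRecords -Listing $Listing) {
        $issues = @(); $fixes = @()
        # \b keeps 'des' from matching inside '3des' and 'dhgroup1' inside 'dhgroup14'.
        $weak = [regex]::Matches($rule.Text, '\b(des|md5|dhgroup1)\b', 'IgnoreCase') |
                ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique
        if ($weak) {
            $issues += "deprecated algorithm(s): $($weak -join ', ')"
            $fixes  += 'mmsecmethods=dhgroup14:aes256-sha256,aes128-sha256'
        }
        if ($rule.Text -match '\bcomputerpsk\b') {
            $issues += 'preshared key authentication (key stored in plaintext)'
            $fixes  += 'auth1=computerkerb'
        }
        if ($rule.Text -match '(?m)^Auth1:\s*anonymous\s*$') {
            $issues += 'anonymous-only authentication (peer authentication is optional)'
            $fixes  += 'auth1=computerkerb'
        }
        if ($issues) {
            [pscustomobject]@{
                Rule   = $rule.Name
                Issues = $issues -join '; '
                Fix    = "netsh advfirewall mainmode set rule name=`"$($rule.Name)`" new " +
                         ((@($fixes) | Sort-Object -Unique) -join ' ')
            }
        }
    }
}

# Constructed sample listing with two rules, for offline runs.
$sample = @'
Main Mode Rules:

Rule Name:                            Legacy HR rule
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain
Type:                                 Static
Endpoint1:                            Any
Endpoint2:                            192.168.0.5
Auth1:                                ComputerPSK
MainModeSecMethods:                   DHGroup1-DES-MD5,DHGroup2-3DES-SHA1
MainModeKeyLifetime:                  480min,0sess

Rule Name:                            Hardened rule
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain
Type:                                 Static
Endpoint1:                            Any
Endpoint2:                            192.168.0.6
Auth1:                                ComputerCert
MainModeSecMethods:                   ECDHP384-AES256-SHA384,DHGroup14-AES128-SHA256
MainModeKeyLifetime:                  480min,0sess
'@ -split "`r?`n"

Find-WeakMainModeRules -Listing $sample | Format-List
# On a Windows 7 / Server 2008 R2 host, call Find-WeakMainModeRules with no
# arguments to audit the live rule set instead of the sample.
```

On the constructed sample only the first rule is reported; the second uses 3DES and DHGroup14, which the word-boundary regex deliberately leaves alone. Review each Fix line before running it: the replacement mmsecmethods value is a conservative suggestion, and the auth1 change assumes the peers are domain members that can use Kerberos.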
