Windows 10 DLL File Information - authfwcfg.dll

The following DLL report was generated by an automatic script that scanned and loaded all DLL files in the system32 directory of Windows 10, extracted information from them, and saved it into HTML reports. To view the report for another DLL, go to the main page of this Web site.

General Information

File Description: Windows Firewall with Advanced Security Configuration Helper  
File Version: 10.0.10130.0 (fbl_impressive.150522-2224)  
Company: Microsoft Corporation  
Product Name: Microsoft® Windows® Operating System  
DLL Popularity: Very Low - No other DLL in the system32 directory is statically linked to this file.  
File Size: 348 KB  
Total Number of Exported Functions: 2  
Total Number of Exported Functions With Names: 2

Section Headers

| Name | Virtual Address | Raw Data Size | % of File | Characteristics | Section Contains... |
|---|---|---|---|---|---|
| .text | 0x00001000 | 322,560 Bytes | 90.4% | Read, Execute | Code |
| .data | 0x00050000 | 2,048 Bytes | 0.6% | Write, Read | Initialized Data |
| .idata | 0x00051000 | 6,656 Bytes | 1.9% | Read | Initialized Data |
| .didat | 0x00053000 | 512 Bytes | 0.1% | Write, Read | Initialized Data |
| .rsrc | 0x00054000 | 1,536 Bytes | 0.4% | Read | Initialized Data |
| .reloc | 0x00055000 | 22,528 Bytes | 6.3% | Read, Discardable | Initialized Data |

Static Linking

authfwcfg.dll is statically linked to the following files:

msvcrt.dll
ntdll.dll
NETSH.EXE
OLEAUT32.dll
bcrypt.dll
WS2_32.dll
api-ms-win-eventing-classicprovider-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-com-l1-1-1.dll
api-ms-win-core-heap-l1-2-0.dll
api-ms-win-core-errorhandling-l1-1-1.dll
api-ms-win-core-processenvironment-l1-2-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-datetime-l1-1-1.dll
api-ms-win-core-sysinfo-l1-2-1.dll
api-ms-win-security-base-l1-2-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-processthreads-l1-1-2.dll
api-ms-win-core-debug-l1-1-1.dll
api-ms-win-core-profile-l1-1-0.dll
FWPolicyIOMgr.dll
FirewallAPI.dll
api-ms-win-core-delayload-l1-1-1.dll
api-ms-win-core-apiquery-l1-1-0.dll

This means that when authfwcfg.dll is loaded, the above files are automatically loaded too. If one of these files is corrupted or missing, authfwcfg.dll won't be loaded.

 

General Resources Information

| Resource Type | Number of Items | Total Size | % of File |
|---|---|---|---|
| Icons | 0 | 0 Bytes | 0.0% |
| Animated Icons | 0 | 0 Bytes | 0.0% |
| Cursors | 0 | 0 Bytes | 0.0% |
| Animated Cursors | 0 | 0 Bytes | 0.0% |
| Bitmaps | 0 | 0 Bytes | 0.0% |
| AVI Files | 0 | 0 Bytes | 0.0% |
| Dialog-Boxes | 0 | 0 Bytes | 0.0% |
| HTML Related Files | 0 | 0 Bytes | 0.0% |
| Menus | 0 | 0 Bytes | 0.0% |
| Strings | 518 | 190,584 Bytes | 53.4% |
| Type Libraries | 0 | 0 Bytes | 0.0% |
| Manifest | 0 | 0 Bytes | 0.0% |
| All Others | 2 | 1,204 Bytes | 0.3% |
| Total | 520 | 191,788 Bytes | 53.7% |

Icons in this file

No icons found in this file

 

Cursors in this file

No cursors found in this file

 

Dialog-boxes list (up to 1000 dialogs)

No dialog resources in this file.

 

String resources in this dll (up to 1000 strings)

String ID String Text
11000 %1!s! Settings: ----------------------------------------------------------------------
11001 State %1!s!
11002 Firewall Policy %1!s!
11003 LocalFirewallRules %1!s! LocalConSecRules %2!s! InboundUserNotification %3!s! RemoteManagement %4!s! UnicastResponseToMulticast %5!s!
11004 Logging:
11005 LogAllowedConnections %1!s! LogDroppedConnections %2!s! FileName %3!s! MaxFileSize %4!s!
11006 Main Mode:
11007 KeyLifetime %1!u!min,%2!u!sess SecMethods %3!s! ForceDH %4!s!
11008 IPsec:
11009 StrongCRLCheck %1!s! SAIdleTimeMin %2!s! DefaultExemptions %3!s! IPsecThroughNAT %4!s! AuthzUserGrp %5!s! AuthzComputerGrp %6!s! AuthzUserGrpTransport %7!s! AuthzComputerGrpTransport %8!s!
11010 StatefulFTP %1!s!
11011 StatefulPPTP %1!s!
11012 Policy Store %1!s!
11013 Domain Profile
11014 Private Profile
11015 Disabled
11016 Check
11017 Enforce
11018 Rule Name: %1!s! ----------------------------------------------------------------------
11019 Description: %1!s!
11020 Enabled: %1!s!
11021 Profiles: %1!s!
11022 Type: %1!s!
11023 LocalTunnelEndpoint: %1!s!
11024 RemoteTunnelEndpoint: %1!s!
11025 InterfaceTypes: %1!s!
11026 Endpoint1: %1!s!
11027 Endpoint2: %1!s!
11028 Port1: %1!s!
11029 Port2: %1!s!
11030 Protocol: %1!s!
11031 Action: %1!s!
11032 Auth1: %1!s!
11033 Auth1PSK: %1!s!
11034 Auth1CAName: %1!s!
11035 Auth1CertMapping: %1!s!
11036 Auth1ExcludeCAName: %1!s!
11037 Auth1HealthCert: %1!s!
11038 Auth2: %1!s!
11039 Auth2CAName: %1!s!
11040 Auth2CertMapping: %1!s!
11041 Auth2HealthCert: %1!s!
11042 MainModeSecMethods: %1!s!
11043 MainModeKeyLifetime: %1!u!min,%2!u!sess
11044 QuickModeSecMethods: %1!s!
11045 QuickModePFS: %1!s!
11046 Current Profile
11047 N/A (GPO-store only)
11048 Deleted %1!u! rule(s).
11049 Updated %1!u! rule(s).
11050 Mode: %1!s!
11051 Rule Name: %1!s! ----------------------------------------------------------------------
11052 Description: %1!s!
11053 Grouping: %1!s!
11054 Enabled: %1!s!
11055 Profiles: %1!s!
11056 LocalIP: %1!s!
11057 RemoteIP: %1!s!
11058 LocalPort: %1!s!
11059 RemotePort: %1!s!
11060 Protocol: %1!s!
11061 Program: %1!s!
11062 Service: %1!s!
11063 InterfaceTypes: %1!s!
11064 RemoteComputerGroup: %1!s!
11065 RemoteUserGroup: %1!s!
11066 Security: %1!s!
11067 Action: %1!s!
11068 Main Mode SA at %1!s! ----------------------------------------------------------------------
11069 Local IP Address: %1!s!
11070 Remote IP Address: %1!s!
11071 Auth1: %1!s!
11072 Auth2: %1!s!
11073 MM Offer: %1!s!
11074 Cookie Pair:
11075 Health Cert: %1!s!
11076 Quick Mode SA at %1!s! ----------------------------------------------------------------------
11077 Local IP Address: %1!s!
11078 Remote IP Address: %1!s!
11079 Local Port: %1!s!
11080 Remote Port: %1!s!
11081 Protocol: %1!s!
11082 Direction: %1!s!
11083 QM Offer: %1!s!
11084 Deleted %1!u! SA(s).
11085 Dynamic Store
11086 Skipped deleting %1!u! dynamic rule(s) because they did not originate from the dynamic store.
11087 Not Configured
11088 The %1!s! MainMode settings in the specified GPO store cannot be shown because they have not been configured.
11089 The following GPOs were found with the name "%1!s!":
11090 Use one of these GPO IDs to identify the desired GPO.
11091 PFS: %1!s!
11092 KeyLifetime %1!s! SecMethods %2!s! ForceDH %3!s!
11093 Access Denied
11094 Skipped updating %1!u! dynamic rule(s) because they did not originate from the dynamic store.
11095 Public Profile
11096 Generate Consec Rules: %1!s!
11097 Type Code
11098 %1!-4s! %2!-4s!
11099 Edge traversal: %1!s!
11100 Direction: %1!s!
11101 Auth1 Local ID: %1!s!
11102 Auth1 Remote ID: %1!s!
11103 UNKNOWN
11104 None
11105 Never
11106 Server behind NAT
11107 Server and client behind NAT
11110 Allow
11111 Block
11112 Bypass
11118 Global
11120 Local
11121 Store
11122 Enable
11123 Disable
11125 RequireInRequestOut
11126 RequestInRequestOut
11127 RequireInRequireOut
11128 NoAuthentication
11129 DHGroup1
11130 DHGroup2
11131 DHGroup14
11132 ECDHP256
11133 ECDHP384
11134 MainMode
11135 Dynamic
11136 Static
11137 Tunnel
11138 Transport
11139 Both
11140 ComputerKerb
11141 ComputerCert
11142 ComputerPSK
11143 ComputerNTLM
11144 Anonymous
11145 UserCert
11146 UserKerb
11147 UserNTLM
11148 3DES
11150 AES128
11151 AES192
11152 AES256
11154 SHA1
11157 ICMPv4
11158 ICMPv6
11161 NeighborDiscovery
11162 ICMP
11163 Authenticate
11164 AuthEnc
11165 NotRequired
11166 Wireless
11169 Domain
11170 Private
11171 Public
11172 BlockInbound
11173 BlockInboundAlways
11174 AllowInbound
11175 BlockOutbound
11176 AllowOutbound
11181 %umin
11182 %ukb
11183 Auth2 Local ID: %1!s!
11184 Auth2 Remote ID: %1!s!
11185 %1!02x!
11186 ComputerCertECDSAP256
11187 ComputerCertECDSAP384
11188 UserCertECDSAP256
11189 UserCertECDSAP384
11190 AESGCM128
11191 AESGCM192
11192 AESGCM256
11193 SHA256
11194 SHA384
11195 AESGCM128
11196 AESGCM192
11197 AESGCM256
11198 AESGMAC128
11199 AESGMAC192
11200 AESGMAC256
11201 Auth1ECDSAP256CAName: %1!s! Auth1ECDSAP256CertMapping: %2!s! Auth1ECDSAP256ExcludeCAName: %3!s! Auth1ECDSAP256CertType: %4!s! Auth1ECDSAP256HealthCert: %5!s!
11202 Auth1ECDSAP384CAName: %1!s! Auth1ECDSAP384CertMapping: %2!s! Auth1ECDSAP384ExcludeCAName: %3!s! Auth1ECDSAP384CertType: %4!s! Auth1ECDSAP384HealthCert: %5!s!
11203 Auth2ECDSAP256CAName: %1!s! Auth2ECDSAP256CertMapping: %2!s! Auth2ECDSAP256CertType: %3!s! Auth2ECDSAP256HealthCert: %4!s!
11204 Auth2ECDSAP384CAName: %1!s! Auth2ECDSAP384CertMapping: %2!s! Auth2ECDSAP384CertType: %3!s! Auth2ECDSAP384HealthCert: %4!s!
11205 Auth2ECDSAP256CAName: %1!s! Auth2ECDSAP256CertMapping: %2!s! Auth2ECDSAP256CertType: %3!s!
11206 Auth2ECDSAP384CAName: %1!s! Auth2ECDSAP384CertMapping: %2!s! Auth2ECDSAP384CertType: %3!s!
11207 %1!s!: ----------------------------------------------------------------------
11208 %1!s!
11209 AuthDynEnc
11210 BootTimeRuleCategory %1!s! FirewallRuleCategory %2!s! StealthRuleCategory %3!s! ConSecRuleCategory %4!s!
11211 Windows Firewall
11212 Categories:
11213 Rule Name: %1!s! ----------------------------------------------------------------------
11214 Description: %1!s!
11215 Profiles: %1!s!
11216 KeyLifetime: %1!u!min,%2!u!sess
11217 Endpoint1: %1!s!
11218 Endpoint2: %1!s!
11219 Auth1: %1!s!
11220 Auth1PSK: %1!s!
11221 Auth1CAName: %1!s!
11222 Auth1CertMapping: %1!s!
11223 Auth1ExcludeCAName: %1!s!
11224 Auth1HealthCert: %1!s!
11225 SecMethods: %1!s!
11226 Enabled: %1!s!
11227 Receive fail : %1!S!
11228 Send fail : %1!S!
11229 Acquire Heap size : %1!S!
11230 Receive Heap size : %1!S!
11231 Negotiation Failures : %1!S!
11232 Invalid Cookies Rcvd : %1!S!
11233 Total Acquire : %1!S!
11234 TotalGetSpi : %1!S!
11235 TotalKeyAdd : %1!S!
11236 TotalKeyUpdate : %1!S!
11237 GetSpiFail : %1!S!
11238 KeyAddFail : %1!S!
11239 KeyUpdateFail : %1!S!
11240 IsadbListSize : %1!S!
11241 ConnListSize : %1!S!
11242 Invalid Packets Rcvd : %1!S!
11243 IPsec Statistics
11244 ----------------
11245 IPsecStatistics not available.
11246 Active Assoc : %1!S!
11247 Offload SAs : %1!S!
11248 Pending Key : %1!S!
11249 Key Adds : %1!S!
11250 Key Deletes : %1!S!
11251 ReKeys : %1!S!
11252 Active Tunnels : %1!S!
11253 Bad SPI Pkts : %1!S!
11254 Pkts not Decrypted : %1!S!
11255 Pkts not Authenticated : %1!S!
11256 Pkts with Replay Detection : %1!S!
11257 Confidential Bytes Sent : %1!S!
11258 Confidential Bytes Received : %1!S!
11259 Authenticated Bytes Sent : %1!S!
11260 Authenticated Bytes Received: %1!S!
11261 Transport Bytes Sent : %1!S!
11262 Transport Bytes Received : %1!S!
11263 Offloaded Bytes Sent : %1!S!
11264 Offloaded Bytes Received : %1!S!
11265 Bytes Sent In Tunnels : %1!S!
11266 Bytes Received In Tunnels : %1!S!
11267 IKE Statistics
11268 --------------
11269 IKEStatistics not available.
11270 Main Modes : %1!S!
11271 Quick Modes : %1!S!
11272 Soft SAs : %1!S!
11273 Authentication Failures : %1!S!
11274 Active Acquire : %1!S!
11275 Active Receive : %1!S!
11276 Acquire fail : %1!S!
11277 Rule source: %1!s!
11278 Quick Mode:
11279 QuickModeSecMethods %1!s! QuickModePFS %2!s!
11280 Security Associations:
11281 GPO Name %1!s!
11282 Global Policy State: ----------------------------------------------------------------------
11283 Windows Firewall Rules: ----------------------------------------------------------------------
11284 Connection Security Rules:
11285 Auth1CertType: %1!s!
11286 Auth2CertType: %1!s!
11287 AuthNoEncap
11288 ExemptIPsecProtectedConnections: %1!s!
11289 RequireInClearOut
11290 ApplyAuthorization: %1!s!
11291 Defer to application
11292 Defer to user
11293 Deny
11294 Local Group Policy Setting
11295 Local Setting
11296 Dynamic Setting
11297 ForceDH: %1!s!
11298 Mainmode Rules:
11299 DHCP
11300 Group Policy Setting
11301 The 'netsh advfirewall dump' command is not implemented in this version of Windows. Instead, use the 'netsh advfirewall export' command to write the current Windows Firewall with Advanced Security configuration from the current policy store to a file on disk. You can then use 'netsh advfirewall import' to read the file and load it into another policy store, such as a Group Policy object or the current policy store on another computer. To set the current policy store, use the 'netsh advfirewall set store' command. For more information about the commands in the netsh advfirewall context, see Netsh Commands for Windows Firewall with Advanced Security at http://go.microsoft.com/fwlink/?linkid=111237.
11302 DHGroup24
11303 ComputerNegoEx
11304 UserNegoEx
11305 Auth1CriteriaType: %1!s!
11306 Auth1CertNameType: %1!s!
11307 Auth1CertName: %1!s!
11308 Auth1CertEku: %1!s!
11309 Auth1CertHash: %1!s!
11310 Auth1FollowCertRenewal: %1!s!
11311 Auth1ECDSAP256CriteriaType: %1!s!
11312 Auth1ECDSAP256CertNameType: %1!s!
11313 Auth1ECDSAP256CertName: %1!s!
11314 Auth1ECDSAP256CertEku: %1!s!
11315 Auth1ECDSAP256CertHash: %1!s!
11316 Auth1ECDSAP256FollowCertRenewal: %1!s!
11317 Auth1ECDSAP384CriteriaType: %1!s!
11318 Auth1ECDSAP384CertNameType: %1!s!
11319 Auth1ECDSAP384CertName: %1!s!
11320 Auth1ECDSAP384CertEku: %1!s!
11321 Auth1ECDSAP384CertHash: %1!s!
11322 Auth1ECDSAP384FollowCertRenewal: %1!s!
11323 Auth2CriteriaType: %1!s!
11324 Auth2CertNameType: %1!s!
11325 Auth2CertName: %1!s!
11326 Auth2CertEku: %1!s!
11327 Auth2CertHash: %1!s!
11328 Auth2FollowCertRenewal: %1!s!
11329 Auth2ECDSAP256CriteriaType: %1!s!
11330 Auth2ECDSAP256CertNameType: %1!s!
11331 Auth2ECDSAP256CertName: %1!s!
11332 Auth2ECDSAP256CertEku: %1!s!
11333 Auth2ECDSAP256CertHash: %1!s!
11334 Auth2ECDSAP256FollowCertRenewal: %1!s!
11335 Auth2ECDSAP384CriteriaType: %1!s!
11336 Auth2ECDSAP384CertNameType: %1!s!
11337 Auth2ECDSAP384CertName: %1!s!
11338 Auth2ECDSAP384CertEku: %1!s!
11339 Auth2ECDSAP384CertHash: %1!s!
11340 Auth2ECDSAP384FollowCertRenewal: %1!s!
11341 Auth1KerbProxyFQDN: %1!s!
11342 Auth1ProxyServerFQDN: %1!s!
11343 Auth2ProxyServerFQDN: %1!s!
11344 Machine authorization SDDL %1!s!
11345 User authorization SDDL %1!s!
12000 Resets the policy to the default out-of-box policy.
12001 Usage: reset [export <path\filename>] Remarks: - Restores the Windows Firewall with Advanced Security policy to the default policy. The current active policy can be optionally exported to a specified file. - In a Group Policy object, this command returns all settings to notconfigured and deletes all connection security and firewall rules. Examples: Backup the current policy and restore out-of-box policy: netsh advfirewall reset export "c:\backuppolicy.wfw"
12002 Sets the per-profile or global settings.
12003 Sets properties in the domain profile.
12004 Usage: set domainprofile (parameter) (value) Parameters: state - Configure the firewall state. Usage: state on|off|notconfigured firewallpolicy - Configures default inbound and outbound behavior. Usage: firewallpolicy (inbound behavior),(outbound behavior) Inbound behavior: blockinbound - Block inbound connections that do not match an inbound rule. blockinboundalways - Block all inbound connections even if the connection matches a rule. allowinbound - Allow inbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. Outbound behavior: allowoutbound - Allow outbound connections that do not match a rule. blockoutbound - Block outbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. settings - Configures firewall settings. Usage: settings (parameter) enable|disable|notconfigured Parameters: localfirewallrules - Merge local firewall rules with Group Policy rules. Valid when configuring a Group Policy store. localconsecrules - Merge local connection security rules with Group Policy rules. Valid when configuring a Group Policy store. inboundusernotification - Notify user when a program listens for inbound connections. remotemanagement - Allow remote management of Windows Firewall. unicastresponsetomulticast - Control stateful unicast response to multicast. logging - Configures logging settings. Usage: logging (parameter) (value) Parameters: allowedconnections - Log allowed connections. Values: enable|disable|notconfigured droppedconnections - Log dropped connections. Values: enable|disable|notconfigured filename - Name and location of the firewall log. Values: <string>|notconfigured maxfilesize - Maximum log file size in kilobytes. Values: 1 - 32767|notconfigured Remarks: - Configures domain profile settings. - The "notconfigured" value is valid only for a Group Policy store. 
Examples: Turn the firewall off when the domain profile is active: netsh advfirewall set domainprofile state off Set the default behavior to block inbound and allow outbound connections when the domain profile is active: netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound Turn on remote management when the domain profile is active: netsh advfirewall set domainprofile settings remotemanagement enable Log dropped connections when the domain profile is active: netsh advfirewall set domainprofile logging droppedconnections enable
12005 Sets properties in the private profile.
12006 Usage: set privateprofile (parameter) (value) Parameters: state - Configure the firewall state. Usage: state on|off|notconfigured firewallpolicy - Configures default inbound and outbound behavior. Usage: firewallpolicy (inbound behavior),(outbound behavior) Inbound behavior: blockinbound - Block inbound connections that do not match an inbound rule. blockinboundalways - Block all inbound connections even if the connection matches a rule. allowinbound - Allow inbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. Outbound behavior: allowoutbound - Allow outbound connections that do not match a rule. blockoutbound - Block outbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. settings - Configures firewall settings. Usage: settings (parameter) enable|disable|notconfigured Parameters: localfirewallrules - Merge local firewall rules with Group Policy rules. Valid when configuring a Group Policy store. localconsecrules - Merge local connection security rules with Group Policy rules. Valid when configuring a Group Policy store. inboundusernotification - Notify user when a program listens for inbound connections. remotemanagement - Allow remote management of Windows Firewall. unicastresponsetomulticast - Control stateful unicast response to multicast. logging - Configures logging settings. Usage: logging (parameter) (value) Parameters: allowedconnections - Log allowed connections. Values: enable|disable|notconfigured droppedconnections - Log dropped connections. Values: enable|disable|notconfigured filename - Name and location of the firewall log. Values: <string>|notconfigured maxfilesize - Maximum log file size in kilobytes. Values: 1 - 32767|notconfigured Remarks: - Configures private profile settings. - The "notconfigured" value is valid only for a Group Policy store. 
Examples: Turn the firewall off when the private profile is active: netsh advfirewall set privateprofile state off Set the default behavior to block inbound and allow outbound connections when the private profile is active: netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound Turn on remote management when the private profile is active: netsh advfirewall set privateprofile settings remotemanagement enable Log dropped connections when the private profile is active: netsh advfirewall set privateprofile logging droppedconnections enable
12007 Sets properties in the active profile.
12008 Usage: set currentprofile (parameter) (value) Parameters: state - Configure the firewall state. Usage: state on|off|notconfigured firewallpolicy - Configures default inbound and outbound behavior. Usage: firewallpolicy (inbound behavior),(outbound behavior) Inbound behavior: blockinbound - Block inbound connections that do not match an inbound rule. blockinboundalways - Block all inbound connections even if the connection matches a rule. allowinbound - Allow inbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. Outbound behavior: allowoutbound - Allow outbound connections that do not match a rule. blockoutbound - Block outbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. settings - Configures firewall settings. Usage: settings (parameter) enable|disable|notconfigured Parameters: localfirewallrules - Merge local firewall rules with Group Policy rules. Valid when configuring a Group Policy store. localconsecrules - Merge local connection security rules with Group Policy rules. Valid when configuring a Group Policy store. inboundusernotification - Notify user when a program listens for inbound connections. remotemanagement - Allow remote management of Windows Firewall. unicastresponsetomulticast - Control stateful unicast response to multicast. logging - Configures logging settings. Usage: logging (parameter) (value) Parameters: allowedconnections - Log allowed connections. Values: enable|disable|notconfigured droppedconnections - Log dropped connections. Values: enable|disable|notconfigured filename - Name and location of the firewall log. Values: <string>|notconfigured maxfilesize - Maximum log file size in kilobytes. Values: 1 - 32767|notconfigured Remarks: - Configures profile settings for the currently active profile. - The "notconfigured" value is valid only for a Group Policy store. 
Examples: Turn the firewall off on the currently active profile: netsh advfirewall set currentprofile state off Set the default behavior to block inbound and allow outbound connections on the currently active profile: netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound Turn on remote management on the currently active profile: netsh advfirewall set currentprofile settings remotemanagement enable Log dropped connections on the currently active profile: netsh advfirewall set currentprofile logging droppedconnections enable
12009 Sets properties in all profiles.
12010 Usage: set allprofiles (parameter) (value) Parameters: state - Configure the firewall state. Usage: state on|off|notconfigured firewallpolicy - Configures default inbound and outbound behavior. Usage: firewallpolicy (inbound behavior),(outbound behavior) Inbound behavior: blockinbound - Block inbound connections that do not match an inbound rule. blockinboundalways - Block all inbound connections even if the connection matches a rule. allowinbound - Allow inbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. Outbound behavior: allowoutbound - Allow outbound connections that do not match a rule. blockoutbound - Block outbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. settings - Configures firewall settings. Usage: settings (parameter) enable|disable|notconfigured Parameters: localfirewallrules - Merge local firewall rules with Group Policy rules. Valid when configuring a Group Policy store. localconsecrules - Merge local connection security rules with Group Policy rules. Valid when configuring a Group Policy store. inboundusernotification - Notify user when a program listens for inbound connections. remotemanagement - Allow remote management of Windows Firewall. unicastresponsetomulticast - Control stateful unicast response to multicast. logging - Configures logging settings. Usage: logging (parameter) (value) Parameters: allowedconnections - Log allowed connections. Values: enable|disable|notconfigured droppedconnections - Log dropped connections. Values: enable|disable|notconfigured filename - Name and location of the firewall log. Values: <string>|notconfigured maxfilesize - Maximum log file size in kilobytes. Values: 1 - 32767|notconfigured Remarks: - Configures profile settings for all profiles. - The "notconfigured" value is valid only for a Group Policy store. 
Examples: Turn the firewall off for all profiles: netsh advfirewall set allprofiles state off Set the default behavior to block inbound and allow outbound connections on all profiles: netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound Turn on remote management on all profiles: netsh advfirewall set allprofiles settings remotemanagement enable Log dropped connections on all profiles: netsh advfirewall set allprofiles logging droppedconnections enable
12011 Sets the global properties.
12012 Usage: set global statefulftp|statefulpptp enable|disable|notconfigured set global ipsec (parameter) (value) set global mainmode (parameter) (value) | notconfigured IPsec Parameters: strongcrlcheck - Configures how CRL checking is enforced. 0: Disable CRL checking (default) 1: Fail if cert is revoked 2: Fail on any error notconfigured: Returns the value to its not configured state. saidletimemin - Configures the security association idle time in minutes. - Usage: 5-60|notconfigured (default=5) defaultexemptions - Configures the default IPsec exemptions. Default is to exempt IPv6 neighbordiscovery protocol and DHCP from IPsec. - Usage: none|neighbordiscovery|icmp|dhcp|notconfigured ipsecthroughnat - Configures when security associations can be established with a computer behind a network address translator. - Usage: never|serverbehindnat| serverandclientbehindnat| notconfigured(default=never) authzcomputergrp - Configures the computers that are authorized to establish tunnel mode connections. - Usage: none|<SDDL string>|notconfigured authzusergrp - Configures the users that are authorized to establish tunnel mode connections. - Usage: none|<SDDL string>|notconfigured Main Mode Parameters: mmkeylifetime - Sets main mode key lifetime in minutes or sessions, or both. - Usage: <num>min,<num>sess minlifetime: <1> min, maxlifetime: <2880> min minsessions: <0> sessions, maxsessions: <2,147,483,647> sessions mmsecmethods - configures the main mode list of proposals - Usage: keyexch:enc-integrity,keyexch:enc-integrity[,...]|default - keyexch=dhgroup1|dhgroup2|dhgroup14|dhgroup24| ecdhp256|ecdhp384 - enc=3des|des|aes128|aes192|aes256 - integrity=md5|sha1|sha256|sha384 mmforcedh - configures the option to use DH to secure key exchange. - Usage: yes|no (default=no) Remarks: - Configures global settings, including advanced IPsec options. - The use of DES, MD5 and DHGroup1 is not recommended. These cryptographic algorithms are provided for backward compatibility only. 
- The mmsecmethods keyword default sets the policy to: dhgroup2-aes128-sha1,dhgroup2-3des-sha1 Examples: Disable CRL checking: netsh advfirewall set global ipsec strongcrlcheck 0 Turn on the Firewall support for stateful FTP: netsh advfirewall set global statefulftp enable Set global main mode proposals to the default value: netsh advfirewall set global mainmode mmsecmethods default Set global main mode proposals to a customer list: netsh advfirewall set global mainmode mmsecmethods dhgroup1:des-md5,dhgroup1:3des-sha1
12013 Sets the policy store for the current interactive session.
12014 Usage: set store local|gpo=<computer name>|gpo=<domain\GPO name>| gpo=<domain\GPO unique ID> Remarks: - Sets the policy store to a Group Policy object (GPO) identified by a computer name, domain and GPO name or GPO unique identifier, or the local policy store. - The default value is local. - You must stay in the same interactive session, otherwise the store setting is lost. - When specifying a domain name, you must enter a fully qualified domain name (FQDN). Examples: Set the policy store to the GPO on computer1: netsh advfirewall set store gpo=computer1 Set the policy store to the GPO called laptops in the office domain: netsh advfirewall set store gpo=office.acme.com\laptops Set the policy store to the GPO with unique identifier {842082DD-7501-40D9-9103-FE3A31AFDC9B} in the office domain: netsh advfirewall set store gpo=office.acme.com\{842082DD-7501-40D9-9103-FE3A31AFDC9B}
12015 Displays profile or global properties.
12016 Displays properties for the domain properties.
12017 Usage: show domainprofile [parameter] Parameters: state - Displays whether Windows Firewall with Advanced Security is on or off. firewallpolicy - Displays default inbound and outbound firewall behavior. settings - Displays firewall properties. logging - Displays logging settings. Remarks: - Displays the properties for the domain profile. If a parameter is not specified, all properties are displayed. Examples: Display the domain profile firewall state: netsh advfirewall show domainprofile state
12018 Displays properties for the private profile.
12019 Usage: show privateprofile [parameter] Parameters: state - Displays whether Windows Firewall with Advanced Security is on or off. firewallpolicy - Displays default inbound and outbound firewall behavior. settings - Displays firewall properties. logging - Displays logging settings. Remarks: - Displays the properties for the private profile. If a parameter is not specified, all properties are displayed. Examples: Display the private profile firewall state: netsh advfirewall show privateprofile state
12020 Displays properties for the active profile.
12021 Usage: show currentprofile [parameter] Parameters: state - Displays whether Windows Firewall with Advanced Security is on or off. firewallpolicy - Displays default inbound and outbound firewall behavior. settings - Displays firewall properties. logging - Displays logging settings. Remarks: - Displays the properties for the active profile. If a parameter is not specified, all properties are displayed. Examples: Display the active profile firewall state: netsh advfirewall show currentprofile state
12022 Displays properties for all profiles.
12023 Usage: show allprofiles [parameter] Parameters: state - Displays whether Windows Firewall with Advanced Security is on or off. firewallpolicy - Displays default inbound and outbound firewall behavior. settings - Displays firewall properties. logging - Displays logging settings. Remarks: - Displays the properties for all profiles. If a parameter is not specified, all properties are displayed. Examples: Display the firewall state for all propfiles: netsh advfirewall show allprofiles state
12024 Displays the global properties.
12025 Usage: show global [property] Parameters: ipsec - Shows IPsec specific settings. statefulftp - Shows stateful ftp support. statefulpptp - Shows stateful pptp support. This value is Ignored in Windows 7 and is available only to manage downlevel Windows Firewall with Advanced Security systems. mainmode - Shows Main Mode settings. categories - Shows Firewall Categories. Remarks: - Displays the global property settings. If a parameter is not specified, all properties are displayed. Examples: Display IPsec settings: netsh advfirewall show global ipsec Display main mode settings: netsh advfirewall show global mainmode
12026 Displays the policy store for the current interactive session.
12027 Usage: show store Remarks: - This command displays the current policy store. Example: netsh advfirewall show store
12028 Imports a policy file into the current policy store.
12029 Usage: import <path\filename> Remarks: - Imports policy from the specified file. Example: netsh advfirewall import "c:\newpolicy.wfw"
12030 Exports the current policy to a file.
12031 Usage: export <path\filename> Remarks: - Exports the current policy to the specified file. Example: netsh advfirewall export "c:\advfirewallpolicy.wfw"
12032 Adds a new connection security rule.
12034 Sets new values for properties of an existing rule.
12036 Deletes all matching connection security rules.
12037 Usage: delete rule name=<string> [type=dynamic|static] [profile=public|private|domain|any[,...] (default=any)] [endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [port1=0-65535|<port range>[,...]|any (default=any)] [port2=0-65535|<port range>[,...]|any (default=any)] [protocol=0-255|tcp|udp|icmpv4|icmpv6|any] Remarks: - Deletes a rule identified by name and optionally by profiles, endpoints, ports, protocol, and type. - If multiple matches are found, all matching rules are deleted. Examples: Delete a rule called "rule1" from all profiles: netsh advfirewall consec delete rule name="rule1" Delete all dynamic rules from all profiles: netsh advfirewall consec delete rule name=all type=dynamic
12038 Displays a specified connection security rule.
12039 Usage: show rule name=<string> [profile=public|private|domain|any[,...]] [type=dynamic|static (default=static)] [verbose] Remarks: - Displays all instances of the rule identified by name, and optionally profiles and type. Examples: Display all rules: netsh advfirewall consec show rule name=all Display all dynamic rules: netsh advfirewall consec show rule name=all type=dynamic
12040 Adds a new inbound or outbound firewall rule.
12041 Usage: add rule name=<string> dir=in|out action=allow|block|bypass [program=<program path>] [service=<service short name>|any] [description=<string>] [enable=yes|no (default=yes)] [profile=public|private|domain|any[,...]] [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)] [remoteport=0-65535|<port range>[,...]|any (default=any)] [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code| tcp|udp|any (default=any)] [interfacetype=wireless|lan|ras|any] [rmtcomputergrp=<SDDL string>] [rmtusrgrp=<SDDL string>] [edge=yes|deferapp|deferuser|no (default=no)] [security=authenticate|authenc|authdynenc|authnoencap|notrequired (default=notrequired)] Remarks: - Add a new inbound or outbound rule to the firewall policy. - Rule name should be unique and cannot be "all". - If a remote computer or user group is specified, security must be authenticate, authenc, authdynenc, or authnoencap. - Setting security to authdynenc allows systems to dynamically negotiate the use of encryption for traffic that matches a given Windows Firewall rule. Encryption is negotiated based on existing connection security rule properties. This option enables the ability of a machine to accept the first TCP or UDP packet of an inbound IPsec connection as long as it is secured, but not encrypted, using IPsec. Once the first packet is processed, the server will re-negotiate the connection and upgrade it so that all subsequent communications are fully encrypted. - If action=bypass, the remote computer group must be specified when dir=in. - If service=any, the rule applies only to services. - ICMP type or code can be "any". - Edge can only be specified for inbound rules. - AuthEnc and authnoencap cannot be used together. - Authdynenc is valid only when dir=in. 
- When authnoencap is set, the security=authenticate option becomes an optional parameter. Examples: Add an inbound rule with no encapsulation security for browser.exe: netsh advfirewall firewall add rule name="allow browser" dir=in program="c:\programfiles\browser\browser.exe" security=authnoencap action=allow Add an outbound rule for port 80: netsh advfirewall firewall add rule name="allow80" protocol=TCP dir=out localport=80 action=block Add an inbound rule requiring security and encryption for TCP port 80 traffic: netsh advfirewall firewall add rule name="Require Encryption for Inbound TCP/80" protocol=TCP dir=in localport=80 security=authdynenc action=allow Add an inbound rule for browser.exe and require security netsh advfirewall firewall add rule name="allow browser" dir=in program="c:\program files\browser\browser.exe" security=authenticate action=allow Add an authenticated firewall bypass rule for group acmedomain\scanners identified by a SDDL string: netsh advfirewall firewall add rule name="allow scanners" dir=in rmtcomputergrp=<SDDL string> action=bypass security=authenticate Add an outbound allow rule for local ports 5000-5010 for udp- Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
12042 Sets new values for properties of a existing rule.
12043 Usage: set rule group=<string> | name=<string> [dir=in|out] [profile=public|private|domain|any[,...]] [program=<program path>] [service=service short name|any] [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any] [remoteport=0-65535|<port range>[,...]|any] [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code| tcp|udp|any] new [name=<string>] [dir=in|out] [program=<program path> [service=<service short name>|any] [action=allow|block|bypass] [description=<string>] [enable=yes|no] [profile=public|private|domain|any[,...]] [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [localport=0-65535|RPC|RPC-EPMap|any[,...]] [remoteport=0-65535|any[,...]] [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code| tcp|udp|any] [interfacetype=wireless|lan|ras|any] [rmtcomputergrp=<SDDL string>] [rmtusrgrp=<SDDL string>] [edge=yes|deferapp|deferuser|no (default=no)] [security=authenticate|authenc|authdynenc|notrequired] Remarks: - Sets a new parameter value on an identified rule. The command fails if the rule does not exist. To create a rule, use the add command. - Values after the new keyword are updated in the rule. If there are no values, or keyword new is missing, no changes are made. - A group of rules can only be enabled or disabled. - If multiple rules match the criteria, all matching rules will be updated. - Rule name should be unique and cannot be "all". - If a remote computer or user group is specified, security must be authenticate, authenc or authdynenc. - Setting security to authdynenc allows systems to dynamically negotiate the use of encryption for traffic that matches a given Windows Firewall rule. 
Encryption is negotiated based on existing connection security rule properties. This option enables the ability of a machine to accept the first TCP or UDP packet of an inbound IPsec connection as long as it is secured, but not encrypted, using IPsec. Once the first packet is processed, the server will re-negotiate the connection and upgrade it so that all subsequent communications are fully encrypted. - Authdynenc is valid only when dir=in. - If action=bypass, the remote computer group must be specified when dir=in. - If service=any, the rule applies only to services. - ICMP type or code can be "any". - Edge can only be specified for inbound rules. Examples: Change the remote IP address on a rule called "allow80": netsh advfirewall firewall set rule name="allow80" new remoteip=192.168.0.2 Enable a group with grouping string "Remote Desktop": netsh advfirewall firewall set rule group="remote desktop" new enable=yes Change the localports on the rule "Allow port range" for udp- Set rule name="Allow port range" dir=out protocol=udp localport=5000-5020 action=allow
12044 Deletes all matching firewall rules.
12045 Usage: delete rule name=<string> [dir=in|out] [profile=public|private|domain|any[,...]] [program=<program path>] [service=<service short name>|any] [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|any] [remoteport=0-65535|<port range>[,...]|any] [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code| tcp|udp|any] Remarks: - Deletes a rule identified by name and optionally by endpoints, ports, protocol, and type. - If multiple matches are found, all matching rules are deleted. - If name=all is specified all rules are deleted from the specified type and profile. Examples: Delete all rules for local port 80: netsh advfirewall firewall delete rule name=all protocol=tcp localport=80 Delete a rule called "allow80": netsh advfirewall firewall delete rule name="allow80"
12046 Displays a specified firewall rule.
12047 Usage: show rule name=<string> [profile=public|private|domain|any[,...]] [type=static|dynamic] [verbose] Remarks: - Displays all matching rules as specified by name and optionally, profiles and type. If verbose is specified all matching rules are displayed. Examples: Display all dynamic inbound rules: netsh advfirewall firewall show rule name=all dir=in type=dynamic Display all the settings for all inbound rules called "allow browser": netsh advfirewall firewall show rule name="allow browser" verbose
12064 Deletes all matching security associations.
12065 Usage: delete mmsa|qmsa [(source destination)|all] Remarks: - This command deletes the matching security association as specified by (source destination) pair. - Source and destination are each a single IPv4 or IPv6 address. Examples: Delete all quick mode security associations: netsh advfirewall monitor delete qmsa all Delete all main mode security associations between the two specified addresses: netsh advfirewall monitor delete mmsa 192.168.03 192.168.0.6
12066 Shows the runtime Firewall policy settings.
12068 Sets properties in the public profile.
12069 Usage: set publicprofile (parameter) (value) Parameters: state - Configure the firewall state. Usage: state on|off|notconfigured firewallpolicy - Configures default inbound and outbound behavior. Usage: firewallpolicy (inbound behavior),(outbound behavior) Inbound behavior: blockinbound - Block inbound connections that do not match an inbound rule. blockinboundalways - Block all inbound connections even if the connection matches a rule. allowinbound - Allow inbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. Outbound behavior: allowoutbound - Allow outbound connections that do not match a rule. blockoutbound - Block outbound connections that do not match a rule. notconfigured - Return the value to its unconfigured state. settings - Configures firewall settings. Usage: settings (parameter) enable|disable|notconfigured Parameters: localfirewallrules - Merge local firewall rules with Group Policy rules. Valid when configuring a Group Policy store. localconsecrules - Merge local connection security rules with Group Policy rules. Valid when configuring a Group Policy store. inboundusernotification - Notify user when a program listens for inbound connections. remotemanagement - Allow remote management of Windows Firewall. unicastresponsetomulticast - Control stateful unicast response to multicast. logging - Configures logging settings. Usage: logging (parameter) (value) Parameters: allowedconnections - Log allowed connections. Values: enable|disable|notconfigured droppedconnections - Log dropped connections. Values: enable|disable|notconfigured filename - Name and location of the firewall log. Values: <string>|notconfigured maxfilesize - Maximum log file size in kilobytes. Values: 1 - 32767|notconfigured Remarks: - Configures public profile settings. - The "notconfigured" value is valid only for a Group Policy store. 
Examples: Turn the firewall off when the public profile is active: netsh advfirewall set publicprofile state off Set the default behavior to block inbound and allow outbound connections when the public profile is active: netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound Turn on remote management when the public profile is active: netsh advfirewall set publicprofile settings remotemanagement enable Log dropped connections when the public profile is active: netsh advfirewall set publicprofile logging droppedconnections enable
12070 Displays properties for the public profile.
12071 Usage: show publicprofile [parameter] Parameters: state - Displays whether Windows Firewall with Advanced Security is on or off. firewallpolicy - Displays default inbound and outbound firewall behavior. settings - Displays firewall properties. logging - Displays logging settings. Remarks: - Displays the properties for the public profile. If a parameter is not specified, all properties are displayed. Examples: Display the public profile firewall state: netsh advfirewall show publicprofile state
12072 Usage: add rule name=<string> endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list> endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list> action=requireinrequestout|requestinrequestout| requireinrequireout|requireinclearout|noauthentication [description=<string>] [mode=transport|tunnel (default=transport)] [enable=yes|no (default=yes)] [profile=public|private|domain|any[,...] (default=any)] [type=dynamic|static (default=static)] [localtunnelendpoint=any|<IPv4 address>|<IPv6 address>] [remotetunnelendpoint=any|<IPv4 address>|<IPv6 address>] [port1=0-65535|<port range>[,...]|any (default=any)] [port2=0-65535|<port range>[,...]|any (default=any)] [protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)] [interfacetype=wiresless|lan|ras|any (default=any)] [auth1=computerkerb|computercert|computercertecdsap256| computercertecdsap384|computerpsk|computerntlm|anonymous[,...]] [auth1psk=<string>] [auth1kerbproxyfqdn=<fully-qualified dns name>] [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] |..."] [auth1healthcert=yes|no (default=no)] [auth1ecdsap256ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap256healthcert=yes|no (default=no)] [auth1ecdsap384ca="<CA 
Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap384healthcert=yes|no (default=no)] [auth2=computercert|computercertecdsap256|computercertecdsap384| userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm| anonymous[,...]] [auth2kerbproxyfqdn=<fully-qualified dns name>] [auth2ca="<CA Name> [certmapping:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."]
12073 Remarks: - Rule name should be unique and cannot be "all". - When mode=tunnel,tunnel endpoints must be specified, except when the action is noauthentication. When specific IP addresses are entered, they must be the same IP version. In addition, When configuring dynamic tunnels: Tunnel endpoints can be set to any. Local tunnel endpoint need not be specified for Client policy (i.e any). Remote tunnel endpoints need not be specified for Gateway Policy (i.e any). Also, action must be requireinrequireout, requireinclearout, or noauthentication. - requireinclearout is not valid when mode=Transport. - At least one authentication must be specified. - Auth1 and auth2 can be comma-separated lists of options. - Computerpsk and computerntlm methods cannot be specified together for auth1. - Computercert cannot be specified with user credentials for auth2. - Certsigning options ecdsap256 and ecdsap384 are only supported on Windows Vista SP1 and later. - Qmsecmethods can be a list of proposals separated by a ",". - For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192| aesgmac256|aesgcm128|aesgcm192|aesgcm256 and encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256. - If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for both ESP integrity and encryption. - Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256, sha256 are only supported on Windows Vista SP1 and later. - Qmpfs=mainmode uses the main mode key exchange setting for PFS. - The use of DES, MD5 and DHGroup1 is not recommended. These cryptographic algorithms are provided for backward compatibility only. - The default value for certmapping and excludecaname is 'no'. - The " characters within CA name must be replaced with \' - For auth1ca and auth2ca, the CA name must be prefixed by 'CN='. - catype can be used to specify the Certification authority type - catype=root/intermediate - authnoencap is supported on Windows 7 and later. 
- authnoencap means that the computers will only use authentication, and will not use any per packet encapsulation or encryption algorithms to protect subsequent network packets exchanged as part of this connection. - QMPFS and authnoencap cannot be used together on the same rule. - AuthNoEncap must be accompanied by at least one AH or ESP integrity suite. - applyauthz can only be specified for tunnel mode rules. - exemptipsecprotectedconnections can only be specified for tunnel mode rules. By setting this flag to "Yes", ESP traffic will be exempted from the tunnel. AH only traffic will NOT be exempted from the tunnel. - Valuemin(when specified) for a qmsecmethod should be between 5-2880 minutes. Valuekb(when specified) for a qmsecmethod should be between 20480-2147483647 kilobytes. - Certhash specifies the thumbprint, or hash of the certificate. - Followrenewal specifies whether to automatically follow renewal links in certificates. Only applicable for certificate section (requires certhash). - Certeku specifies the comma separated list of EKU OIDs to match in the certificate. - Certname specifies the string to match for certificate name (requires certnametype). - Certnametype specifies the certificate field for the certname to be matched against (requires certname).
12074 Examples: Add a rule for domain isolation using defaults: netsh advfirewall consec add rule name="isolation" endpoint1=any endpoint2=any action=requireinrequestout Add a rule with custom quick mode proposals: netsh advfirewall consec add rule name="custom" endpoint1=any endpoint2=any qmsecmethods=ah:sha1+esp:sha1-aes256+60min+20480kb,ah:sha1 action=requireinrequestout Add a rule with custom quick mode proposals: netsh advfirewall consec add rule name="custom" endpoint1=any endpoint2=any qmsecmethods=authnoencap:sha1,ah:aesgmac256+esp:aesgmac256-none action=requireinrequestout Create a tunnel mode rule from subnet A (192.168.0.0, external ip=1.1.1.1) to subnet B (192.157.0.0, external ip=2.2.2.2): netsh advfirewall consec add rule name="my tunnel" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 remotetunnelendpoint=2.2.2.2 localtunnelendpoint=1.1.1.1 action=requireinrequireout Create a dynamic tunnel mode rule from subnet A (192.168.0.0/16) to subnet B (192.157.0.0, remoteGW=2.2.2.2) Client Policy: netsh advfirewall consec add rule name="dynamic tunnel" mode=tunnel endpoint1=any endpoint2=192.157.0.0/16 remotetunnelendpoint=2.2.2.2 action=requireinrequireout Gateway Policy (Applied only to the Gateway device): netsh advfirewall consec add rule name="dynamic tunnel" mode=tunnel endpoint1=192.157.0.0/16 endpoint2=any localtunnelendpoint=2.2.2.2 action=requireinrequireout Add a rule with CA name: netsh advfirewall consec add rule name="cert rule" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="C=US, O=MSFT, CN=\'Microsoft North, South, East, and West Root Authority\'" Add a rule, with multiple authentication methods, using a variety of cert criteria: netsh advfirewall consec add rule name="cert rule" endpoint1=any endpoint2=any action=requireinrequireout auth1=computercert auth1ca="CN=\'CN1\' certcriteriatype:Selection certname:MyGroup certnametype:SubjectOU certeku:1.2.3.4.5|CN=\'CN2\' certcriteriatype:Validation 
certeku:2.3.4.5.6,9.10.11.12|CN=\'CN3\' certhash:0123456789abcdef01234567890ABCDEF0123456"
12075 Usage: set rule group=<string> | name=<string> [type=dynamic|static] [profile=public|private|domain|any[,...] (default=any)] [endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [port1=0-65535|<port range>[,...]|any] [port2=0-65535|<port range>[,...]|any] [protocol=0-255|tcp|udp|icmpv4|icmpv6|any] new [name=<string>] [profile=public|private|domain|any[,...]] [description=<string>] [mode=transport|tunnel] [endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [action=requireinrequestout|requestinrequestout| requireinrequireout|requireinclearout|noauthentication] [enable=yes|no] [type=dynamic|static] [localtunnelendpoint=any|<IPv4 address>|<IPv6 address>] [remotetunnelendpoint=any|<IPv4 address>|<IPv6 address>] [port1=0-65535|<port range>[,...]|any] [port2=0-65535|<port range>[,...]|any] [protocol=0-255|tcp|udp|icmpv4|icmpv6|any] [interfacetype=wiresless|lan|ras|any] [auth1=computerkerb|computercert|computercertecdsap256| computercertecdsap384|computerpsk|computerntlm|anonymous[,...]] [auth1psk=<string>] [auth1kerbproxyfqdn=<fully-qualified dns name>] [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1healthcert=yes|no] [auth1ecdsap256ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no 
spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap256healthcert=yes|no (default=no)] [auth1ecdsap384ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."]
12076 Remarks: - Sets a new parameter value on an identified rule. The command fails if the rule does not exist. To create a rule, use the add command. - Values after the new keyword are updated in the rule. If there are no values, or keyword new is missing, no changes are made. - A group of rules can only be enabled or disabled. - If multiple rules match the criteria, all matching rules will be updated. - Rule name should be unique and cannot be "all". - Auth1 and auth2 can be comma-separated lists of options. - Computerpsk and computerntlm methods cannot be specified together for auth1. - Computercert cannot be specified with user credentials for auth2. - Certsigning options ecdsap256 and ecdsap384 are only supported on Windows Vista SP1 and later. - Qmsecmethods can be a list of proposals separated by a ",". - For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192| aesgmac256|aesgcm128|aesgcm192|aesgcm256 and encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256. - If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for both ESP integrity and encryption. - Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256, sha256 are only supported on Windows Vista SP1 and later. - If qmsemethods are set to default, qmpfs will be set to default as well. - Qmpfs=mainmode uses the main mode key exchange setting for PFS. - The use of DES, MD5 and DHGroup1 is not recommended. These cryptographic algorithms are provided for backward compatibility only. - The " characters within CA name must be replaced with \' - For auth1ca and auth2ca, the CA name must be prefixed by 'CN='. - catype can be used to specify the Certification authority type - catype=root/intermediate - authnoencap is supported on Windows 7 and later. 
- authnoencap means that the computers will only use authentication, and will not use any per packet encapsulation or encryption algorithms to protect subsequent network packets exchanged as part of this connection. - QMPFS and authnoencap cannot be used together on the same rule. - AuthNoEncap must be accompanied by at least one AH or ESP integrity suite. - When mode=tunnel action must be requireinrequireout, requireinclearout or noauthentication. - requireinclearout is not valid when mode=Transport. - applyauthz can only be specified for tunnel mode rules. - exemptipsecprotectedconnections can only be specified for tunnel mode rules. By setting this flag to "Yes", ESP traffic will be exempted from the tunnel. AH only traffic will NOT be exempted from the tunnel. - Port1, Port2 and Protocol can only be specified when mode=transport. - Valuemin(when specified) for a qmsecmethod should be between 5-2880 minutes. Valuekb(when specified) for a qmsecmethod should be between 20480-2147483647 kilobytes. - Certhash specifies the thumbprint, or hash of the certificate. - Followrenewal specifies whether to automatically follow renewal links in certificates. Only applicable for certificate section (requires certhash). - Certeku specifies the comma separated list of EKU OIDs to match in the certificate. - Certname specifies the string to match for certificate name (requires certnametype). - Certnametype specifies the certificate field for the certname to be matched against (requires certname).
12077 Examples: Rename rule1 to rule 2: netsh advfirewall consec set rule name="rule1" new name="rule2" Change the action on a rule: netsh advfirewall consec set rule name="rule1" endpoint1=1.2.3.4 endpoint2=4.3.2.1 new action=requestinrequestout Add a rule with custom quick mode proposals: netsh advfirewall consec set rule name="Custom QM" new endpoint1=any endpoint2=any qmsecmethods=authnoencap:aesgmac256,ah:aesgmac256+esp:aesgmac256-none
12078 Displays the main mode SAs
12079 Usage: show mmsa [(source destination)|all] Remarks: - This command shows the security association, or as filtered by (source destination) pair. - Source and destination are each a single IPv4 or IPv6 address. Examples: Show all main mode SAs: netsh advfirewall monitor show mmsa Show the main mode SAs between the two addresses: netsh advfirewall monitor show mmsa 192.168.0.3 192.168.0.4
12080 Displays the quick mode SAs.
12081 Usage: show qmsa [(source destination)|all] Remarks: - This command shows the security association, or as filtered by (source destination) pair. - Source and destination are each a single IPv4 or IPv6 address. Examples: Show all quick mode SAs: netsh advfirewall monitor show qmsa Show the quick mode SAs between the two addresses: netsh advfirewall monitor show qmsa 192.168.0.3 192.168.0.4
12082 Adds a new mainmode rule.
12084 Sets new values for properties of an existing rule.
12086 Deletes all matching mainmode rules.
12087 Usage: delete rule name=<string>|all [profile=any|current|public|private|domain[,...]] [type=dynamic|static (default=static)] Remarks: - Deletes an existing main mode setting that matches the name specified. Optionally, profile can be specified. Command fails if setting with the specified name does not exist. - If name=all is specified all rules are deleted from the specified type and profile. If profile is not specified, the delete applies to all profiles. Examples: Delete a main mode rule with name test: Netsh advfirewall mainmode delete rule name="test"
12088 Displays a specified mainmode rule.
12089 Usage: show rule name=<string>|all [profile=all|current|public|private|domain[,...]] [type=dynamic|static (default=static)] [verbose] Remarks: - Display existing main mode settings that match the name specified. Displays all matching rules as specified by name and optionally, profile can be specified. If "all" is specified in the name, all mainmode settings will be shown for the profiles specified. Examples: Display a main mode rule by name test: Netsh advfirewall mainmode show rule name="test"
12090 Displays current firewall state information.
12091 Usage: show firewall [rule name=<string> [dir=in|out] [profile=public|private|domain|active|any[,...]] ] [verbose] Remarks: - Displays the Windows Firewall properties for all available network profiles. - The profile= argument enables the administrator to filter the output to specific profiles on the system. - The Verbose argument adds support for displaying detailed security and advanced rule 'source name' information. Examples: Display the current Firewall state: netsh advfirewall monitor show firewall Display the current outbound firewall rule for public profie: netsh advfirewall monitor show firewall rule name=all dir=out profile=public
12092 Displays current consec state information.
12093 Usage: show consec [rule name=<string> [profile=public|private|domain|active|any[,...]] ] [verbose] Remarks: - Displays the Connection Security configuration for all available network profiles - The [profile=] command enables the administrator to filter the output to specific profiles on the system or to only return results from Active or Inactive profiles - The [rule] command allows the administrator to scope the rule output to certain rule names and status to scope the output - The Verbose command adds support for displaying detailed security and advanced rule 'source name' information Examples: Display the current connection security state: netsh advfirewall monitor show consec Display the current connection security information for public profie: netsh advfirewall monitor show consec rule name=all profile=public
12094 Displays the currently active profiles.
12095 Usage: show currentprofile Remarks: - This command shows the network connections associated with currently active profiles. Examples: Shows all networks associated with the currently active profiles: netsh advfirewall monitor show currentprofile
12096 Displays current mainmode state information.
12097 Usage: show mainmode [rule name=<string> [profile=public|private|domain|active|any[,...]] ] [verbose] Remarks: - Displays the Main mode Security configuration for all available network profiles - The [profile=] command enables the administrator to filter the output to specific profiles on the system or to only return results from Active or Inactive profiles - The [rule] command allows the administrator to scope the rule output to certain rule names and status to scope the output - The Verbose command adds support for displaying detailed security and advanced rule 'source name' information Examples: Display the current main mode information for public profie: netsh advfirewall monitor show mainmode rule name=all profile=public
12098 [auth2ecdsap256ca="<CA Name> [certmapping:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth2ecdsap384ca="<CA Name> [certmapping:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384| mainmode|none (default=none)] [qmsecmethods=authnoencap:<integrity>+[valuemin]+[valuekb]| ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb] |default] [exemptipsecprotectedconnections=yes|no (default=no)] [applyauthz=yes|no (default=no)]
12099 - Certcriteriatype specifies whether to take the action with the certificate when selecting the local certificate, validating the peer certificate, or both. - Within a computercert authentication mapping, multiple certificates can be referenced by separating each entry by using the '|' character.
12100 [auth1ecdsap384healthcert=yes|no (default=no)] [auth2=computercert|computercertecdsap256|computercertecdsap384| userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm| anonymous[,...]] [auth2kerbproxyfqdn=<fully-qualified dns name>] [auth2ca="<CA Name> [certmapping:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth2ecdsap256ca="<CA Name> [certmapping:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth2ecdsap384ca="<CA Name> [certmapping:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384| mainmode|none] [qmsecmethods=authnoencap:<integrity>+[valuemin]+[valuekb]| ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb] |default] [exemptipsecprotectedconnections=yes|no (default=no)] [applyauthz=yes|no (default=no)]
12101 - Certcriteriatype specifies whether to take the action with the certificate when selecting the local certificate, validating the peer certificate, or both.
12102 Remarks: - Add a new mainmode rule to the firewall policy. - Rule name should be unique and cannot be "all". - Computerpsk and computerntlm methods cannot be specified together for auth1. - The use of DES, MD5 and DHGroup1 is not recommended. These cryptographic algorithms are provided for backward compatibility only. - The minimum main mode keylifetime is mmkeylifetime=1min. The maximum main mode mmkeylifetime= 2880min. The minimum number of sessions= 0 sessions. The maximum = 2,147,483,647 sessions. - The mmsecmethods keyword default sets the policy to: dhgroup2-aes128-sha1,dhgroup2-3des-sha1 - Certhash specifies the thumbprint, or hash of the certificate. - Followrenewal specifies whether to automatically follow renewal links in certificates. Only applicable for certificate section (requires certhash). - Certeku specifies the comma separated list of EKU OIDs to match in the certificate. - Certname specifies the string to match for certificate name (requires certnametype). - Certnametype specifies the certificate field for the certname to be matched against (requires certname). - Certcriteriatype specifies whether to take the action with the certificate when selecting the local certificate, validating the peer certificate, or both. Examples: -Add a main mode rule Netsh advfirewall mainmode add rule name="test" description="Mainmode for RATH" Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384 auth1=computercert,computercertecdsap256 auth1ca="C=US, O=MSFT, CN=\'Microsoft North, South, East, and West Root Authority\'" auth1healthcert=no auth1ecdsap256ca="C=US, O=MSFT, CN=\'Microsoft North, South, East, and West Root Authority\'" auth1ecdsap256healthcert=yes mmkeylifetime=2min profile=domain
12103 Remarks: -Sets a new parameter value on an identified rule. The command fails if the rule does not exist. To create a rule, use the add command. -Values after the new keyword are updated in the rule. If there are no values, or keyword new is missing, no changes are made. -If multiple rules match the criteria, all matching rules will be updated. -Rule name should be unique and cannot be "all". -Auth1 can be comma-separated lists of options. Computerpsk and computerntlm methods cannot be specified together for auth1. -The use of DES, MD5 and DHGroup1 is not recommended. These cryptographic algorithms are provided for backward compatibility only. -The minimum main mode keylifetime is mmkeylifetime=1min. The maximum main mode mmkeylifetime= 2880min. The minimum number of sessions= 0 sessions. The maximum = 2,147,483,647 sessions. -The mmsecmethods keyword default sets the policy to: dhgroup2-aes128-sha1,dhgroup2-3des-sha1 -Certhash specifies the thumbprint, or hash of the certificate. -Followrenewal specifies whether to automatically follow renewal links in certificates. Only applicable for certificate section (requires certhash). -Certeku specifies the comma separated list of EKU OIDs to match in the certificate. -Certname specifies the string to match for certificate name (requires certnametype). -Certnametype specifies the certificate field for the certname to be matched against (requires certname). -Certcriteriatype specifies whether to take the action with the certificate when selecting the local certificate, validating the peer certificate, or both. Examples: Change the mmescmethods, description and keylifetime of a rule named test Netsh advfirewall mainmode set rule name="test" new description="Mainmode for RATH2" Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384 auth1=computerntlm mmkeylifetime=2min profile=domain
12104 Usage: add rule name=<string> mmsecmethods=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256| ecdhp384:3des|des|aes128|aes192|aes256-md5|sha1|sha256 |sha384[,...]|default [mmforcedh=yes|no (default=no)] [mmkeylifetime=<num>min,<num>sess] [description=<string>] [enable=yes|no (default=yes)] [profile=any|current|public|private|domain[,...]] [endpoint1=any|<IPv4 address>|<IPv6 address>|<subnet> |<range>|<list>] [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [auth1=computerkerb|computercert|computercertecdsap256| computercertecdsap384|computerpsk|computerntlm|anonymous[,...]] [auth1psk=<string>] [auth1kerbproxyfqdn=<fully-qualified dns name>] [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1healthcert=yes|no (default=no)] [auth1ecdsap256ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap256healthcert=yes|no (default=no)] [auth1ecdsap384ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] 
[certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap384healthcert=yes|no (default=no)] [type=dynamic|static (default=static)]
12105 Usage: set rule name=<String> [profile=public|private|domain|any[,...]] [type=dynamic|static (default=static)] new [name=<string>] [mmsecmethods= dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256| ecdhp384:3des|des|aes128|aes192|aes256-md5|sha1|sha256| sha384[,...]|default] [mmforcedh=yes|no (default=no)] [mmkeylifetime=<num>min,<num>sess] [description=<string>] [enable=yes|no] [profile=public|private|domain|any[,...]] [endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway| <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>] [auth1=computerkerb|computercert|computercertecdsap256| computercertecdsap384|computerpsk|computerntlm|anonymous[,...]] [auth1psk=<string>] [auth1kerbproxyfqdn=<fully-qualified dns name>] [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1healthcert=yes|no (default=no)] [auth1ecdsap256ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] [certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap256healthcert=yes|no (default=no)] [auth1ecdsap384ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] [catype:root|intermediate (default=root)] [certhash:<Hex hash string, with no spaces or leading 0x>] [followrenewal:yes|no (default=no)] [certeku:<EKU, EKU, ...>] 
[certname:<CertName>] [certnametype:<SubjectAltDNS| SubjectAltEmail|SubjectCN|SubjectOU|SubjectO|SubjectDC>] [certcriteriatype:<Selection|Validation|Both (default=both)>] | ..."] [auth1ecdsap384healthcert=yes|no (default=no)] [profile= any|current|domain|private|public[,...]]
13000 The store cannot be a Group Policy object when a remote machine is specified. Set the store to 'Local' or set the machine to be the local computer.
13001 An unrecoverable Windows Firewall error (0x%1!x!) occurred.
13002 An error occurred while attempting to retrieve a Windows Firewall setting.
13003 An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is running and try your request again.
13004 The string 'all' cannot be used as the name of a rule.
13005 An unrecoverable netsh advfirewall error (0x%1!x!) occurred.
13006 No rules match the specified criteria.
13007 The specified cryptographic set was not found.
13008 'CurrentProfile' cannot be used to configure a Group Policy Object (GPO) store. Use 'DomainProfile', 'PrivateProfile', 'PublicProfile', or 'AllProfiles' instead.
13009 This setting can only be changed when configuring a Group Policy object (GPO) store.
13010 This setting can only be changed when configuring a local store.
13011 Ports can only be specified if the protocol is TCP or UDP.
13012 The dynamic rule type cannot be used when configuring a Group Policy object (GPO) store.
13013 The auth1 parameter is required when specifying auth1 options.
13014 The auth2 parameter is required when specifying auth2 options.
13015 The specified authentication set was not found.
13016 The specified auth1 set is missing a required parameter.
13017 The specified auth2 set is missing a required parameter.
13018 Unable to export policy with error 0x%1!x!. Make sure that the file name is correct and the file is accessible. The firewall policy has not been reset.
13019 The monitor context cannot be used when configuring a Group Policy object (GPO) store.
13020 The specified endpoints do not have the same IP version. Specify two IPv4 or two IPv6 endpoints.
13021 No SAs match the specified criteria.
13022 Unable to export policy (error 0x%1!x!). Make sure that the file name is correct and the file is accessible.
13023 Unable to import policy (error 0x%1!x!). Make sure that the file name is correct, that the file is accessible, and that it is a valid Windows Firewall policy file.
13024 An error occurred while attempting to connect to the remote computer. Make sure that the Windows Firewall service on the remote computer is running and configured to allow remote management, and then try your request again.
13025 An error occurred while attempting to configure the specified Group Policy object (GPO) store. Make sure that the GPO is valid and accessible, and then try your request again.
13026 An unexpected error (0x%1!x!) occurred while performing validation.
13027 The number of arguments provided is not valid. Check help for the correct syntax.
13028 A specified IP address or address keyword is not valid.
13029 A specified port value is not valid.
13030 A specified protocol value is not valid.
13031 The specified auth1 value is not valid.
13032 The specified auth2 value is not valid.
13033 For 'set' commands, the 'new' keyword must be present and must not be the last argument provided.
13034 A specified value is not valid.
13035 The specified argument is not valid. The only valid argument for reset is 'export'.
13036 The specified store is not valid.
13037 A specified firewall policy setting is not valid.
13038 A numeric value was expected. The input is either non-numeric or not valid.
13039 The specified mmkeylifetime value is not valid.
13040 The specified strongcrlcheck value is not valid.
13041 The specified saidletimemin value is not valid.
13042 The specified statefulftp or statefulpptp value is not valid.
13043 The specified security value is not valid.
13044 Specify either a source and destination pair or the keyword 'all' to identify security associations (SAs).
13045 The specified mmsecmethods value is not valid.
13046 The specified qmsecmethods value is not valid.
13047 A protocol specified in qmsecmethods is not valid.
13048 The key lifetime value specified in qmsecmethods is not valid.
13049 If the first protocol specified for a proposal in qmsecmethods is ESP, then no other protocols are allowed in that proposal.
13050 When using both AH and ESP protocols in a qmsecmethods proposal, the same integrity value must be used for both protocols.
13051 The same protocol was specified more than once in a qmsecmethods proposal.
13052 The specified Group Policy object (GPO) store could not be opened because it does not exist. Create the GPO store, and then try your request again.
13053 Auth2 cannot be specified when auth1 contains computerpsk.
13054 The specified Group Policy object (GPO) ID is not valid.
13055 Unable to open the Group Policy object (GPO) on the specified computer. Make sure that the specified GPO is valid and accessible, and then try your request again.
13056 Unable to contact the specified domain. Make sure that the domain is valid and accessible, and then try your request again.
13057 Unable to open the specified Group Policy object (GPO). Make sure that the GPO is valid and accessible, and then try your request again.
13058 Multiple Group Policy objects (GPOs) with the specified name were found. Specify the GUID of the GPO that you want to configure.
13059 Localtunnelendpoint and remotetunnelendpoint must both be specified when the rule mode is tunnel.
13060 Localtunnelendpoint and remotetunnelendpoint cannot be specified when the rule mode is transport.
13061 Auth2 must be computercert when auth2healthcert is specified.
13062 The specified interface type is not valid.
13063 Unable to set log file path (error 0x%1!x!). Failed to set the security attributes on the file path.
13064 Log file size must be between 1 and 32767.
13065 In Common Criteria mode, the administrator cannot set anything else on the rule when setting qmsecmethods=None.
13066 Auth1, auth2, qmpfs, and qmsecmethods cannot be specified when the action is set to noauthentication.
13067 Computerntlm and computerpsk cannot be specifed in the same rule.
13068 One or more of the specified profiles is not valid. 'Any' cannot be specified if other profiles are specified.
13069 Group cannot be specified with other identification conditions.
13070 Only the enable parameter can be used to update rules specified by a group.
13071 Qmpfs cannot be specified when qmsecmethods is set to default.
13072 Notconfigured value can only be used when configuring a Group Policy object (GPO) store.
13073 Anonymous cannot be specified as the only proposal in auth2.
13074 Auth1 is required when auth2 is specified.
13075 'None' cannot be specified with other values for defaultexemptions.
13076 Auth1 cannot be updated to contain computerpsk when Auth2 is already specified.
13077 Auth1 cannot contain the same authentication method more than once.
13078 Auth2 cannot contain the same authentication method more than once.
13079 The specified option is not valid: %1!ls!.
13080 You must specify at least one integrity suite in addition to the AuthNoEncap option.
13081 If AuthNoEncap is specified as a protocol for a proposal in qmsecmethods, then no other protocols are allowed in that proposal.
13082 Group policy management tool is not available. Download the tool from - http://go.microsoft.com/fwlink/?LinkID=126644 and execute the command again.
13083 Group policy management feature is not enabled. Enable group policy management through server manager and execute the command again.
13084 Ports can only be specified if the protocol is TCP or UDP. Port ranges are only supported when action="noauthentication".
13085 The SDDL string is not valid.
13086 Per rule machineSDDL and userSDDL cannot be specified on tunnel rule.
 

COM Classes/Interfaces

This file contains no type library with COM class/interface information.

 

Exported Functions List

The following functions are exported by this DLL:
GetResourceString
InitHelperDll

 

Imported Functions List

The following functions are imported by this DLL: