This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article describes how to use the netsh advfirewall firewall context instead of the netsh firewall context to control Windows Firewall behavior.
Original KB number: 947709
The netsh advfirewall firewall command-line context is available in Windows Server 2012 R2. This context provides the functionality for controlling Windows Firewall behavior that was provided by the netsh firewall firewall context.
This context also provides functionality for more precise control of firewall rules. These rules include the following per-profile settings:
The netsh firewall command-line context might be deprecated in a future version of the Windows operating system. We recommend that you use the netsh advfirewall firewall context to control firewall behavior.
Important
If you are a member of the Administrators group, and User Account Control is enabled on your computer, run the commands from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.
Some examples of frequently used commands are provided in the following tables. You can use these examples to help you migrate from the older netsh firewall context to the new netsh advfirewall firewall context.
Additionally, the netsh advfirewall commands that you can use to obtain detailed inline help are provided.
| Old command | New command |
|---|---|
netsh firewall add allowedprogram C:\MyApp\MyApp.exe "My Application" ENABLE |
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes |
netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=Domain |
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program= "C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain |
netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=ALL |
Run the following commands:netsh advfirewall firewall add rule name="My Application" dir=in action=allow program= "C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domainnetsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private |
For more information about how to add firewall rules, run the following command:
netsh advfirewall firewall add rule ?
| Old command | New command |
|---|---|
netsh firewall add portopening TCP 80 "Open Port 80" |
netsh advfirewall firewall add rule name= "Open Port 80" dir=in action=allow protocol=TCP localport=80 |
For more information about how to add firewall rules, run the following command:
netsh advfirewall firewall add rule ?
| Old command | New command |
|---|---|
netsh firewall delete allowedprogram C:\MyApp\MyApp.exe |
netsh advfirewall firewall delete rule name= rule name program="C:\MyApp\MyApp.exe" |
delete portopening protocol=UDP port=500 |
netsh advfirewall firewall delete rule name= rule name protocol=udp localport=500 |
For more information about how to delete firewall rules, run the following command:
netsh advfirewall firewall delete rule ?
| Old command | New command |
|---|---|
netsh firewall set icmpsetting 8 |
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow |
netsh firewall set icmpsetting type=ALL mode=enable |
netsh advfirewall firewall add rule name= "All ICMP V4" protocol=icmpv4:any,any dir=in action=allow |
netsh firewall set icmpsetting 13 disable all |
netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block |
For more information about how to configure ICMP settings, run the following command:
netsh advfirewall firewall add rule ?
| Old command | New command |
|---|---|
netsh firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE ENABLE |
Run the following commands:netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.lognetsh advfirewall set currentprofile logging maxfilesize 4096netsh advfirewall set currentprofile logging droppedconnections enablenetsh advfirewall set currentprofile logging allowedconnections enable |
For more information, run the following command:
netsh advfirewall set currentprofile ?
If you want to set logging for a particular profile, use one of the following options instead of the currentprofile option:
DomainprofilePrivateprofilePublicprofile| Old command | New command |
|---|---|
netsh firewall set opmode ENABLE |
netsh advfirewall set currentprofile state on |
netsh firewall set opmode mode=ENABLE exceptions=enable |
Run the following commands:Netsh advfirewall set currentprofile state onnetsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound |
netsh firewall set opmode mode=enable exceptions=disable profile=domain |
Run the following commands:Netsh advfirewall set domainprofile state onnetsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound |
netsh firewall set opmode mode=enable profile=ALL |
Run the following commands:netsh advfirewall set domainprofile state onnetsh advfirewall set privateprofile state on |
For more information, run the following command:
netsh advfirewall set currentprofile ?
If you want to set the firewall state for a particular profile, use one of the following options instead of the currentprofile option:
DomainprofilePrivateprofilePublicprofile| Old command | New command |
|---|---|
netsh firewall reset |
netsh advfirewall reset |
For more information, run the following command:
netsh advfirewall reset ?
| Old command | New command |
|---|---|
netsh firewall set service FileAndPrint |
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes |
netsh firewall set service RemoteDesktop enable |
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes |
netsh firewall set service RemoteDesktop enable profile=ALL |
Run the following commands:netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domainnetsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private |
Training
Module
Manage network service settings for Windows devices using PowerShell cmdlets - Training
This module covers the PowerShell modules and cmdlets that are used to configure network settings for Windows devices.
Certification
Microsoft Certified: Windows Server Hybrid Administrator Associate - Certifications
As a Windows Server hybrid administrator, you integrate Windows Server environments with Azure services and manage Windows Server in on-premises networks.