On a Windows Vista-based computer, the netsh firewall command together with the profile=all parameter does not configure the public profile. For example, the following command opens local port 80 to TCP traffic for the domain profile and for the private profile, but it does not open the port for the public profile:
The Windows Firewall Control Panel program only displays settings for the currently active profile. Therefore, if you run this command, and you then open the Windows Firewall Control Panel program when the public profile is active, you receive the following exception:
"Web Port" was not created for the public profile.
Note: This is expected behavior.
If you open the Windows Firewall Control Panel program when the domain profile or the private profile is active, you will receive the following exception:
"Web Port" was created.
The netsh firewall command-line tool is used to configure Windows Firewall on a local computer. This command provides the functionality that was supported by Windows Firewall in versions of Windows that are earlier than Windows Vista. The netsh firewall context will continue to function on Windows Vista. However, this command cannot fully configure many new features, such as the public profile.
The new netsh context is the netsh advfirewall command-line tool. This command fully supports the domain profile, the private profile, and the public profile. To work around this issue, use the netsh advfirewall context instead of the netsh firewall context.
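The workaround as a script, for an elevated command prompt. This is an added example, not part of the original article. The rule name "Web Port" and TCP port 80 come from the article; the variable name and the checks around the command are illustrative.

```bat
@echo off
rem Added example: create the "Web Port" exception with netsh advfirewall
rem so that the public profile is covered as well as domain and private.
rem Requires an elevated command prompt on Windows Vista or later.

set "RULE=Web Port"

rem Do not stack duplicates: netsh advfirewall allows several rules with the
rem same name, so check for an existing one first.
netsh advfirewall firewall show rule name="%RULE%" >nul 2>&1
if not errorlevel 1 (
    echo A rule named "%RULE%" already exists. Review it before adding another.
    goto :report
)

rem profile= takes an explicit list here. Leave "public" out of the list if
rem the port should not be reachable on public networks.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow protocol=TCP localport=80 profile=domain,private,public
if errorlevel 1 (
    echo Failed to add the rule. Check that this prompt is elevated.
    exit /b 1
)

:report
rem Show which profile is active now, then the rule with its profile list.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name="%RULE%" verbose
```

The verbose output lists the profiles that the rule applies to, so the result can be confirmed without depending on which profile the Control Panel program happens to display.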
Profiles in versions earlier than Windows Vista
In versions of Windows that are earlier than Windows Vista, Windows Firewall supported the following two profiles:
The domain profile: This profile applies when all interfaces on the computer are connected to the domain of which it is a member.
The standard profile: This profile applies the rest of the time.
When you run the netsh firewall command together with the profile=all parameter, the command applies to both the domain profile and to the standard profile. For example, the following command opens local port 80 to TCP traffic for both the domain profile and the standard profile:
In Windows Vista, profile support has been extended to include the following three profiles:
The domain profile: The domain profile applies when all interfaces are connected to domain locations. A network is automatically considered as a domain network location type when the network is authenticated to the domain of which it is a member.
The private profile: The private profile applies when at least one interface is connected to a private network location, and any additional interfaces are connected to either private or domain locations. A local administrator can classify a non-domain network as private. The private network location type is intended for use in the home or in the small office when it is connected behind an edge device such as a router.
The public profile: The public profile applies when an interface is connected to a public network location. Any network is considered a public network when the network is not connected to the domain, and a local administrator has not specified the network as private. The public network location is intended for use in locations such as airports or coffee shops.
When you use netsh firewall to configure the local firewall policy, and you specify the standard profile, a new private profile is configured. When you use the netsh firewall command-line tool together with the profile=all parameter to configure the firewall policy, the netsh firewall command maps only the two profiles that were available in versions of Windows that are earlier than Windows Vista, the domain profile and the standard profile. (However, notice that the private profile replaces the standard profile in this case.) Therefore, the public profile is not configured when you use the netsh firewall command together with profile=all.
When you specify the profile=current parameter, the exception for the public profile is created if the current profile is the public profile. This is not the case when you specify the profile=all parameter. This behavior is intended to maintain application compatibility. For example, when the public profile is the active profile at the time that the command is run, the following command opens local port 80 to TCP traffic for the public profile: