Windows Firewall is a built-in mechanism for controlling network traffic and ports. It can be managed in several ways: the GUI, PowerShell and the classic command line. This article looks in detail at managing Windows Firewall from the command line with a popular tool named netsh. Netsh ships with every Windows version, including Windows 7, Windows 8 and Windows 10 and Windows Server 2008, 2012 and 2016.
The built-in help for the netsh command can be printed with
$ netsh /?
As we can see from the output, netsh provides a lot of network management contexts such as wlan, bridge, dhcp, ras and advfirewall, the context used for the firewall below.
Netsh can be used directly from the command line by passing the whole command as arguments, for example netsh advfirewall show allprofiles. There is also an interactive shell in which the same commands are entered without the leading netsh word. The interactive shell is started by typing netsh on its own, after which the prompt changes to netsh>. Contexts (sub-shells) such as advfirewall are entered by typing the context name at that prompt, and the prompt then shows the context, for example netsh advfirewall>. The examples below are written as they are typed in the interactive shell; from a normal command prompt, prefix each of them with netsh.
As we know, Windows comes with built-in network profiles, and different firewall settings are applied depending on which profile is active. When a new network connection is established Windows asks what type of network it is connected to, and we select one of the following profiles.
- Domain Profile
- Private Profile
- Public Profile
List All Network Profiles
All existing network profiles and their settings can be listed with the advfirewall show allprofiles command like below.
$ advfirewall show allprofiles
As we can see from the command output, the following information is provided for each network profile.
- State: whether the firewall is ON or OFF for this profile
- Firewall Policy: the default inbound and outbound action (for example BlockInbound,AllowOutbound), i.e. what happens to a connection that matches no rule
- LocalFirewallRules: whether locally defined firewall rules are applied, or ignored because Group Policy overrides them
- LocalConSecRules: the same for locally defined connection security (IPsec) rules
- InboundUserNotification: whether the user is notified on the desktop when a program is blocked from accepting inbound connections
- RemoteManagement: whether remote management of the firewall is allowed
- Logging: the section describing the log settings
- LogAllowedConnections: whether allowed connections are written to the log
- LogDroppedConnections: whether dropped connections are written to the log
- FileName: the path and name of the firewall log file
- MaxFileSize: the maximum size of the log file in kilobytes
The Domain profile is applied to domain-joined Windows systems while they can reach their domain controller.
The Private profile is designed for trusted networks that are not controlled by a domain controller, such as a home or a friend's network.
The Public profile is designed for untrusted networks where real security threats exist, such as libraries, cafes and airports, and is therefore the most restrictive.
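The profile listing above is plain text, which is awkward to check across many hosts by eye. The following PowerShell script is an added example, not code from the original article: it parses the text that advfirewall show allprofiles prints into objects and flags the settings a hardening review would question (firewall off, default inbound not Block, dropped connections not logged). The sample output embedded in $sampleOutput is constructed to mirror the en-US netsh layout; pass -Live to parse the output of the real command instead.

```powershell
# Added example, not part of the original article: parse
# "netsh advfirewall show allprofiles" output and flag weak settings.
# $sampleOutput is CONSTRUCTED to mirror the en-US output layout.

function ConvertFrom-NetshProfiles {
    param([string[]]$Lines)
    $profiles = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            # Hashtables are reference types, so later key assignments
            # land in the entry already stored in $profiles.
            $current = [ordered]@{ Profile = $Matches[1] }
            $profiles += $current
            continue
        }
        # Key and value are separated by two or more spaces; "Firewall Policy"
        # is the only key that itself contains a space, so it is collapsed.
        if ($null -ne $current -and $line -match '^([A-Za-z ]+?)\s{2,}(\S.*)$') {
            $current[($Matches[1] -replace ' ', '')] = $Matches[2].Trim()
        }
    }
    foreach ($p in $profiles) { [pscustomobject]$p }
}

function Test-FirewallProfile {
    param([pscustomobject]$ProfileSettings)
    $findings = @()
    if ($ProfileSettings.State -ne 'ON') {
        $findings += 'firewall is OFF'
    }
    if ($ProfileSettings.FirewallPolicy -notlike 'BlockInbound*') {
        $findings += "default inbound action is not Block ($($ProfileSettings.FirewallPolicy))"
    }
    if ($ProfileSettings.LogDroppedConnections -ne 'Enable') {
        $findings += 'dropped connections are not logged'
    }
    if ($ProfileSettings.Profile -eq 'Public' -and $ProfileSettings.RemoteManagement -eq 'Enable') {
        $findings += 'remote firewall management enabled on the Public profile'
    }
    [pscustomobject]@{
        Profile  = $ProfileSettings.Profile
        Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

function Get-FirewallProfileAudit {
    param([string[]]$Lines, [switch]$Live)
    if ($Live) { $Lines = netsh advfirewall show allprofiles }
    ConvertFrom-NetshProfiles -Lines $Lines | ForEach-Object { Test-FirewallProfile -ProfileSettings $_ }
}

# Constructed sample: Domain is healthy, Private does not log drops, Public is off.
$sampleOutput = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Enable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
RemoteManagement                      Disable

Logging:
LogDroppedConnections                 Disable

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
RemoteManagement                      Enable

Logging:
LogDroppedConnections                 Disable
Ok.
'@ -split "`r?`n"

Get-FirewallProfileAudit -Lines $sampleOutput | Format-Table -AutoSize
# On a real host ("show" does not need an elevated prompt):
# Get-FirewallProfileAudit -Live | Format-Table -AutoSize
```

The parser keys on the "Profile Settings:" header and on the two-space gap between column names and values, so it works for both show allprofiles and show currentprofile; on a non-English Windows the header text differs and the first regular expression has to be adjusted.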
Turn Off Firewall
Windows Firewall is enabled by default, and with its default inbound policy a third-party application that listens on a new port is blocked until a rule is added for it. Another scenario is an already installed endpoint security product that brings its own firewall, so the built-in one is not needed. In such cases the firewall can simply be turned off; the following command disables it for the currently active network profile only. Note that turning the firewall off removes all host-based filtering for that profile, so adding a rule for the port in question (shown later) is usually the better choice, and a third-party firewall that registers with Windows Security Center normally turns the built-in firewall off by itself.
$ advfirewall set currentprofile state off
Turn On Firewall
As stated in the previous step, the Windows firewall is enabled by default, but in some situations we need to enable and start it again. This enables the firewall for the currently active network profile.
$ advfirewall set currentprofile state on
Turn On Firewall For All Network Profiles
The previous steps turned the firewall on and off for the current profile only. We can also turn it on for all existing profiles with the following command, which enables the Domain, Private and Public profiles at once.
$ advfirewall set allprofiles state on
List Current Firewall Configuration
We previously listed the configuration of all profiles. We can also list only the configuration of the currently active profile.
$ advfirewall show currentprofile
Now we can start the real firewall management operations. One of the most used features is opening a firewall port. With advfirewall firewall add rule we specify the direction, the action, the Layer 4 protocol (TCP or UDP), the port number and a rule name used as identifier. In this example we allow inbound TCP port 443 and name the rule MyHttps. (The older netsh firewall add portopening form is deprecated and does not exist under the advfirewall context.)
$ advfirewall firewall add rule name=MyHttps dir=in action=allow protocol=tcp localport=443
We may need to close a port again to harden the system. The delete rule command removes an existing rule; in this example we remove the rule for TCP port 443 by its name, MyHttps. If the protocol and port qualifiers are omitted, every rule with that name is deleted.
$ advfirewall firewall delete rule name=MyHttps protocol=tcp localport=443
Drop ICMP or Ping Packets
One of the most used techniques for troubleshooting network connectivity is ping, which sends ICMP echo requests. We generally ping a remote system to decide whether the network is working and the remote system is up. A host that answers ping from anywhere also tells an attacker that it is alive, so in hardened environments inbound echo requests are often dropped. This is a trade-off: it does not hide the host from scans of its open TCP or UDP ports, and it makes legitimate troubleshooting harder.
We can drop inbound ICMPv4 echo requests (type 8) with the following rule; other ICMP types stay allowed. The deprecated netsh firewall set icmpsetting command offered the same with type=all mode=disable.
$ advfirewall firewall add rule name=BlockICMPv4EchoIn dir=in action=block protocol=icmpv4:8,any
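The port and ICMP rules above are typed one at a time. The following PowerShell script is an added example, not code from the original article, that drives the same advfirewall firewall subcommands from PowerShell for the two previous sections: it adds and removes rules idempotently (checking with show rule first, so a script can be re-run without stacking duplicate rules), restricts an opened port to a management network instead of opening it to every remote address, and adds the echo-request block rule. The rule names, the 10.0.0.0/24 subnet and the ports are assumptions for illustration; adding or deleting rules requires an elevated prompt.

```powershell
# Added example, not part of the original article: idempotent rule management
# with "netsh advfirewall firewall". Rule names, subnet and ports are ASSUMPTIONS.

function Test-FirewallRule {
    param([Parameter(Mandatory)][string]$Name)
    # "show rule" exits non-zero (and prints "No rules match the specified
    # criteria.") when no rule carries the given name.
    $null = netsh advfirewall firewall show rule "name=$Name"
    return ($LASTEXITCODE -eq 0)
}

function Add-InboundAllowRule {
    param(
        # No spaces in names: PowerShell would wrap the whole key=value argument
        # in quotes, which netsh does not parse the way you expect.
        [Parameter(Mandatory)][ValidatePattern('^\S+$')][string]$Name,
        [Parameter(Mandatory)][ValidateSet('tcp', 'udp')][string]$Protocol,
        [Parameter(Mandatory)][int]$Port,
        # any, localsubnet, a single address, a subnet such as 10.0.0.0/24, or a list
        [string]$RemoteIp = 'any',
        [ValidateSet('domain', 'private', 'public', 'any')][string]$Profile = 'any'
    )
    if (Test-FirewallRule -Name $Name) {
        Write-Warning "rule '$Name' already exists; leaving it unchanged"
        return $false
    }
    # Each key=value pair is quoted so that commas in $RemoteIp are not split
    # into separate arguments by PowerShell.
    netsh advfirewall firewall add rule "name=$Name" dir=in action=allow `
        "protocol=$Protocol" "localport=$Port" "remoteip=$RemoteIp" "profile=$Profile"
    return ($LASTEXITCODE -eq 0)
}

function Remove-FirewallRule {
    param([Parameter(Mandatory)][ValidatePattern('^\S+$')][string]$Name)
    if (-not (Test-FirewallRule -Name $Name)) { return $false }
    # Without dir/protocol/port qualifiers every rule with this name is deleted.
    netsh advfirewall firewall delete rule "name=$Name"
    return ($LASTEXITCODE -eq 0)
}

function Block-InboundPing {
    # Drops inbound ICMPv4 echo requests (type 8) only; other ICMP types such as
    # "fragmentation needed" stay allowed so path MTU discovery keeps working.
    $name = 'Block-ICMPv4-EchoRequest-In'
    if (Test-FirewallRule -Name $name) { return $true }
    netsh advfirewall firewall add rule "name=$name" dir=in action=block "protocol=icmpv4:8,any"
    return ($LASTEXITCODE -eq 0)
}

# Usage (elevated prompt): allow HTTPS only from the assumed management subnet
# on the Domain profile, inspect the result, drop pings, then clean up.
Add-InboundAllowRule -Name 'Mgmt-HTTPS-In' -Protocol tcp -Port 443 -RemoteIp '10.0.0.0/24' -Profile domain
netsh advfirewall firewall show rule "name=Mgmt-HTTPS-In"
Block-InboundPing
Remove-FirewallRule -Name 'Mgmt-HTTPS-In'
```

Scoping remoteip to the management network is the main difference from the bare add rule command in the text: the port is still open, but only for the addresses that need it, and a rule created with profile=domain is inert when the machine is on a public network.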
Logging records structured information about the decisions the Windows firewall makes: timestamp, action (ALLOW or DROP), protocol, source and destination IP addresses and ports. These logs are the raw material for security mechanisms such as log collection and a SIEM. Logging is configured per profile with the set <profile> logging subcommands: the log file path, the maximum file size and whether dropped and/or allowed connections are written. The following commands enable logging of dropped connections for the current profile. (The deprecated netsh firewall set logging command took the same three values positionally.)
$ advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
$ advfirewall set currentprofile logging maxfilesize 4096
$ advfirewall set currentprofile logging droppedconnections enable
In this example we set the log file path, the maximum size of the log file in kilobytes (4096 KB is the default; the allowed range is 1 to 32767) and enable logging of dropped connections. When the file reaches the maximum size it is renamed to pfirewall.log.old and a new file is started, so only one previous generation is kept locally; ship the file to a central collector if you need longer retention.
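Once dropped connections are logged, the file can be parsed locally before or instead of shipping it to a SIEM. The following PowerShell script is an added example, not code from the original article: it parses the W3C-style header and records that pfirewall.log uses and summarizes inbound DROP events per source address, flagging sources that were refused on many distinct ports, a simple port-scan indicator. The log lines embedded in $sampleLog are constructed (TEST-NET and private addresses) and the $ScanThreshold value is an assumption; reading the live log requires an elevated prompt.

```powershell
# Added example, not part of the original article: summarize DROP events
# from pfirewall.log. $sampleLog is CONSTRUCTED; $ScanThreshold is an assumption.

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header directive names the columns of every following record.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other directives, blank lines and anything before the header.
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$record
    }
}

function Get-FirewallDropSummary {
    param([string[]]$Lines, [int]$ScanThreshold = 5)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip' |
        ForEach-Object {
            # ICMP records carry "-" as port, which is not a probed port.
            $ports = @($_.Group | ForEach-Object { $_.'dst-port' } |
                       Where-Object { $_ -ne '-' } | Sort-Object -Unique)
            [pscustomobject]@{
                SourceIp      = $_.Name
                Drops         = $_.Count
                DistinctPorts = $ports.Count
                Ports         = ($ports -join ',')
                PossibleScan  = ($ports.Count -ge $ScanThreshold)
            }
        } | Sort-Object -Property Drops -Descending
}

# Constructed sample: one host probes five ports, another sends SNMP and a ping.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:00:01 DROP TCP 203.0.113.7 10.0.0.5 51234 22 52 S 1234567 0 8192 - - - RECEIVE
2024-03-01 10:00:01 DROP TCP 203.0.113.7 10.0.0.5 51235 23 52 S 1234568 0 8192 - - - RECEIVE
2024-03-01 10:00:02 DROP TCP 203.0.113.7 10.0.0.5 51236 80 52 S 1234569 0 8192 - - - RECEIVE
2024-03-01 10:00:02 DROP TCP 203.0.113.7 10.0.0.5 51237 445 52 S 1234570 0 8192 - - - RECEIVE
2024-03-01 10:00:03 DROP TCP 203.0.113.7 10.0.0.5 51238 3389 52 S 1234571 0 8192 - - - RECEIVE
2024-03-01 10:00:05 DROP UDP 198.51.100.9 10.0.0.5 40000 161 78 - - - - - - - RECEIVE
2024-03-01 10:00:06 DROP ICMP 198.51.100.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 10:00:10 ALLOW TCP 10.0.0.9 10.0.0.5 50000 443 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sampleLog -ScanThreshold 5 | Format-Table -AutoSize
# Live log (elevated prompt):
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

With the constructed input, 203.0.113.7 is reported with five drops on five distinct ports and PossibleScan set, while 198.51.100.9 has two drops but only one distinct port. Because the parser takes its column names from the #Fields directive rather than hard-coding positions, it keeps working if a future Windows version reorders or adds columns.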