2.2.38 FW_PROFILE_CONFIG

This enumeration identifies each of the per-profile configuration options supported by this protocol. Each configuration option has a merge law that is used to determine how to merge the values of these options across stores.

 typedef  enum _tag_FW_PROFILE_CONFIG
 {
   FW_PROFILE_CONFIG_INVALID = 0,
   FW_PROFILE_CONFIG_ENABLE_FW = 1,
   FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE = 2,
   FW_PROFILE_CONFIG_SHIELDED = 3,
   FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST = 4,
   FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS = 5,
   FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS = 6,
   FW_PROFILE_CONFIG_LOG_IGNORED_RULES = 7,
   FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE = 8,
   FW_PROFILE_CONFIG_LOG_FILE_PATH = 9,
   FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS = 10,
   FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE = 11,
   FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE = 12,
   FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE = 13,
   FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE = 14,
   FW_PROFILE_CONFIG_DISABLED_INTERFACES = 15,
   FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION = 16,
   FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION = 17,
   FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE_IPSEC_SECURED_PACKET_EXEMPTION = 18,
   FW_PROFILE_CONFIG_MAX = 19
 } FW_PROFILE_CONFIG;

FW_PROFILE_CONFIG_INVALID:  This value is invalid and MUST NOT be used. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 0.

FW_PROFILE_CONFIG_ENABLE_FW:  This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 1.

FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE:  This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific.<9> The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 2.

FW_PROFILE_CONFIG_SHIELDED:  This value is a DWORD used as an on/off switch. If this value is on and FW_PROFILE_CONFIG_ENABLE_FW is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. This symbolic constant has a value of 3.

FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST:  This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 4.

FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS:  This value is a DWORD used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. This symbolic constant has a value of 5.

FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS:  This value is a DWORD used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. This symbolic constant has a value of 6.

FW_PROFILE_CONFIG_LOG_IGNORED_RULES:  This value is a DWORD used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. This symbolic constant has a value of 7.<10>

FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE:  This value is a DWORD and specifies the size, in kilobytes, of the log where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 8.

FW_PROFILE_CONFIG_LOG_FILE_PATH:  This configuration value is a string that represents a file path to the log for when the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 9.

FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS:  This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port.<11>  If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 10.

FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE:  This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 11.

The authorized application firewall rules consist of the FW_RULE objects where all of the following are true:

wszLocalApplication is not NULL

wszLocalService == NULL

(wIpProtocol == 6) || (wIpProtocol == 17)

LocalPorts.Ports.dwNumEntries == 0

LocalPorts.wPortKeywords == FW_PORT_KEYWORD_NONE

Note that for the wIpProtocol condition, the numbers 6 and 17 are the assigned Internet protocol numbers for TCP and UDP respectively (for more information, see [IANA-PROTO-NUM]).

FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE:  This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 12.

The global port firewall rules consist of the FW_RULE objects where all of the following are true:

wszLocalApplication == NULL

wszLocalService == NULL

(wIpProtocol == 6) || (wIpProtocol == 17)

LocalPorts.Ports.dwNumEntries == 1

LocalPorts.wPortKeywords == FW_PORT_KEYWORD_NONE

Note that for the wIpProtocol condition, the numbers 6 and 17 are the assigned Internet protocol numbers for TCP and UDP respectively (for more information, see [IANA-PROTO-NUM]).

FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE:  This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. This symbolic constant has a value of 13.
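The following added example (not part of the protocol specification) classifies a rule with the two definitions above and decides whether a local-store firewall rule is enforced under options 11, 12, and 13. The rule_view and merge_switches types are hypothetical simplifications, the value 0 for FW_PORT_KEYWORD_NONE is assumed because it is defined outside this section, and combining the three switches in one check is a reading of the text above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

#define FW_PORT_KEYWORD_NONE 0x0000 /* assumed value; defined outside this section */

/* Hypothetical, simplified view of the FW_RULE fields the two definitions test. */
typedef struct {
    const wchar_t *wszLocalApplication;
    const wchar_t *wszLocalService;
    uint16_t wIpProtocol;
    uint32_t dwNumLocalPortEntries;  /* stands in for LocalPorts.Ports.dwNumEntries */
    uint16_t wLocalPortKeywords;     /* stands in for LocalPorts.wPortKeywords */
} rule_view;

typedef enum { RULE_OTHER, RULE_AUTH_APP, RULE_GLOBAL_PORT } rule_class;

rule_class classify_rule(const rule_view *r) {
    bool tcp_or_udp = (r->wIpProtocol == 6) || (r->wIpProtocol == 17);
    /* Conditions shared by both definitions. */
    if (!tcp_or_udp || r->wszLocalService != NULL ||
        r->wLocalPortKeywords != FW_PORT_KEYWORD_NONE)
        return RULE_OTHER;
    if (r->wszLocalApplication != NULL && r->dwNumLocalPortEntries == 0)
        return RULE_AUTH_APP;
    if (r->wszLocalApplication == NULL && r->dwNumLocalPortEntries == 1)
        return RULE_GLOBAL_PORT;
    return RULE_OTHER;  /* e.g. an application rule that also names a port */
}

/* Effective (already merged) values of the three local-store merge switches. */
typedef struct { bool local_policy, auth_apps, global_ports; } merge_switches;

/* Is a firewall rule that was read from the local store enforced? */
bool local_rule_enforced(const rule_view *r, merge_switches m) {
    if (!m.local_policy) return false;             /* option 13 off: all ignored */
    switch (classify_rule(r)) {
    case RULE_AUTH_APP:    return m.auth_apps;     /* option 11 */
    case RULE_GLOBAL_PORT: return m.global_ports;  /* option 12 */
    default:               return true;            /* governed by option 13 only */
    }
}
```

A local rule that names both an application and a port falls into neither class, so only FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE can suppress it.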

FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE:  This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This symbolic constant has a value of 14.

FW_PROFILE_CONFIG_DISABLED_INTERFACES:  This value is an FW_INTERFACE_LUIDS structure that represents the network adapters where the firewall (only the firewall rules and actions) is off. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 15.

FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION:  This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 16.

FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION:  This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. This symbolic constant has a value of 17.

FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE_IPSEC_SECURED_PACKET_EXEMPTION:  This value is a DWORD used as an on/off switch. This option is ignored if FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. This symbolic constant has a value of 18.

FW_PROFILE_CONFIG_MAX:  This value and values that exceed this value are not valid and MUST NOT be used. It is defined for simplicity in writing IDL definitions and code. This symbolic constant has a value of 19.
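The three merge laws described in this section can be applied to DWORD options as in the following added example, which is not part of the protocol specification. The CFG_* names, the store_value type, and the function names are hypothetical; returning false when no store supplies a value is an assumption, since defaults are not defined in this section.

```c
#include <stdbool.h>
#include <stdint.h>

/* Option numbers copied from the FW_PROFILE_CONFIG enumeration (short names are hypothetical). */
enum { CFG_ENABLE_FW = 1, CFG_SHIELDED = 3, CFG_LOG_DROPPED = 5,
       CFG_LOG_SUCCESS = 6, CFG_LOG_IGNORED = 7, CFG_LOCAL_POLICY_MERGE = 13,
       CFG_LOCAL_IPSEC_MERGE = 14, CFG_STEALTH_IPSEC_EXEMPT = 18, CFG_MAX = 19 };

typedef enum { LAW_INVALID, LAW_GP_IF_CONFIGURED, LAW_ON_WINS, LAW_ALWAYS_GP } merge_law;

/* Hypothetical helper type: one store's view of a DWORD option. */
typedef struct { bool configured; uint32_t value; } store_value;

/* 0 and values >= 19 are never valid; 18 is invalid for three schema versions. */
bool option_valid(uint32_t opt, uint16_t schema) {
    if (opt == 0 || opt >= CFG_MAX) return false;
    if (opt == CFG_STEALTH_IPSEC_EXEMPT &&
        (schema == 0x0200 || schema == 0x0201 || schema == 0x020A)) return false;
    return true;
}

merge_law law_for(uint32_t opt) {
    switch (opt) {
    case CFG_SHIELDED: case CFG_LOG_DROPPED:
    case CFG_LOG_SUCCESS: case CFG_LOG_IGNORED:              return LAW_ON_WINS;
    case CFG_LOCAL_POLICY_MERGE: case CFG_LOCAL_IPSEC_MERGE: return LAW_ALWAYS_GP;
    default: return (opt > 0 && opt < CFG_MAX) ? LAW_GP_IF_CONFIGURED : LAW_INVALID;
    }
}

/* Merge a DWORD option across the GroupPolicyRSoPStore (gp) and the local store.
   Returns false when the law yields no value from either store. */
bool merge_dword(uint32_t opt, store_value gp, store_value local, uint32_t *out) {
    switch (law_for(opt)) {
    case LAW_ON_WINS:           /* "on" in either store wins; otherwise off */
        *out = (gp.configured && gp.value) || (local.configured && local.value);
        return true;
    case LAW_GP_IF_CONFIGURED:
        if (gp.configured)    { *out = gp.value;    return true; }
        if (local.configured) { *out = local.value; return true; }
        return false;
    case LAW_ALWAYS_GP:         /* the local store is never consulted */
        if (gp.configured)    { *out = gp.value;    return true; }
        return false;
    default:
        return false;
    }
}
```

With Group Policy set to off and the local store set to on, FW_PROFILE_CONFIG_ENABLE_FW merges to off while FW_PROFILE_CONFIG_SHIELDED merges to on, which is the practical difference between the first two laws.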