Windows Firewall Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Windows Firewall Tools
Windows Firewall Group Policy Settings
Windows Firewall Automated Installation Tools and Settings
Windows Firewall Scripting Reference
Netsh Commands for Windows Firewall
Windows Firewall Log File and Security Log Settings
Windows Firewall Tools
The following tools are associated with Windows Firewall.
Firewall.cpl: Windows Firewall Control Panel Tool
Category
Control Panel tool included in the operating system.
Version compatibility
Available on Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1).
You can use Windows Firewall in Control Panel to configure Windows Firewall settings on a local computer. This includes enabling and disabling Windows Firewall, specifying the type of information that is written to the Windows Firewall log file, and configuring the way Windows Firewall handles network traffic to and from specific programs, services, and ports.
Gpedit.msc: Group Policy Object Editor
Category
Microsoft Management Console (MMC) snap-in included in the operating system.
Version compatibility
Available on Windows 2000, Windows XP, and Windows Server 2003.
You can use the Group Policy Object Editor to configure Windows Firewall Group Policy settings. Windows Firewall Group Policy settings are configured on a per-computer basis and are stored in Administrative Templates (.adm files). You can configure Windows Firewall Group Policy settings on a local Group Policy object (GPO) or an Active Directory GPO. Group Policy settings that are configured on a local GPO are applied to the local computer only. Group Policy settings that are configured on an Active Directory GPO can be linked to an Active Directory container, such as a domain, organizational unit, or site.
Gpmc.msc: Group Policy Management Console
Category
MMC snap-in included in the operating system.
Version compatibility
Available on Windows XP with SP2 and Windows Server 2003 with SP1. Also available for download for Windows XP with SP1 and Windows Server 2003.
You can use the Group Policy Management Console (GPMC) to manage GPOs that contain Group Policy settings for Windows Firewall. This includes managing GPOs for multiple domains and sites within one or more forests. This snap-in uses a simplified user interface (UI) with drag-and-drop support. It can be used to perform many other administrative tasks, such as backup, restore, import, copy, and reporting of GPOs.
Netsh.exe: Netsh
Category
Command-line tool included in the operating system.
Version compatibility
Runs on Windows XP and the Windows Server 2003 family.
You can use the Netsh Firewall context to monitor and configure Windows Firewall settings. Several new commands have been added to the Netsh Firewall context for Windows Server 2003 with SP1. The new commands correspond to new Windows Firewall configuration settings.
You can also use Netsh to apply Windows Firewall settings that are stored in a Netfw.inf file. For more information, see “Windows Firewall Netfw.inf Settings” later in this section.
Windows Firewall Group Policy Settings
If your organization uses Group Policy, use the Windows Firewall Group Policy settings to configure Windows Firewall. The Group Policy Object Editor (Gpedit.msc) provides access to the Windows Firewall settings. The settings are stored within the Group Policy Object Editor at Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall.
The following table lists the Windows Firewall Group Policy settings:
Setting | Description |
---|---|
Windows Firewall: Allow authenticated IPSec bypass | Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport. |
Windows Firewall: Protect all network connections | Turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows Server 2003 with SP1. |
Windows Firewall: Do not allow exceptions | Specifies that Windows Firewall blocks all unsolicited incoming messages. This Group Policy setting overrides all other Windows Firewall settings that allow such messages. |
Windows Firewall: Define program exceptions | Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. |
Windows Firewall: Allow local program exceptions | Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. |
Windows Firewall: Allow remote administration exception | Allows remote administration of this computer using administrative tools such as MMC and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034. |
Windows Firewall: Allow file and printer sharing exception | Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. |
Windows Firewall: Allow ICMP exceptions | Defines the set of Internet Control Message Protocol (ICMP) message types allowed by Windows Firewall. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you do not enable the “Allow inbound echo request” message type, Windows Firewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages sent by Ping running on this computer. |
Windows Firewall: Allow Remote Desktop exception | Allows this computer to receive Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389. |
Windows Firewall: Allow UPnP framework exception | Allows this computer to receive unsolicited UPnP messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900. |
Windows Firewall: Prohibit notifications | Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list. |
Windows Firewall: Allow logging | Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. |
Windows Firewall: Prohibit unicast response to multicast or broadcast requests | Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. |
Windows Firewall: Define port exceptions | Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. |
Windows Firewall: Allow local port exceptions | Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. |
Windows Firewall Automated Installation Tools and Settings
There are two automated installation technologies that you can use to deploy or configure Windows Firewall. One technology uses an information file known as Netfw.inf to automate the configuration of Windows Firewall settings. The other technology uses an unattended installation answer file to automate the configuration of Windows Firewall settings.
Windows Firewall Netfw.inf Settings
You can use the Windows Firewall information file (Netfw.inf) to deploy Windows Firewall in a corporate environment; however, this automated installation technology is typically used by OEMs to configure new computers in a manufacturing environment.
The Netfw.inf file configures Windows Firewall by modifying registry settings. To configure a Netfw.inf file, you must use standard .inf file structure and syntax.
The Netfw.inf file is found in the following location: %windir%\Inf\Netfw.inf.
Note
When you restore Windows Firewall default settings, the settings that are specified in Netfw.inf are reapplied to your computer and all existing settings are deleted.
The following is an example of a Netfw.inf file:
[version]
Signature = "$Windows NT$"
DriverVer = MM/DD/YYYY,1.2.3456.7890
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile
[ICF.AddReg.DomainProfile]
[ICF.AddReg.StandardProfile]
Note
The first two sections contain version and configuration information and do not need to be modified. The sections that require modification are [ICF.AddReg.DomainProfile] and [ICF.AddReg.StandardProfile].
[ICF.AddReg.DomainProfile]
This section is used for defining changes to Windows Firewall’s default configuration when a computer is connected to a network that contains its domain.
[ICF.AddReg.StandardProfile]
This section is used for defining changes to Windows Firewall’s default configuration when a computer is not connected to a network that contains its domain. If a computer is not a member of a domain, then Windows Firewall will always enforce the configuration stored in the standard profile.
Configuration Options
The following settings can be defined in the Windows Firewall Netfw.inf file:
Operational mode
Disable notifications
Block unicast responses to multicast and broadcast packets
Enable remote administration
Allow ICMP messages
Open ports
Allow programs
Note
All of the settings defined in the Windows Firewall Netfw.inf file will be applied to all of the computer’s network interfaces; you cannot use the Netfw.inf file to open ports or allow ICMP messages for individual interfaces. In addition, you cannot use the Netfw.inf file to define logging settings.
Operational Mode
Windows Firewall can be placed in one of the three operational modes by adding the following entries to the Netfw.inf file:
Mode | Section | Entry |
---|---|---|
On | [ICF.AddReg.DomainProfile] | |
On | [ICF.AddReg.StandardProfile] | |
Off | [ICF.AddReg.DomainProfile] | |
Off | [ICF.AddReg.StandardProfile] | |
Off with no exceptions | [ICF.AddReg.DomainProfile] | |
Off with no exceptions | [ICF.AddReg.StandardProfile] | |
Disable Notifications
Add the following entries to the Windows Firewall Netfw.inf file to disable notifications:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
Block Unicast Responses to Multicast and Broadcast Packets
Add the following entries to the Windows Firewall Netfw.inf file to disable unicast responses to multicast and broadcast packets:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
Enable Remote Administration
Add the following entries to the Windows Firewall Netfw.inf file to enable remote administration:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
Add the following entries to the Windows Firewall Netfw.inf file to define the default scope for remote administration:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
Scope Definition
You can define the set of IP addresses from which unsolicited incoming traffic is allowed when you enable remote administration, open a port, or allow a program. This set of IP addresses from which unsolicited incoming traffic is allowed is referred to as the scope of the exception. There are three options when defining the scope for a Windows Firewall exception:
All IP Addresses – This is the default scope for a Windows Firewall exception and it allows unsolicited incoming traffic that matches the exception from any computer. In the Windows Firewall Netfw.inf file, making an entry’s scope element an asterisk ("*") will result in a scope of all IP addresses for the entry.
Local Subnet Only – This scope allows unsolicited incoming traffic that matches the exception from any computer on the same subnet as the network connection on which the traffic was received through Windows Firewall, while dropping unsolicited incoming traffic from all other computers. When a computer’s subnet changes, the set of allowed IP addresses dynamically changes to match the new subnet. In the Windows Firewall Netfw.inf file, making an entry’s scope element LocalSubnet will result in a local subnet only scope for the entry.
Custom – This scope is a list of IPv4 addresses and address ranges that typically correspond to subnets. Unsolicited incoming traffic that matches the exception and originates from a computer with an IPv4 address in the defined list is allowed through Windows Firewall. Unsolicited incoming traffic from computers with IPv4 addresses that are not in the list is dropped. A custom scope can include the local subnet (using the LocalSubnet string), IPv4 addresses, and IPv4 address ranges, but cannot include IPv6 addresses or IPv6 address ranges. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length (w.x.y.z/n). When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24).
Note
Do not use spaces between the entries in the list of sources or the entire list will be ignored and Windows Firewall will use the default scope of any source IPv4 address.
Allow ICMP Messages
Add the following entries to the Windows Firewall Netfw.inf file to allow certain ICMP messages:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
The following table lists the permitted values for certain ICMP message types:
ICMP Message Type | Number | Description |
---|---|---|
AllowOutboundPacketTooBig | 2 | When an IPv6 packet is too large to be forwarded, data will be dropped and a computer will reply to the sender with a “Packet Too Big” message. |
AllowOutboundDestinationUnreachable | 3 | Data that fails to reach this computer due to an error will be discarded and reported with a “Destination Unreachable” message that explains the failure. |
AllowOutboundSourceQuench | 4 | When the rate of a transmission exceeds a computer’s ability to process incoming data, data will be dropped and the sender will be asked to transmit more slowly. |
AllowRedirect | 5 | Data sent from a computer will be rerouted. |
AllowInboundEchoRequest | 8 | Messages sent to a computer will be repeated back to the sender. This is commonly used for troubleshooting (for example, to ping a computer). |
AllowInboundRouterRequest | 10 | A computer will respond to router discovery messages. |
AllowOutboundTimeExceeded | 11 | When a computer discards a packet because its hop count was exceeded or it ran out of time to assemble fragments of a packet, it will reply to the sender with a “Time Exceeded” message. |
AllowOutboundParameterProblem | 12 | When a computer discards data it has received due to a problematic header, it will reply to the sender with a “Parameter Problem” error message. |
AllowInboundTimestampRequest | 13 | Data sent to a computer can be responded to with a confirmation message indicating the time that the data was received. |
AllowInboundMaskRequest | 17 | A computer will listen for and respond to requests for a network subnet mask. |
Open Ports
Add the following entries to the Windows Firewall Netfw.inf file to add static ports to the exceptions list:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
In the two preceding entries, the following elements must be defined:
Port Number – A port is specified by the combination of a protocol and a port number. The port number must be between 1 and 65535, inclusively.
Protocol – A protocol is specified by the combination of a protocol and a port number. The protocol must be either TCP or UDP.
Scope – See “Scope Definition” earlier in this section.
Mode – The two permitted values for this element are enabled and disabled. If a port’s entry is enabled, the port is statically opened in Windows Firewall. If a port’s entry is disabled, the port is not statically opened in Windows Firewall.
Port’s Friendly Name – This is the description that will be used to represent the entry in Windows Firewall in Control Panel. It should provide an indication of why the port is statically opened, such as “Web Server (TCP 80)” or “Telnet Server (TCP 23).”
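The scope options under “Scope Definition” and the port elements listed above can be checked before a Netfw.inf file is deployed. The Python linter below is an added example, not part of the original documentation; the function names, the comma as the list separator, and the sample entries are assumptions or constructed values.

```python
"""Lint Windows Firewall port-exception elements before deployment."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    kind: str  # "all", "local-subnet", "custom" or "invalid"
    networks: list = field(default_factory=list)
    local_subnet: bool = False
    problems: list = field(default_factory=list)


def parse_scope(text):
    """Classify a scope element using the three documented options."""
    if text == "*":
        return Scope("all")
    if any(ch.isspace() for ch in text):
        # Documented behaviour: a space makes the firewall ignore the whole
        # list and fall back to the default scope of any source IPv4 address.
        return Scope("all", problems=[
            "scope contains a space: list is ignored, any source is allowed"])
    if text == "LocalSubnet":
        return Scope("local-subnet", local_subnet=True)
    scope = Scope("custom")
    for item in text.split(","):  # assumption: entries are comma-separated
        if item == "LocalSubnet":
            scope.local_subnet = True
        elif ":" in item:
            scope.problems.append(
                f"{item!r}: IPv6 is not allowed in a custom scope")
        else:
            try:
                # strict=False accepts an address inside the range, so
                # 10.47.81.231/24 and 10.47.81.0/255.255.255.0 both
                # normalise to 10.47.81.0/24.
                scope.networks.append(
                    ipaddress.IPv4Network(item, strict=False))
            except ValueError:
                scope.problems.append(
                    f"{item!r}: not an IPv4 address or range")
    if scope.problems:
        scope.kind = "invalid"
    return scope


def check_port_exception(port, protocol, scope, mode, name):
    """Return a list of findings for one port exception's elements."""
    findings = []
    if not 1 <= port <= 65535:
        findings.append(f"port {port} is outside 1-65535")
    if protocol.upper() not in ("TCP", "UDP"):
        findings.append(f"protocol {protocol!r} is not TCP or UDP")
    if mode.lower() not in ("enabled", "disabled"):
        findings.append(f"mode {mode!r} is not enabled or disabled")
    if not name.strip():
        findings.append("friendly name is empty")
    parsed = parse_scope(scope)
    findings.extend(parsed.problems)
    if mode.lower() == "enabled" and parsed.kind == "all":
        findings.append(f"{protocol} {port} is open to all IP addresses")
    return findings


# Constructed sample entries (port, protocol, scope, mode, friendly name).
SAMPLE_PORTS = [
    (80, "TCP", "*", "enabled", "Web Server (TCP 80)"),
    (23, "TCP", "10.47.81.0/24, 10.47.82.0/24", "enabled",
     "Telnet Server (TCP 23)"),
    (3389, "TCP", "10.47.81.231/255.255.255.0,LocalSubnet", "enabled",
     "Remote Desktop (TCP 3389)"),
    (70000, "ICMP", "fe80::1", "on", ""),
]


def audit(entries):
    """Run check_port_exception over every entry; one findings list each."""
    return [check_port_exception(*entry) for entry in entries]


if __name__ == "__main__":
    for entry, findings in zip(SAMPLE_PORTS, audit(SAMPLE_PORTS)):
        label = entry[4] or "<unnamed>"
        for finding in findings or ["ok"]:
            print(f"{label}: {finding}")
```

The second sample entry is the case to watch for in review: it looks restricted to two subnets, but the space after the comma means the port is open to any source.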
Allow Programs
Add the following entries to the Windows Firewall Netfw.inf file to add programs to the exceptions list:
Section | Entry |
---|---|
[ICF.AddReg.DomainProfile] | |
[ICF.AddReg.StandardProfile] | |
In the two preceding entries, the following elements must be defined:
Program’s Image Path – This is the fully qualified path for the file to be added to Windows Firewall’s default exception list. It may include environmental variables, such as %ProgramFiles%.
Scope – See “Scope Definition” earlier in this section.
Mode – The two permitted values for this element are enabled and disabled. If a program’s entry is enabled, ports for the program are dynamically opened in Windows Firewall. If a program’s entry is disabled, ports for the program are not dynamically opened in Windows Firewall.
Program’s Friendly Name – This is the name that will be used to represent the entry in the Windows Firewall user interface. It should include the product name and publisher, such as MSN Messenger version 6.1.
Windows Firewall Unattended Installation
You can use an unattended installation answer file, such as Unattend.txt, to automate the configuration of Windows Firewall settings during an unattended installation. Unattended installation is typically used in a corporate environment when you are configuring new computers or deploying a new operating system.
To configure Windows Firewall settings during an unattended installation, you must include the [WindowsFirewall] section along with one or more of the following user-defined sections in your answer file:
[WindowsFirewall.profile_name]
[WindowsFirewall.program_name]
[WindowsFirewall.service_name]
[WindowsFirewall.portopening_name]
[WindowsFirewall.icmpsetting_name]
Important
Applications that are not already installed cannot be added using unattended setup. You must use Netfw.inf to add applications.
Note
When you restore Windows Firewall default settings, any settings that you specified in an answer file are deleted and are not restored. To restore the Windows Firewall settings that you configured during installation with an answer file, you must configure the settings manually.
[WindowsFirewall]
The [WindowsFirewall] section contains entries for specifying the log file settings and which user-defined profiles to use.
The [WindowsFirewall] section contains the following entries:
Entry | Description |
---|---|
Profiles | Specifies the names of the user-defined profiles to use for configuring Windows Firewall (domain, standard, or both domain and standard). |
LogFile | Specifies the location and file name of the Windows Firewall log file. By default, the log file is named Pfirewall.log. |
LogSize | Specifies the maximum size of the Windows Firewall log file. |
LogDroppedPackets | Specifies whether to log dropped packets to the Windows Firewall log file. |
LogConnections | Specifies whether to log connections to the Windows Firewall log file. |
[WindowsFirewall.profile_name]
The [WindowsFirewall.profile_name] section is a user-defined section that is referenced by the [WindowsFirewall] section to make changes to Windows Firewall's default configuration.
The [WindowsFirewall.profile_name] section contains the following entries:
Entry | Description |
---|---|
Type | Specifies the type of profile to use for changing the default configuration of Windows Firewall. |
Mode | Specifies whether to enable or disable Windows Firewall. |
Exceptions | Specifies whether to enable or disable the Windows Firewall exceptions list. |
Notifications | Specifies whether to enable or disable notifications. |
MulticastBroadcastResponse | Specifies whether to enable or disable multicast and broadcast packets. |
AllowedPrograms | Specifies a list of programs that will not be blocked by Windows Firewall. |
Services | Specifies a list of services that will not be blocked by Windows Firewall. |
PortOpenings | Specifies a list of open ports that will not be blocked by Windows Firewall. |
IcmpSettings | Specifies a list of ICMP message types that will not be blocked by Windows Firewall. |
[WindowsFirewall.program_name]
The [WindowsFirewall.program_name] section is a user-defined section that can be used to add programs to the Windows Firewall exceptions list.
The [WindowsFirewall.program_name] section contains the following entries:
Entry | Description |
---|---|
Program | Specifies the path of a program to be added to the exceptions list. This is a required entry. |
Name | Specifies the name of a program to be added to the exceptions list. This is a required entry. |
Mode | Specifies whether to enable or disable an entry in the exceptions list. |
Scope | Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified exception (program, service). Mode must be set to 1 (on). |
Addresses | Specifies the addresses for an entry in the exceptions list. |
[WindowsFirewall.service_name]
Windows Firewall opens static ports used by services in the exceptions list of the current profile. Only services that actually require unsolicited, incoming traffic should be added to the exceptions list. You must add the [WindowsFirewall.service_name] section in the [WindowsFirewall.profile_name] section.
The [WindowsFirewall.service_name] section contains the following entries:
Entry | Description |
---|---|
Type | Specifies the type of service to use for changing the default configuration of Windows Firewall. |
Mode | Specifies whether to enable or disable an entry in the exceptions lists. |
Scope | Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified exception. The value of the Mode entry must equal 1 (on). |
Addresses | Specifies the addresses for an entry in the exceptions list. |
[WindowsFirewall.portopening_name]
A static port may need to be opened for a Windows service to receive unsolicited, incoming traffic. To support these scenarios, you can add static ports to the Windows Firewall exceptions list by using the [WindowsFirewall.portopening_name] section. You must add this section to the [WindowsFirewall.profile_name] section.
The [WindowsFirewall.portopening_name] section contains the following entries:
Entry | Description |
---|---|
Protocol | Specifies the protocol of a port. The protocol must be either TCP or UDP. |
Port | Specifies the port number. The port number must be between 1 and 65535, inclusive. |
Name | Specifies the friendly name of a port to be added to the exceptions list. This descriptive name is used to represent the entry for Windows Firewall in Control Panel. |
Mode | Specifies whether to enable or disable an entry in the exceptions list. |
Scope | Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified exception. The value of the Mode entry must equal 1 (on). |
Addresses | Specifies the addresses for an entry in the exceptions list. |
[WindowsFirewall.icmpsetting_name]
The default configuration for Windows Firewall blocks all ICMP message types; however, you can modify this behavior by adding entries to the Windows Firewall exceptions list that enable certain ICMP message types. You must include the [WindowsFirewall.icmpsetting_name] section in the [WindowsFirewall.profile_name] section.
The [WindowsFirewall.icmpsetting_name] section contains the following entries:
Entry | Description |
---|---|
Type | Specifies the type of ICMP message to enable. |
Mode | Specifies whether to enable or disable the ICMP message type. |
Windows Firewall Scripting Reference
This section describes the methods and properties associated with Windows Firewall scripting. You can use them in a script, such as Microsoft Visual Basic Scripting Edition (VBScript) or JScript, to configure Windows Firewall settings. All of these methods and properties are implemented in the Hnetcfg.dll. They are grouped in this section according to the following categories:
Policy
Profile
Remote administration
ICMP
Port
Application
Service
Policy
The following table lists the scripting properties used to access a Windows Firewall policy:
Property | Description |
---|---|
LocalPolicy | A read-only element that accesses the local firewall policy. This property is retrieved through the HNetCfg.FwMgr COM Object. |
Profile
The following table lists the scripting methods and properties used to access and configure a Windows Firewall profile:
Method or Property | Description |
---|---|
AuthorizedApplications | A read-only element that accesses the collection of authorized applications in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
CurrentProfile | A read-only element that accesses the current Windows Firewall profile. This property is retrieved through the HNetCfg.FwMgr COM Object (LocalPolicy property). |
CurrentProfileType | A read-only element that accesses the type of Windows Firewall profile currently in effect. This property is retrieved through the HNetCfg.FwMgr COM Object. |
ExceptionsNotAllowed | A read-write element that accesses a Boolean value which is TRUE if Windows Firewall should not allow exceptions. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
FirewallEnabled | A read-write element that accesses a Boolean value which is TRUE if Windows Firewall is enabled. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
GetProfileByType | Gets the Windows Firewall profile of the requested type. This method is retrieved through the HNetCfg.FwMgr COM Object (LocalPolicy property). |
GloballyOpenPorts | A read-only element that accesses the collection of globally-opened ports in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
IcmpSettings | A read-only element that accesses the ICMP settings in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
NotificationsDisabled | A read-write element that accesses a Boolean value which is TRUE if interactive notifications are disabled. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
RemoteAdminSettings | Accesses the object that contains the remote administration settings. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
Services | A read-only element that accesses the collection of services in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
Type | A read-only element that accesses the type of a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
UnicastResponsesToMulticastBroadcastDisabled | A read-write element that accesses a Boolean value which is TRUE if Windows Firewall should not allow unicast responses to multicast and broadcast traffic. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
Remote Administration
The following table lists the scripting properties used to access the settings that control remote administration:
Property | Description |
---|---|
Enabled | A read-write element that accesses a Boolean value which is TRUE if the settings controlling remote administration are currently enabled. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property). |
IpVersion | A read-write element that accesses the IP version for which remote administration is authorized. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property). |
RemoteAddresses | Accesses the set of remote addresses from which remote administration is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property). |
Scope | A read-write element that controls the network scope from which remote administration is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (RemoteAdminSettings property). |
ICMP
The following table lists the scripting methods and properties used to access and configure the settings controlling ICMP packets:
Method or Property | Description |
---|---|
AllowInboundEchoRequest | A read-write element that accesses a Boolean value which is TRUE if InboundEchoRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowInboundMaskRequest | A read-write element that accesses a Boolean value which is TRUE if InboundMaskRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowInboundRouterRequest | A read-write element that accesses a Boolean value which is TRUE if InboundRouterRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowInboundTimestampRequest | A read-write element that accesses a Boolean value which is TRUE if InboundTimestampRequest is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowOutboundDestinationUnreachable | A read-write element that accesses a Boolean value which is TRUE if OutboundDestinationUnreachable is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowOutboundPacketTooBig | A read-write element that accesses a Boolean value which is TRUE if OutboundPacketTooBig is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowOutboundParameterProblem | A read-write element that accesses a Boolean value which is TRUE if OutboundParameterProblem is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowOutboundSourceQuench | A read-write element that accesses a Boolean value which is TRUE if OutboundSourceQuench is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowOutboundTimeExceeded | A read-write element that accesses a Boolean value which is TRUE if OutboundTimeExceeded is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
AllowRedirect | A read-write element that accesses a Boolean value which is TRUE if Redirect is allowed. This property is retrieved through the HNetCfg.FwMgr COM Object (IcmpSettings property). |
IsIcmpTypeAllowed | Determines whether the specified ICMP type is allowed. This method is retrieved through the HNetCfg.FwMgr COM Object. |
Note
All of the methods and properties associated with ICMP are common to both IPv4 and IPv6.
Port
The following table lists the scripting methods and properties used to access and configure a port that has been opened in Windows Firewall:
Method or Property | Description |
---|---|
_NewEnum | Returns an object supporting IEnumVARIANT that can be used to iterate through all the ports in a collection. This property is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property]. |
Add | Adds a new port to a collection. This method is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property]. |
BuiltIn | A read-only element that accesses a Boolean value which is TRUE if a port is defined by the system. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
Count | A read-only element yielding the number of items in a collection of ports. This property is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property]. |
Enabled | A read-write element that accesses a Boolean value which is TRUE if the settings for a port are currently enabled. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
IpVersion | A read-write element that accesses the IP version of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
IsPortAllowed | Determines whether an application can listen for inbound traffic on a specified port. This method is retrieved through the HNetCfg.FwMgr COM Object. |
Item | Returns a specified port if it is within a collection. This method is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property]. |
Name | A read-write element that accesses the friendly name of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
Port | A read-write element that accesses the port number of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
Protocol | A read-write element that accesses the protocol type setting of a port. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
RemoteAddresses | Accesses a set of remote addresses from which a port can listen for traffic. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
Remove | Removes a port from a collection. This method is retrieved through the HNetCfg.FwMgr COM Object [GloballyOpenPorts (Profile) property]. |
Scope | A read-write element that controls the network scope from which a port can listen for traffic. This property is retrieved through the HNetCfg.FWOpenPort COM Object. |
Application
The following table lists and gives a short description of the scripting methods and properties used to access and configure an application that has been added to the Windows Firewall exceptions list.
Method or Property | Description |
---|---|
_NewEnum | Returns an object supporting IEnumVARIANT that can be used to iterate through all the applications in a collection. This property is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property). |
Add | Adds a new application to a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property). |
Count | A read-only element yielding the number of items in a collection of applications. This property is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property). |
Enabled | A read-write element that accesses a Boolean value which is TRUE if the settings for an application are currently enabled. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object. |
IpVersion | A read-write element that accesses the IP version for an application. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object. |
IsPortAllowed | Determines whether an application can listen for inbound traffic on a specified port. This method is retrieved through the HNetCfg.FwMgr COM Object. |
Item | Returns a specified application if it is within a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property). |
Name | A read-write element that accesses the friendly name of an application. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object. |
ProcessImageFileName | A read-write element that accesses the process image file name of an application. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object. |
RemoteAddresses | Accesses the set of remote addresses from which an application can listen for traffic. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object. |
Remove | Removes an application from a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (AuthorizedApplications property). |
Scope | A read-write element that controls the network scope from which an application can listen for traffic. This property is retrieved through the HNetCfg.FwAuthorizedApplication COM Object. |
Service
The following table lists the scripting methods and properties used to access and configure a service that has been authorized to listen through Windows Firewall:
Method or Property | Description |
---|---|
_NewEnum | Returns an object supporting IEnumVARIANT that can be used to iterate through all the services in a collection. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Count | A read-only element yielding the number of items in a collection of services. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Customized | A read-only element that indicates whether at least one of the ports associated with a service has been customized. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Enabled | A read-write element that accesses a Boolean value which is TRUE if all ports associated with the service are enabled. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
GloballyOpenPorts | A read-only element that accesses the collection of globally-opened ports associated with a service. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Item | Returns a specified service if it is within a collection. This method is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Name | A read-only element that accesses the friendly name of a service. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
RemoteAddresses | Accesses the set of remote addresses from which a service can listen for traffic. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Scope | A read-write element that controls the network scope from which a service can listen. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
Services | A read-only element that accesses the collection of services in a profile. This property is retrieved through the HNetCfg.FwMgr COM Object (CurrentProfile property or the GetProfileByType method). |
Type | A read-only element that accesses the type of a service. This property is retrieved through the HNetCfg.FwMgr COM Object (Services property). |
For more information about Windows Firewall interfaces, see MSDN.
Netsh Commands for Windows Firewall
You can run these commands from the Windows Server 2003 family command prompt or from the command prompt for the netsh firewall context. For these commands to work at the Windows Server 2003 family command prompt, you must type netsh firewall before typing commands and parameters as they appear in the following syntax. There might be functional differences between netsh context commands on Windows 2000 and the Windows Server 2003 family.
You cannot use the netsh firewall commands to remotely configure Windows Firewall settings, and you cannot use the dump command to create a script based on the current Windows Firewall configuration.
To view help for a command at the command prompt, type the following:
CommandName /?
where CommandName is the name of the command.
add allowedprogram
add portopening
delete allowedprogram
delete portopening
set allowedprogram
set icmpsetting
set logging
set multicastbroadcastresponse
set notifications
set opmode
set portopening
set service
show (all commands)
add allowedprogram
The add allowedprogram command is used to add a program-based exception.
Syntax
add allowedprogram [[program =] path] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Parameters
- [[program =] path] Specifies the path and file name of a program to be added to the exceptions list. This is a required entry.
- [[name =] name] Specifies the name of a program to be added to the exceptions list. This is a required entry.
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable a program. This is an optional entry.
ENABLE - Allow through Windows Firewall (default).
DISABLE - Do not allow through Windows Firewall.
- [[scope =] {ALL|SUBNET|CUSTOM}]
Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified program. This is an optional entry.
ALL - Allow all traffic through Windows Firewall (default).
SUBNET - Allow only local network (subnet) traffic through Windows Firewall.
CUSTOM - Allow only specified traffic through Windows Firewall.
- [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
Remarks
scope must be CUSTOM to specify addresses.
Examples
The following examples show how the add allowedprogram command and preceding parameters can be used to add a program-based exception:
add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
add allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE
add allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE
add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE
add allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
add portopening
The add portopening command is used to create a port-based exception.
Syntax
add portopening [[protocol =] {TCP|UDP|ALL}] [[port =] 1-65535] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]
Parameters
- [[protocol =] {TCP|UDP|ALL}]
Specifies the protocol of a port. The protocol must be TCP, UDP, or all. This is a required entry.
TCP - Transmission Control Protocol (TCP).
UDP - User Datagram Protocol (UDP).
ALL - All protocols.
- [[port =] 1-65535] Specifies the port number. The port number must be between 1 and 65535, inclusive. This is a required entry.
- [[name =] name] Specifies the friendly name of a port to be added to the exceptions list. This descriptive name is used to represent the entry for Windows Firewall in Control Panel. This is a required entry.
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable a port in the exceptions lists. This is an optional entry.
ENABLE - Allow through Windows Firewall (default).
DISABLE - Do not allow through Windows Firewall.
- [[scope =] {ALL|SUBNET|CUSTOM}]
Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified port. This is an optional entry.
ALL - Allow all traffic through Windows Firewall (default).
SUBNET - Allow only local network (subnet) traffic through Windows Firewall.
CUSTOM - Allow only specified traffic through Windows Firewall.
- [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
- [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks
profile and interface cannot be specified together; scope and interface cannot be specified together. scope must be CUSTOM to specify addresses.
Examples
The following examples show how the add portopening command and preceding parameters can be used to create a port-based exception:
add portopening TCP 80 MyWebPort
add portopening UDP 500 IKE ENABLE ALL
add portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
add portopening protocol = TCP port = 80 name = MyWebPort
add portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
add portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
delete allowedprogram
The delete allowedprogram command is used to delete an existing program-based exception.
Syntax
delete allowedprogram [[program =] path] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Parameters
- [[program =] path] Specifies the path and file name of the program to be deleted from the exceptions list. This is a required entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used for configuring Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
Examples
The following examples show how the delete allowedprogram command and preceding parameters can be used to delete an existing program-based exception:
delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe
delete portopening
The delete portopening command is used to delete a port-based exception.
Syntax
delete portopening [[protocol =] {TCP|UDP|ALL}] [[port =] 1-65535] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]
Parameters
- [[protocol =] {TCP|UDP|ALL}]
Specifies the protocol of the port to be deleted from the exceptions list. The protocol must be TCP, UDP, or all. This is a required entry.
TCP - Transmission Control Protocol (TCP).
UDP - User Datagram Protocol (UDP).
ALL - All protocols.
- [[port =] 1-65535] Specifies the number of the port to be deleted from the exceptions list. The port number must be between 1 and 65535, inclusive. This is a required entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used for configuring Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
- [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks
profile and interface cannot be specified together.
Examples
The following examples show how the delete portopening command and preceding parameters can be used to delete a port-based exception:
delete portopening TCP 80
delete portopening UDP 500
delete portopening protocol = TCP port = 80
delete portopening protocol = UDP port = 500
set allowedprogram
The set allowedprogram command is used to modify the settings of a program-based exception.
Syntax
set allowedprogram [[program =] path] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Parameters
- [[program =] path] Specifies the path and file name of a program to be added to the exceptions list. This is a required entry.
- [[name =] name] Specifies the name of a program to be added to the exceptions list. This is a required entry.
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable a program. This is an optional entry.
ENABLE - Allow through Windows Firewall (default).
DISABLE - Do not allow through Windows Firewall.
- [[scope =] {ALL|SUBNET|CUSTOM}]
Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified program. This is an optional entry.
ALL - Allow all traffic through Windows Firewall (default).
SUBNET - Allow only local network (subnet) traffic through Windows Firewall.
CUSTOM - Allow only specified traffic through Windows Firewall.
- [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
Remarks
scope must be CUSTOM to specify addresses.
Examples
The following examples show how the set allowedprogram command and preceding parameters can be used to modify the settings of a program-based exception:
set allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE
set allowedprogram C:\MyApp\MyApp.exe MyApp DISABLE
set allowedprogram C:\MyApp\MyApp.exe MyApp ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE
set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = DISABLE
set allowedprogram program = C:\MyApp\MyApp.exe name = MyApp mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set icmpsetting
The set icmpsetting command is used to specify Internet Control Message Protocol (ICMP) traffic that has been added to the exceptions list.
Syntax
set icmpsetting [[type =] {2|3|4|5|8|9|11|12|13|17|ALL}] [[mode =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]
Parameters
- [[type =] {2|3|4|5|8|9|11|12|13|17|ALL}]
Specifies the type of ICMP message to enable. This is a required entry.
2 - Allow outbound packet too big.
3 - Allow outbound destination unreachable.
4 - Allow outbound source quench.
5 - Allow redirect.
8 - Allow inbound echo request.
9 - Allow inbound router request.
11 - Allow outbound time exceeded.
12 - Allow outbound parameter problem.
13 - Allow inbound timestamp request.
17 - Allow inbound mask request.
ALL - All types.
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable the ICMP message type. This is an optional entry.
ENABLE - Allow through Windows Firewall (default).
DISABLE - Do not allow through Windows Firewall.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
- [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks
profile and interface cannot be specified together; type 2 and interface cannot be specified together.
Examples
The following examples show how the set icmpsetting command and preceding parameters can be used to specify ICMP traffic that has been added to the exceptions list:
set icmpsetting 8
set icmpsetting 8 ENABLE
set icmpsetting ALL DISABLE
set icmpsetting type = 8
set icmpsetting type = 8 mode = ENABLE
set icmpsetting type = ALL mode = DISABLE
set logging
The set logging command is used to specify Windows Firewall logging options.
Syntax
set logging [[filelocation =] path] [[maxfilesize =] 1-32767] [[droppedpackets =] {ENABLE|DISABLE}] [[connections =] {ENABLE|DISABLE}]
Parameters
- [[filelocation =] path] Specifies the location and file name of the Windows Firewall log file. By default, the log file is named Pfirewall.log. This is a required entry.
- [[maxfilesize =] 1-32767] Specifies the maximum size (in kilobytes) of the Pfirewall.log file. This is an optional entry.
- [[droppedpackets =] {ENABLE|DISABLE}]
Specifies whether to log dropped packets to the Pfirewall.log file. This is an optional entry.
ENABLE - Log.
DISABLE - Do not log.
- [[connections =] {ENABLE|DISABLE}]
Specifies whether to log connections to the Pfirewall.log file. This is an optional entry.
ENABLE - Log.
DISABLE - Do not log.
Remarks
At least one parameter must be specified.
Examples
The following examples show how the set logging command and preceding parameters can be used to specify Windows Firewall logging options:
set logging %windir%\pfirewall.log 4096
set logging %windir%\pfirewall.log 4096 ENABLE
set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096
set logging filelocation = %windir%\pfirewall.log maxfilesize = 4096 droppedpackets = ENABLE
set multicastbroadcastresponse
The set multicastbroadcastresponse command is used to specify the unicast response to a multicast or broadcast request.
Syntax
set multicastbroadcastresponse [[mode =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Parameters
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable multicast and broadcast packets. This is a required entry.
ENABLE - Allow responses to multicast/broadcast traffic through Windows Firewall.
DISABLE - Do not allow responses to multicast/broadcast traffic through Windows Firewall.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
Examples
The following examples show how the set multicastbroadcastresponse command and preceding parameters can be used to specify the unicast response to a multicast or broadcast request:
set multicastbroadcastresponse ENABLE
set multicastbroadcastresponse DISABLE
set multicastbroadcastresponse mode = ENABLE
set multicastbroadcastresponse mode = DISABLE
set notifications
The set notifications command is used to specify the behavior of Windows Firewall notifications.
Syntax
set notifications [[mode =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Parameters
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable notifications. This is a required entry.
ENABLE - Allow notifications from Windows Firewall.
DISABLE - Do not allow notifications from Windows Firewall.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
Examples
The following examples show how the set notifications command and preceding parameters can be used to specify the behavior of Windows Firewall notifications:
set notifications ENABLE
set notifications DISABLE
set notifications mode = ENABLE
set notifications mode = DISABLE
set opmode
The set opmode command is used to specify the operating mode of Windows Firewall, either globally or for a specific connection (interface).
Syntax
set opmode [[mode =] {ENABLE|DISABLE}] [[exceptions =] {ENABLE|DISABLE}] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]
Parameters
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable Windows Firewall. This is a required entry.
ENABLE - Enable Windows Firewall.
DISABLE - Disable Windows Firewall.
- [[exceptions =] {ENABLE|DISABLE}]
Specifies whether to enable or disable the Windows Firewall exceptions list. This is a required entry.
ENABLE - Enable the Windows Firewall exceptions list.
DISABLE - Disable the Windows Firewall exceptions list.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
- [[interface =] name] Interface name (optional).
Remarks
profile and interface cannot be specified together; exceptions and interface cannot be specified together.
Examples
The following examples show how the set opmode command and preceding parameters can be used to specify the operating mode of Windows Firewall:
set opmode ENABLE
set opmode ENABLE DISABLE
set opmode mode = ENABLE
set opmode mode = ENABLE exceptions = DISABLE
set portopening
The set portopening command is used to modify the settings of a port-based exception.
Syntax
set portopening [[protocol =] {TCP|UDP|ALL}] [[port =] 1-65535] [[name =] name] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}] [[interface =] name]
Parameters
- [[protocol =] {TCP|UDP|ALL}]
Specifies the protocol of a port. The protocol must be TCP, UDP, or all. This is a required entry.
TCP - Transmission Control Protocol (TCP).
UDP - User Datagram Protocol (UDP).
ALL - All protocols.
- [[port =] 1-65535] Specifies the port number. The port number must be between 1 and 65535, inclusive. This is a required entry.
- [[name =] name] Specifies the friendly name of a port to be added to the exceptions list. This descriptive name is used to represent the entry for Windows Firewall in Control Panel. This is a required entry.
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable a port in the exceptions lists. This is an optional entry.
ENABLE - Allow through Windows Firewall (default).
DISABLE - Do not allow through Windows Firewall.
- [[scope =] {ALL|SUBNET|CUSTOM}]
Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified port. This is an optional entry.
ALL - Allow all traffic through Windows Firewall (default).
SUBNET - Allow only local network (subnet) traffic through Windows Firewall.
CUSTOM - Allow only specified traffic through Windows Firewall.
- [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
- [[interface =] name] Specifies the interface name. This is an optional entry.
Remarks
profile and interface cannot be specified together; scope and interface cannot be specified together. scope must be CUSTOM to specify addresses.
Examples
The following examples show how the set portopening command and preceding parameters can be used to modify the settings of a port-based exception:
set portopening TCP 80 MyWebPort
set portopening UDP 500 IKE ENABLE ALL
set portopening ALL 53 DNS ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set portopening protocol = TCP port = 80 name = MyWebPort
set portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope = ALL
set portopening protocol = ALL port = 53 name = DNS mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set service
The set service command is used to enable or disable the predefined file and printer sharing, remote administration, Remote Desktop, and UPnP exceptions.
Syntax
set service [[type =] {FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL}] [[mode =] {ENABLE|DISABLE}] [[scope =] {ALL|SUBNET|CUSTOM}] [[addresses =] addresses] [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Parameters
- [[type =] {FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL}]
Specifies the type of service to enable. This is a required entry.
FILEANDPRINT - File and printer sharing.
REMOTEADMIN - Remote administration.
REMOTEDESKTOP - Remote assistance and remote desktop.
UPNP - UPnP framework.
ALL - All types.
- [[mode =] {ENABLE|DISABLE}]
Specifies whether to enable or disable a service. This is a required entry.
ENABLE - Allow through Windows Firewall (default).
DISABLE - Do not allow through Windows Firewall.
- [[scope =] {ALL|SUBNET|CUSTOM}]
Defines the set of limits on which computers (IP addresses) are allowed to send traffic through the specified service. This is an optional entry.
ALL - Allow all traffic through Windows Firewall (default).
SUBNET - Allow only local network (subnet) traffic through Windows Firewall.
CUSTOM - Allow only specified traffic through Windows Firewall.
- [[addresses =] addresses] Specifies the custom scope addresses in the exceptions list. This is an optional entry.
- [[profile =] {CURRENT|DOMAIN|STANDARD|ALL}]
Specifies the names of the profiles used to configure Windows Firewall. This is an optional entry.
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.
Remarks
scope is ignored if mode is DISABLE. scope must be CUSTOM to specify addresses.
Examples
The following examples show how the set service command and preceding parameters can be used to enable or disable the predefined service exceptions:
set service FILEANDPRINT
set service REMOTEADMIN ENABLE SUBNET
set service REMOTEDESKTOP ENABLE CUSTOM 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
set service type = FILEANDPRINT
set service type = REMOTEADMIN mode = ENABLE scope = SUBNET
set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
show (all commands)
The following show commands are used to display the current configuration of Windows Firewall:
Command | Description |
---|---|
show allowedprogram | Displays the programs that have been added to the exceptions list. |
show config | Displays the local configuration information. |
show currentprofile | Displays the current profile. |
show icmpsetting | Displays the ICMP settings. |
show logging | Displays the logging settings. |
show multicastbroadcastresponse | Displays multicast or broadcast response settings. |
show notifications | Displays the current settings for notifications. |
show opmode | Displays the operational mode. |
show portopening | Displays the ports that have been added to the exceptions list. |
show service | Displays the services. |
show state | Displays the current state information. |
Remarks
To use the show command parameter, [[verbose =] {ENABLE|DISABLE}], to display more detailed information about the configuration, set the parameter to ENABLE. Verbose mode is disabled by default.
Examples
show state
show state verbose = ENABLE
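The value lists and Remarks rules above can be checked mechanically before a provisioning script is run. The following Python linter is an added example, not part of the original reference: it covers add/set allowedprogram, add/set portopening and set service, and also flags exceptions left open to all remote addresses. The function names, finding texts and sample script lines are constructed for illustration.

```python
import ipaddress
import re

# Parameter order per command, taken from the Syntax lines in this section.
SYNTAX = {
    "allowedprogram": "program name mode scope addresses profile".split(),
    "portopening": "protocol port name mode scope addresses profile interface".split(),
    "service": "type mode scope addresses profile".split(),
}
VERBS = {"allowedprogram": "add set", "portopening": "add set", "service": "set"}
ENUMS = {
    "mode": {"ENABLE", "DISABLE"},
    "scope": {"ALL", "SUBNET", "CUSTOM"},
    "profile": {"CURRENT", "DOMAIN", "STANDARD", "ALL"},
    "protocol": {"TCP", "UDP", "ALL"},
    "type": {"FILEANDPRINT", "REMOTEADMIN", "REMOTEDESKTOP", "UPNP", "ALL"},
}
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # a "quoted path" stays one token


def parse(line):
    """Return (object, params) for a covered command line, else (None, {})."""
    line = re.sub(r"\s*=\s*", "=", line.strip())  # 'tag = value' -> 'tag=value'
    tokens = [t.replace('"', "") for t in TOKEN.findall(line)]
    if [t.lower() for t in tokens[:2]] == ["netsh", "firewall"]:
        tokens = tokens[2:]
    verb, obj = [t.lower() for t in (tokens + ["", ""])[:2]]
    if verb not in VERBS.get(obj, "").split():
        return None, {}
    order, params, position = SYNTAX[obj], {}, 0
    for token in tokens[2:]:
        tag, sep, value = token.partition("=")
        if sep and tag.lower() in order:      # tagged form: name=value
            params[tag.lower()] = value
        elif position < len(order):           # positional form, in syntax order
            params[order[position]] = token
            position += 1
    return obj, params


def address_problems(spec):
    """Check each comma-separated entry of a CUSTOM scope address list."""
    problems = []
    for item in spec.split(","):
        if item.lower() == "localsubnet":
            continue
        try:
            if ipaddress.ip_network(item, strict=False).prefixlen == 0:
                problems.append(f"addresses: '{item}' matches every host")
        except ValueError:
            problems.append(f"addresses: '{item}' is not an address or subnet")
    return problems


def lint(line):
    """Return the findings for one netsh firewall command line."""
    obj, p = parse(line)
    if obj is None:
        return []
    findings = []
    for key, allowed in ENUMS.items():
        if key in p and p[key].upper() not in allowed:
            findings.append(f"{key}: '{p[key]}' is not one of {sorted(allowed)}")
    port = p.get("port", "1")
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append(f"port: '{port}' is outside 1-65535")
    mode = p.get("mode", "ENABLE").upper()   # ENABLE is the documented default
    scope = p.get("scope", "ALL").upper()    # ALL is the documented default
    if "addresses" in p:
        if scope != "CUSTOM":
            findings.append("addresses: scope must be CUSTOM to specify addresses")
        findings += address_problems(p["addresses"])
    findings += [f"{k} and interface cannot be specified together"
                 for k in ("profile", "scope") if k in p and "interface" in p]
    if obj == "service" and mode == "DISABLE" and "scope" in p:
        findings.append("scope is ignored because mode is DISABLE")
    if mode == "ENABLE" and scope == "ALL" and "interface" not in p:
        findings.append("exposure: enabled for all remote addresses (scope ALL)")
    return findings


SAMPLE_SCRIPT = "\n".join([  # constructed lines, not taken from a real host
    r"netsh firewall add portopening TCP 80 MyWebPort",
    r"netsh firewall add portopening protocol = TCP port = 3389 name = RDP scope = SUBNET addresses = 10.0.0.0/8",
    r"netsh firewall set service type = REMOTEDESKTOP mode = ENABLE scope = CUSTOM addresses = 172.16.0.0/16,LocalSubnet",
    r'netsh firewall add allowedprogram program = "C:\Program Files\MyApp\MyApp.exe" name = MyApp mode = ENABLED',
    r"netsh firewall set portopening TCP 445 SMB ENABLE CUSTOM 0.0.0.0/0",
])


def audit(script):
    """Map 1-based line numbers to findings, for lines that have any."""
    lines = enumerate(script.splitlines(), start=1)
    return {n: found for n, text in lines if (found := lint(text))}


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_SCRIPT).items():
        print(f"line {number}: " + "; ".join(findings))
```

Commands outside the three covered families, such as show state, are passed over without findings.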
Windows Firewall Log File and Security Log Settings
Windows Firewall records event data in two locations: the Event Viewer security log and the Windows Firewall log file. Event Viewer security log entries provide a record of Windows Firewall configuration changes, startup status, and behavior. The Windows Firewall log file entries provide a record of network traffic events, such as dropped packets and successful connections. Neither of the logging mechanisms provides intrusion detection or security breach alerting.
Security Log Entries
Windows Firewall writes entries to the security log when a computer is started and when a program or system service attempts to listen for unsolicited incoming traffic but is blocked. These entries provide information about the status and configuration of Windows Firewall, including information about the applications and ports that permit traffic through Windows Firewall. These entries also provide information about which ports and protocols a program or system service is trying to use so you can configure the necessary exceptions in Windows Firewall. These security log entries are viewed with Event Viewer, which can filter the entries by Event ID. The Event IDs associated with Windows Firewall are in the range of 848 through 861.
Note
Windows Firewall events are written to the event log any time the Windows Firewall/Internet Connection Sharing service is running, even if Windows Firewall is turned off (disabled).
The following table lists the Event IDs associated with Windows Firewall:
Event ID | Description |
---|---|
848 | Displays the startup configuration of Windows Firewall. |
849 | Displays an application exception configuration. |
850 | Displays a port exception configuration. |
851 | Displays a change made to the application exceptions list. |
852 | Displays a change made to the application exceptions list. |
853 | Displays a change made to the Windows Firewall operation mode. |
854 | Displays a change made to Windows Firewall logging settings. |
855 | Displays a change made to ICMP settings. |
856 | Displays a change made to the Windows Firewall: Prohibit unicast response to multicast or broadcast requests Group Policy setting. |
857 | Displays a change made to the remote administration setting. |
858 | Displays Windows Firewall Group Policy settings have been applied. |
859 | Displays Windows Firewall Group Policy settings have been removed. |
860 | Displays a change made to a profile. |
861 | Displays an application or service attempting to listen for incoming traffic. |
Event ID 848
The following table lists the entries associated with Event ID 848:
Entry | Possible Values | Notes |
---|---|---|
Group Policy applied | Yes/No | Specifies whether Group Policy is applied. |
Profile used | Domain/Local | Specifies if the profile is from the domain or the local computer. |
Interface | All interfaces/<interface name> | Specifies the network adapter (interface) to which the settings apply. |
Operational mode | On/Off/On with no exceptions | Specifies which mode Windows Firewall is in. |
File and Printer Sharing | Enabled/Disabled | Specifies whether File and Printer Sharing is enabled or disabled in the exceptions list. |
Remote Desktop | Enabled/Disabled | Specifies whether Remote Desktop is enabled or disabled in the exceptions list. |
UPnP Framework | Enabled/Disabled | Specifies whether UPnP is enabled or disabled in the exceptions list. |
Allow remote administration | Enabled/Disabled | Specifies whether Remote Assistance is enabled or disabled in the exceptions list. |
Allow unicast responses to multicast/broadcast traffic | Enabled/Disabled | Specifies whether Windows Firewall will allow unicast traffic that is in response to multicast or broadcast traffic through Windows Firewall. |
Log dropped packets | Enabled/Disabled/“-” | Specifies the log file setting. |
Log successful connections | Enabled/Disabled/“-” | Specifies the log file setting. |
Allow incoming echo request | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow incoming timestamp request | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow incoming mask request | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow incoming router request | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow outgoing destination unreachable | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow outgoing source quench | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow outgoing parameter problem | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow outgoing time exceeded | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Allow redirect | Enabled/Disabled/“-” | Specifies the ICMP setting. |
Note
The hyphen (“-”) is used to indicate that this setting has not been configured.
Event ID 849
The following table lists the entries associated with Event ID 849:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local Policy/Group Policy | Specifies whether the application was added to the exceptions list through local policies or domain-wide Group Policy. |
Profile used | Standard/Domain | Specifies the profile in which the application is listed as an exception. |
Name | <file name> | Specifies the display name, if any, of the executable file. |
Path | <path> | Specifies the path to the application. |
State | Enabled/Disabled | Specifies whether the application is enabled or disabled in the exceptions list. |
Scope | All interfaces/Local subnet/<custom scope> | Specifies the conditions under which the application is processed as an exception. |
Event ID 850
The following table lists the entries associated with Event ID 850:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local Policy/Group Policy | Specifies whether the port was added to the exceptions list through local policies or domain-wide Group Policy. |
Profile used | Standard/Domain | Specifies the profile in which the port is listed as an exception. |
Interface | All interfaces/<interface name> | Specifies the network adapter (interface) to which the settings apply. |
Name | <name> | Specifies the name of the port. |
Port number | <port number> | Specifies the number of the port. |
Protocol | TCP/UDP | Specifies the protocol of the port. |
State | Enabled/Disabled | Specifies whether the port is enabled or disabled in the exceptions list. |
Scope | All interfaces/Local subnet/<custom scope> | Specifies the conditions under which the port is processed as an exception. |
Event ID 851
The following table lists the entries associated with Event ID 851:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local policy/Group Policy | Specifies whether the change was made through local policies or domain-wide Group Policy. |
Profile changed | Standard/Domain | Specifies the profile in which the change occurred. |
Change type | Add/Remove/Modify | Specifies whether the application was added or removed from the exceptions list, or whether exception list settings were modified for the application. |
New Settings: Name | <name> | Specifies the new display name, if any, of the executable file. |
New Settings: Path | <path> | Specifies the new path to the application. |
New Settings: State | Enabled/Disabled | Specifies whether the application is currently enabled or disabled in the exceptions list. |
New Settings: Scope | All interfaces/Local subnet/<custom scope> | Specifies the new conditions under which the application is processed as an exception. |
Old Settings: Name | <name> | Specifies the old display name, if any, of the executable file. |
Old Settings: Path | <path> | Specifies the old path to the application. |
Old Settings: State | Enabled/Disabled | Specifies whether the application was previously enabled or disabled in the exceptions list. |
Old Settings: Scope | All interfaces/Local subnet/<custom scope> | Specifies the old conditions under which the application was processed as an exception. |
Event ID 852
The following table lists the entries associated with Event ID 852:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local policy/Group Policy | Specifies whether the change was made through local policies or domain-wide Group Policy. |
Profile changed | Standard/Domain | Specifies the profile in which the change occurred. |
Change type | Add/Remove/Modify | Specifies whether the port was added or removed from the exceptions list, or whether exception list settings were modified for the port. |
Interface | All interfaces/<interface name> | Specifies the network adapter (interface) to which the settings apply. |
New Settings: Name | <name> | Specifies the new name of the port. |
New Settings: Port number | <port number> | Specifies the new number of the port. |
New Settings: Protocol | TCP/UDP | Specifies the new protocol of the port. |
New Settings: State | Enabled/Disabled | Specifies whether the port is enabled or disabled in the exceptions list. |
New Settings: Scope | All interfaces/Local subnet/<custom scope> | Specifies the new conditions under which the port is processed as an exception. |
Old Settings: Name | <name> | Specifies the old name of the port. |
Old Settings: Port number | <port number> | Specifies the old number of the port. |
Old Settings: Protocol | TCP/UDP | Specifies the old protocol of the port. |
Old Settings: State | Enabled/Disabled | Specifies whether the port was previously enabled or disabled in the exceptions list. |
Event ID 853
The following table lists the entries associated with Event ID 853:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local policy/Group Policy | Specifies whether the change was made through local policies or domain-wide Group Policy. |
Profile changed | Standard/Domain | Specifies the profile in which the change occurred. |
Interface | All interfaces/interface name | Specifies the network adapter (interface) to which the new setting applies. |
New Setting: Operation mode | On/On with no exceptions/Off | Specifies which mode Windows Firewall is in currently. |
Old Setting: Operation mode | On/On with no exceptions/Off | Specifies which mode Windows Firewall was in previously. |
Event ID 854
The following table lists the entries associated with Event ID 854:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local policy/Group Policy | Specifies whether the change was made through local policies or domain-wide Group Policy. |
Profile changed | Standard/Domain | Specifies the profile in which the change occurred. |
New Settings: Log dropped packets | Enabled/Disabled/“-” | Specifies the new log file setting. |
New Settings: Log successful connections | Enabled/Disabled/“-” | Specifies the new log file setting. |
Old Setting: Log dropped packets | Enabled/Disabled/“-” | Specifies the old log file setting. |
Old Setting: Log successful connections | Enabled/Disabled/“-” | Specifies the old log file setting. |
Note
The hyphen (“-”) is used to indicate that this setting has not been configured.
Event ID 855
The following table lists the entries associated with Event ID 855:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local policy/Group Policy | Specifies whether the change was made through local policies or domain-wide Group Policy. |
Profile changed | Standard/Domain | Specifies the profile in which the change occurred. |
Interface | All interfaces/interface name | Specifies the network adapter (interface) to which the new setting applies. |
New Setting: Allow incoming echo request | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow incoming timestamp request | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow incoming mask request | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow incoming router request | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow outgoing destination unreachable | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow outgoing source quench | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow outgoing parameter problem | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow outgoing time exceeded | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
New Setting: Allow redirect | Enabled/Disabled/“-” | Specifies the new ICMP setting. |
Old Setting: Allow incoming echo request | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow incoming timestamp request | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow incoming mask request | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow incoming router request | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow outgoing destination unreachable | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow outgoing source quench | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow outgoing parameter problem | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow outgoing time exceeded | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Old Setting: Allow redirect | Enabled/Disabled/“-” | Specifies the old ICMP setting. |
Note
The hyphen (“-”) is used to indicate that this setting has not been configured.
Event ID 856
The following table lists the entries associated with Event ID 856:
Entry | Possible Values | Notes |
---|---|---|
Unicast response to multicast broadcasts is | On/Off | Specifies whether the option is enabled or disabled. |
Event ID 857
The following table lists the entries associated with Event ID 857:
Entry | Possible Values | Notes |
---|---|---|
Policy origin | Local policy/Group policy | Specifies whether the change was made through local policies or domain-wide Group Policy. |
Profile changed | Standard/Domain | Specifies the profile in which the change occurred. |
New setting: Allow remote administration | Enabled/Disabled | Specifies whether the option is enabled or disabled. |
Old setting: Allow remote administration | Enabled/Disabled | Specifies whether the option is enabled or disabled. |
Event ID 858
Note
There are no entries associated with Event ID 858.
Event ID 859
Note
There are no entries associated with Event ID 859.
Event ID 860
The following table lists the entries associated with Event ID 860:
Entry | Possible Values | Notes |
---|---|---|
Active profile | Standard/Domain | Specifies if the profile has switched from standard to domain, or vice versa. |
Event ID 861
The following table lists the entries associated with Event ID 861:
Entry | Possible Values | Notes |
---|---|---|
Name | <name> | Specifies the name of the application or service. |
Path | <path> | Specifies the path to the application or service. |
Process identifier | <process identifier> | Specifies the identifier (label) used to determine the process involved in the listening activity. |
User account | <user account> | Specifies the user's account. |
User domain | <user domain> | Specifies the user's domain. |
Service | Yes/No | Specifies whether the listener is a service. |
RPC server | Yes/No | Specifies whether the listener is on an RPC server. |
IP version | IPv4/IPv6 | Specifies the IP version of the application or service. |
IP protocol | TCP/UDP | Specifies the IP protocol being used by the application or service. |
Port number | <port number> | Specifies the port being used by the application or service. |
Allowed | Yes/No | Specifies if the application or service is allowed to listen for unsolicited incoming network traffic. |
User notified | Yes/No | Specifies whether the user was notified of the listening activity. |
Windows Firewall Log File Entries
When the Windows Firewall log file is enabled, Windows Firewall generates a plaintext security log file (Pfirewall.log), which is found in %Windir%\pfirewall.log. The security log has two sections: the header and the body.
The following table lists the entries contained in the header:
Item | Description | Example |
---|---|---|
#Version: | Displays which version of the Windows Firewall security log is installed. | 1.5 |
#Software: | Displays the name of the security log. | Microsoft Windows Firewall |
#Time: | Indicates that all of the timestamps in the log are in local time. | Local |
#Fields: | Displays a static list of fields that are available for security log entries, if data is available. These fields are listed in the following table. Note: The hyphen (-) is used for fields for which no information is available. | src-ip |
The body is the report of information gathered about traffic or attempts to cross Windows Firewall. The body of the security log is a dynamic list; new entries appear at the bottom of the log.
The following table lists the information contained in the body of the log file:
Item | Description | Example |
---|---|---|
Date | Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the format: YYYY-MM-DD | 2001-01-27 |
Time | Displays the hour, minute, and seconds at which the recorded transaction occurred. Times are recorded in the format: HH:MM:SS | 21:36:59 |
Action | Displays which operation was observed by Windows Firewall. The options available are OPEN, OPEN-INBOUND, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but were not recorded in the log. | OPEN |
Protocol | Displays the protocol that was used for the communication. The options available are TCP, UDP, ICMP, and a protocol number for packets that are not TCP, UDP, or ICMP. | TCP |
src-ip | Displays the source IP address (the IP address of the computer attempting to establish communications). | 192.168.0.1 |
dst-ip | Displays the destination IP address of a communication attempt. | 192.168.0.1 |
src-port | Displays the source port number of the sending computer. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -. | 4039 |
dst-port | Displays the port number of the destination computer. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -. | 53 |
size | Displays the packet size, in bytes. | 60 |
tcpflags | Displays the TCP control flags found in the TCP header of an IP packet: Urg Urgent Pointer field significant | FAP |
tcpsyn | Displays the TCP sequence number in the packet. | 1315819770 |
tcpack | Displays the TCP acknowledgement number in the packet. | 2515999782 |
tcpwin | Displays the TCP window size, in bytes, in the packet. | 64240 |
icmptype | Displays a number that represents the Type field of the ICMP message. | 8 |
icmpcode | Displays a number that represents the Code field of the ICMP message. | 0 |
info | Displays an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action will result in an entry of the number of events that occurred but were not recorded in the log from the time of the last occurrence of this event type. | 23 |
Path | Displays the direction of the communication. The options available are SEND, RECEIVE, FORWARD, and UNKNOWN. | RECEIVE |
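The log layout described above can be parsed and triaged with a short script; the following is an added example, not code from Microsoft or from the original page. The sample log is constructed, the function names are hypothetical, and the fallback column order is assumed to follow the order of the body table above.

```python
from collections import Counter

# Assumed fallback column order (order of the body table) when "#Fields:" is absent.
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
                  "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
INT_FIELDS = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
              "icmptype", "icmpcode"}

# Constructed sample log (documentation address ranges); the last line is truncated.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2001-01-27 21:36:59 DROP TCP 198.51.100.7 192.0.2.10 4039 445 60 S 1315819770 0 64240 - - - RECEIVE
2001-01-27 21:37:01 DROP TCP 198.51.100.7 192.0.2.10 4040 3389 60 S 1315819771 0 64240 - - - RECEIVE
2001-01-27 21:37:02 DROP ICMP 198.51.100.9 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2001-01-27 21:37:05 OPEN UDP 192.0.2.10 192.0.2.53 1027 53 - - - - - - - - SEND
2001-01-27 21:37:09 INFO-EVENTS-LOST - - - - - - - - - - - - 23 -
2001-01-27 21:37:11 DROP TCP 198.51.100.7
"""

def convert(name, raw):
    if raw == "-":  # hyphen: no information available for this field
        return None
    return int(raw) if name in INT_FIELDS and raw.isdigit() else raw

def parse_log(text):
    """Return (header, entries, skipped) for the text of a Pfirewall.log file."""
    header, entries, skipped, fields = {}, [], 0, DEFAULT_FIELDS
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip() == "Fields" and value.split():
                fields = [name.lower() for name in value.split()]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            skipped += 1  # truncated or corrupt line: count it, do not guess
            continue
        entries.append({n: convert(n, r) for n, r in zip(fields, parts)})
    return header, entries, skipped

def summarize(entries):
    """Dropped inbound packets per source, ports they targeted, and logging gaps."""
    drops = [e for e in entries if e.get("action") == "DROP" and e.get("path") == "RECEIVE"]
    ports = {}
    for e in drops:
        if e.get("dst-port") is not None:
            ports.setdefault(e["src-ip"], set()).add(e["dst-port"])
    lost = sum(int(e["info"]) for e in entries
               if e.get("action") == "INFO-EVENTS-LOST" and (e.get("info") or "").isdigit())
    return {"drops_by_source": dict(Counter(e["src-ip"] for e in drops)),
            "ports_by_source": ports, "events_lost": lost}

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)[1]))
```

A nonzero events_lost or skipped count means the log is an incomplete record for that period, which matters when the file is used as evidence of what was or was not dropped.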