
10. Query firewall rules: One of the first things you'll probably need to use netsh
for is to discover Windows Firewall's current configuration properties. You can
query Windows Firewall settings using the following netsh command:

netsh advfirewall firewall show rule name=all


9. Enable and disable Windows Firewall: It's typically a best practice to leave
Windows Firewall enabled, but sometimes when you're performing testing or
setting up new applications, you need to turn Windows Firewall off for a period.
The following commands illustrate how to turn Windows Firewall off and then
back on:

netsh advfirewall set allprofiles state off

netsh advfirewall set allprofiles state on

8. Reset Windows Firewall: If you make a mistake configuring Windows
Firewall, you might want to use the following netsh command to reset it back to its
default settings:

netsh advfirewall reset


7. Set logging: The default path for the Windows Firewall log files is
\Windows\system32\LogFiles\Firewall\pfirewall.log. The netsh command below
changes the location of the log file to the C:\temp directory:

netsh advfirewall set currentprofile logging filename "C:\temp\pfirewall.log"


6. Allow and prevent ping: You can use netsh to control how and if a given
system responds to ping requests. The following two netsh commands show how
you can block and then open Windows Firewall to ping requests:

netsh advfirewall firewall add rule name="All ICMP V4" dir=in action=block protocol=icmpv4

netsh advfirewall firewall add rule name="All ICMP V4" dir=in action=allow protocol=icmpv4

5. Enable and delete a port: One of the most common things you need to do with
Windows Firewall is open ports that are used by different programs. The following
examples show how to use netsh to create a rule to open and then close port 1433,
which is used by Microsoft SQL Server:

netsh advfirewall firewall add rule name="Open SQL Server Port 1433" dir=in action=allow protocol=TCP localport=1433

netsh advfirewall firewall delete rule name="Open SQL Server Port 1433" protocol=tcp localport=1433

4. Enable a program: Another common task is opening Windows Firewall for a
given program. The following example illustrates how to add a rule that
enables Windows Live Messenger to work through Windows Firewall:

netsh advfirewall firewall add rule name="Allow Messenger" dir=in action=allow program="C:\programfiles\messenger\msnmsgr.exe"

3. Enable remote management: Another common requirement, especially when
you're setting up new systems, is to enable remote management so that tools such
as the Microsoft Management Console can connect to remote systems. To open
Windows Firewall for remote management, you can use the following command:

netsh advfirewall firewall set rule group="remote administration" new enable=yes

2. Enable Remote Desktop Connection: One of the first things I do with most of
the server systems I set up is enable Remote Desktop Connection for easy remote
systems management. The following command shows how to use netsh to open
Windows Firewall for Remote Desktop Connections:

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

1. Export and import firewall settings: After you get Windows Firewall
configured, it's a good idea to export your settings so that you can easily reapply
them later or import them into another system. In the following netsh commands,
you can see how to export and then import your Windows Firewall configuration:

netsh advfirewall export "C:\temp\WFconfiguration.wfw"

netsh advfirewall import "C:\temp\WFconfiguration.wfw"
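
The following script is an added example, not part of the original list: it combines items 1, 5 and 10 into one change that is backed up first, scoped more tightly than the any-source rule in item 5, verified by reading the rule back, and rolled back if the check fails. It assumes an elevated PowerShell prompt, that C:\temp exists, and that 10.0.5.0/24 is a constructed placeholder for the web server's subnet.

```powershell
# Added example (not from the original article). Assumptions: elevated
# PowerShell; C:\temp exists; 10.0.5.0/24 is a constructed placeholder subnet.
$ruleName  = 'Open SQL Server Port 1433'
$webSubnet = '10.0.5.0/24'
$backup    = "C:\temp\WFconfiguration-$(Get-Date -Format 'yyyyMMdd-HHmmss').wfw"

# 1. Export first (item 1) so the change can be undone with 'netsh advfirewall import'.
netsh advfirewall export "$backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export to $backup failed; policy left unchanged." }

# 2. Add the inbound rule (item 5), but limited to the web subnet and the domain
#    profile instead of allowing any remote address on every profile.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=1433 remoteip=$webSubnet profile=domain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Rule creation failed." }

# 3. Read the rule back (item 10) and turn its 'Key: Value' lines into a hashtable.
$rule = @{}
netsh advfirewall firewall show rule name="$ruleName" | ForEach-Object {
    if ($_ -match '^([^:]+):\s+(.+)$') { $rule[$Matches[1].Trim()] = $Matches[2].Trim() }
}

# 4. Verify the scope actually applied; otherwise restore the exported policy.
if ($rule['Enabled'] -ne 'Yes' -or $rule['LocalPort'] -ne '1433' -or
    $rule['RemoteIP'] -notlike '10.0.5.0/*') {
    Write-Warning "Rule '$ruleName' missing or not scoped as intended; restoring $backup."
    netsh advfirewall import "$backup" | Out-Null
} else {
    "Rule '$ruleName' active: Profiles=$($rule['Profiles']) RemoteIP=$($rule['RemoteIP']) LocalPort=$($rule['LocalPort'])"
}
```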

Enabling RDP through the Command Prompt will not configure Windows
Firewall with the appropriate ports to allow RDP connections. The firewall rule group has to be enabled separately:

netsh advfirewall firewall set rule group="remote desktop" new enable=yes

How to configure SQL Server to use a static port


Issue:
When enabling the firewall to secure data flow within your organization for Vault,
you notice that the web server is not able to communicate to SQL server, even
though the default SQL ports 1433 and 1434 are open in the firewall.

Causes:
When SQL Server is installed with replication services, the default configuration
marks SQL server to use dynamic ports.
Solution:
These are the steps you need to perform to enable SQL Server to communicate
over static port 1433.

Step 1: On the server running SQL Server, start SQL Server Configuration
Manager (this tool configures the network protocols for SQL Server):

Start Menu >> All Programs >> Microsoft SQL Server <version> >> SQL Server
Configuration Tools >> SQL Server Configuration Manager

Step 2: In SQL Server Configuration Manager, scroll down to the SQL
Network Configuration option and select the node "Protocols for
AUTODESKVAULT". Then, in the right pane, right-click "TCP/IP" and
open the "IP Addresses" tab.

Step 3: In the TCP/IP Properties window, scroll down to the last
option, "IPALL". Clear the value of 'TCP Dynamic Ports' if one is set, and type the
port number 1433 in the TCP Port text box.
Click Apply.
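
As an added check that is not part of the original steps, the script below confirms, after Step 3 and a restart of the SQL Server service, that SQL Server is listening on the static port rather than a dynamic one, and lists the enabled inbound firewall rules that open that port so an overly broad rule (RemoteIP: Any) is visible next to one scoped to the web server. It assumes an elevated PowerShell prompt on the SQL host and takes port 1433 from Step 3; it parses netstat instead of using Get-NetTCPConnection so it also works on the Windows Server 2008 systems this page covers.

```powershell
# Added example (not from the original article). Assumptions: elevated
# PowerShell on the SQL host; 1433 is the port typed in Step 3.
$port = 1433

function Get-ListeningPid([int]$Port) {
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
    # '\S+:' before the port also matches IPv6 listeners such as [::]:1433.
    netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") { [int]$Matches[1] }
    } | Select-Object -Unique
}

$pids = @(Get-ListeningPid $port)
if ($pids.Count -eq 0) {
    Write-Warning "Nothing listens on TCP $port: SQL Server is still on a dynamic port, or the service was not restarted after Step 3."
} else {
    foreach ($p in $pids) {
        $name = (Get-Process -Id $p -ErrorAction SilentlyContinue).ProcessName
        if ($name -ne 'sqlservr') { Write-Warning "TCP $port is held by '$name' (PID $p), not SQL Server." }
        else { "SQL Server (PID $p) is listening on TCP $port." }
    }
}

# Firewall side: turn 'show rule' output into one object per rule (each rule's
# block ends with its 'Action:' line) and keep enabled inbound rules for the port.
$rules = @(); $cur = $null
netsh advfirewall firewall show rule name=all dir=in | ForEach-Object {
    if ($_ -match '^Rule Name:\s+(.+)$') { $cur = [ordered]@{ Name = $Matches[1].Trim() } }
    elseif ($cur -and $_ -match '^([A-Za-z ]+):\s+(.+)$') { $cur[$Matches[1].Trim()] = $Matches[2].Trim() }
    if ($cur -and $_ -match '^Action:') { $rules += [pscustomobject]$cur; $cur = $null }
}
$rules |
    Where-Object { $_.Enabled -eq 'Yes' -and (($_.LocalPort -split ',') -contains "$port") } |
    Format-Table Name, Profiles, RemoteIP, Action -AutoSize
```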

INTRODUCTION

The netsh advfirewall firewall command-line context is available in Windows
Server 2008 and in Windows Vista. This context provides the functionality for
controlling Windows Firewall behavior that was provided by the netsh
firewall context in earlier Windows operating systems.

This context also provides functionality for more precise control of firewall rules.
These rules include the following per-profile settings:

- Domain
- Private
- Public

The netsh firewall command-line context might be deprecated in a future version
of the Windows operating system. We recommend that you use the netsh
advfirewall firewall context to control firewall behavior.

Note The netsh firewall command line is not recommended for use in Windows
Vista.

This article describes how to use the netsh advfirewall firewall context instead of
the netsh firewall context to control Windows Firewall behavior in Windows Server
2008 and in Windows Vista.

More Information

Important If you are a member of the Administrators group, and User Account
Control is enabled on your computer, run the commands from a command prompt
with elevated permissions. To start a command prompt with elevated permissions,
find the icon or Start menu entry that you use to start a command prompt session,
right-click it, and then click Run as administrator.

Some examples of frequently used commands are provided in the following tables.
You can use these examples to help you migrate from the older netsh
firewall context to the new netsh advfirewall firewall context.

Additionally, the netsh advfirewall commands that you can use to obtain detailed
inline help are provided.

Example 1: Enable a program

Old command:
  netsh firewall add allowedprogram C:\MyApp\MyApp.exe "My Application" ENABLE
New command:
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

Old command:
  netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=Domain
New command:
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain

Old command:
  netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=ALL
New command (run the following commands):
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
  netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private

For more information about how to add firewall rules, run the following command:

netsh advfirewall firewall add rule ?

Example 2: Enable a port

Old command:
  netsh firewall add portopening TCP 80 "Open Port 80"
New command:
  netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

For more information about how to add firewall rules, run the following command:

netsh advfirewall firewall add rule ?

Example 3: Delete enabled programs or ports

Old command:
  netsh firewall delete allowedprogram C:\MyApp\MyApp.exe
New command:
  netsh advfirewall firewall delete rule name=rule name program="C:\MyApp\MyApp.exe"

Old command:
  delete portopening protocol=UDP port=500
New command:
  netsh advfirewall firewall delete rule name=rule name protocol=udp localport=500

For more information about how to delete firewall rules, run the following
command:

netsh advfirewall firewall delete rule ?

Example 4: Configure ICMP settings

Old command:
  netsh firewall set icmpsetting 8
New command:
  netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Old command:
  netsh firewall set icmpsetting type=ALL mode=enable
New command:
  netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow

Old command:
  netsh firewall set icmpsetting 13 disable all
New command:
  netsh advfirewall firewall add rule name="Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block

For more information about how to configure ICMP settings, run the following
command:

netsh advfirewall firewall add rule ?

Example 5: Set logging

Old command:
  netsh firewall set logging %systemroot%\system32\LogFiles\Firewall\pfirewall.log 4096 ENABLE ENABLE
New command (run the following commands):
  netsh advfirewall set currentprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log
  netsh advfirewall set currentprofile logging maxfilesize 4096
  netsh advfirewall set currentprofile logging droppedconnections enable
  netsh advfirewall set currentprofile logging allowedconnections enable

For more information, run the following command:

netsh advfirewall set currentprofile ?

If you want to set logging for a particular profile, use one of the following options
instead of the "currentprofile" option:

- Domainprofile
- Privateprofile
- Publicprofile
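
Once dropped connections are being logged as in Example 5, the log is only useful if someone reads it. The script below is an added example, not from the original article: it parses the W3C-style pfirewall.log using its own "#Fields:" header and summarises inbound drops by protocol, destination port and source address. The log lines in $sampleText are constructed so the script runs without a real log; $logPath is the default path from Example 5.

```powershell
# Added example (not from the original article). The sample lines below are
# constructed; for a real run replace $sample with Get-Content $logPath.
$logPath = "$env:systemroot\system32\LogFiles\Firewall\pfirewall.log"
$sampleText = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-03-01 09:15:02 DROP TCP 192.0.2.44 10.0.0.5 52110 1433 52 S 0 0 8192 - - - RECEIVE
2024-03-01 09:15:03 DROP TCP 192.0.2.44 10.0.0.5 52111 1433 52 S 0 0 8192 - - - RECEIVE
2024-03-01 09:15:09 DROP TCP 198.51.100.7 10.0.0.5 40022 3389 52 S 0 0 8192 - - - RECEIVE
2024-03-01 09:16:40 ALLOW TCP 10.0.5.12 10.0.0.5 61000 1433 0 - 0 0 0 - - - RECEIVE
2024-03-01 09:17:01 DROP ICMP 203.0.113.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
'@
$sample = $sampleText -split "`r?`n"

function ConvertFrom-PfirewallLog([string[]]$Lines) {
    # Column names come from the '#Fields:' header, so the parser follows the
    # file rather than a hard-coded layout. Other '#' lines and blanks are skipped.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if (-not $fields -or $line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        $values = $line.Trim() -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

$events = ConvertFrom-PfirewallLog $sample        # real log: Get-Content $logPath

# Inbound drops only (path RECEIVE), most frequent source/port pairs first.
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object -Property protocol, 'dst-port', 'src-ip' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Protocol'; e = { $_.Group[0].protocol } },
        @{ n = 'DstPort';  e = { $_.Group[0].'dst-port' } },
        @{ n = 'SrcIP';    e = { $_.Group[0].'src-ip' } } |
    Format-Table -AutoSize
```

With the constructed sample the top row is the two TCP 1433 drops from 192.0.2.44, which is the pattern to compare against the rule scope set in Example 1.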
Example 6: Enable Windows Firewall

Old command:
  netsh firewall set opmode ENABLE
New command:
  netsh advfirewall set currentprofile state on

Old command:
  netsh firewall set opmode mode=ENABLE exceptions=enable
New command (run the following commands):
  netsh advfirewall set currentprofile state on
  netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound

Old command:
  netsh firewall set opmode mode=enable exceptions=disable profile=domain
New command (run the following commands):
  netsh advfirewall set domainprofile state on
  netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

Old command:
  netsh firewall set opmode mode=enable profile=ALL
New command (run the following commands):
  netsh advfirewall set domainprofile state on
  netsh advfirewall set privateprofile state on

For more information, run the following command:

netsh advfirewall set currentprofile ?

If you want to set the firewall state for a particular profile, use one of the following
options instead of the "currentprofile" option:

- Domainprofile
- Privateprofile
- Publicprofile

Example 7: Restore policy defaults

Old command:
  netsh firewall reset
New command:
  netsh advfirewall reset

For more information, run the following command:

netsh advfirewall reset ?

Example 8: Enable specific services

Old command:
  netsh firewall set service FileAndPrint
New command:
  netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Old command:
  netsh firewall set service RemoteDesktop enable
New command:
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Old command:
  netsh firewall set service RemoteDesktop enable profile=ALL
New command (run the following commands):
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=private
