Windows Firewall with Advanced Security

Applies To: Windows 7, Windows Server 2008

This topic provides an overview of Windows Firewall with Advanced Security. It includes conceptual information about what it is, how it works, and the tools you can use to configure Windows Firewall with Advanced Security and Internet Protocol security (IPsec) settings.

What is Windows Firewall with Advanced Security?

Windows Firewall with Advanced Security combines a host firewall and IPsec. Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security that allows you to require authentication and data protection for communications.

Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all IP version 4 (IPv4) and IP version 6 (IPv6) packets. By default, incoming traffic is blocked unless it is a response to a request made by the host (solicited traffic) or it is explicitly allowed by a firewall rule that you have created. Outgoing traffic is allowed by default unless a rule blocks it. You can explicitly allow traffic by specifying a port number, application name, service name, or other criteria in Windows Firewall with Advanced Security settings; the narrower the criteria, the smaller the exposure the rule creates.

Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating and use data integrity or data encryption when communicating.

How does Windows Firewall with Advanced Security work?

Windows Firewall with Advanced Security uses two sets of rules to configure how it responds to incoming and outgoing traffic. Firewall rules determine which traffic is allowed or blocked. Connection Security rules determine how traffic between this computer and other computers is secured. These rules, along with other settings, can be applied by using a firewall profile, which is applied depending on where the computer is connected. You can also monitor the firewall activities and rules.

Firewall rules

You configure firewall rules to determine whether traffic is blocked or allowed through Windows Firewall with Advanced Security. When an incoming packet reaches your computer, Windows Firewall with Advanced Security inspects it and checks whether it meets the criteria specified in a firewall rule. If the packet matches a rule, Windows Firewall with Advanced Security performs the action specified in that rule, either block the connection or allow the connection. If more than one rule matches, block rules take precedence over allow rules (only authenticated bypass rules rank above block rules). If the packet matches no rule, Windows Firewall with Advanced Security applies the profile's default inbound action, which is Block unless you have changed it, and creates an entry in the firewall log file (if logging is enabled). You can select from a variety of criteria when configuring a rule: for example, application names, system service names, TCP ports, UDP ports, local IP addresses, remote IP addresses, profile, interface type (for example, network adapter), users, user groups, computers, computer groups, protocols, ICMP types, and more. The criteria within a rule are combined with a logical AND; the more criteria you add, the more narrowly Windows Firewall with Advanced Security matches incoming traffic. For more information, see Firewall Rules.
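The rule behaviour described above, written as a netsh advfirewall script (the netsh advfirewall context is introduced under Firewall and IPsec configuration tools, later on this page). This is an added example, not code from the original page. The rule names, the program path, the port and the subnets are illustrative assumptions; the commands themselves are standard netsh advfirewall syntax.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt on Windows 7 / Windows Server 2008 R2; netsh prints "Ok." per command.
# Assumed values: rule names, C:\Program Files\Contoso\agent.exe, TCP 8443,
# the management subnet 10.10.0.0/24 and the quarantined host 10.10.0.99.

# Keep a copy of the current policy so the change can be rolled back with
# "netsh advfirewall import <file>".
netsh advfirewall export "$env:TEMP\wfas-before.wfw"

# Firewall on in every profile; unsolicited inbound blocked, outbound allowed.
# These are the defaults, stated explicitly so the script documents them.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Log dropped and allowed connections. This is the log file that records the
# packets no rule matched. %systemroot% is expanded by the firewall service.
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable

# Allow rule whose criteria are ANDed: this program, TCP 8443, the domain
# profile, and only from the management subnet. Drop any one criterion and
# the rule matches more traffic than intended.
netsh advfirewall firewall add rule name="Contoso Agent (TCP-In)" `
    dir=in action=allow enable=yes profile=domain `
    program="C:\Program Files\Contoso\agent.exe" `
    protocol=TCP localport=8443 remoteip=10.10.0.0/24

# Block rules are evaluated before allow rules, so this one wins for the
# quarantined host even though the allow rule above also matches it.
netsh advfirewall firewall add rule name="Contoso Agent (block quarantined host)" `
    dir=in action=block profile=domain `
    protocol=TCP localport=8443 remoteip=10.10.0.99

# Verify what was written, then the settings in force for the active profile.
netsh advfirewall firewall show rule name="Contoso Agent (TCP-In)" verbose
netsh advfirewall show allprofiles
netsh advfirewall show currentprofile
```

The export at the top is the cheapest safety net: if the new rules lock you out of a remote host, `netsh advfirewall import` of that file restores the previous policy. The `show rule ... verbose` output is also the quickest way to confirm that a rule was created with the profile and remote address scope you intended rather than the defaults (all profiles, any address).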

Connection Security rules

You can use Connection Security rules to configure IPsec settings for specific connections between this computer and other computers. A Connection Security rule does not by itself allow or block traffic; it specifies whether traffic that matches the rule must be, should be, or need not be authenticated and protected with IPsec, and how the two computers authenticate each other. Firewall rules still decide whether the traffic is allowed, and a firewall rule can additionally require that a connection be authenticated before it is allowed. Under one circumstance a Connection Security rule does cause Windows Firewall with Advanced Security to block communication: if you have configured a setting that requires security for a connection (in either direction) and the two computers cannot authenticate each other, the connection is blocked. If the rule only requests security, the connection falls back to unprotected traffic when the other computer cannot authenticate. For more information, see Connection Security Rules.
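The require-or-block behaviour above, as an added example that is not part of the original page, using the netsh advfirewall consec subcontext. The rule names, the server subnet 10.20.0.0/24 and the use of TCP 445 are assumptions; the peer computers need a matching rule of their own, which this script does not create.

```powershell
# Added example, not from the original page. Run elevated on a domain-joined
# computer: auth1=computerkerb authenticates with the computer's domain
# account, so both ends must be domain members.
# Assumed values: rule names, the peer subnet 10.20.0.0/24, TCP 445.

# Back up the current policy first; "netsh advfirewall import" restores it.
netsh advfirewall export "$env:TEMP\wfas-before-ipsec.wfw"

# Require authentication for connections the peers initiate, only request it
# for connections we initiate. A peer in 10.20.0.0/24 that cannot authenticate
# has its inbound connections dropped (the blocking case described above);
# our outbound connections to it still succeed unprotected.
netsh advfirewall consec add rule name="Require auth from 10.20.0.0/24" `
    endpoint1=any endpoint2=10.20.0.0/24 `
    action=requireinrequestout auth1=computerkerb `
    profile=domain enable=yes

# Firewall rule that opens TCP 445 only to peers that authenticated through
# the rule above (security=authenticate). Unauthenticated SMB stays blocked
# by the default inbound action.
netsh advfirewall firewall add rule name="SMB in (authenticated peers only)" `
    dir=in action=allow protocol=TCP localport=445 `
    remoteip=10.20.0.0/24 security=authenticate profile=domain

# Stricter variant: also require ESP encryption of the payload.
# netsh advfirewall firewall set rule name="SMB in (authenticated peers only)" new security=authenc

# Verify the rule, then the live IPsec state once a peer has connected.
netsh advfirewall consec show rule name="Require auth from 10.20.0.0/24"
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Deploying the rule as requireinrequestout rather than requireinrequireout is the usual first step: it protects the servers' inbound side immediately, while outbound connections to hosts that have not yet received the matching rule keep working. Empty main mode and quick mode security association lists after a peer connects mean authentication never completed; check the Security event log on both ends before tightening further.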

Firewall profiles

Firewall rules and Connection Security rules, as well as other settings, can be applied to one or more firewall profiles. These profiles are then applied to the computer, depending on where the computer is connected. You can configure a profile for when the computer is connected to a domain, a private network, such as a home network, or a public network, such as an Internet kiosk. For more information, see Firewall Profiles.

Monitoring

The Monitoring node shows information about the computer to which you are currently connected, either the local computer or a remote computer. This node is not present if you are using the snap-in to manage a Group Policy object rather than the local computer. For more information, see Monitoring Windows Firewall with Advanced Security.
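The Monitoring node shows the state of the firewall now; the firewall log, when logging is enabled for the profile, records the per-packet decisions that led there. The following is an added example, not code from the original page: a parser for the W3C-style log that pfirewall.log uses, run over constructed sample lines, that summarises what unsolicited inbound traffic was dropped. The function ConvertFrom-FirewallLog and the sample log are both this example's own.

```powershell
# Added example, not from the original page. The log lines below are
# constructed sample data in the pfirewall.log layout; on a real system read
# the file named in "netsh advfirewall show currentprofile" instead.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-03-04 09:15:01 DROP TCP 192.168.1.55 192.168.1.10 50112 445 52 S 3044176013 0 8192 - - - RECEIVE
2011-03-04 09:15:01 DROP TCP 192.168.1.55 192.168.1.10 50113 139 52 S 3044176014 0 8192 - - - RECEIVE
2011-03-04 09:15:02 DROP TCP 192.168.1.55 192.168.1.10 50114 3389 52 S 3044176015 0 8192 - - - RECEIVE
2011-03-04 09:15:05 ALLOW TCP 192.168.1.10 10.0.0.4 49203 443 0 - 0 0 0 - - - SEND
2011-03-04 09:15:07 DROP UDP 192.168.1.77 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2011-03-04 09:15:09 DROP ICMP 192.168.1.77 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2011-03-04 09:15:12 DROP TCP 192.168.1.55 192.168.1.10 50115 445 52 S 3044176016 0 8192 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Turns log lines into objects whose property names come from the #Fields
    # header, so the parser follows the file's own layout.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^\s*(#|$)') { continue }         # other header lines, blank lines
        if ($fields -eq $null) { continue }                 # data before any header is unusable
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or partially written line
        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $entry
    }
}

# Real system: $entries = ConvertFrom-FirewallLog (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
$entries = ConvertFrom-FirewallLog ($sampleLog -split "`r?`n")

# Unsolicited inbound traffic that no rule allowed: action DROP on path RECEIVE.
$dropped = $entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' }

"Dropped inbound by protocol and destination port:"
$dropped | Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Sources that touched several closed ports (a sweep shows up as many distinct ports):"
$dropped | Group-Object 'src-ip' | ForEach-Object {
    # ICMP entries carry "-" as the port; leave them out of the port list.
    $ports = @($_.Group | Where-Object { $_.'dst-port' -ne '-' } |
               ForEach-Object { $_.'dst-port' } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Source = $_.Name; Drops = $_.Count
        DistinctPorts = $ports.Count; Ports = ($ports -join ',')
    }
} | Sort-Object DistinctPorts -Descending | Format-Table Source, Drops, DistinctPorts, Ports -AutoSize
```

With the sample data, 192.168.1.55 accounts for four drops across three distinct ports (139, 445 and 3389), the pattern of a host probing for SMB and Remote Desktop, while 192.168.1.77 produced only NetBIOS and ICMP noise. Reading the field names from the #Fields header rather than hard-coding them matters because the layout differs between Windows versions.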

Firewall and IPsec configuration tools

There are several ways to configure Windows Firewall and IPsec settings and options, including the following:

Using the Windows Firewall with Advanced Security MMC snap-in

The Windows Firewall with Advanced Security snap-in enables you to configure both firewall settings and connection security (IPsec) settings in one interface. You can also view the currently applied policy, rules, and other information in the Monitoring node.

Note

The snap-in can be used to configure all settings for policies that are to be applied to computers running this version of Windows. To create IPsec policies for computers running an earlier version of Windows, use the IP Security Policies snap-in.

Using the Windows Firewall Control Panel

The Windows Firewall Control Panel, which is available for the local computer, also configures a limited set of the settings available through the Windows Firewall with Advanced Security MMC snap-in. For more information, see the Windows Firewall Control Panel Help.

Using the IP Security Policy MMC snap-in

This MMC snap-in can be used for configuring IPsec policies that apply to computers running earlier versions of Windows and to computers running this version of Windows. This MMC snap-in is useful for environments where computers running these versions of Windows co-exist. You cannot use this snap-in to configure Windows Firewall with Advanced Security settings. For more information, see the IP Security Policy snap-in Help.

Using the IP Security Monitor MMC snap-in

This MMC snap-in can be used for monitoring IPsec security associations on earlier versions of Windows and on computers running this version of Windows. The snap-in includes a Statistics node that displays various statistics for the combined activities of both policies created with the IP Security Policy snap-in and with the Windows Firewall with Advanced Security snap-in.

Netsh commands

Netsh is a command-line tool that you can use to configure settings for network components. Windows Firewall with Advanced Security provides the netsh advfirewall context, which you can use to configure Windows Firewall with Advanced Security settings. Using netsh advfirewall, you can create scripts to automatically configure a set of Windows Firewall with Advanced Security settings for both IPv4 and IPv6 traffic. You can also use netsh advfirewall commands to display the configuration and status of Windows Firewall with Advanced Security. For more information, see the Netsh advfirewall Help.

Connection security rules themselves are managed in the netsh advfirewall consec subcontext. You can also configure IPsec policies of the kind created in the IP Security Policy snap-in by using the netsh ipsec commands, and a more limited set of firewall settings by using the netsh firewall commands, which are retained for compatibility with scripts written for earlier versions of Windows; use netsh advfirewall for new scripts. For more information, see the Netsh IPsec Help and the Netsh Firewall Help.

Group Policy settings

Windows Firewall with Advanced Security provides Group Policy settings that you can use to centrally configure and manage large numbers of computers in an organization that uses Active Directory Domain Services (AD DS). These Group Policy settings allow you to configure Windows Firewall with Advanced Security rules and other settings. You can find the snap-in by navigating to Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security. You can also use the Windows Firewall Administrative Template to apply the settings available in earlier versions of Windows.

You can also use Group Policy to configure and distribute IPsec policies created in the IP Security Policies snap-in. For more information, see the IP Security Policy snap-in Help or the Group Policy Help.

Additional references

Firewall Rules

Connection Security Rules

Firewall Profiles

Monitoring Windows Firewall with Advanced Security