7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

Windows Client Releases

Server Role

Client Role

Windows Vista operating system

Yes

Yes

Windows 7 operating system

Yes

Yes

Windows 8 operating system

Yes

Yes

Windows 8.1 operating system

Yes

Yes

Windows 10 operating system

Yes

Yes

Windows 11 operating system

Yes

Yes

Windows Server Releases

Server Role

Client Role

Windows Server 2008 operating system

Yes

Yes

Windows Server 2008 R2 operating system

Yes

Yes

Windows Server 2012 operating system

Yes

Yes

Windows Server 2012 R2 operating system

Yes

Yes

Windows Server 2016 operating system

Yes

Yes

Windows Server operating system

Yes 

Yes

Windows Server 2019 operating system

Yes

Yes

Windows Server 2022 operating system

Yes

Yes

Windows Server 2025 operating system

Yes

Yes

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.6: For Windows Vista operating system with Service Pack 1 (SP1), Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating system, unspecified addresses are allowed. Unspecified addresses are also allowed on Windows Vista if the Security Update for Windows Vista specified in [MSKB-935807] is applied.

<2> Section 2.2.14:  The following port keywords are supported in Windows 10 v1809 operating system and Windows Server v1809 operating system and later, in Windows Server 2019 and later, and in Windows 10 v1903 operating system and Windows Server v1903 operating system and later.

Enum Flag Name

Enum Value

FW_PORT_KEYWORD_MDNS

0x80

FW_PORT_KEYWORD_CORTANA_OUT

0x100

FW_PORT_KEYWORD_PROXIMAL_TCP_CDP

0x200

FW_PORT_KEYWORD_MAX_V2_20

0x80

FW_PORT_KEYWORD_MAX_V2_24

0x100

FW_PORT_KEYWORD_MAX_V2_25

0x200

<3> Section 2.2.14:  The enum value 0x400 for enum flag FW_PORT_KEYWORD_MAX is supported in Windows 10 v1809 and Windows Server v1809 and later, and in Windows Server 2019 and later.

<4> Section 2.2.23:  The Dynamic Keyword Addresses feature is supported in Windows 11, version 22H2 operating system and later and in Windows Server 2022 and later.

<5> Section 2.2.32: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary AuthenticationSet objects if these objects are not already present in LocalStore and GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

  
 #define FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR           
                          L"Default Phase1 Primary AuthSet"
 #define FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR           
                          L"Default Phase2 Primary AuthSet"
 #define RTL_NUMBER_OF(A)   (sizeof(A)/sizeof((A)[0]))
 FW_AUTH_SUITE g_DefaultPrimaryAuthSuitePhase1[] = 
 {
     { FW_AUTH_METHOD_MACHINE_KERB, {0} }
 };
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase1 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     RTL_NUMBER_OF(g_DefaultPrimaryAuthSuitePhase1),
     g_DefaultPrimaryAuthSuitePhase1,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase2 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     0,
     NULL,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
  

During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary CryptoSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

 #define FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase1 Primary CryptoSet"
 #define FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase2 Primary CryptoSet"
  
 FW_PHASE1_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase1[] = 
 {
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_CRYPTO_HASH_SHA1},
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_CRYPTO_HASH_SHA1}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase1 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         0, // flags
         0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1),
         0, // g_DefaultPrimaryCryptoSuitesPhase1,
         0, //480,
         0
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
  
 FW_PHASE2_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase2[] = 
 {
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_AH, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase2 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         {
             0, // FW_PHASE2_CRYPTO_PFS_DISABLE,
             0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2),
             0, // g_DefaultPrimaryCryptoSuitesPhase2
         }
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 void FwDefaultPrimaryCryptoSetsInit()
 {
     // Init Phase 1 Crypto.
     g_DefaultPrimaryCryptoSetPhase1.dwNumPhase1Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1);
     g_DefaultPrimaryCryptoSetPhase1.pPhase1Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase1;
     g_DefaultPrimaryCryptoSetPhase1.dwTimeOutMinutes = 480;
  
     //Init Phase 2 Crypto
     g_DefaultPrimaryCryptoSetPhase2.Pfs = 
                         FW_PHASE2_CRYPTO_PFS_DISABLE;
     g_DefaultPrimaryCryptoSetPhase2.dwNumPhase2Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2);
     g_DefaultPrimaryCryptoSetPhase2.pPhase2Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase2;
 }
  

<6> Section 2.2.37: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.37) and FW_CS_RULE (section 2.2.55) rules.

<7> Section 2.2.37: Rules with wSchemaVersion less than 0x000200 but greater than or equal to 0x000100 are not allowed to be written to the local store.

<8> Section 2.2.37: On Windows 7 and Windows Server 2008 R2 the wszRuleId size cannot be greater than or equal to 512 characters. On Windows Vista and Windows Server 2008 it cannot be greater than or equal to 1000 characters.

<9> Section 2.2.38: When Windows is operating in stealth mode, it blocks the following outbound packets:

  • ICMP Destination Unreachable

  • ICMP Parameter Problem for IPv6 only

  • TCP Reset (RST) packets sent because no application is listening on the destination port

<10> Section 2.2.38: In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the FW_PROFILE_CONFIG_LOG_IGNORED_RULES option is ignored.

<11> Section 2.2.38: When an application is blocked from listening on a port and inbound notifications are not disabled, Windows displays a notification to the user only when there is not an FW_RULE object in the Group Policy RSoP, local, or dynamic policy stores with a wszLocalApplication field that matches the application.

<12> Section 2.2.42:  Supported policy versions are mapped to Windows product releases in the table that follows:

Table 1. Windows product releases vs Firewall policy versions

Windows Client Release

Windows Server Release

Policy Version

Windows Vista

0x0200

Windows Vista SP1

Windows Server 2008

0x0201

Windows 7

Windows Server 2008 R2

0x020A

Windows 8

Windows Server 2012

0x0214

Windows 8.1

Windows Server 2012 R2

0x0216

Windows 10

0x0218, 0x0219

Windows 10 v1607 operating system

Windows Server 2016

0x021A

Windows 10 v1703 operating system

0x021B

Windows 10 v1709 operating system

Windows Server operating system

Ox021B

Windows 10 v1803 operating system

Windows Server v1803 operating system

0x021C

Windows 10 v1809

Windows Server v1809

Windows Server 2019

0x021D

Windows 10 v1903

Windows Server v1903

0x021E

Windows Server 2022

0x021F

Windows 11 v22H2

0x0220

Windows Server 2025

0x0221?

<13> Section 2.2.43: Windows selects a default value for the profile configuration options and the global configurations options. These configurations default values are secure, and it is recommended to use these values as default values. Profile configuration options default values:

  
 FW_PROFILE_CONFIG_ENABLE_FW .- TRUE.
 FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE .- FALSE.
 FW_PROFILE_CONFIG_SHIELDED .- FALSE.
 FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST 
                                                            .- FALSE.
 FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS .- FALSE.
 FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS .- FALSE.
 FW_PROFILE_CONFIG_LOG_IGNORED_RULES .- TRUE.
 FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE .- 1024.
 FW_PROFILE_CONFIG_LOG_FILE_PATH .- L"".
 FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS .- FALSE.
 FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_DISABLED_INTERFACES .- {0}.
 FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION .- 0 (0 is allow).
 FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION.- 1 (1 is block).
  

Global configuration options default values:

  
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0200 
 on Windows Vista.
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0201 
 on Windows Vista SP1 and Windows Server 2008.
 FW_GLOBAL_CONFIG_CURRENT_PROFILE .- FW_PROFILE_TYPE_PUBLIC.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP .- FALSE.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP .- FALSE.
 FW_GLOBAL_CONFIG_SA_IDLE_TIME .- 300.
 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING 
                    .- FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8.
 FW_GLOBAL_CONFIG_IPSEC_EXEMPT 
                    .- FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC.
 FW_GLOBAL_CONFIG_CRL_CHECK .- 0.
 FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT 
             .- FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_SERVER_BEHIND_NAT.
 FW_GLOBAL_CONFIG_POLICY_VERSION .- 0x0200.
 FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED .- 0x201. This value is 
 present only in Windows Vista SP1 and Windows Server 2008.
  

<14> Section 2.2.55: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.37) and FW_CS_RULE (section 2.2.55) rules.

<15> Section 2.2.55: On Windows 7 and Windows Server 2008 R2 the wszRuleId size is less than 512 characters. On Windows Vista and Windows Server 2008 it is less than 1000 characters.

<16> Section 2.2.55: On Windows 7 and Windows Server 2008 R2 the wszPhase1AuthSet, wszPhase2AuthSet, and wszPhase2CryptoSet sizes are less than 255 characters. On Windows Vista and Windows Server 2008 they are less than 1000 characters.

<17> Section 2.2.64: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<18> Section 2.2.64: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<19> Section 2.2.65: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<20> Section 2.2.65: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<21> Section 2.2.83: Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 set TransportFilterId to the filter key of the Windows Filtering Platform filter used to enforce the security association (for more information, see [MSWFPSDK]).

<22> Section 2.2.85: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.37) and FW_CS_RULE (section 2.2.55) rules.

<23> Section 2.2.96: By default, Windows uses the IKEv1 and AuthIP keying modules.

<24> Section 2.2.97:  The following table shows the tuple keyword flags added to the enum _tag_FW_TRUST_TUPLE_KEYWORD_NONE type definition in Windows 10 v1803 and  Windows Server v1803 and later.

Enum Tuple Keyword Flag Name

Enum Value

FW_TRUST_TUPLE_KEYWORD_WFD_CDP

0x0080

FW_TRUST_TUPLE_KEYWORD_MAX_V2_27

0x0080

<25> Section 2.2.97: In schema version 0x0214, the value for the FW_TRUST_TUPLE_KEYWORD_MAX flag is 0x0004.

<26> Section 2.2.97:  In Windows 10 v1803 and Windows Server v1803 and later, the enum value for the FW_TRUST_TUPLE_KEYWORD_MAX tuple keyword flag is updated from '0x0080' to '0x0100'.

<27> Section 2.2.103: In Windows, audit events that are generated by rules that specify the FW_RULE_FLAGS2_CALLOUT_AND_AUDIT flag are sent to the audit event log.

<28> Section 3.1.1:  The new boolean fields 'IsMDNS', 'IsCortanaOut', and 'IsProximalTCPCDP' are added to the PortInUse ADM element in Windows 10 v1809 and Windows Server v1809 and later, and in Windows Server 2019 and later.

<29> Section 3.1.3: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary AuthenticationSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

 #define FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR
                                  L"Default Phase1 Primary AuthSet"
 #define FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR
                                  L"Default Phase2 Primary AuthSet"
 #define RTL_NUMBER_OF(A)   (sizeof(A)/sizeof((A)[0]))
 FW_AUTH_SUITE g_DefaultPrimaryAuthSuitePhase1[] = 
 {
     { FW_AUTH_METHOD_MACHINE_KERB, {0} }
 };
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase1 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     RTL_NUMBER_OF(g_DefaultPrimaryAuthSuitePhase1),
     g_DefaultPrimaryAuthSuitePhase1,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase2 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     0,
     NULL,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  

<30> Section 3.1.3: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary CryptoSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

 #define FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase1 Primary CryptoSet"
 #define FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase2 Primary CryptoSet"
  
 FW_PHASE1_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase1[] = 
 {
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_CRYPTO_HASH_SHA1},
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_CRYPTO_HASH_SHA1}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase1 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         0, //flags
         0, //RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1),
         0, //g_DefaultPrimaryCryptoSuitesPhase1,
         0, // 480,
         0
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
  
 FW_PHASE2_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase2[] = 
 {
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_AH, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase2 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         {
             0, // FW_PHASE2_CRYPTO_PFS_DISABLE,
             0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2),
             0, // g_DefaultPrimaryCryptoSuitesPhase2
         }
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 void FwDefaultPrimaryCryptoSetsInit()
 {
     // Init Phase 1 Crypto.
     g_DefaultPrimaryCryptoSetPhase1.dwNumPhase1Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1);
     g_DefaultPrimaryCryptoSetPhase1.pPhase1Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase1;
     g_DefaultPrimaryCryptoSetPhase1.dwTimeOutMinutes = 480;
  
     //Init Phase 2 Crypto
     g_DefaultPrimaryCryptoSetPhase2.Pfs = 
                         FW_PHASE2_CRYPTO_PFS_DISABLE;
     g_DefaultPrimaryCryptoSetPhase2.dwNumPhase2Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2);
     g_DefaultPrimaryCryptoSetPhase2.pPhase2Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase2;
 }
  

<31> Section 3.1.3: Windows selects a default value for the ProfileConfiguration option and the GlobalConfiguration option. These configuration default values are secure, and it is recommended to use these values as default values. ProfileConfiguration option default values:

  
 FW_PROFILE_CONFIG_ENABLE_FW .- TRUE.
 FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE .- FALSE.
 FW_PROFILE_CONFIG_SHIELDED .- FALSE.
 FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST 
                                                            .- FALSE.
 FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS .- FALSE.
 FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS .- FALSE.
 FW_PROFILE_CONFIG_LOG_IGNORED_RULES .- TRUE.
 FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE .- 1024.
 FW_PROFILE_CONFIG_LOG_FILE_PATH .- L"".
 FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS .- FALSE.
 FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_DISABLED_INTERFACES .- {0}.
 FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION .- 0 (0 is allow).
 FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION.- 1 (1 is block).
  

GlobalConfiguration options default values:

  
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0200 
 on Windows Vista.
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0201 
 on Windows Vista SP1 and Windows Server 2008.
 FW_GLOBAL_CONFIG_CURRENT_PROFILE .- FW_PROFILE_TYPE_PUBLIC.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP .- FALSE.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP .- FALSE.
 FW_GLOBAL_CONFIG_SA_IDLE_TIME .- 300.
 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING 
                    .- FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8.
 FW_GLOBAL_CONFIG_IPSEC_EXEMPT 
                    .- FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC.
 FW_GLOBAL_CONFIG_CRL_CHECK .- 0.
 FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT 
             .- FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_SERVER_BEHIND_NAT.
 FW_GLOBAL_CONFIG_POLICY_VERSION .- 0x0200.
 FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED .- 0x201. This value is 
 present only in Windows Vista SP1 and Windows Server 2008.
  

<32> Section 3.1.4: In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, security principals are identified by SIDs (see [MS-DTYP] section 2.4.2). The authorized clients are represented by the S-1-5-32-544 and the S-1-5-32-556 SIDs. If the client's identity token (see [MS-DTYP] section 2.5.2) does not contain at least one of these SIDs, the server fails the call.

<33> Section 3.1.4.6: Path validations were not performed in Windows Vista and Windows Server 2008 at edit time.

<34> Section 3.1.4.47: Path validations were not performed in Windows Vista and Windows Server 2008 at edit time.

<35> Section 3.1.6.5: Windows determines whether it is operating in common criteria mode by calling the BCryptGetFipsAlgorithmMode API. For more information, see [MSDN-BCryptGetFipsAlgorithmMode].

<36> Section 3.1.6.6: Windows enforces the effective firewall policy by converting the settings to Windows Filtering Platform filters. For more information, see [MSWFPSDK].