Windows Firewall with Advanced Security Properties Page
Updated: January 20, 2009
Applies To: Windows 7, Windows Server 2008 R2
Use this dialog box to configure the basic firewall properties for each of the network profiles. You can also use the IPsec Settings tab to configure the default values for several IPsec configuration options.
To get to this dialog box
In the Windows Firewall with Advanced Security MMC snap-in, perform one of the following steps:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.
Select the top node in the navigation pane, and then in the center pane, in the Overview section, click Windows Firewall Properties.
Select the top node in the navigation pane, and in the Actions pane, click Properties.
Domain, Private, and Public Profile tabs
You can configure any profile, even one that is not currently being applied. If you do not alter profile settings, their default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security on all three profiles.
You can configure the following settings on each profile tab:
State
State selections determine whether Windows Firewall with Advanced Security uses the profile settings and how the profile handles inbound and outbound network messages.
Firewall state
Select On (recommended) to have Windows Firewall use the settings for this profile to filter network traffic. If you select Off, Windows Firewall will not use any of the firewall rules or connection security rules for this profile.
Important
If you use Group Policy to turn off Windows Firewall, or configure it with a rule that allows all inbound network traffic, Windows Security Center alerts the user that there are security issues to correct. If the user tries to fix the reported problem by clicking Turn on in Windows Security Center, an error is displayed, because Windows Security Center cannot enable a firewall that Group Policy has turned off. This can generate unwanted support calls to your help desk. If you manage the security of the computers in your organization and do not want Windows Security Center to alert users about these issues, you can turn off Windows Security Center by using the Turn on Security Center (Domain PCs only) Group Policy setting, found in Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Security Center.
Inbound connections
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default is to block a connection unless a firewall rule allows it. Note that choosing Allow reverses this: every listening service on the computer becomes reachable unless a rule explicitly blocks it. You can choose the following behavior for inbound connections:
Selection | Description |
---|---|
Block (default) | Blocks all connections that do not have firewall rules that explicitly allow the connection. |
Block all connections | Blocks all connections, regardless of any firewall rules that explicitly allow the connection. |
Allow | Allows the connection unless there is a firewall rule that explicitly blocks the connection. |
Outbound connections
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules to block the connection. You can choose the following behavior for outbound connections:
Selection | Description |
---|---|
Block | Blocks all connections that do not have firewall rules that explicitly allow the connection. |
Allow (default) | Allows the connection unless there is a firewall rule that explicitly blocks the connection. |
Warning
If you set Outbound connections to Block and then deploy the firewall policy by using a Group Policy object (GPO), computers that receive it will not receive subsequent Group Policy updates unless you first create and deploy an outbound rule that enables Group Policy to work. Because the affected computers can no longer retrieve a corrected GPO either, the mistake cannot be undone centrally and must be fixed on each computer. The predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles on a small set of computers before deploying the policy broadly.
Protected network connections
Use these settings to specify which network adapters are subject to the configuration of this profile. Click Customize to display the Customize Protected Network Connections for a Firewall Profile dialog box.
Settings
Use these settings to control notifications, unicast responses to multicast or broadcast traffic, and Group Policy rule merging. Click Customize to display the Customize Settings for a Firewall Profile dialog box.
Logging
Use these settings to configure how Windows Firewall with Advanced Security logs events, how big the log file can grow, and where the log file is located. Click Customize to display the Customize Logging Settings for a Firewall Profile dialog box.
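The profile settings described above (firewall state, the inbound and outbound default actions, the Core Networking safeguard from the Warning, and logging) can also be set from the command line. The following PowerShell script is an added example, not code from the original page; it uses netsh advfirewall, which is the command-line interface available on Windows 7 and Windows Server 2008 R2 (the NetSecurity cmdlets such as Set-NetFirewallProfile first shipped with Windows 8 and Windows Server 2012). The log path and size, and the choice to block outbound traffic only on the domain profile, are assumptions for illustration.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# prompt on Windows 7 / Server 2008 R2. Every netsh call is checked, so a typo
# in a profile or option name fails loudly instead of silently leaving the
# setting unchanged.

function Invoke-Netsh {
    # Runs one "netsh advfirewall ..." command and throws on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & netsh.exe advfirewall @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($Arguments -join ' ') failed: $output"
    }
    return $output
}

# 1. Firewall state: On for all three profiles (the recommended setting).
Invoke-Netsh 'set','allprofiles','state','on'

# 2. Default actions. Inbound: Block (anything no allow rule matches is dropped).
#    Outbound stays at Allow for now; see step 3 before switching it to Block.
Invoke-Netsh 'set','allprofiles','firewallpolicy','blockinbound,allowoutbound'

# 3. Guard against the Group Policy lock-out described in the Warning above:
#    enable the predefined Core Networking rule group (which carries the
#    outbound rules Group Policy refresh relies on) BEFORE outbound traffic is
#    blocked. Blocking outbound on the domain profile here is an assumption;
#    test it on a pilot machine first.
Invoke-Netsh 'firewall','set','rule','group=Core Networking','new','enable=yes'
Invoke-Netsh 'set','domainprofile','firewallpolicy','blockinbound,blockoutbound'

# 4. Logging: log dropped and allowed connections, cap the file size (KB), and
#    write to the default log location (assumed path).
$logPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
foreach ($profile in 'domainprofile','privateprofile','publicprofile') {
    Invoke-Netsh 'set',$profile,'logging','filename',$logPath
    Invoke-Netsh 'set',$profile,'logging','maxfilesize','4096'
    Invoke-Netsh 'set',$profile,'logging','droppedconnections','enable'
    Invoke-Netsh 'set',$profile,'logging','allowedconnections','enable'
}

# 5. Show what is actually in effect on this computer. Compare this output on
#    a pilot machine, then run "gpupdate /force" there to confirm Group Policy
#    still refreshes before the same settings go into a GPO.
Invoke-Netsh 'show','allprofiles'
```

Logging allowed connections as well as dropped ones is useful while testing an outbound-block policy, because the log shows exactly which flows the Core Networking rules permit; reduce it to dropped connections only once the policy is stable, since the allowed-connection log grows quickly.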
IPsec Settings tab
Use this tab to configure the IPsec default and system-wide settings.
IPsec defaults
Use these settings to configure the key exchange, data protection, and authentication methods used by IPsec to help protect network traffic. Click Customize to display the Customize IPsec Settings dialog box.
IPsec exemptions
Use this option to determine whether network traffic containing Internet Control Message Protocol (ICMP) messages is protected by IPsec.
ICMP is commonly used by network troubleshooting tools and procedures. Many network administrators exempt ICMP packets from IPsec protection to ensure that these messages are not blocked. Keep in mind that exempted ICMP traffic is neither authenticated nor encrypted by IPsec.
Important
This setting exempts ICMP from the IPsec portion of Windows Firewall with Advanced Security only. To ensure that ICMP packets are allowed through Windows Firewall, you must create and enable an inbound rule.
Note
If you enable file and printer sharing in the Network and Sharing Center, Windows Firewall with Advanced Security automatically enables firewall rules that allow commonly used ICMP packet types. However, this will also enable network features that are not related to ICMP. If you want to enable ICMP only, then create and enable a rule in Windows Firewall to allow inbound ICMP network packets.
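The two halves described in the Important and Note paragraphs above (the IPsec exemption, and the separate inbound firewall rule that is still needed) can be configured from the command line. The following PowerShell script is an added example, not code from the original page; it uses netsh advfirewall on Windows 7 and Windows Server 2008 R2. The rule names and the decision to allow only echo requests (ICMPv4 type 8, ICMPv6 type 128) are assumptions for illustration.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# prompt on Windows 7 / Server 2008 R2.

function Invoke-Netsh {
    # Runs one "netsh advfirewall ..." command and throws on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & netsh.exe advfirewall @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($Arguments -join ' ') failed: $output"
    }
    return $output
}

# 1. IPsec exemption: the equivalent of the "IPsec exemptions" option on the
#    IPsec Settings tab. This only tells IPsec not to require protection for
#    ICMP; it does NOT open the firewall, and the exempted ICMP traffic is
#    neither authenticated nor encrypted.
Invoke-Netsh 'set','global','ipsec','defaultexemptions','icmp'

# 2. Inbound firewall rule: without this, ICMP is still dropped when the
#    profile's inbound default is Block. Scope it narrowly to echo requests
#    rather than enabling the File and Printer Sharing group, which would also
#    open the SMB and NetBIOS ports that are unrelated to ICMP.
$v4Rule = 'Allow ICMPv4 Echo Request (added example)'   # assumed rule name
$v6Rule = 'Allow ICMPv6 Echo Request (added example)'   # assumed rule name
Invoke-Netsh 'firewall','add','rule',"name=$v4Rule",
             'dir=in','action=allow','protocol=icmpv4:8,any','enable=yes'
Invoke-Netsh 'firewall','add','rule',"name=$v6Rule",
             'dir=in','action=allow','protocol=icmpv6:128,any','enable=yes'

# 3. Verify both halves: the global IPsec settings and the new inbound rules.
Invoke-Netsh 'show','global'
Invoke-Netsh 'firewall','show','rule',"name=$v4Rule"
Invoke-Netsh 'firewall','show','rule',"name=$v6Rule"
```

If you only need hosts to answer ping, the exemption in step 1 is not required on a computer that has no connection security rules; the inbound rule in step 2 is what actually lets the echo request through. Conversely, on a computer whose connection security rules require IPsec for all traffic, step 2 alone is not enough, because unprotected ICMP from an unauthenticated peer is still rejected by IPsec.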
IPsec tunnel authorization
Use this option when you have a connection security rule that creates an IPsec tunnel mode connection from a remote computer to the local computer, and you want to specify the users and computers that are permitted or denied access to the local computer through the tunnel. Select Advanced, and then click Customize to display the Customize IPsec Tunnel Authorizations dialog box.
The authorizations you specify here are in effect only for those tunnel rules on which the Apply authorization option has been selected on the Customize IPsec Tunneling Settings dialog box.