Configure firewall settings |
If enabled, you can configure global settings, network settings, and custom firewall rules on
traffic to and from your Windows endpoints. |
Windows 10+ Professional, Education, Enterprise |
Global settings |
Disable file transfer protocol |
If enabled, this option sets how the firewall handles FTP traffic. If you select
No, the firewall performs stateful tracking of FTP traffic. If you select
Yes, the firewall does not inspect FTP traffic.
|
Windows 10+ Professional, Education, Enterprise |
Security association idle time before deletion |
Set the maximum amount of time (in seconds) the device waits before deleting idle security
associations. Range is 300 - 3600 seconds. Security associations are an agreement between two
peers or endpoints. These agreements contain all the information required to securely exchange
data.
|
Windows 10+ Professional, Education, Enterprise |
Pre-shared key encoding |
Select the type of encoding used for the pre-shared key. A pre-shared key (PSK) is a
secret key that is shared between two devices (for example, a client and a server) that are
connected by a secured channel. The PSK is used by the server to authenticate the client. A PSK
might be used in environments where it is not possible to use client certificates for mutual
authentication.
|
Windows 10+ Professional, Education, Enterprise |
IPsec exemptions |
Select the traffic that is exempt from IPsec processing. Internet Protocol Security (IPsec) is a
framework of open standards for private, secure communication over Internet Protocol (IP) networks
through the use of cryptographic security services; it is a set of security protocols used to
transfer IP packets confidentially across the Internet. IPsec supports network-level peer
authentication, data origin authentication, data integrity, data confidentiality (encryption), and
replay protection. IPsec is mandatory for all IPv6 implementations and optional for IPv4.
- Exempt neighbor discovery IPv6 ICMP-type codes
- Exempt ICMP
- Exempt router discovery IPv6 ICMP-type codes
- Exempt both IPv4 and IPv6 DHCP traffic
|
Windows 10+ Professional, Education, Enterprise |
Certificate revocation list verification |
Select how to enforce the certificate revocation list verification.
- Disable CRL verification (default): Disables the CRL checking.
- Fail CRL verification on revoked certificate only: CRL checking is
attempted and certificate validation fails only if the certificate is revoked. Other failures that
are encountered during CRL checking (such as the revocation URL being unreachable) do not cause
certificate validation to fail.
- Fail CRL check on any error encountered: CRL checking is required and
certificate validation fails if any error is encountered during CRL processing.
|
Windows 10+ Professional, Education, Enterprise |
Enable opportunistically match authentication set per keying
module |
Sets how key modules ignore authentication suites. Enabling this option forces key modules to
ignore only the authentication suites they do not support. Disabling this option forces key modules
to ignore the entire authentication set if they do not support all the authentication suites in the
set. |
Windows 10+ Professional, Education, Enterprise |
Packet queuing |
Select how packet queuing works on the device. This setting controls receive-side scaling of the
software for both the encrypted receive path and the clear-text forward path in the IPsec tunnel
gateway scenario; using it ensures that packet order is preserved. The value is an integer that is
a combination of flags. Valid values:
- Disabled queueing: All queuing is disabled.
- Queue inbound encrypted packets: Inbound encrypted packets are queued.
- Queue only after packet encryption: Packets are queued after decryption is performed for
forwarding.
|
Windows 10+ Professional, Education, Enterprise |
- Configure domain (workplace) network
- Configure private (non-discoverable) network
- Configure public (discoverable) network
|
- Enable stealth mode: If this option is enabled, the device is set in
stealth mode.
Stealth mode helps prevent malicious users from gaining information about network
devices and services. When enabled, stealth mode blocks outgoing ICMP unreachable and TCP reset
messages from ports without an app actively listening on that port.
- Disable IPsec secured packet exemption with stealth mode: If enabled,
this option sets how the firewall handles unsolicited traffic secured by IPsec. If this option is
not enabled, the firewall allows unsolicited network traffic secured by IPsec. This setting only
applies when you enable stealth mode.
- Enable shielded: If this option is enabled and the firewall is enabled,
the server must block all incoming traffic regardless of other policy settings. The default value is
to clear the check box.
- Disable unicast responses to multicast broadcasts: If enabled, this
option sets the behavior for the responses to multicast or broadcast network traffic. If you
disable this option, the firewall blocks all responses to multicast or broadcast network traffic.
- Disable inbound notifications: If enabled, this option sets the
notification behavior for the firewall. The firewall might send notifications to the user when it
blocks a new app. If this option is disabled (check box is clear), the firewall does not send any
notifications.
- Block outbound connections: If enabled, the firewall blocks outbound
connections. The firewall blocks all outbound traffic unless explicitly specified otherwise.
- Block inbound connections: If enabled, the firewall blocks all inbound
connections. The firewall blocks all inbound traffic unless explicitly specified otherwise.
- Enforce authorized application firewall rules from the local store: If
you select Yes, authorized application firewall rules in the local store are
applied because they are recognized and enforced by the firewall.
- Enforce Defender firewall rules from the local store: If you select
Yes, firewall rules in the local store are applied because they are
recognized and enforced by the firewall.
- Enforce global port Defender firewall rules from the local store: If you
select Yes, global port firewall rules in the local store are applied because
they are recognized and enforced by the firewall.
- Enforce IPsec rules from the local store: If you select
Yes, connection security rules from the local store are applied, regardless
of schema or connection security rule versions.
|
Windows 10+ Professional, Education, Enterprise |
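The per-profile options above interact: "Enable shielded" overrides every inbound rule, the IPsec exemption toggle has no effect unless stealth mode is on, and any locally stored rule class that is still enforced can widen the policy pushed from the console. The following is an added example, not code from the page or its vendor, that derives the effective posture of one network profile from those options. The option keys and the baseline used to fill unspecified options are constructed here to mirror the page's labels; they are not the product's default values.

```python
"""Derive the effective posture of one firewall network profile from the
per-profile options described above. Added example, not vendor code; the
option keys and BASELINE values are constructed for illustration."""

# Constructed baseline used only to fill in options a caller does not set.
BASELINE = {
    "enable_stealth_mode": True,
    "disable_ipsec_exemption_with_stealth": False,
    "enable_shielded": False,
    "disable_unicast_responses": False,
    "disable_inbound_notifications": False,
    "block_outbound_connections": False,
    "block_inbound_connections": True,
    "enforce_local_app_rules": True,
    "enforce_local_firewall_rules": True,
    "enforce_local_port_rules": True,
    "enforce_local_ipsec_rules": True,
}

LOCAL_RULE_SOURCES = (
    "enforce_local_app_rules",
    "enforce_local_firewall_rules",
    "enforce_local_port_rules",
    "enforce_local_ipsec_rules",
)


def effective_posture(options: dict) -> dict:
    """Summarise what the profile actually does once the interactions the page
    describes are applied. Returns inbound/outbound posture plus findings."""
    o = {**BASELINE, **options}
    findings = []

    # Shielded wins over every other inbound setting and every rule.
    if o["enable_shielded"]:
        inbound = "all inbound blocked (shielded overrides every rule)"
    elif o["block_inbound_connections"]:
        inbound = "inbound blocked unless explicitly allowed by a rule"
    else:
        inbound = "inbound allowed by default"
        findings.append("inbound traffic is allowed by default")

    outbound = ("outbound blocked unless explicitly allowed by a rule"
                if o["block_outbound_connections"] else "outbound allowed by default")

    # The IPsec exemption toggle only applies while stealth mode is enabled.
    if o["disable_ipsec_exemption_with_stealth"] and not o["enable_stealth_mode"]:
        findings.append("IPsec exemption setting has no effect: stealth mode is disabled")
    if not o["enable_stealth_mode"]:
        findings.append("stealth mode disabled: closed ports answer with ICMP unreachable / TCP RST")

    # Locally stored rules that are still enforced are merged with console policy,
    # except under shielded, where all inbound traffic is blocked regardless.
    merged = [k for k in LOCAL_RULE_SOURCES if o[k]]
    if merged and not o["enable_shielded"]:
        findings.append("locally stored rules are merged: " + ", ".join(merged))

    return {"inbound": inbound, "outbound": outbound, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a public-profile policy with stealth mode switched off.
    sample = {"enable_stealth_mode": False, "disable_ipsec_exemption_with_stealth": True}
    for key, value in effective_posture(sample).items():
        print(f"{key}: {value}")
```

Feed the function the option values a policy is about to push and review the findings before deployment; a non-empty findings list is the cue to re-check the policy against the intended baseline.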
Configure firewall rules |
A list of rules controlling traffic through the Windows Firewall. To add a rule, click the
Add (+) icon in the right corner of this section.
- Rule name: A unique alphanumeric identifier for the rule. The rule name
cannot include a forward slash (/).
- Rule description: A description of the rule.
- Traffic direction: The direction of traffic to which the rule applies.
- Outbound (default): The rule applies to outbound traffic.
- Inbound: The rule applies to inbound traffic.
- Block traffic: The rule blocks traffic in the direction selected in the
Traffic direction setting. By default, this option is not set and the rule allows traffic.
- Network types: The type of network (domain, private, or public) that
applies to the rule. If no network type is selected, the default is all types of networks.
- Application configurations: The rules that control connections for an
app, program, or service.
- All (default): The rule applies to all apps, programs, or services.
- Package family name: The unique name of the Microsoft Store app. For more
information on how to obtain the package family name, see Examples of obtaining Windows app IDs manually.
- File path: The full file path of the app. For example:
C:\Windows\System\Notepad.exe
- Windows service: The service name that is used when a service, not an
app, is sending or receiving traffic.
- IP address configuration - local address: The local IP addresses that
apply to the rule:
- Any address
- Specific addresses: A comma-separated list of local addresses that are
covered by the rule.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address-end address" with no spaces included. For
example: 24.194.231.8-24.194.231.12
- An IPv6 address range in the format of "start address-end address" with no spaces included. For
example: 2001:0DB8:ABCD:0012:0000:0000:0000:0000-2001:0DB8:ABCD:0012:FFFF:FFFF:FFFF:FFF
- IP address configuration - remote address: The remote IP addresses that
apply to the rule:
- Any address
- Specific addresses: A comma-separated list of tokens that specify the
remote addresses that are covered by the rule.
- "Defaultgateway"
- "DHCP"
- "DNS"
- "WINS"
- "Intranet" (This token is supported on Windows 10+ version 1809 and later.)
- "RmtIntranet" (This token is supported on Windows 10+ version 1809 and later.)
- "Internet" (This token is supported on Windows 10+ version 1809 and later.)
- "Ply2Renders" (This token is supported on Windows 10+ version 1809 and later.)
- "LocalSubnet" indicates any local address on the local subnet. This token is not
case-sensitive.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address-end address" with no spaces included. For
example: 24.194.231.8-24.194.231.12
- An IPv6 address range in the format of "start address-end address" with no spaces included. For
example: 2001:0DB8:ABCD:0012:0000:0000:0000:0000-2001:0DB8:ABCD:0012:FFFF:FFFF:FFFF:FFF
- Protocols and ports: The local and remote protocols or ports that apply
to the rule.
- Any (default): Any port or protocol applies to the rule.
- TCP: (Transmission Control Protocol) A communication protocol used in the
Internet and in any network that follows the Internet Engineering Task Force (IETF) standards for
internetwork protocol. TCP provides a reliable host-to-host protocol in packet-switched
communication networks and in interconnected systems of such networks.
- All ports
- Specific ports: A comma-separated list of port ranges.
- UDP: (User Datagram Protocol) An Internet protocol that provides
unreliable, connectionless datagram service. It enables an application program on one machine or
process to send a datagram to an application program on another machine or process.
- All ports
- Specific ports: A comma-separated list of port ranges.
- Custom port: A comma-separated list of port numbers. Valid values are 0 -
255.
- Interface types: The type of network connection that applies to the rule.
- Remote access
- Wireless
- LAN
- Authorized users: The list of authorized local users for this rule. The
list is a string in the Security Descriptor Definition Language (SDDL) format. For more information
on SDDL, see https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format.
|
Windows 10+ Professional, Education, Enterprise |
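A rule that violates the field constraints above (a slash in the rule name, a space inside an address range, a reversed range, more than one application selector, a malformed port list) is rejected or silently misapplied at the endpoint, so it pays to validate rule definitions before pushing them. The following is an added example, not code from the page or its vendor: a pre-flight validator that checks a rule, modelled as a plain dict whose keys are constructed here to mirror the page's fields, against the constraints the page lists. The port bounds 1-65535 are an assumption the page does not state; the two sample rules are constructed.

```python
"""Pre-flight validation of a Windows firewall rule definition before it is
pushed to endpoints. Added example, not vendor code. Field names in the rule
dict and the sample rules are constructed to mirror the page's fields."""
import ipaddress
import re
from typing import Optional

DIRECTIONS = {"Inbound", "Outbound"}
NETWORK_TYPES = {"domain", "private", "public"}
INTERFACE_TYPES = {"Remote access", "Wireless", "LAN"}
# Remote-address tokens listed on the page. LocalSubnet is documented as
# case-insensitive; the others are compared exactly.
REMOTE_TOKENS = {"Defaultgateway", "DHCP", "DNS", "WINS", "Intranet",
                 "RmtIntranet", "Internet", "Ply2Renders"}
PORT_RANGE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def check_address(token: str, allow_tokens: bool) -> Optional[str]:
    """Return an error for one address entry, or None if it is valid. Accepts a
    single IPv4/IPv6 address or a 'start-end' range written without spaces."""
    if " " in token:
        return f"address '{token}' contains a space"
    if allow_tokens and (token in REMOTE_TOKENS or token.lower() == "localsubnet"):
        return None
    parts = token.split("-")  # IPv6 text never contains '-', so a range splits in two
    if len(parts) > 2:
        return f"address '{token}' is not an address or a start-end range"
    try:
        ends = [ipaddress.ip_address(p) for p in parts]
    except ValueError:
        return f"address '{token}' is not a valid IP address or range"
    if len(ends) == 2:
        if ends[0].version != ends[1].version:
            return f"range '{token}' mixes IPv4 and IPv6"
        if ends[0] > ends[1]:
            return f"range '{token}' has start after end"
    return None


def check_ports(spec: str) -> list:
    """Validate a comma-separated list of port ranges such as '80,443,1024-65535'.
    The 1-65535 bounds are an assumption; the page does not state them."""
    errors = []
    for item in spec.split(","):
        m = PORT_RANGE.match(item)
        if not m:
            errors.append(f"port entry '{item}' is not a number or a range")
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            errors.append(f"port entry '{item}' is out of range or reversed")
    return errors


def validate_rule(rule: dict) -> list:
    """Return every problem found in a rule; an empty list means it is acceptable."""
    errors = []
    name = rule.get("name", "")
    if not name or "/" in name:
        errors.append("rule name must be non-empty and must not contain '/'")
    if rule.get("direction", "Outbound") not in DIRECTIONS:
        errors.append("direction must be Inbound or Outbound")
    if set(rule.get("network_types", [])) - NETWORK_TYPES:
        errors.append("unknown network type")
    if set(rule.get("interface_types", [])) - INTERFACE_TYPES:
        errors.append("unknown interface type")
    # At most one application selector: package family name, file path or service.
    selectors = [k for k in ("package_family_name", "file_path", "service") if rule.get(k)]
    if len(selectors) > 1:
        errors.append("specify only one of package family name, file path or service")
    for field, allow_tokens in (("local_addresses", False), ("remote_addresses", True)):
        spec = rule.get(field, "Any")
        if spec != "Any":
            errors.extend(e for e in (check_address(t, allow_tokens) for t in spec.split(",")) if e)
    proto = rule.get("protocol", "Any")
    if proto in ("TCP", "UDP"):
        for field in ("local_ports", "remote_ports"):
            spec = rule.get(field, "All")
            if spec != "All":
                errors.extend(check_ports(spec))
    elif proto == "Custom":
        # The page lists 0-255 as the valid values for the custom entry.
        for item in str(rule.get("custom", "")).split(","):
            if not item.isdigit() or not 0 <= int(item) <= 255:
                errors.append(f"custom value '{item}' must be 0-255")
    elif proto != "Any":
        errors.append("protocol must be Any, TCP, UDP or Custom")
    return errors


# Constructed sample rules: one that passes and one with seven defects.
GOOD_RULE = {
    "name": "Allow-Notepad-Out", "direction": "Outbound",
    "network_types": ["domain", "private"], "interface_types": ["LAN", "Wireless"],
    "file_path": r"C:\Windows\System\Notepad.exe", "local_addresses": "Any",
    "remote_addresses": "LocalSubnet,24.194.231.8-24.194.231.12,"
                        "2001:0DB8:ABCD:0012:0000:0000:0000:0000-2001:0DB8:ABCD:0012:FFFF:FFFF:FFFF:FFF",
    "protocol": "TCP", "remote_ports": "443,8000-8080",
}
BAD_RULE = {
    "name": "bad/name", "direction": "Both", "file_path": r"C:\app.exe", "service": "spooler",
    "remote_addresses": "10.0.0.1 - 10.0.0.9,192.168.1.5-10.0.0.1,Internet",
    "protocol": "UDP", "local_ports": "53,70000,500-400",
}

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, validate_rule(rule) or "ok")
```

Run the validator over every rule in a policy before it is assigned; each returned string names the offending field and value, so a rejected rule can be corrected at the console rather than diagnosed on an endpoint after the fact.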