Firewall Rule Properties - General
Applies To: Windows Server 2008
General rule properties
This is the name of the firewall rule.
As a best practice, give the firewall rules a unique name. Unique names makes management using the netsh commands much easier.
This is a description of the rule. You can use this to provide information about the rule that can be useful, such as the rule owner, the rule requestor, or the date of creation.
Select this check box to enable the rule. Enabling a rule causes Windows Firewall with Advanced Security to filter connections according to the criteria in this rule.
Select one of these options to determine which action Windows Firewall with Advanced Security will take for incoming or outgoing packets that match the firewall rule criteria.
Firewall rules are applied with the following precedence:
Allow this firewall rule to override block rules
Default profile behavior (allow connection or block connection, as specified on the Profile tab of the Windows Firewall with Advanced Security Properties dialog)
Allow the connections
Use this option to allow a connection that matches all specified criteria. This option will allow connections whether or not they have been protected by using IPsec, as defined by a connection security rule.
Allow only secure connections
Use this option to specify that only connections that are protected by using IPsec are allowed. These settings are defined in a connection security rule. Connections from computers or users that do not match the criteria in this rule will be filtered according to another rule or according to the settings for the active profile.
If you use this option and then select authorized users or authorized computers on the Users and Computers tab, you must use an authentication method that includes user or computer information as appropriate because Windows Firewall with Advanced Security will use the authentication method from the connection security rule to match the users and computers you specify on the Users and Computers tab. For example, for computers, the authentication method must include Computer (Kerberos V5) or a Computer Certificate with certificate-to-account mapping. If you do not specify users or computers, you can use any authentication method.
Use this option to require that all communications that match the rule criteria use data encryption as defined in a connection security rule. If the peer computer does not support data encryption, then the connection is blocked. Windows Firewall with Advanced Security uses the Data Protection settings on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.
Override block rules
Use this option to allow the connections that match this firewall rule to override any firewall rules that explicitly block connections. This option is also known as authenticated bypass. Normally, rules that explicitly block connections have priority over rules that allow connections. If you use this option, the connection is allowed even if another rule blocks the connection. This option is most often used for vulnerability scanners. If you do not use this option, any blocking firewall rules that match the same firewall rule criteria will take precedence and the connections will be blocked. If you select this option, you must specify at least one computer or computer group for authorization on the Users and Computers tab.
The Override block rules option is not for outbound firewall rules.
Also, if you have configured Inbound connections to be Block all connections under State on the Windows Firewall with Advanced Security Properties dialog box, then the connections will be blocked regardless of this option's setting.
Block the connections
Use this option to explicitly block communications with peers when the packet information matches the firewall rule criteria. The block action takes precedence over the allow action unless the Override block rules option is selected when the firewall rule is created.