Using the Netsh Advfirewall Command-Line Tool

Updated: December 1, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Netsh is a command-line tool that you can use to configure settings for network components. You can configure Windows Firewall with Advanced Security settings through commands in the netsh advfirewall context. Using Netsh, you can create scripts to automatically configure Windows Firewall with Advanced Security settings, create firewall rules and connection security rules, monitor active connections, and display the configuration and status of Windows Firewall with Advanced Security.

To enter the netsh context, at an elevated command prompt, type:


When you enter the netsh context, the command prompt will display the netsh> prompt. From there, enter the advfirewall context by typing:


After you are in the advfirewall context, you can type commands in that context. Commands include the following:

  • export. Exports the current firewall policy to a file.

  • dump. This command is not implemented in the advfirewall context. No output is produced, and no error messages are generated.

  • help. Displays a list of available commands.

  • import. Imports a firewall policy from the specified file.

  • reset. Restores Windows Firewall with Advanced Security to the default configuration.

  • set. Supports the following commands:

    • set file. Copies the console output to a file.

    • set machine. Sets the current computer on which to operate.

  • show. Shows the properties for a particular profile. For example:

    • show allprofiles

    • show domainprofile

    • show privateprofile

    • show publicprofile

In addition to the commands available for the advfirewall context, advfirewall also supports subcontexts. To enter a subcontext, type the name of the subcontext at the netsh advfirewall> prompt. The available subcontexts are:

  • consec. Allows you to view and configure computer security connection rules.

  • firewall. Allows you to view and configure firewall rules.

  • mainmode. Allows you to view and configure main mode configuration rules.

  • monitor. Allows you to view the current IPsec, firewall, and main mode states, and the current quick mode and main mode security associations established on the local computer. You can also monitor other aspects of IPsec by using the Netsh Commands for Windows Filtering Platform (WFP) in Windows Server 2008 R2 context.


In any netsh context, you can type help to view a full list of commands, including commands specific to a context. For information and syntax about using a command, type <commandname> /?.

For more information about netsh, see Netsh Technical Reference (, and Netsh Commands for Windows Firewall with Advanced Security (