Netsh AdvFirewall MainMode Commands

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Typing the command mainmode at the netsh advfirewall context changes to the netsh advfirewall mainmode context, where you can view, create, and modify main mode rules that specify how IPsec negotiates main mode security associations between computers on the network. This context has no equivalent in the Windows Firewall with Advanced Security MMC snap-in.

Note

The mainmode context is available only on computers that are running Windows 7 or Windows Server 2008 R2.

In earlier versions of Windows, there is only one main mode configuration available. It is available from the Windows Firewall with Advanced Security MMC snap-in. To find it, select Windows Firewall Properties, select the IPsec Settings tab, and then under IPsec defaults click Customize. You can also configure these settings in netsh by using the netsh advfirewall set global mainmode command.

Starting in Windows 7 and Windows Server 2008 R2, you can create rules that are compared to inbound and outbound network traffic. When the network traffic matches a rule, the main mode settings specified in that rule are used to negotiate and establish the connection to the remote host. You can create rules for each network location profile, or rules that match only certain network or host addresses. If no rule matches, then the global default values set as described in the previous paragraph are used for the connection. If a policy containing these rules is applied to a computer running an earlier version of Windows, then the rules are ignored and the global settings are used instead.

This netsh context is subject to the requirements of the Common Criteria mode. If enabled, then administrators can create main mode rules, but they cannot specify the mmsecmethods or mmkeylifetime parameters. Only members of the Cryptographic Operators group can set or modify those parameters. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (https://go.microsoft.com/fwlink/?linkid=147070).

Important

If multiple main mode rules match a given network packet, then the choice of rule that is applied to the packet is non-deterministic, which can result in failed communications. We recommend that you avoid creating rules that have overlapping parameters to help prevent this situation.

To view the syntax of commands available in the mainmode context, click a command:

  • add

  • delete

  • set

  • show

add

In the netsh advfirewall mainmode context, the add command only has one variation, the add rule command.

add rule

Adds a main mode rule that defines how IPsec negotiates a main mode security association (SA) with a remote computer when a network connection matches the specified criteria.

Syntax

add rule

name = RuleName

mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }

[ mmforcedh = { yes | no } ]

[ mmkeylifetime = Lifemin,Numsess ]

[ description = DescriptionOfRule ]

[ enable = { yes | no } ]

[ profile = { public | private | domain | any } [ ,... ] ]

endpoint1 = Addresses

endpoint2 = Addresses

[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous } [ ,... ] ]

[ auth1psk = PreSharedKey ]

[ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

[ auth1healthcert = { yes | no } ]

[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

[ auth1ecdsap256healthcert = { yes | no } ]

[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

[ auth1ecdsap384healthcert = { yes | no } ]

[ type = { dynamic | static } ]

Parameters

  • name = RuleName
    Required. Specifies the name of this main mode rule. The name should be unique, and cannot be "all."
  • mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }
    Required. Specifies the Diffie-Hellman key exchange group, integrity, and encryption protocols that are offered in IPsec negotiations with other computers. The format is either:

    • KeyExch:Encryption-Integrity [ ,… ]

      Where:

      KeyExch is one of:

      dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384

      Encryption is one of:

      des | 3des | aes128 | aes192 | aes256

      Integrity is one of:

      md5 | sha1 | sha256 | sha384

      You can enter multiple Encryption-Integrity combinations that use the same KeyExch algorithm by following the KeyExch entry with the first Encryption-Integrity pair, followed by additional Encryption-Integrity pairs that are separated by commas. You can also enter multiple complete KeyExch:Encryption-Integrity entries by separating them with commas.

    • default. When managing the local computer policy store, this entry is equivalent to entering the following entry: dhgroup2:aes128-sha1,3des-sha1

  • [ mmforcedh = { yes | no } ]
    Specifies that IPsec uses Diffie-Hellman exchanges to protect the main mode key exchange when AuthIP is used. This provides stronger security for the key exchange.

    The default setting is no.

  • [ mmkeylifetime = Lifemin,Numsess ]
    Specifies the number of minutes and number of sessions established for a Main Mode SA before it expires and must be renegotiated.

    A value of 0 for either parameter means that the SA does not expire based on the type specified. For example, the values 480min,0sess indicate that the SA expires every eight hours, but does not expire because of a certain number of sessions established.

    notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default value is 480min,0sess. The lifetime can range from 1 to 2880 minutes, or 0 to 2,147,483,647 sessions.

  • [ description = DescriptionOfRule ]
    Provides information about the main mode rule. Include quotation marks if the description includes any spaces.
  • [ enable = { yes | no } ]
    Specifies whether the rule is currently enabled.

    If enable is not specified, the default is yes.

  • [ profile = { public | private | domain | any } [ ,... ] ]
    Specifies the profile(s) to which the main mode rule is assigned. The rule is active on the local computer only when the specified profile is currently active.

    If profile is not specified, the default is any.

  • endpoint1 = Addresses endpoint2 = Addresses
    Specifies the computers that are subject to the requirements of this main mode rule. Computers that match endpoint1 can communicate with computers that match endpoint2 only when the requirements of this rule are satisfied. Endpoint1 and endpoint2 can be any of the following values:

    • any. Matches a computer with any IPv4 or IPv6 address.

    • localsubnet. Matches any computer that is on the same subnet as the local computer.

    • dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

      Note

      These values are valid in endpoint2 only.

    • IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for either endpoint1 or endpoint2 by separating them with a comma. Do not include any spaces in the completed comma-separated text.

  • [ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous } [ ,... ] ]
    Specifies the methods offered for main mode first authentication during IPsec negotiations. Multiple values can be included by separating them with commas. Do not include any spaces. If the negotiation uses IKE, the first match between the two computers is attempted. If it fails, the negotiation fails. If the negotiation uses AuthIP, then each match is tried in order, until one succeeds. If they all fail, then the negotiation fails. Windows uses IKE when it can, and uses AuthIP if you specify any options that are not supported by IKE.

    For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that first authentication is optional.

    The value can be any of the following:

    • computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

    • computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

    • computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. The preshared key is stored in plaintext. We strongly recommend the use of a more secure authentication method.

    • computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

    • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

  • [ auth1psk = PreSharedKey ]
    Required only if computerpsk is included in the auth1 parameter. Specifies the preshared key value that is used for authentication if the computerpsk option is negotiated. The value is stored in plaintext, and we recommend that you do not use preshared key authentication.
  • [ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
    Specifies RSA-signed certificate authentication options for main mode first authentication, and is valid only if auth1 includes computercert. Multiple certificates can be referenced by separating each entry by using the '|' character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:

    • CAName
      Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
    • certmapping: { yes | no }
      Specifies whether to enable certificate-to-account mapping.
    • excludecaname: { yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
    • catype: { root | intermediate }
      Specifies the type of CA that issued the certificate. The value can be root or intermediate. If not specified, the default is root.
  • [ auth1healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercert.

    If auth1healthcert is not specified, the default is no.

  • [ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
    Specifies 256-bit ECDSA-signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertecdsap256. The parameters of this option are identical to the auth1ca option described above.
  • [ auth1ecdsap256healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap256ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap256.
  • [ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
    Specifies 384-bit ECDSA-signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertecdsap384. The parameters of this option are identical to the auth1ca option described above.
  • [ auth1ecdsap384healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap384ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap384.
  • [ type = { dynamic | static } ]
    Specifies how the rule is applied to the current session and whether the rule is stored. The value can be one of the following:

    • dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not stored in any policy container and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

    • static. The rule is stored in the policy container currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer. If the computer's local policy store is the active store, then the rule is immediately applied.

    If type is not specified, the default is static.

Remarks

  • Main mode rules are valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

  • If the operating system is running in Common Criteria mode, then only administrators can create main mode rules, but they cannot specify the mmsecmethods or mmkeylifetime parameters. Members of the Cryptographic Operators group can then use the set rule command to add those parameters to the existing rule created by the administrator. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (https://go.microsoft.com/fwlink/?linkid=147070).

  • Do not create a main mode rule with the name all. Doing this creates a conflict with the netsh option to select all main mode rules (for example, delete rule name=all).

  • Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\').

  • We recommend that you do not use the options DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.

Examples

  • The following command creates a main mode rule that specifies using alternate authentication and security methods for clients that communicate with the server at address 192.168.0.5 only.

    add rule name="Alternate Main Mode Rule" description="Use alternate sec methods for HR server" endpoint1=any endpoint2=192.168.0.5 mmsecmethods=dhgroup2:3des-sha256,3des-sha384 auth1=computercert auth1ca="insert CA name here" auth1healthcert=no mmkeylifetime=2min profile=domain
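
The mmsecmethods and auth1 rules described above can be checked before a value is passed to netsh. The following PowerShell is an added example, not part of the original reference; the function names Test-MmSecMethods and Test-Auth1 and the second sample are hypothetical, and the checks encode only the constraints stated on this page.

```powershell
# Added example (not from the original reference). Function names and the second
# sample are hypothetical; the checks encode only rules stated on this page.
$KeyExch     = 'dhgroup1','dhgroup2','dhgroup14','ecdhp256','ecdhp384'
$Encryption  = 'des','3des','aes128','aes192','aes256'
$Integrity   = 'md5','sha1','sha256','sha384'
$Discouraged = 'des','md5','dhgroup1'   # "no longer considered secure" (Remarks)
$AuthMethods = 'computerkerb','computercert','computercertecdsap256',
               'computercertecdsap384','computerpsk','computerntlm','anonymous'

function Test-MmSecMethods {
    param([Parameter(Mandatory = $true)][string]$Value)
    # 'default' expands to this list when managing the local computer policy store.
    if ($Value -eq 'default') { $Value = 'dhgroup2:aes128-sha1,3des-sha1' }
    $kex = $null
    foreach ($item in ($Value.ToLower() -split ',')) {
        $pair = $item.Trim()
        # A "KeyExch:" prefix starts a new group; later pairs without one reuse it.
        if ($pair.Contains(':')) { $kex, $pair = $pair -split ':', 2 }
        $enc, $int = $pair -split '-', 2
        $problems = @()
        if ($KeyExch    -notcontains $kex) { $problems += "invalid or missing KeyExch '$kex'" }
        if ($Encryption -notcontains $enc) { $problems += "invalid Encryption '$enc'" }
        if ($Integrity  -notcontains $int) { $problems += "invalid Integrity '$int'" }
        foreach ($alg in @($kex, $enc, $int)) {
            if ($Discouraged -contains $alg) { $problems += "$alg is not recommended" }
        }
        [pscustomobject]@{
            Proposal = "${kex}:$enc-$int"
            Problems = $problems -join '; '
        }
    }
}

function Test-Auth1 {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [string]$PreSharedKey   # the auth1psk value, if one is supplied
    )
    $problems = @()
    if ($Value -match '\s') { $problems += 'auth1 must not contain spaces' }
    $methods = @($Value.ToLower() -split ',' | ForEach-Object { $_.Trim() })
    foreach ($m in $methods) {
        if ($AuthMethods -notcontains $m) { $problems += "unknown method '$m'" }
    }
    if ($methods -contains 'computerpsk') {
        $problems += 'computerpsk: key is stored in plaintext, not recommended'
        if (-not $PreSharedKey) { $problems += 'auth1psk is required with computerpsk' }
        if ($methods -contains 'computerntlm') { $problems += 'computerpsk cannot be combined with computerntlm' }
        if ($methods -contains 'anonymous')    { $problems += 'computerpsk cannot be combined with anonymous' }
    }
    $pos = [array]::IndexOf($methods, 'anonymous')
    if ($pos -ge 0) {
        $problems += 'anonymous makes first authentication optional'
        if ($pos -ne ($methods.Count - 1)) { $problems += 'anonymous should be listed last' }
    }
    [pscustomobject]@{
        Auth1    = $Value
        Problems = $problems -join '; '
    }
}

# Sample 1 uses the values from the page's own example; sample 2 is constructed.
$samples = @(
    @{ mmsecmethods = 'dhgroup2:3des-sha256,3des-sha384';        auth1 = 'computercert' },
    @{ mmsecmethods = 'dhgroup1:des-md5,ecdhp384:aes256-sha384'; auth1 = 'anonymous,computerpsk' }
)
foreach ($s in $samples) {
    Test-MmSecMethods $s.mmsecmethods | Format-Table -AutoSize -Wrap
    Test-Auth1 $s.auth1 | Format-List
}
```

An empty Problems field means the value passed every check; the first sample passes cleanly, while the constructed second sample is flagged for DES, MD5, DHGroup1, the preshared key, and the position of anonymous.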

delete

In the netsh advfirewall mainmode context, the delete command only has one variation, the delete rule command.

delete rule

Deletes all main mode rules that match the specified criteria.

Syntax

delete rule

name = { all | RuleName }

[ profile = { public | private | domain | any } [ ,... ] ]

[ type = { dynamic | static } ]

Parameters

  • name = { all | RuleName }
    Required. You can specify one of the following values:

    • The rule name of the main mode rule you want deleted. Only the rule with the specified name is deleted.

    • all. Specifies that all rules matching the criteria in the other parameters are deleted. If no other parameters are included in the command then all main mode rules are deleted.

  • [ profile = { public | private | domain | any } [ ,... ] ]
    Specifies that only main mode rules assigned to the specified profile(s) are deleted.
  • [ type = { dynamic | static } ]
    Specifies that only rules of the selected type are deleted.

Remarks

  • If multiple rules are found that match the specified criteria, then they are all deleted.

  • If the operating system is running in Common Criteria mode, then only administrators can delete main mode rules, but they cannot delete a rule that contains a crypto set. First, a member of the Cryptographic Operators group must use the set rule command with the mmsecmethods=none parameter to remove the existing crypto sets, after which the administrator can delete the rule. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (https://go.microsoft.com/fwlink/?linkid=147070).

Examples

  • The following example deletes a rule based on its exact name:

    Delete rule name="MMRule1"

  • The following example deletes all dynamic rules from all profiles:

    delete rule name=all type=dynamic

set

In the netsh advfirewall mainmode context, the set command only has one variation, the set rule command.

set rule

Modifies an existing connection security rule identified by name, or found by matching the specified criteria. Criteria that precede the keyword new identify the rule(s) to be modified. Criteria that follow the keyword new indicate properties that are modified or added.

Syntax

set rule

name = RuleName

[ profile = { public | private | domain | any } [ ,... ] ]

[ type = { dynamic | static } ]

new

mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }

[ mmforcedh = { yes | no } ]

[ mmkeylifetime = Lifemin,Numsess ]

[ description = DescriptionOfRule ]

[ enable = { yes | no } ]

[ profile = { public | private | domain | any } [ ,... ] ]

endpoint1 = Addresses

endpoint2 = Addresses

[ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous } [ ,... ] ]

[ auth1psk = PreSharedKey ]

[ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

[ auth1healthcert = { yes | no } ]

[ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

[ auth1ecdsap256healthcert = { yes | no } ]

[ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]

[ auth1ecdsap384healthcert = { yes | no } ]

[ type = { dynamic | static } ]

Parameters

  • name = RuleName
    Required. Specifies the rule name assigned to an existing main mode rule that you want to modify. If name=all, then all rules that match the other criteria listed before the new keyword are modified.

    If name=all, and no other parameters are included before the new keyword, then all rules are modified as indicated.

  • [ profile = { public | private | domain | any } [ ,... ] ]
    Specifies that only rules assigned to the specified profile(s) match the rule and are modified.
  • [ type = { dynamic | static } ]
    Specifies that only rules of the indicated type match the rule and are modified. The value of type can be either dynamic or static.
  • new
    Any parameter that precedes this keyword is used to find a match for the rules that are modified. Any parameter that follows this keyword indicates a value that is modified in the rules that match the specified criteria.
  • name = RuleName
    Specifies the modified name of this main mode rule. The name should be unique, and cannot be "all."
  • mmsecmethods = { KeyExch:Encryption-Integrity [ ,… ] | default }
    Specifies the Diffie-Hellman key exchange group, integrity, and encryption protocols that are offered in IPsec negotiations with other computers. The format is either:

    • KeyExch:Encryption-Integrity [ ,… ]

      Where:

      KeyExch is one of:

      dhgroup1 | dhgroup2 | dhgroup14 | ecdhp256 | ecdhp384

      Encryption is one of:

      des | 3des | aes128 | aes192 | aes256

      Integrity is one of:

      md5 | sha1 | sha256 | sha384

      You can enter multiple Encryption-Integrity combinations that use the same KeyExch algorithm by following the KeyExch entry with the first Encryption-Integrity pair, followed by additional Encryption-Integrity pairs that are separated by commas. You can also enter multiple complete KeyExch:Encryption-Integrity entries by separating them with commas.

    • default. When managing the local computer policy store, this entry is equivalent to entering the following entry: dhgroup2:aes128-sha1,3des-sha1

  • [ mmforcedh = { yes | no } ]
    Specifies that IPsec uses Diffie-Hellman exchanges to protect the main mode key exchange when AuthIP is used. This provides stronger security for the key exchange.

    The default setting is no.

  • [ mmkeylifetime = Lifemin,Numsess ]
    Specifies the number of minutes and number of sessions established for a Main Mode SA before it expires and must be renegotiated.

    A value of 0 for either parameter means that the SA does not expire based on the type specified. For example, the values 480min,0sess indicate that the SA expires every eight hours, but does not expire because of a certain number of sessions established.

    notconfigured. Valid only when netsh is configuring a Group Policy object by using the set store command. Removes the setting from the GPO, which results in the policy not changing the value on the computer when the policy is applied.

    The default value is 480min,0sess. The lifetime can range from 1 to 2880 minutes, or 0 to 2,147,483,647 sessions.

  • [ description = DescriptionOfRule ]
    Provides information about the main mode rule. Include quotation marks if the description includes any spaces.
  • [ enable = { yes | no } ]
    Specifies whether the rule is currently enabled.

    If enable is not specified, the default is yes.

  • [ profile = { public | private | domain | any } [ ,... ] ]
    Specifies the profile(s) to which the main mode rule is assigned. The rule is active on the local computer only when the specified profile is currently active.

    If profile is not specified, the default is any.

  • endpoint1 = Addresses endpoint2 = Addresses
    Specifies the computers that are subject to the requirements of this main mode rule. Computers that match endpoint1 can communicate with computers that match endpoint2 only when the requirements of this rule are satisfied. Endpoint1 and endpoint2 can be any of the following values:

    • any. Matches a computer with any IPv4 or IPv6 address.

    • localsubnet. Matches any computer that is on the same subnet as the local computer.

    • dns|dhcp|wins|defaultgateway. Matches any computer that is configured as the identified server type on the local computer.

      Note

      These values are valid in endpoint2 only.

    • IPAddress. Specifies an IPv4 or IPv6 address that matches only the computer currently communicating by using that address.

    • IPSubnet. Specifies an IPv4 or IPv6 subnet that matches any computer that is using an IP address that is part of the subnet. The format is the subnet address, followed by '/' and then either the number of bits in the subnet mask or the subnet mask itself.

    • IPRange. Specifies a range of IPv4 or IPv6 addresses that matches any computer that is using an IP address that falls within the range. The format is the starting and ending IP addresses of the range separated by a '-'.

    Multiple entries can be specified for either endpoint1 or endpoint2 by separating them with a comma. Do not include any spaces in the completed comma-separated text.

  • [ auth1 = { computerkerb | computercert | computercertecdsap256 | computercertecdsap384 | computerpsk | computerntlm | anonymous } [ ,... ] ]
    Specifies the methods offered for main mode first authentication during IPsec negotiations. Multiple values can be included by separating them with commas. Do not include any spaces. If the negotiation uses IKE, the first match between the two computers is attempted. If it fails, the negotiation fails. If the negotiation uses AuthIP, then each match is tried in order, until one succeeds. If they all fail, then the negotiation fails. Windows uses IKE when it can, and uses AuthIP if you specify any options that are not supported by IKE.

    For computers to communicate by using this rule, one of the specified authentication methods must be successful unless anonymous is specified, indicating that first authentication is optional.

    The value can be any of the following:

    • computerkerb. This method uses the Kerberos v5 protocol to authenticate the computer account.

    • computercert. This method uses a computer certificate issued by a Certification Authority (CA), and signed with the default RSA algorithm.

    • computercertecdsap256. This method uses a computer certificate issued by a CA, and signed with the 256-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computercertecdsap384. This method uses a computer certificate issued by a CA, and signed with the 384-bit version of the Elliptic Curve Digital Signature Algorithm.

    • computerpsk. This method uses a manually entered shared key that must be the same on both computers for them to communicate successfully. The use of a preshared key is not recommended, and is provided for interoperability and for conformance to IPsec standards. The preshared key is stored in plaintext. We strongly recommend the use of a more secure authentication method.

    • computerntlm. This method uses the Windows Challenge/Response NTLMv2 protocol to authenticate the computer account. You cannot include both computerntlm and computerpsk.

    • anonymous. Including this keyword as one of the choices has the effect of making this authentication optional. If included, it should be last. You cannot include both anonymous and computerpsk.

  • [ auth1psk = PreSharedKey ]
    Required only if computerpsk is included in the auth1 parameter. Specifies the preshared key value that is used for authentication if the computerpsk option is negotiated. The value is stored in plaintext, and we recommend that you do not use preshared key authentication.
  • [ auth1ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
    Specifies RSA-signed certificate authentication options for main mode first authentication, and is valid only if auth1 includes computercert. Multiple certificates can be referenced by separating each entry by using the '|' character. The completed value must be enclosed with double quotation marks ("). Each entry in the value is a text string that contains the following elements:

    • CAName
      Specifies the distinguished name of the certificate to be used for authentication. The format must conform to the standards for certificate fields, such as including the qualifiers CN=, OU=, and so on, as required.
    • certmapping: { yes | no }
      Specifies whether to enable certificate-to-account mapping.
    • excludecaname: { yes | no }
      Specifies whether to exclude from the certificate request the list of trusted root CA names from which a certificate is accepted.
    • catype: { root | intermediate }
      Specifies the type of CA that issued the certificate. The value can be root or intermediate. If not specified, the default is root.
  • [ auth1healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercert.

    If auth1healthcert is not specified, the default is no.

  • [ auth1ecdsap256ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
    Specifies 256-bit ECDSA-signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertecdsap256. The parameters of this option are identical to the auth1ca option described above.
  • [ auth1ecdsap256healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap256ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap256.
  • [ auth1ecdsap384ca = "CAName [ certmapping: { yes | no } ] [ excludecaname: { yes | no } ] [ catype: { root | intermediate } ] [ | ... ]" ]
    Specifies 384-bit ECDSA-signed certificate options for main mode first authentication, and is valid only if auth1 includes computercertecdsap384. The parameters of this option are identical to the auth1ca option described above.
  • [ auth1ecdsap384healthcert = { yes | no } ]
    Specifies that the computer certificate specified in auth1ecdsap384ca must be a computer health certificate provided by a Network Access Protection (NAP) server on the domain. You can use this value only if auth1 includes computercertecdsap384.
  • [ type = { dynamic | static } ]
    Specifies how the rule is applied to the current session and whether the rule is stored. The value can be one of the following:

    • dynamic. The rule is immediately applied to the current Windows Firewall with Advanced Security operational state. It is not stored in any policy container and will not be reapplied if the Windows Firewall with Advanced Security service is stopped and started, such as when you restart the computer.

    • static. The rule is stored in the policy container currently specified by the advfirewall set store command. The rule is not activated until the policy in which it is stored is applied to the computer. If the computer's local policy store is the active store, then the rule is immediately applied.

    If type is not specified, the default is static.

Remarks

  • Main mode rules are valid on computers that are running Windows 7 or Windows Server 2008 R2 only.

  • If the operating system is running in Common Criteria mode, then administrators can modify the main mode rules, with the exception of the mmsecmethods or mmkeylifetime parameters. Only members of the Cryptographic Operators group can modify those parameters. For information about Common Criteria mode and how to enable it, see Description of the Crypto Operators Security Group (https://go.microsoft.com/fwlink/?linkid=147070).

  • Do not create a main mode rule with the name all. Doing this creates a conflict with the netsh option to select all main mode rules (for example, delete rule name=all).

  • Any embedded double-quote characters (") in the CA name must be replaced with a backslash and single quote (\').

  • We recommend that you do not use DES, MD5, or DHGroup1. They are no longer considered secure, and are included for backward compatibility only.

Examples

  • The following command renames "MMRule1" to "MMRule2":

    set rule name="MMRule1" new name="MMRule2"

  • The following command changes a rule to use a different key lifetime, and assumes that the other parameters required by the new action value were already set:

    set rule name="MMRule3" new mmkeylifetime=20min

show

In the netsh advfirewall mainmode context, the show command only has one variation, the Show Rule command.

show rule

Displays existing main mode rules.

Syntax

show rule

name = { all | RuleName }

[ profile = { public | private | domain | any } [ ,... ] ]

[ type = { dynamic | static } ]

[ verbose ]

Parameters

  • name = { all | RuleName }
    Required. Specifies the rule name assigned to an existing rule that you want to display. If name=all, then all rules that match the other criteria are displayed.

    If name=all, and no other parameters are included, then all rules are displayed.

  • [ profile = { public | private | domain | any } [ ,... ] ]
    Specifies that you only want those rules that match the specified profile(s) displayed. If you specify more than one profile, then only rules that include the exact same list of profiles match.

    If you do not specify profile, the default is any.

  • [ type = { dynamic | static } ]
    Specifies that you only want those rules of the selected type displayed.

    • If you select dynamic, the rules displayed are from the currently active configuration.

    • If you select static, the rules displayed are from the current store, as determined by the set store command.

    If you do not specify type, the default is static.

  • [ verbose ]
    Specifies that you want additional details for each rule displayed.

Examples

  • The following command displays all currently defined rules in the current store:

    show rule name=all

  • The following command displays all static rules in the current store:

    show rule name=all type=static