Firewall Properties - Profiles and IPsec Settings
Applies To: Windows Server 2008
Firewall profiles
A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security. Only one profile is applied at a time.
The following profiles are available:
Profile | Description |
---|---|
Domain |
Applied when a computer is connected to a network in which the computer's domain account resides. |
Private |
Applied when a computer is connected to a network in which the computer's domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. |
Public |
Applied when a computer is connected to a domain through a public network, such as those available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as within an IT environment. |
You can configure any profile, even one that is not currently being applied. If you do not alter profile settings, their default values are applied whenever Windows Firewall with Advanced Security uses the profile. It is recommended that you enable Windows Firewall with Advanced Security for all three profiles.
A profile must be configured for both firewall rules and connection security rules.
State
State selections determine whether Windows Firewall with Advanced Security uses the profile settings and how the profile handles inbound and outbound network messages.
Firewall state
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.
Important
If you use Group Policy to disable the firewall, or configure the firewall with a rule that allows all inbound network traffic, then Windows Security Center alerts the user that there are security issues that the user should correct. If the user tries to correct the reported problem by clicking Turn on in Windows Security Center, then an error is displayed because Windows Security Center cannot enable the firewall. This can generate unwanted support calls to your help desk. If you are managing the security of the computers in your organization and do not want Windows Security Center to alert the user about issues like this then you can disable the Windows Security Center by using the Group Policy setting Turn on Security Center (Domain PCs only) found in Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Security Center.
Inbound connections
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The installed behavior is to block connections unless there are firewall rules to allow the connection. You can choose the following behavior for inbound connections:
Selection | Description |
---|---|
Block (default) |
Blocks all connections that do not have firewall rules that explicitly allow the connection. |
Block all connections |
Blocks all connections, regardless of any firewall rules that explicitly allow the connection. |
Allow |
Allows the connection unless there is a firewall rule that explicitly blocks the connection. |
Outbound connections
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The installed behavior is to allow connections unless there are firewall rules to block the connection. You can choose the following behavior for outbound connections:
Selection | Description |
---|---|
Block |
Blocks all connections that do not have firewall rules that explicitly allow the connection. |
Allow (default) |
Allows the connection unless there is a firewall rule that explicitly blocks the connection. |
Warning
If you set Outbound connections to Block and then deploy the firewall policy by using a Group Policy object, computers that receive it cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.
Settings
Use these settings to configure several Windows Firewall with Advanced Security behaviors, such as who can change Windows Firewall with Advanced Security settings.
Logging
Use these settings to configure how Windows Firewall with Advanced Security logs various events, how big the log file can grow, and where the log file is located.
IPsec Settings
IPsec defaults
Use the Customize button to configure the key exchange, data protection, and authentication methods used by IPsec to help protect network traffic.
IPsec exemptions
Use the Exempt ICMP from IPsec option to determine whether network traffic containing Internet Control Message Protocol (ICMP) messages are protected by IPsec.
ICMP is commonly used by network troubleshooting tools and procedures. Many network administrators exempt ICMP packets from IPsec protection to ensure that these messages are not blocked.
Important
This setting only exempts ICMP from the IPsec part of Windows Firewall with Advanced Security. You must also ensure that ICMP packets are allowed through the firewall by creating or enabling an appropriate inbound rule.
Note
If you enable file and printer sharing in the Network and Sharing Center, Windows Firewall with Advanced Security automatically enables firewall rules that allow commonly used ICMP packet types. However, this also enables many other network features not related to ICMP. If you want to enable only ICMP, then create and enable a rule in the firewall to allow inbound ICMP network packets.
Additional references
Customize Settings for a Firewall Profile