Tools - Security | Updated: November 23, 2024

wf.msc

Open Windows Firewall console for advanced firewall management.

Command: wf.msc

Category: Security

Type: GUI

Purpose

Opens Windows Defender Firewall with Advanced Security console, providing comprehensive firewall management including inbound and outbound rules, connection security rules, and monitoring. More powerful than the basic Windows Firewall control panel interface.

Quick Summary

Windows Firewall Advanced Security is your complete firewall management tool. Create detailed firewall rules, monitor active connections, configure connection security, manage profiles (Domain, Private, Public), and troubleshoot network connectivity issues. Essential for network security configuration and advanced firewall troubleshooting.

How to Use

  1. Press Win + R to open the Run dialog.
  2. Type wf.msc and press Enter.
  3. Windows Defender Firewall with Advanced Security opens.
  4. Navigate through the left tree to access different features.
  5. Right-click rules or sections to create, modify, or delete configurations.

Alternative methods:

  • Type wf.msc in Command Prompt, PowerShell, or Start menu search
  • Search for "Windows Defender Firewall with Advanced Security" in Start menu
  • Control Panel > System and Security > Windows Defender Firewall > Advanced settings
  • Server Manager > Tools > Windows Defender Firewall with Advanced Security (on servers)

Main Components

Overview:

  • Status of Domain, Private, and Public profiles
  • Quick links to firewall state and properties

Inbound Rules:

  • Rules controlling incoming network traffic
  • Allow or block connections to your computer

Outbound Rules:

  • Rules controlling outgoing network traffic
  • Allow or block connections from your computer

Connection Security Rules:

  • IPsec rules for authenticated and encrypted connections
  • Server-to-server, tunnel, or custom rules

Monitoring:

  • Active firewall rules
  • Connection security rules
  • Security associations (IPsec)
  • Real-time firewall activity

Tips and Best Practices

  • Review existing rules before creating new ones to avoid duplicates.
  • Disable rules instead of deleting (easier to re-enable if needed).
  • Use descriptive names for custom rules: "Allow SSH from Management Network"
  • Test rules immediately after creating them.
  • Document why custom rules were created (use Description field).
  • Export firewall configuration before major changes.
  • Use Groups to organize related rules.
  • Monitor the Monitoring section to verify rules are working.

Common Use Cases

  • Application blocking: Block specific programs from accessing the internet.
  • Port opening: Allow incoming connections on specific ports for servers/services.
  • Remote access: Configure rules for Remote Desktop, SSH, or other remote tools.
  • Security hardening: Block unnecessary protocols and ports.
  • Troubleshooting: Identify which rule is blocking a connection.
  • Network segmentation: Create rules for different network profiles.
  • VPN configuration: Set up connection security rules for VPN.

Prerequisites

  • Administrator rights required to modify firewall rules
  • Standard users can view some information but not make changes
  • Available on Windows Vista and later
  • Domain environment may have Group Policy controlling firewall settings

Firewall Profiles

Three network profiles:

Domain Profile:

  • Applies when connected to domain network
  • Typically most permissive
  • Managed by domain administrators

Private Profile:

  • Applies to trusted private networks (home, work)
  • More permissive than Public
  • User configurable

Public Profile:

  • Applies to untrusted public networks (coffee shop, airport)
  • Most restrictive by default
  • Recommended for maximum security

Configure profile settings:

  1. Right-click "Windows Defender Firewall with Advanced Security" node
  2. Click "Properties"
  3. Configure each profile separately

Creating Inbound Rules

To allow incoming connections:

  1. Right-click "Inbound Rules" > New Rule
  2. Choose rule type:
    • Program: Specific application
    • Port: TCP or UDP port number
    • Predefined: Windows service or feature
    • Custom: Advanced configurations
  3. Follow wizard to configure:
    • Program path or port number
    • Allow or Block action
    • Profile(s) to apply rule
    • Name and description

Example: Allow incoming on port 8080:

  1. New Rule > Port
  2. TCP, Specific local ports: 8080
  3. Allow the connection
  4. Apply to: Domain, Private, Public (choose appropriate)
  5. Name: "Allow HTTP on port 8080"

Creating Outbound Rules

To block or allow outgoing connections:

  1. Right-click "Outbound Rules" > New Rule
  2. Follow similar wizard as Inbound Rules
  3. Specify program or port to control
  4. Choose Allow or Block
  5. Select applicable profiles

Example: Block specific application:

  1. New Rule > Program
  2. Browse to: C:\Path\To\Application.exe
  3. Block the connection
  4. Apply to all profiles
  5. Name: "Block Application Name"
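The two wizard walk-throughs above (allow inbound TCP 8080, block one program outbound), done with the NetSecurity cmdlets and then verified. This is an added example, not code from the original page: the management subnet 10.0.50.0/24, the Group names and the helper Show-FirewallRuleDetail are assumptions made here, and the program path is the placeholder the page already uses. The inbound rule is deliberately narrower than the wizard example, with a remote-address scope and no Public profile, which is what the Security Best Practices section below asks for.

```powershell
#Requires -RunAsAdministrator

# Inbound allow on TCP 8080 (the wizard example above), but scoped: Domain and
# Private profiles only, and only from the management subnet, with a Description
# and Group so the rule can be justified and found at the next audit.
$inboundRule = @{
    DisplayName   = 'Allow HTTP on port 8080'
    Description   = 'Internal web app on 8080, reachable from the management subnet only'
    Group         = 'Custom - Internal Services'
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    LocalPort     = 8080
    RemoteAddress = '10.0.50.0/24'        # assumed management subnet, replace with yours
    Profile       = 'Domain', 'Private'   # deliberately not Public
    Action        = 'Allow'
}
$inbound = New-NetFirewallRule @inboundRule

# Outbound block for one program on every profile (the second wizard example).
$outboundRule = @{
    DisplayName = 'Block Application Name'
    Description = 'Application must not reach the network'
    Group       = 'Custom - Blocked Programs'
    Direction   = 'Outbound'
    Program     = 'C:\Path\To\Application.exe'   # placeholder path from the page
    Profile     = 'Any'
    Action      = 'Block'
}
$outbound = New-NetFirewallRule @outboundRule

# Verify what was actually stored. Port, address and program details live in
# separate filter objects, so Get-NetFirewallRule alone does not show them.
function Show-FirewallRuleDetail {
    param([Parameter(Mandatory, ValueFromPipeline)]$Rule)
    process {
        $port = $Rule | Get-NetFirewallPortFilter
        $addr = $Rule | Get-NetFirewallAddressFilter
        $app  = $Rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $Rule.DisplayName
            Direction  = $Rule.Direction
            Action     = $Rule.Action
            Enabled    = $Rule.Enabled
            Profile    = $Rule.Profile
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemoteAddr = $addr.RemoteAddress
            Program    = $app.Program
        }
    }
}
$inbound, $outbound | Show-FirewallRuleDetail | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. The verification step is the part worth keeping: what the console shows under Scope and Programs and Services is exactly the output of the address and application filters, so checking them right after creation catches a rule that was saved broader than intended.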

Common Firewall Rules

Allow Remote Desktop:

Inbound Rule
- Port: TCP 3389
- Action: Allow
- Profiles: Domain, Private

Allow HTTP/HTTPS Server:

Inbound Rules
- Port: TCP 80 (HTTP)
- Port: TCP 443 (HTTPS)
- Action: Allow
- Profiles: As needed

Block Outbound for Program:

Outbound Rule
- Program: C:\Path\To\Program.exe
- Action: Block
- Profiles: All

Allow Ping (ICMP):

Inbound Rule
- Protocol: ICMPv4
- ICMP type: Echo Request
- Action: Allow

Rule Properties

Key properties for each rule:

  • Name: Descriptive rule name
  • Description: Why rule exists (best practice)
  • Enabled: Toggle rule on/off
  • Action: Allow or Block
  • Program: Specific executable path
  • Protocol/Port: TCP, UDP, ICMPv4, etc.
  • Scope: Local and remote IP addresses
  • Advanced: Profiles, edge traversal, interface types
  • Group: Organize related rules

Troubleshooting with Firewall

Connection blocked? Check:

  1. Go to Monitoring > Firewall
  2. View currently active rules
  3. Look for rule blocking your connection
  4. Adjust or disable blocking rule

Can't reach service? Verify:

  1. Check if inbound rule exists for the port
  2. Verify rule is enabled
  3. Confirm correct profile is active
  4. Test with firewall temporarily disabled (for testing only!)

Program can't connect? Check:

  1. Outbound rules blocking the program
  2. Inbound rules if acting as server
  3. Windows Firewall notification for program allow/block decision
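The three checklists above all end in the same question: which enabled rule in the active rule set matches this port and direction, and does it apply on the profile I am on right now? As an added example that is not part of the original page, the function below answers that from PowerShell instead of scanning Monitoring > Firewall by hand. Find-FirewallRulesForPort and Test-PortCovered are names chosen here; port 8080 is the example port used earlier on this page.

```powershell
function Find-FirewallRulesForPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound',
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )

    # Profiles active on connected adapters right now. Get-NetConnectionProfile
    # reports the Domain profile as 'DomainAuthenticated'.
    $activeProfiles = @(Get-NetConnectionProfile | ForEach-Object {
        if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { "$($_.NetworkCategory)" }
    } | Sort-Object -Unique)

    # Does one LocalPort value ('Any', '8080' or a range such as '8000-8100') cover $Port?
    function Test-PortCovered([string]$Spec) {
        if ($Spec -eq 'Any') { return $true }
        if ($Spec -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
        return ($Spec -match '^\d+$' -and [int]$Spec -eq $Port)
    }

    # ActiveStore is what Monitoring > Firewall shows: local rules plus rules
    # delivered by Group Policy. Start from the port filters so only candidate
    # rules are resolved, instead of fetching filters for every rule.
    Get-NetFirewallPortFilter -Protocol $Protocol -PolicyStore ActiveStore |
        Where-Object { @(@($_.LocalPort) | Where-Object { Test-PortCovered $_ }).Count -gt 0 } |
        Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq $Direction } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $ruleProfiles = @("$($_.Profile)" -split ',\s*')
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Action        = $_.Action
                Profile       = $_.Profile
                # a rule only matters if one of its profiles is active on this network
                AppliesNow    = ($ruleProfiles -contains 'Any') -or
                                (@($ruleProfiles | Where-Object { $activeProfiles -contains $_ }).Count -gt 0)
                RemoteAddress = $addr.RemoteAddress
                Source        = $_.PolicyStoreSourceType   # Local or GroupPolicy
            }
        }
}

# A matching Block rule wins over any Allow rule, so a Block line with
# AppliesNow = True is the one to adjust or disable.
Find-FirewallRulesForPort -Port 8080 -Direction Inbound |
    Sort-Object @{ Expression = { $_.Action -eq 'Block' }; Descending = $true } |
    Format-Table -AutoSize
```

The Source column is the quick answer to the "Rules don't take effect" and "Can't modify rules" items under Troubleshooting below: a rule whose source is GroupPolicy cannot be changed in the local console, only in the GPO that delivers it.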

Monitoring Section

View real-time firewall activity:

  1. Expand "Monitoring" in left tree
  2. View active firewall rules currently in effect
  3. See connection security rules in use
  4. Check security associations (IPsec)

Benefits:

  • See which rules are actually active
  • Verify rules match your intent
  • Troubleshoot why connections succeed or fail

Exporting and Importing Policies

Export firewall configuration:

  1. Right-click root node
  2. Export Policy
  3. Choose location and filename (.wfw)
  4. Save for backup or transfer

Import firewall configuration:

  1. Right-click root node
  2. Import Policy
  3. Select .wfw file
  4. Confirm import (overwrites current rules)

Use cases:

  • Backup before major changes
  • Deploy consistent config across multiple computers
  • Restore after troubleshooting
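The export and import steps above have a command-line equivalent, netsh advfirewall export and netsh advfirewall import, which the Command-Line Alternatives section does not list. As an added example (not from the page), these two helper functions wrap them so that every restore first takes a fresh backup, since an import replaces the whole rule set. Backup-FirewallPolicy, Restore-FirewallPolicy and the backup folder under ProgramData are names chosen here.

```powershell
function Backup-FirewallPolicy {
    param([string]$Folder = "$env:ProgramData\FirewallBackups")   # assumed location
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Folder "$env:COMPUTERNAME-$stamp.wfw"

    # Same .wfw format the console writes with Export Policy.
    netsh advfirewall export "$file" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Export failed (netsh exit code $LASTEXITCODE)"
    }

    # Keep the rule count next to the file; after a restore you can compare.
    $count = @(Get-NetFirewallRule).Count
    "$stamp rules=$count file=$file" | Add-Content -Path (Join-Path $Folder 'backups.log')
    return $file
}

function Restore-FirewallPolicy {
    param([Parameter(Mandatory)][string]$File)
    if (-not (Test-Path $File)) { throw "Backup file not found: $File" }

    # Import overwrites the current rules, so save the current state first.
    $safety = Backup-FirewallPolicy
    netsh advfirewall import "$File" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import failed; pre-import state is in $safety" }
    Write-Host "Imported $File; pre-import state saved to $safety"
}

# Typical use: back up before a change, restore if the change went wrong.
$backup = Backup-FirewallPolicy
# ... make changes ...
# Restore-FirewallPolicy -File $backup
```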

Command-Line Alternatives

View firewall status:

netsh advfirewall show allprofiles

Enable/disable firewall:

netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles state off

Create inbound rule:

netsh advfirewall firewall add rule name="Allow Port 8080" dir=in action=allow protocol=TCP localport=8080

Create outbound rule:

netsh advfirewall firewall add rule name="Block Program" dir=out action=block program="C:\Program.exe"

Delete rule:

netsh advfirewall firewall delete rule name="Rule Name"

Reset firewall to defaults:

netsh advfirewall reset

PowerShell Firewall Management

View rules:

Get-NetFirewallRule
Get-NetFirewallRule -DisplayName "*Remote Desktop*"

Create rule:

New-NetFirewallRule -DisplayName "Allow Port 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow

Enable/disable rule:

Enable-NetFirewallRule -DisplayName "Rule Name"
Disable-NetFirewallRule -DisplayName "Rule Name"

Remove rule:

Remove-NetFirewallRule -DisplayName "Rule Name"

Get firewall profile status:

Get-NetFirewallProfile

Security Best Practices

Firewall configuration:

  • Keep firewall enabled on all profiles
  • Use most restrictive settings on Public profile
  • Only open ports that are absolutely necessary
  • Block by default, allow by exception
  • Regularly review and remove unused rules
  • Document all custom rules

Rule creation:

  • Use specific IP ranges in the rule Scope when possible, rather than "Any" (0.0.0.0/0)
  • Limit rules to required profiles only
  • Use program paths instead of ports when possible
  • Disable rules instead of deleting (for testing)
  • Group related rules for organization

Monitoring:

  • Regularly check Monitoring section
  • Review Windows Firewall logs (if enabled)
  • Audit rules quarterly
  • Remove or disable obsolete rules
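The practices above are easy to state and easy to drift from. As an added example that is not part of the original page, this read-only audit function checks the profile settings (enabled, block-by-default inbound, dropped-packet logging on) and two rule-hygiene points (inbound Allow rules open to any remote address on the Public profile, custom rules with no Description) and reports each deviation. Test-FirewallBaseline is a name chosen here; it changes nothing.

```powershell
function Test-FirewallBaseline {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[string]]::new()

    # Profile settings: enabled, block-by-default inbound, drop logging on.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True')               { $findings.Add("Profile $($p.Name): firewall is disabled") }
        if ($p.DefaultInboundAction -ne 'Block') { $findings.Add("Profile $($p.Name): default inbound action is $($p.DefaultInboundAction), expected Block") }
        if ($p.LogBlocked -ne 'True')            { $findings.Add("Profile $($p.Name): dropped-packet logging is off") }
    }

    # Enabled inbound Allow rules that accept any remote address on the Public
    # profile break "use specific IP ranges" and "most restrictive on Public".
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Any|Public' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            if (@($addr.RemoteAddress) -contains 'Any') {
                $port = $_ | Get-NetFirewallPortFilter
                $findings.Add("Rule '$($_.DisplayName)': inbound Allow from Any on $($port.Protocol)/$($port.LocalPort), profiles $($_.Profile)")
            }
        }

    # Custom rules with no Description cannot be justified at the next audit.
    # Predefined rules carry a resource-string Group ('@FirewallAPI.dll,...'), so skip those.
    Get-NetFirewallRule -PolicyStoreSourceType Local |
        Where-Object { -not $_.Description -and $_.Group -notlike '@*' } |
        ForEach-Object { $findings.Add("Rule '$($_.DisplayName)': no Description") }

    return $findings
}

$result = @(Test-FirewallBaseline)
if ($result.Count -eq 0) { 'Firewall baseline OK' } else { $result }
```

Run it as part of the quarterly audit mentioned above; a non-empty result is the list of rules to scope down, document, or disable.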

Troubleshooting

  • "Access denied" - Requires Administrator rights; run as Administrator.
  • Rules don't take effect - Check if Group Policy is overriding local rules.
  • Can't modify rules - Domain Group Policy may be enforcing settings.
  • Connection still blocked - Check all three profiles; multiple rules may apply.
  • Too many rules - Use Group field to organize; export and review regularly.
  • Rule conflicts - A matching Block rule takes precedence over any Allow rule; check for conflicting Block rules.

Firewall Logging

Enable logging:

  1. Right-click root node > Properties
  2. Select profile tab
  3. Click "Customize" under Logging
  4. Set log location and what to log:
    • Dropped packets
    • Successful connections
  5. Save settings

View logs:

notepad %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
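Opening pfirewall.log in Notepad works for a quick look, but the file is a whitespace-separated W3C-style log whose #Fields header names the columns, so it is easy to summarise. As an added example that is not part of the original page, the block below first enables dropped-packet logging on all profiles with Set-NetFirewallProfile (the cmdlet equivalent of the Customize dialog above) and then counts inbound drops by destination port and by source address. The log lines in $sample are constructed for this example; Get-FirewallDropSummary is a name chosen here. On a real machine pass the contents of the log file instead.

```powershell
# 1. Enable logging on every profile (Properties > profile tab > Logging > Customize).
Set-NetFirewallProfile -All -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. Summarise inbound drops from the log text.
function Get-FirewallDropSummary {
    param([Parameter(Mandatory)][string[]]$Lines, [int]$Top = 10)

    $fields = $null
    $drops = foreach ($line in $Lines) {
        # The header line tells us the column order; other '#' lines are metadata.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }

        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Only inbound (RECEIVE) drops are interesting for exposure; SEND drops
        # are your own outbound Block rules doing their job.
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'RECEIVE') { [pscustomobject]$rec }
    }

    [pscustomobject]@{
        DroppedInbound = @($drops).Count
        TopDstPorts    = $drops | Group-Object { "$($_.protocol)/$($_.'dst-port')" } |
                             Sort-Object Count -Descending | Select-Object -First $Top -Property Name, Count
        TopSources     = $drops | Group-Object 'src-ip' |
                             Sort-Object Count -Descending | Select-Object -First $Top -Property Name, Count
    }
}

# Constructed sample in the real file's layout (addresses are documentation ranges).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-11-23 09:00:01 DROP TCP 203.0.113.7 192.168.1.10 51234 3389 52 S 3418247412 0 64240 - - - RECEIVE
2024-11-23 09:00:02 DROP TCP 203.0.113.7 192.168.1.10 51235 445 52 S 3418247413 0 64240 - - - RECEIVE
2024-11-23 09:00:03 DROP TCP 203.0.113.7 192.168.1.10 51236 3389 52 S 3418247414 0 64240 - - - RECEIVE
2024-11-23 09:00:04 ALLOW TCP 192.168.1.10 192.168.1.20 49700 443 0 - 0 0 0 - - - SEND
2024-11-23 09:00:05 DROP UDP 198.51.100.9 192.168.1.10 40000 161 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

$summary = Get-FirewallDropSummary -Lines $sample
$summary.DroppedInbound          # 4 for the sample
$summary.TopDstPorts | Format-Table -AutoSize   # TCP/3389 x2, TCP/445 x1, UDP/161 x1
$summary.TopSources  | Format-Table -AutoSize   # 203.0.113.7 x3, 198.51.100.9 x1

# Real log: Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

A source that repeatedly hits 3389 and 445 from outside your management range is the kind of pattern this view surfaces at once; the corresponding defensive move is to confirm those ports are not allowed from "Any" on the active profile (see the baseline audit under Security Best Practices).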

Related Tools

  • netsh advfirewall - Command-line firewall management
  • Get-NetFirewallRule (PowerShell) - PowerShell firewall cmdlets
  • Control Panel Windows Firewall - Basic firewall settings
  • Event Viewer - Firewall event logs
  • Resource Monitor - Network activity monitoring
  • netstat -ano - View active connections and ports