Windows Firewall Configuration: Allow, Block, and Create Rules

Windows Defender Firewall is a stateful host-based firewall that filters inbound and outbound network traffic based on rules you define. It is enabled by default on all modern Windows installations, and for most workstations, the default configuration is appropriate — but there are many scenarios where IT professionals need to create custom rules, troubleshoot blocked connections, or manage firewall policy at scale via Group Policy.

Understanding the Three Network Profiles

Windows Firewall applies different rule sets depending on the network profile assigned to each network adapter:

  • Domain — Automatically applied when the computer is connected to a network where its domain controller is reachable. This is the most permissive profile in most enterprise environments.
  • Private — Applied to networks the user manually marks as private (trusted home or office networks).
  • Public — Applied to all other networks: coffee shops, hotels, airport Wi-Fi. This is the most restrictive profile and should remain so.

A single machine can have multiple active profiles simultaneously if it has multiple network adapters connected to different network types.

Opening Windows Defender Firewall with Advanced Security

The basic firewall control panel (Control Panel > System and Security > Windows Defender Firewall) shows status and allows turning the firewall on or off per profile. For creating and managing rules, you need the advanced console:

  • Run wf.msc from the Run dialog
  • Or search for "Windows Defender Firewall with Advanced Security" in the Start menu

The console is split into three panes: navigation (Inbound Rules, Outbound Rules, Connection Security Rules, Monitoring), rule list, and Actions.

Creating an Inbound Rule via the GUI

  1. Open wf.msc
  2. Click Inbound Rules in the left pane
  3. Click New Rule... in the right Actions pane
  4. Select rule type: Port, Program, Predefined, or Custom
  5. For a port rule: select TCP or UDP, enter specific ports (e.g., 8080) or a range (8000-8100)
  6. Choose action: Allow the connection, Allow if secure (IPsec), or Block
  7. Select which profiles the rule applies to (Domain, Private, Public)
  8. Name the rule descriptively (e.g., "Allow TCP 8080 - Web App DEV")

Managing Firewall Rules with PowerShell

PowerShell's NetSecurity module provides cmdlets to create and manage firewall rules programmatically. This is essential for scripted deployments and automation:

# List all enabled inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Action, Profile

# Create an inbound rule to allow TCP port 443
New-NetFirewallRule `
  -DisplayName "Allow HTTPS Inbound" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 443 `
  -Action Allow `
  -Profile Domain,Private `
  -Enabled True

# Block outbound traffic to a specific IP address
New-NetFirewallRule `
  -DisplayName "Block Outbound to 203.0.113.50" `
  -Direction Outbound `
  -RemoteAddress 203.0.113.50 `
  -Action Block `
  -Profile Any `
  -Enabled True

# Allow a specific application through the firewall
New-NetFirewallRule `
  -DisplayName "Allow MyApp.exe" `
  -Direction Inbound `
  -Program "C:\Program Files\MyApp\MyApp.exe" `
  -Action Allow `
  -Profile Domain `
  -Enabled True

# Disable a rule by display name
Set-NetFirewallRule -DisplayName "Allow HTTPS Inbound" -Enabled False

# Delete a rule
Remove-NetFirewallRule -DisplayName "Allow HTTPS Inbound"
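Creating rules is only half the job; a host can accumulate broad inbound allow rules (installer-created, per-app prompts) that nobody reviews. The following audit is an added example, not code from the original article: it walks enabled inbound Allow rules with the same NetSecurity cmdlets and reports those that apply to the Public profile without any local-port or remote-address restriction. The function name is an assumption; it requires an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original article): list enabled inbound Allow rules
# that apply to the Public profile and restrict neither local port nor remote address.
# Such rules expose a listening program to any peer on untrusted networks.
function Get-BroadPublicInboundRule {
    [CmdletBinding()]
    param()

    # Only enabled, inbound, Allow rules can widen the exposed surface.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop

    foreach ($rule in $rules) {
        # Profile is a flags value: 'Any' covers all three, otherwise it lists
        # the profiles by name (e.g. "Private, Public").
        if ("$($rule.Profile)" -notmatch 'Any|Public') { continue }

        # Each rule carries exactly one port, address and application filter.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        # Skip rules that are scoped to specific ports or specific remote hosts.
        if ($port.LocalPort -ne 'Any' -or $addr.RemoteAddress -ne 'Any') { continue }

        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Protocol    = $port.Protocol
            Program     = $app.Program
            Source      = $rule.PolicyStoreSourceType   # Local vs GroupPolicy
        }
    }
}

Get-BroadPublicInboundRule | Sort-Object Program | Format-Table -AutoSize
```

Rules whose Source column reads GroupPolicy cannot be changed locally; fix those in the GPO rather than on the host.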

Checking What Is Being Blocked

When an application cannot connect and you suspect the firewall, enable logging:

  1. Open wf.msc
  2. Click Windows Defender Firewall with Advanced Security (the root node)
  3. Click Properties in the right pane
  4. On the Domain Profile tab (or whichever profile applies), click Customize under Logging
  5. Set Log dropped packets to Yes and note the log file path (default: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log)

# View the last 50 lines of the firewall log
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50

# Filter for dropped packets only
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
  Where-Object { $_ -match "DROP" }
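Grepping for DROP answers "is the firewall dropping anything?" but not "which port, from whom, how often?". The parser below is an added example, not part of the original article: it reads the #Fields: header that pfirewall.log writes in W3C format, turns each line into an object, and summarises dropped inbound packets by protocol and destination port. The log lines are constructed sample data; replace $sample with Get-Content of the real file to run it live. The function name is an assumption.

```powershell
# Added example (not from the original article): structured parsing of pfirewall.log.
function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Line)

    $fields = $null
    foreach ($l in $Line) {
        # The '#Fields:' header names the columns; newer builds append extra
        # columns (e.g. pid), so read the header instead of hard-coding positions.
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or -not $fields) { continue }

        $values = $l -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$obj
    }
}

# Constructed sample log (documentation addresses only); format matches the firewall's own.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:12:01 DROP TCP 198.51.100.7 192.0.2.10 51234 3389 52 S 1 0 64240 - - - RECEIVE
2024-05-01 09:12:02 DROP TCP 198.51.100.7 192.0.2.10 51235 3389 52 S 1 0 64240 - - - RECEIVE
2024-05-01 09:12:05 ALLOW TCP 192.0.2.10 203.0.113.20 49800 443 0 - 0 0 0 - - - SEND
2024-05-01 09:12:09 DROP UDP 192.0.2.33 192.0.2.10 5353 5353 80 - - - - - - - RECEIVE
'@ -split "`r?`n"

# Dropped inbound packets grouped by protocol and destination port, busiest first,
# with the distinct source addresses that hit each port.
ConvertFrom-PfirewallLog -Line $sample |
  Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
  Group-Object protocol, 'dst-port' |
  Sort-Object Count -Descending |
  Select-Object Count, @{n='Protocol/Port'; e={ $_.Name }},
                @{n='Sources'; e={ ($_.Group.'src-ip' | Sort-Object -Unique) -join ', ' }} |
  Format-Table -AutoSize
```

A port that shows up repeatedly with your own application's expected source addresses is the one missing an allow rule; a port hammered from many unknown sources is working as intended and belongs in a ticket, not a rule.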

Managing Firewall Rules via Group Policy

In a domain environment, deploying firewall rules via Group Policy ensures consistency across all machines without manual configuration. Open the Group Policy Management Console (gpmc.msc), create or edit a GPO, and navigate to:

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security

Rules created here are deployed to all computers in the GPO's scope at the next Group Policy refresh (or run gpupdate /force to apply immediately). GPO-deployed rules appear in wf.msc but cannot be deleted by local administrators.

Common Troubleshooting Scenarios

  • Application cannot receive connections — Check for a matching inbound allow rule. Verify the rule applies to the correct profile. Confirm the application is listening on the expected port (netstat -an | findstr LISTENING).
  • Rule exists but connection still fails — Check whether the connection is being blocked by a network-level firewall upstream. Use Test-NetConnection -ComputerName target -Port 80 to test connectivity from the endpoint.
  • Firewall turned off — If users or malware have disabled the firewall, enforce it via Group Policy: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile > Protect all network connections.