authfwcfg.dll.mui 高级安全 Windows 防火墙配置帮助程序 bd22eedf8502c1056dc408bfe47957dd

File info

File name: authfwcfg.dll.mui
Size: 139264 bytes
MD5: bd22eedf8502c1056dc408bfe47957dd
SHA1: d2e41877d4acdedf622a6519a550ec95adec2dd8
SHA256: c7ca549bde1f985e3c5310d3e1c0995ca2a6d88c607be897aa90bb76bc0c58a8
Operating systems: Windows 10
Extension: MUI

Translations of messages and strings

If an error or one of the following messages appears in Chinese (Simplified) and you cannot find a solution, check the English version. The table below shows the corresponding English wording for each string.

id Chinese (Simplified) English
11000
%1!s! 设置:
----------------------------------------------------------------------

%1!s! Settings:
----------------------------------------------------------------------
11001
状态 %1!s!

State %1!s!
11002
防火墙策略 %1!s!

Firewall Policy %1!s!
11003
LocalFirewallRules %1!s!
LocalConSecRules %2!s!
InboundUserNotification %3!s!
RemoteManagement %4!s!
UnicastResponseToMulticast %5!s!

LocalFirewallRules %1!s!
LocalConSecRules %2!s!
InboundUserNotification %3!s!
RemoteManagement %4!s!
UnicastResponseToMulticast %5!s!
11004
日志:

Logging:
11005
LogAllowedConnections %1!s!
LogDroppedConnections %2!s!
FileName %3!s!
MaxFileSize %4!s!

LogAllowedConnections %1!s!
LogDroppedConnections %2!s!
FileName %3!s!
MaxFileSize %4!s!
11006
主模式:

Main Mode:
11007
KeyLifetime %1!u!min,%2!u!sess
SecMethods %3!s!
ForceDH %4!s!

KeyLifetime %1!u!min,%2!u!sess
SecMethods %3!s!
ForceDH %4!s!
11008
IPsec:

IPsec:
11009
StrongCRLCheck %1!s!
SAIdleTimeMin %2!s!
DefaultExemptions %3!s!
IPsecThroughNAT %4!s!
AuthzUserGrp %5!s!
AuthzComputerGrp %6!s!
AuthzUserGrpTransport %7!s!
AuthzComputerGrpTransport %8!s!

StrongCRLCheck %1!s!
SAIdleTimeMin %2!s!
DefaultExemptions %3!s!
IPsecThroughNAT %4!s!
AuthzUserGrp %5!s!
AuthzComputerGrp %6!s!
AuthzUserGrpTransport %7!s!
AuthzComputerGrpTransport %8!s!
11010
StatefulFTP %1!s!

StatefulFTP %1!s!
11011
StatefulPPTP %1!s!

StatefulPPTP %1!s!
11012
策略存储 %1!s!

Policy Store %1!s!
11013域配置文件 Domain Profile
11014专用配置文件 Private Profile
11015已禁用 Disabled
11016检查 Check
11017强制 Enforce
11018
规则名称: %1!s!
----------------------------------------------------------------------

Rule Name: %1!s!
----------------------------------------------------------------------
11019
描述: %1!s!

Description: %1!s!
11020
已启用: %1!s!

Enabled: %1!s!
11021
配置文件: %1!s!

Profiles: %1!s!
11022
类型: %1!s!

Type: %1!s!
11023
本地隧道终结点: %1!s!

LocalTunnelEndpoint: %1!s!
11024
远程隧道终结点: %1!s!

RemoteTunnelEndpoint: %1!s!
11025
接口类型: %1!s!

InterfaceTypes: %1!s!
11026
终结点1: %1!s!

Endpoint1: %1!s!
11027
终结点2: %1!s!

Endpoint2: %1!s!
11028
端口1: %1!s!

Port1: %1!s!
11029
端口2: %1!s!

Port2: %1!s!
11030
协议: %1!s!

Protocol: %1!s!
11031
操作: %1!s!

Action: %1!s!
11032
Auth1: %1!s!

Auth1: %1!s!
11033
Auth1PSK: %1!s!

Auth1PSK: %1!s!
11034
Auth1CAName: %1!s!

Auth1CAName: %1!s!
11035
Auth1CertMapping: %1!s!

Auth1CertMapping: %1!s!
11036
Auth1ExcludeCAName: %1!s!

Auth1ExcludeCAName: %1!s!
11037
Auth1HealthCert: %1!s!

Auth1HealthCert: %1!s!
11038
Auth2: %1!s!

Auth2: %1!s!
11039
Auth2CAName: %1!s!

Auth2CAName: %1!s!
11040
Auth2CertMapping: %1!s!

Auth2CertMapping: %1!s!
11041
Auth2HealthCert: %1!s!

Auth2HealthCert: %1!s!
11042
MainModeSecMethods: %1!s!

MainModeSecMethods: %1!s!
11043
MainModeKeyLifetime: %1!u!min,%2!u!sess

MainModeKeyLifetime: %1!u!min,%2!u!sess
11044
QuickModeSecMethods: %1!s!

QuickModeSecMethods: %1!s!
11045
QuickModePFS: %1!s!

QuickModePFS: %1!s!
11046当前配置文件 Current Profile
11047N/A (仅 GPO 存储) N/A (GPO-store only)
11048
已删除 %1!u! 规则。

Deleted %1!u! rule(s).
11049
已更新 %1!u! 规则。

Updated %1!u! rule(s).
11050
模式: %1!s!

Mode: %1!s!
11053
分组: %1!s!

Grouping: %1!s!
11056
本地 IP: %1!s!

LocalIP: %1!s!
11057
远程 IP: %1!s!

RemoteIP: %1!s!
11058
本地端口:   %1!s!

LocalPort: %1!s!
11059
远程端口:     %1!s!

RemotePort: %1!s!
11061
程序: %1!s!

Program: %1!s!
11062
服务: %1!s!

Service: %1!s!
11064
RemoteComputerGroup: %1!s!

RemoteComputerGroup: %1!s!
11065
远程用户组: %1!s!

RemoteUserGroup: %1!s!
11066
安全: %1!s!

Security: %1!s!
11068
主模式 SA (位于 %1!s!)
----------------------------------------------------------------------

Main Mode SA at %1!s!
----------------------------------------------------------------------
11069
本地 IP 地址: %1!s!

Local IP Address: %1!s!
11070
远程 IP 地址: %1!s!

Remote IP Address: %1!s!
11073
MM 提供: %1!s!

MM Offer: %1!s!
11074
Cookie 对:

Cookie Pair:
11075
健康证书: %1!s!

Health Cert: %1!s!
11076
快速模式 SA (位于 %1!s!)
----------------------------------------------------------------------

Quick Mode SA at %1!s!
----------------------------------------------------------------------
11079
本地端口: %1!s!

Local Port: %1!s!
11080
远程端口: %1!s!

Remote Port: %1!s!
11082
方向: %1!s!

Direction: %1!s!
11083
QM 提供: %1!s!

QM Offer: %1!s!
11084
已删除 %1!u! 个 SA。

Deleted %1!u! SA(s).
11085动态存储 Dynamic Store
11086
已跳过删除 %1!u! 个动态规则,因为它们不源于动态存储。

Skipped deleting %1!u! dynamic rule(s) because they did not originate from the dynamic store.
11087未配置 Not Configured
11088
无法显示指定 GPO 存储中的 %1!s! MainMode 设置,因为它们尚未配置。

The %1!s! MainMode settings in the specified GPO store cannot be shown because they have not been configured.
11089
下列 GPO 具有名称“%1!s!”:

The following GPOs were found with the name "%1!s!":
11090
使用这些 GPO ID 之一来识别所需 GPO。

Use one of these GPO IDs to identify the desired GPO.
11091
PFS: %1!s!

PFS: %1!s!
11092
KeyLifetime %1!s!
SecMethods %2!s!
ForceDH %3!s!

KeyLifetime %1!s!
SecMethods %2!s!
ForceDH %3!s!
11093拒绝访问 Access Denied
11094
已跳过更新 %1!u! 个动态规则,因为它们不源于动态存储。

Skipped updating %1!u! dynamic rule(s) because they did not originate from the dynamic store.
11095公用配置文件 Public Profile
11096
生成 Consec 规则: %1!s!

Generate Consec Rules: %1!s!
11097
类型 代码

Type Code
11098
%1!-4s! %2!-4s!

%1!-4s! %2!-4s!
11099
边缘遍历: %1!s!

Edge traversal: %1!s!
11101
Auth1 本地 ID: %1!s!

Auth1 Local ID: %1!s!
11102
Auth1 远程 ID: %1!s!

Auth1 Remote ID: %1!s!
11103未知 UNKNOWN
11104 None
11105从未 Never
11106NAT 后面的服务器 Server behind NAT
11107NAT 后面的服务器和客户端 Server and client behind NAT
11108关闭 OFF
11109启用 ON
11110允许 Allow
11111阻止 Block
11112跳过 Bypass
11113 In
11114 Out
11115 Yes
11116 No
11117任何 Any
11118全局 Global
11119GPO GPO
11120本地 Local
11121存储 Store
11123禁用 Disable
11124分钟 min
11125RequireInRequestOut RequireInRequestOut
11126RequestInRequestOut RequestInRequestOut
11127RequireInRequireOut RequireInRequireOut
11128NoAuthentication NoAuthentication
11129DHGroup1 DHGroup1
11130DHGroup2 DHGroup2
11131DHGroup14 DHGroup14
11132ECDHP256 ECDHP256
11133ECDHP384 ECDHP384
11134MainMode MainMode
11135动态 Dynamic
11136静态 Static
11137隧道 Tunnel
11138传输 Transport
11139两者 Both
11140ComputerKerb ComputerKerb
11141ComputerCert ComputerCert
11142ComputerPSK ComputerPSK
11143ComputerNTLM ComputerNTLM
11144匿名 Anonymous
11145UserCert UserCert
11146UserKerb UserKerb
11147UserNTLM UserNTLM
111483DES 3DES
11149DES DES
11150AES128 AES128
11151AES192 AES192
11152AES256 AES256
11153MD5 MD5
11154SHA1 SHA1
11155TCP TCP
11156UDP UDP
11157ICMPv4 ICMPv4
11158ICMPv6 ICMPv6
11159AH AH
11160ESP ESP
11161NeighborDiscovery NeighborDiscovery
11162ICMP ICMP
11163身份验证 Authenticate
11164AuthEnc AuthEnc
11165NotRequired NotRequired
11166无线 Wireless
11167LAN LAN
11168RAS RAS
11169 Domain
11170专用 Private
11171公用 Public
11172BlockInbound BlockInbound
11173BlockInboundAlways BlockInboundAlways
11174AllowInbound AllowInbound
11175BlockOutbound BlockOutbound
11176AllowOutbound AllowOutbound
11177: :
11178, ,
11179- -
11180+ +
11181%umin %umin
11182%ukb %ukb
11183
Auth2 本地 ID: %1!s!

Auth2 Local ID: %1!s!
11184
Auth2 远程 ID: %1!s!

Auth2 Remote ID: %1!s!
11185%1!02x! %1!02x!
11186ComputerCertECDSAP256 ComputerCertECDSAP256
11187ComputerCertECDSAP384 ComputerCertECDSAP384
11188UserCertECDSAP256 UserCertECDSAP256
11189UserCertECDSAP384 UserCertECDSAP384
11190AESGCM128 AESGCM128
11191AESGCM192 AESGCM192
11192AESGCM256 AESGCM256
11193SHA256 SHA256
11194SHA384 SHA384
11198AESGMAC128 AESGMAC128
11199AESGMAC192 AESGMAC192
11200AESGMAC256 AESGMAC256
11201
Auth1ECDSAP256CAName: %1!s!
Auth1ECDSAP256CertMapping: %2!s!
Auth1ECDSAP256ExcludeCAName: %3!s!
Auth1ECDSAP256CertType: %4!s!
Auth1ECDSAP256HealthCert: %5!s!

Auth1ECDSAP256CAName: %1!s!
Auth1ECDSAP256CertMapping: %2!s!
Auth1ECDSAP256ExcludeCAName: %3!s!
Auth1ECDSAP256CertType: %4!s!
Auth1ECDSAP256HealthCert: %5!s!
11202
Auth1ECDSAP384CAName: %1!s!
Auth1ECDSAP384CertMapping: %2!s!
Auth1ECDSAP384ExcludeCAName: %3!s!
Auth1ECDSAP384CertType: %4!s!
Auth1ECDSAP384HealthCert: %5!s!

Auth1ECDSAP384CAName: %1!s!
Auth1ECDSAP384CertMapping: %2!s!
Auth1ECDSAP384ExcludeCAName: %3!s!
Auth1ECDSAP384CertType: %4!s!
Auth1ECDSAP384HealthCert: %5!s!
11203
Auth2ECDSAP256CAName: %1!s!
Auth2ECDSAP256CertMapping: %2!s!
Auth2ECDSAP256CertType: %3!s!
Auth2ECDSAP256HealthCert: %4!s!

Auth2ECDSAP256CAName: %1!s!
Auth2ECDSAP256CertMapping: %2!s!
Auth2ECDSAP256CertType: %3!s!
Auth2ECDSAP256HealthCert: %4!s!
11204
Auth2ECDSAP384CAName: %1!s!
Auth2ECDSAP384CertMapping: %2!s!
Auth2ECDSAP384CertType: %3!s!
Auth2ECDSAP384HealthCert: %4!s!

Auth2ECDSAP384CAName: %1!s!
Auth2ECDSAP384CertMapping: %2!s!
Auth2ECDSAP384CertType: %3!s!
Auth2ECDSAP384HealthCert: %4!s!
11205
Auth2ECDSAP256CAName: %1!s!
Auth2ECDSAP256CertMapping: %2!s!
Auth2ECDSAP256CertType: %3!s!

Auth2ECDSAP256CAName: %1!s!
Auth2ECDSAP256CertMapping: %2!s!
Auth2ECDSAP256CertType: %3!s!
11206
Auth2ECDSAP384CAName: %1!s!
Auth2ECDSAP384CertMapping: %2!s!
Auth2ECDSAP384CertType: %3!s!

Auth2ECDSAP384CAName: %1!s!
Auth2ECDSAP384CertMapping: %2!s!
Auth2ECDSAP384CertType: %3!s!
11207
%1!s!:
----------------------------------------------------------------------

%1!s!:
----------------------------------------------------------------------
11208
%1!s!

%1!s!
11209AuthDynEnc AuthDynEnc
11210
BootTimeRuleCategory %1!s!
FirewallRuleCategory %2!s!
StealthRuleCategory %3!s!
ConSecRuleRuleCategory %4!s!

BootTimeRuleCategory %1!s!
FirewallRuleCategory %2!s!
StealthRuleCategory %3!s!
ConSecRuleCategory %4!s!
11211Windows 防火墙 Windows Firewall
11212
类别:

Categories:
11216
KeyLifetime: %1!u!min,%2!u!sess

KeyLifetime: %1!u!min,%2!u!sess
11225
SecMethods: %1!s!

SecMethods: %1!s!
11227
接收失败 : %1!S!

Receive fail : %1!S!
11228
发送失败 : %1!S!

Send fail : %1!S!
11229
捕获堆大小 : %1!S!

Acquire Heap size : %1!S!
11230
接收堆大小 : %1!S!

Receive Heap size : %1!S!
11231
协商失败 : %1!S!

Negotiation Failures : %1!S!
11232
接收到无效的 Cookie : %1!S!

Invalid Cookies Rcvd : %1!S!
11233
总共捕获 : %1!S!

Total Acquire : %1!S!
11234
TotalGetSpi : %1!S!

TotalGetSpi : %1!S!
11235
TotalKeyAdd : %1!S!

TotalKeyAdd : %1!S!
11236
TotalKeyUpdate : %1!S!

TotalKeyUpdate : %1!S!
11237
GetSpiFail : %1!S!

GetSpiFail : %1!S!
11238
KeyAddFail : %1!S!

KeyAddFail : %1!S!
11239
KeyUpdateFail : %1!S!

KeyUpdateFail : %1!S!
11240
IsadbListSize : %1!S!

IsadbListSize : %1!S!
11241
ConnListSize : %1!S!

ConnListSize : %1!S!
11242
接收到无效数据包 : %1!S!

Invalid Packets Rcvd : %1!S!
11243

IPsec 统计


IPsec Statistics
11244
----------------

----------------
11245
IPsecStatistics 不可用。

IPsecStatistics not available.
11246
活动关联 : %1!S!

Active Assoc : %1!S!
11247
卸载 SA : %1!S!

Offload SAs : %1!S!
11248
挂起的密钥 : %1!S!

Pending Key : %1!S!
11249
密钥添加 : %1!S!

Key Adds : %1!S!
11250
密钥删除 : %1!S!

Key Deletes : %1!S!
11251
重新生成密钥 : %1!S!

ReKeys : %1!S!
11252
活动隧道 : %1!S!

Active Tunnels : %1!S!
11253
错误的 SPI 数据包 : %1!S!

Bad SPI Pkts : %1!S!
11254
没有解密的数据包 : %1!S!

Pkts not Decrypted : %1!S!
11255
未验证的数据包 : %1!S!

Pkts not Authenticated : %1!S!
11256
有重放检测的数据包 : %1!S!

Pkts with Replay Detection : %1!S!
11257
发送的机密字节 : %1!S!

Confidential Bytes Sent : %1!S!
11258
接收的机密字节 : %1!S!

Confidential Bytes Received : %1!S!
11259
发送的经过验证的字节 : %1!S!

Authenticated Bytes Sent : %1!S!
11260
接收的经过验证的字节 : %1!S!

Authenticated Bytes Received: %1!S!
11261
发送的传输字节 : %1!S!

Transport Bytes Sent : %1!S!
11262
接收的传输字节 : %1!S!

Transport Bytes Received : %1!S!
11263
发送的卸载字节 : %1!S!

Offloaded Bytes Sent : %1!S!
11264
接收的卸载字节 : %1!S!

Offloaded Bytes Received : %1!S!
11265
在隧道中发送的字节 : %1!S!

Bytes Sent In Tunnels : %1!S!
11266
在隧道中接收的字节 : %1!S!

Bytes Received In Tunnels : %1!S!
11267
IKE 统计

IKE Statistics
11268
--------

--------------
11269
IKEStatistics 不可用。

IKEStatistics not available.
11270
主模式 : %1!S!

Main Modes : %1!S!
11271
快速模式 : %1!S!

Quick Modes : %1!S!
11272
软 SA : %1!S!

Soft SAs : %1!S!
11273
身份验证失败 : %1!S!

Authentication Failures : %1!S!
11274
活动捕获 : %1!S!

Active Acquire : %1!S!
11275
活动接收 : %1!S!

Active Receive : %1!S!
11276
捕获失败 : %1!S!

Acquire fail : %1!S!
11277
规则源: %1!s!

Rule source: %1!s!
11278
快速模式:

Quick Mode:
11279
QuickModeSecMethods %1!s!
QuickModePFS %2!s!

QuickModeSecMethods %1!s!
QuickModePFS %2!s!
11280
安全关联:

Security Associations:
11281
GPO 名称 %1!s!

GPO Name %1!s!
11282
全局策略状态:
----------------------------------------------------------------------

Global Policy State:
----------------------------------------------------------------------
11283
Windows 防火墙规则:
----------------------------------------------------------------------

Windows Firewall Rules:
----------------------------------------------------------------------
11284
连接安全规则:

Connection Security Rules:
11285
Auth1CertType: %1!s!

Auth1CertType: %1!s!
11286
Auth2CertType: %1!s!

Auth2CertType: %1!s!
11287AuthNoEncap AuthNoEncap
11288
ExemptIPsecProtectedConnections: %1!s!

ExemptIPsecProtectedConnections: %1!s!
11289RequireInClearOut RequireInClearOut
11290
ApplyAuthorization: %1!s!

ApplyAuthorization: %1!s!
11291遵从应用程序 Defer to application
11292遵从用户 Defer to user
11293拒绝 Deny
11294本地组策略设置 Local Group Policy Setting
11295本地设置 Local Setting
11296动态设置 Dynamic Setting
11297
ForceDH: %1!s!

ForceDH: %1!s!
11298
主模式规则:

Mainmode Rules:
11299DHCP DHCP
11300组策略设置 Group Policy Setting
11301
在此版本的 Windows 中未实现 "netsh advfirewall dump"
命令。请改用 "netsh advfirewall export" 命令将当前
具有高级安全配置的 Windows 防火墙从当前策略存储写入到
磁盘上的文件。然后,你可以使用"netsh
advfirewall import" 读取该文件并将其加载到其他策略
存储,如组策略对象或另一台计算机上的当前
策略存储。若要设置当前策略存储,请使用 "netsh
advfirewall set store" 命令。
有关 netsh advfirewall 上下文中的命令的详细信息,
请参阅 https://go.microsoft.com/fwlink/?linkid=111237 上的“用于高级
安全 Windows 防火墙的 Netsh 命令”。

The 'netsh advfirewall dump' command is not implemented in this version
of Windows. Instead, use the 'netsh advfirewall export' command to write
the current Windows Firewall with Advanced Security configuration from
the current policy store to a file on disk. You can then use 'netsh
advfirewall import' to read the file and load it into another policy
store, such as a Group Policy object or the current policy store on
another computer. To set the current policy store, use the 'netsh
advfirewall set store' command.
For more information about the commands in the netsh advfirewall context,
see Netsh Commands for Windows Firewall with Advanced Security at
https://go.microsoft.com/fwlink/?linkid=111237.
11302DHGroup24 DHGroup24
11303ComputerNegoEx ComputerNegoEx
11304UserNegoEx UserNegoEx
11305
Auth1CriteriaType: %1!s!

Auth1CriteriaType: %1!s!
11306
Auth1CertNameType: %1!s!

Auth1CertNameType: %1!s!
11307
Auth1CertName: %1!s!

Auth1CertName: %1!s!
11308
Auth1CertEku: %1!s!

Auth1CertEku: %1!s!
11309
Auth1CertHash: %1!s!

Auth1CertHash: %1!s!
11310
Auth1FollowCertRenewal: %1!s!

Auth1FollowCertRenewal: %1!s!
11311
Auth1ECDSAP256CriteriaType: %1!s!

Auth1ECDSAP256CriteriaType: %1!s!
11312
Auth1ECDSAP256CertNameType: %1!s!

Auth1ECDSAP256CertNameType: %1!s!
11313
Auth1ECDSAP256CertName: %1!s!

Auth1ECDSAP256CertName: %1!s!
11314
Auth1ECDSAP256CertEku: %1!s!

Auth1ECDSAP256CertEku: %1!s!
11315
Auth1ECDSAP256CertHash: %1!s!

Auth1ECDSAP256CertHash: %1!s!
11316
Auth1ECDSAP256FollowCertRenewal: %1!s!

Auth1ECDSAP256FollowCertRenewal: %1!s!
11317
Auth1ECDSAP384CriteriaType: %1!s!

Auth1ECDSAP384CriteriaType: %1!s!
11318
Auth1ECDSAP384CertNameType: %1!s!

Auth1ECDSAP384CertNameType: %1!s!
11319
Auth1ECDSAP384CertName: %1!s!

Auth1ECDSAP384CertName: %1!s!
11320
Auth1ECDSAP384CertEku: %1!s!

Auth1ECDSAP384CertEku: %1!s!
11321
Auth1ECDSAP384CertHash: %1!s!

Auth1ECDSAP384CertHash: %1!s!
11322
Auth1ECDSAP384FollowCertRenewal: %1!s!

Auth1ECDSAP384FollowCertRenewal: %1!s!
11323
Auth2CriteriaType: %1!s!

Auth2CriteriaType: %1!s!
11324
Auth2CertNameType: %1!s!

Auth2CertNameType: %1!s!
11325
Auth2CertName: %1!s!

Auth2CertName: %1!s!
11326
Auth2CertEku: %1!s!

Auth2CertEku: %1!s!
11327
Auth2CertHash: %1!s!

Auth2CertHash: %1!s!
11328
Auth2FollowCertRenewal: %1!s!

Auth2FollowCertRenewal: %1!s!
11329
Auth2ECDSAP256CriteriaType: %1!s!

Auth2ECDSAP256CriteriaType: %1!s!
11330
Auth2ECDSAP256CertNameType: %1!s!

Auth2ECDSAP256CertNameType: %1!s!
11331
Auth2ECDSAP256CertName: %1!s!

Auth2ECDSAP256CertName: %1!s!
11332
Auth2ECDSAP256CertEku: %1!s!

Auth2ECDSAP256CertEku: %1!s!
11333
Auth2ECDSAP256CertHash: %1!s!

Auth2ECDSAP256CertHash: %1!s!
11334
Auth2ECDSAP256FollowCertRenewal: %1!s!

Auth2ECDSAP256FollowCertRenewal: %1!s!
11335
Auth2ECDSAP384CriteriaType: %1!s!

Auth2ECDSAP384CriteriaType: %1!s!
11336
Auth2ECDSAP384CertNameType: %1!s!

Auth2ECDSAP384CertNameType: %1!s!
11337
Auth2ECDSAP384CertName: %1!s!

Auth2ECDSAP384CertName: %1!s!
11338
Auth2ECDSAP384CertEku: %1!s!

Auth2ECDSAP384CertEku: %1!s!
11339
Auth2ECDSAP384CertHash: %1!s!

Auth2ECDSAP384CertHash: %1!s!
11340
Auth2ECDSAP384FollowCertRenewal: %1!s!

Auth2ECDSAP384FollowCertRenewal: %1!s!
11341
Auth1KerbProxyFQDN: %1!s!

Auth1KerbProxyFQDN: %1!s!
11342
Auth1ProxyServerFQDN: %1!s!

Auth1ProxyServerFQDN: %1!s!
11343
Auth2ProxyServerFQDN: %1!s!

Auth2ProxyServerFQDN: %1!s!
11344
计算机授权 SDDL %1!s!

Machine authorization SDDL %1!s!
11345
用户授权 SDDL %1!s!

User authorization SDDL %1!s!
12000将策略重置为默认全新策略。
Resets the policy to the default out-of-box policy.
12001
用法: reset [export ]

注释:

- 将高级安全 Windows 防火墙策略还原为默认策略。
也可以将当前活动策略导出到指定文件中。
- 在组策略对象中,该命令将所有设置返回到未配置状态并且
删除所有连接安全规则和防火墙规则。

示例:

备份当前策略,并将其还原为全新策略:
netsh advfirewall reset export "c:\backuppolicy.wfw"

Usage: reset [export ]

Remarks:

- Restores the Windows Firewall with Advanced Security policy to the
default policy. The current active policy can be optionally exported
to a specified file.
- In a Group Policy object, this command returns all settings to
notconfigured and deletes all connection security and firewall
rules.

Examples:

Backup the current policy and restore out-of-box policy:
netsh advfirewall reset export "c:\backuppolicy.wfw"
12002设置每个配置文件或全局设置。
Sets the per-profile or global settings.
12003在域配置文件中设置属性。
Sets properties in the domain profile.
12004
用法: set domainprofile (parameter) (value)

参数:

state - 配置防火墙状态。
用法: state on|off|notconfigured

firewallpolicy - 配置默认入站和出站行为。
用法: firewallpolicy (入站行为),(出站行为)
入站行为:
blockinbound - 阻止与入站规则不匹配的入站连接。
blockinboundalways - 阻止所有入站连接,即使连接与规则匹配。
allowinbound - 允许与规则不匹配的入站连接。
notconfigured - 将值返回到未配置的状态。
出站行为:
allowoutbound - 允许与规则不匹配的出站连接。
blockoutbound - 阻止与规则不匹配的出站连接。
notconfigured - 将值返回到未配置的状态。

settings - 配置防火墙设置。
用法: settings (参数) enable|disable|notconfigured
参数:
localfirewallrules - 将本地防火墙规则与组策略规则合并。
配置组策略存储时有效。
localconsecrules - 将本地连接安全规则与组策略规则合并。
配置组策略存储时有效。
inboundusernotification - 在程序侦听入站连接时通知用户。
remotemanagement - 允许远程管理 Windows 防火墙。
unicastresponsetomulticast - 控制对多播的状态单播响应。

logging - 配置日志记录设置。
用法: logging (参数) (值)
参数:
allowedconnections - 记录允许连接的日志。
值: enable|disable|notconfigured
droppedconnections - 记录放弃连接的日志。
值: enable|disable|notconfigured
filename - 防火墙日志的名称和位置。
值: |notconfigured
maxfilesize - 最大日志文件大小(以 KB 计)。
值: 1 - 32767|notconfigured

注释:

- 配置域配置文件设置。
- "notconfigured" 值仅对于组策略存储有效。

示例:

在域配置文件活动时关闭防火墙:
netsh advfirewall set domainprofile state off

设置默认行为,以在域配置文件活动时阻止入站连接和允许出站连接:
netsh advfirewall set domainprofile firewallpolicy
blockinbound,allowoutbound

在域配置文件活动时启用远程管理:
netsh advfirewall set domainprofile settings remotemanagement enable

在域配置文件活动时,记录放弃连接的日志:
netsh advfirewall set domainprofile logging droppedconnections enable

Usage: set domainprofile (parameter) (value)

Parameters:

state - Configure the firewall state.
Usage: state on|off|notconfigured

firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.

settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.

logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: |notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured

Remarks:

- Configures domain profile settings.
- The "notconfigured" value is valid only for a Group Policy store.

Examples:

Turn the firewall off when the domain profile is active:
netsh advfirewall set domainprofile state off

Set the default behavior to block inbound and allow outbound
connections when the domain profile is active:
netsh advfirewall set domainprofile firewallpolicy
blockinbound,allowoutbound

Turn on remote management when the domain profile is active:
netsh advfirewall set domainprofile settings remotemanagement enable

Log dropped connections when the domain profile is active:
netsh advfirewall set domainprofile logging droppedconnections enable
12005在专用配置文件中设置属性。
Sets properties in the private profile.
12006
用法: set privateprofile (parameter) (value)

参数:

state - 配置防火墙状态。
用法: state on|off|notconfigured

firewallpolicy - 配置默认入站行为和出站行为。
用法: firewallpolicy (入站行为),(出站行为)
入站行为:
blockinbound - 阻止与入站规则不匹配的入站连接。
blockinboundalways - 阻止所有入站连接,即使连接与规则匹配。
allowinbound - 允许与规则不匹配的入站连接。
notconfigured - 将值返回到未配置的状态。
出站行为:
allowoutbound - 允许与规则不匹配的出站连接。
blockoutbound - 阻止与规则不匹配的出站连接。
notconfigured - 将值返回到未配置的状态。

settings - 配置防火墙设置。
用法: settings (参数) enable|disable|notconfigured
参数:
localfirewallrules - 将本地防火墙规则与组策略规则合并。
配置组策略存储时有效。
localconsecrules - 将本地连接安全规则与组策略规则合并。
配置组策略存储时有效。
inboundusernotification - 在程序侦听入站连接时通知用户。
remotemanagement - 允许远程管理 Windows 防火墙。
unicastresponsetomulticast - 控制对多播的状态单播响应。

logging - 配置日志记录设置。
用法: logging (参数) (值)
参数:
allowedconnections - 记录允许连接的日志。
值: enable|disable|notconfigured
droppedconnections - 记录放弃连接的日志。
值: enable|disable|notconfigured
filename - 防火墙日志的名称和位置。
值: |notconfigured
maxfilesize - 最大日志文件大小(KB)。
值: 1 - 32767|notconfigured

注释:

- 配置专用配置文件设置。
- "notconfigured" 值仅对于组策略存储有效。

示例:

在专用配置文件活动时关闭防火墙:
netsh advfirewall set privateprofile state off

设置默认行为,以在专用配置文件活动时
阻止入站连接和允许出站连接:
netsh advfirewall set privateprofile firewallpolicy
blockinbound,allowoutbound

在专用配置文件活动时启用远程管理:
netsh advfirewall set privateprofile settings remotemanagement enable

在专用配置文件活动时,记录放弃连接的日志:
netsh advfirewall set privateprofile logging droppedconnections enable

Usage: set privateprofile (parameter) (value)

Parameters:

state - Configure the firewall state.
Usage: state on|off|notconfigured

firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.

settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.

logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: |notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured

Remarks:

- Configures private profile settings.
- The "notconfigured" value is valid only for a Group Policy store.

Examples:

Turn the firewall off when the private profile is active:
netsh advfirewall set privateprofile state off

Set the default behavior to block inbound and allow outbound
connections when the private profile is active:
netsh advfirewall set privateprofile firewallpolicy
blockinbound,allowoutbound

Turn on remote management when the private profile is active:
netsh advfirewall set privateprofile settings remotemanagement enable

Log dropped connections when the private profile is active:
netsh advfirewall set privateprofile logging droppedconnections enable
12007在活动配置文件中设置属性。
Sets properties in the active profile.
12008
用法: set currentprofile (parameter) (value)

参数:

state - 配置防火墙状态。
用法: state on|off|notconfigured

firewallpolicy - 配置默认入站行为和出站行为。
用法: firewallpolicy (入站行为),(出站行为)
入站行为:
blockinbound - 阻止与入站规则不匹配的入站连接。
blockinboundalways - 阻止所有入站连接,即使连接与规则匹配。
allowinbound - 允许与规则不匹配的入站连接。
notconfigured - 将值返回到未配置状态。
出站行为:
allowoutbound - 允许与规则不匹配的出站连接。
blockoutbound - 阻止与规则不匹配的出站连接。
notconfigured - 将值返回到未配置状态。

settings - 配置防火墙设置。
用法: settings (parameter) enable|disable|notconfigured
参数:
localfirewallrules - 将本地防火墙规则与组策略规则合并。
配置组策略存储时有效。
localconsecrules - 将本地连接安全规则与组策略规则合并。
配置组策略存储时有效。
inboundusernotification - 在程序侦听入站连接时通知用户。
remotemanagement - 允许远程管理 Windows 防火墙。
unicastresponsetomulticast - 控制对多播的状态单播响应。

logging - 配置日志记录设置。
用法: logging (参数) (值)
参数:
allowedconnections - 记录允许连接的日志。
值: enable|disable|notconfigured
droppedconnections - 记录放弃连接的日志。
值: enable|disable|notconfigured
filename - 防火墙日志的名称和位置。
值: |notconfigured
maxfilesize - 最大日志文件大小(KB)。
值: 1 - 32767|notconfigured

注释:

- 配置当前活动的配置文件的配置文件设置。
- "notconfigured" 值仅对于组策略存储有效。

示例:

在当前活动的配置文件上关闭防火墙:
netsh advfirewall set currentprofile state off

设置默认行为,以在当前活动的配置文件上
阻止入站连接和允许出站连接:
netsh advfirewall set currentprofile firewallpolicy
blockinbound,allowoutbound

在当前活动的配置文件上启用远程管理:
netsh advfirewall set currentprofile settings remotemanagement enable

在当前活动的配置文件上,记录放弃连接的日志:
netsh advfirewall set currentprofile logging droppedconnections enable

Usage: set currentprofile (parameter) (value)

Parameters:

state - Configure the firewall state.
Usage: state on|off|notconfigured

firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.

settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.

logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: |notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured

Remarks:

- Configures profile settings for the currently active profile.
- The "notconfigured" value is valid only for a Group Policy store.

Examples:

Turn the firewall off on the currently active profile:
netsh advfirewall set currentprofile state off

Set the default behavior to block inbound and allow outbound
connections on the currently active profile:
netsh advfirewall set currentprofile firewallpolicy
blockinbound,allowoutbound

Turn on remote management on the currently active profile:
netsh advfirewall set currentprofile settings remotemanagement enable

Log dropped connections on the currently active profile:
netsh advfirewall set currentprofile logging droppedconnections enable
12009在所有配置文件中设置属性。
Sets properties in all profiles.
12010
用法: set allprofiles (parameter) (value)

参数:

state - 配置防火墙状态。
用法: state on|off|notconfigured

firewallpolicy - 配置默认入站行为和出站行为。
用法: firewallpolicy (入站行为),(出站行为)
入站行为:
blockinbound - 阻止与入站规则不匹配的入站连接。
blockinboundalways - 阻止所有入站连接,即使连接与规则匹配。
allowinbound - 允许与规则不匹配的入站连接。
notconfigured - 将值返回到未配置状态。
出站行为:
allowoutbound - 允许与规则不匹配的出站连接。
blockoutbound - 阻止与规则不匹配的出站连接。
notconfigured - 将值返回到未配置状态。

settings - 配置防火墙设置。
用法: settings (参数) enable|disable|notconfigured
参数:
localfirewallrules - 将本地防火墙规则与组策略规则合并。
配置组策略存储时有效。
localconsecrules - 将本地连接安全规则与组策略规则合并。
配置组策略存储时有效。
inboundusernotification - 在程序侦听入站连接时通知用户。
remotemanagement - 允许远程管理 Windows 防火墙。
unicastresponsetomulticast - 控制对多播的状态单播响应。

logging - 配置日志记录设置。
用法: logging (参数) (值)
参数:
allowedconnections - 记录允许连接的日志。
值: enable|disable|notconfigured
droppedconnections - 记录放弃连接的日志。
值: enable|disable|notconfigured
filename - 防火墙日志的名称和位置。
值: |notconfigured
maxfilesize - 最大日志文件大小(KB)。
值: 1 - 32767|notconfigured

注释:

- 配置所有配置文件的配置文件设置。
- "notconfigured" 值仅对于组策略存储有效。

示例:

所有配置文件关闭防火墙:
netsh advfirewall set allprofiles state off

设置默认行为,以在所有配置文件上
阻止入站连接和允许出站连接:
netsh advfirewall set allprofiles firewallpolicy
blockinbound,allowoutbound

在所有配置文件上启用远程管理:
netsh advfirewall set allprofiles settings remotemanagement enable

在所有配置文件上,记录放弃连接的日志:
netsh advfirewall set allprofiles logging droppedconnections enable

Usage: set allprofiles (parameter) (value)

Parameters:

state - Configure the firewall state.
Usage: state on|off|notconfigured

firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.

settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.

logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: |notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured

Remarks:

- Configures profile settings for all profiles.
- The "notconfigured" value is valid only for a Group Policy store.

Examples:

Turn the firewall off for all profiles:
netsh advfirewall set allprofiles state off

Set the default behavior to block inbound and allow outbound
connections on all profiles:
netsh advfirewall set allprofiles firewallpolicy
blockinbound,allowoutbound

Turn on remote management on all profiles:
netsh advfirewall set allprofiles settings remotemanagement enable

Log dropped connections on all profiles:
netsh advfirewall set allprofiles logging droppedconnections enable
12011
设置全局属性。
Sets the global properties.
12012
用法: set global statefulftp|statefulpptp enable|disable|notconfigured
set global ipsec (parameter) (value)
set global mainmode (parameter) (value) | notconfigured

IPsec 参数:

strongcrlcheck - 配置如何强制 CRL 检查。
0: 禁用 CRL 检查(默认值)
1: 如果证书被吊销,则失败
2: 出现任何错误,都失败
notconfigured: 将该值返回到未
配置状态。
saidletimemin - 配置安全关联空闲时间(以分钟为单位)。
- 用法: 5-60|notconfigured (default=5)
defaultexemptions - 配置默认的 IPSec 免除。默认值为
将 IPv6 neighbordiscovery 协议和 DHCP
从 IPSec 免除。
- 用法: none|neighbordiscovery|icmp|dhcp|notconfigured
ipsecthroughnat - 可以与网络地址转换器后面的
计算机建立安全关联时配置。
- 用法: never|serverbehindnat|
serverandclientbehindnat|
notconfigured(default=never)
authzcomputergrp - 配置授权建立隧道模式连接的计算机。
- 用法: none||notconfigured
authzusergrp - 配置授权建立隧道模式连接的用户。
tunnel mode connections.
- 用法: none||notconfigured

主模式参数:

mmkeylifetime - 设置主模式密钥生存时间(以分钟为单位)
或会话,或两者。
- 用法: min,sess
minlifetime: 分钟,
maxlifetime: 分钟,
minsessions: 个会话,
maxsessions: 个会话
mmsecmethods - 配置主模式建议列表
- 用法:
keyexch:enc-integrity,keyexch:
enc-integrity[,...]|default
- keyexch=dhgroup1|dhgroup2|dhgroup14|dhgroup24|
ecdhp256|ecdhp384
- enc=3des|des|aes128|aes192|aes256
- integrity=md5|sha1|sha256|sha384
mmforcedh - 配置使用 DH 确保密钥交换安全的选项。
- 用法:
yes|no (default=no)


注释:

- 配置全局设置,包括高级 IPsec 选项。
- 不建议使用 DES、MD5 和 DHGroup1。提供这些
加密算法只用于向下兼容。
- mmsecmethods 关键字 default 将策略设置为:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1

示例:

禁用 CRL 检查:
netsh advfirewall set global ipsec strongcrlcheck 0

启用防火墙对状态 FTP 的支持:
netsh advfirewall set global statefulftp enable

将全局主模式建议设置为默认值:
netsh advfirewall set global mainmode mmsecmethods default

将全局主模式建议设置为客户列表:
netsh advfirewall set global mainmode mmsecmethods
dhgroup1:des-md5,3des-sha1

Usage: set global statefulftp|statefulpptp enable|disable|notconfigured
set global ipsec (parameter) (value)
set global mainmode (parameter) (value) | notconfigured

IPsec Parameters:

strongcrlcheck - Configures how CRL checking is enforced.
0: Disable CRL checking (default)
1: Fail if cert is revoked
2: Fail on any error
notconfigured: Returns the value to its not
configured state.
saidletimemin - Configures the security association idle time in
minutes.
- Usage: 5-60|notconfigured (default=5)
defaultexemptions - Configures the default IPsec exemptions. Default is
to exempt IPv6 neighbordiscovery protocol and
DHCP from IPsec.
- Usage: none|neighbordiscovery|icmp|dhcp|notconfigured
ipsecthroughnat - Configures when security associations can be
established with a computer behind a network
address translator.
- Usage: never|serverbehindnat|
serverandclientbehindnat|
notconfigured(default=never)
authzcomputergrp - Configures the computers that are authorized to
establish tunnel mode connections.
- Usage: none||notconfigured
authzusergrp - Configures the users that are authorized to establish
tunnel mode connections.
- Usage: none||notconfigured

Main Mode Parameters:

mmkeylifetime - Sets main mode key lifetime in minutes
or sessions, or both.
- Usage: min,sess
minlifetime: min,
maxlifetime: min
minsessions: sessions,
maxsessions: sessions
mmsecmethods - configures the main mode list of proposals
- Usage:
keyexch:enc-integrity,keyexch:enc-integrity[,...]|default
- keyexch=dhgroup1|dhgroup2|dhgroup14|dhgroup24|
ecdhp256|ecdhp384
- enc=3des|des|aes128|aes192|aes256
- integrity=md5|sha1|sha256|sha384
mmforcedh - configures the option to use DH to secure key exchange.
- Usage:
yes|no (default=no)


Remarks:

- Configures global settings, including advanced IPsec options.
- The use of DES, MD5 and DHGroup1 is not recommended. These
cryptographic algorithms are provided for backward compatibility
only.
- The mmsecmethods keyword default sets the policy to:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1

Examples:

Disable CRL checking:
netsh advfirewall set global ipsec strongcrlcheck 0

Turn on the Firewall support for stateful FTP:
netsh advfirewall set global statefulftp enable

Set global main mode proposals to the default value:
netsh advfirewall set global mainmode mmsecmethods default

Set global main mode proposals to a customer list:
netsh advfirewall set global mainmode mmsecmethods
dhgroup1:des-md5,dhgroup1:3des-sha1
12013
为当前交互式会话设置策略存储。
Sets the policy store for the current interactive session.
12014
用法: set store local|gpo=|gpo=|
gpo=

注释:

- 将策略存储设置为组策略对象(GPO),该组策略对象是通过计算机名、
域和 GPO 名称、GPO 唯一标识符或本地策略存储识别的。
- 默认值为本地策略存储。
- 必须保留在同一交互式会话中,否则该存储设置会丢失。
- 指定域名时,必须输入完全限定的域名(FQDN)。

示例:

将 computer1 上的策略存储设置为 GPO:
netsh advfirewall set store gpo=computer1

将策略存储设置为办公室域中 GPO 调用的笔记本电脑:
netsh advfirewall set store gpo=office.acme.com\laptops

将策略存储设置为在办公室域中带有唯一标识符
{842082DD-7501-40D9-9103-FE3A31AFDC9B} 的 GPO:
netsh advfirewall set store
gpo=office.acme.com\{842082DD-7501-40D9-9103-FE3A31AFDC9B}

Usage: set store local|gpo=|gpo=|
gpo=

Remarks:

- Sets the policy store to a Group Policy object (GPO) identified by a
computer name, domain and GPO name or GPO unique identifier, or
the local policy store.
- The default value is local.
- You must stay in the same interactive session, otherwise
the store setting is lost.
- When specifying a domain name, you must enter a fully
qualified domain name (FQDN).

Examples:

Set the policy store to the GPO on computer1:
netsh advfirewall set store gpo=computer1

Set the policy store to the GPO called laptops in the office domain:
netsh advfirewall set store gpo=office.acme.com\laptops

Set the policy store to the GPO with unique identifier
{842082DD-7501-40D9-9103-FE3A31AFDC9B} in the office domain:
netsh advfirewall set store
gpo=office.acme.com\{842082DD-7501-40D9-9103-FE3A31AFDC9B}
12015
显示配置文件或全局属性。
Displays profile or global properties.
12016
显示域配置文件的属性。
Displays properties for the domain properties.
12017
用法: show privateprofile [parameter]

参数:
state - 显示具有高级安全性的 Windows 防火墙是否已启用。
firewallpolicy - 显示默认的入站和出站防火墙行为。
settings - 显示防火墙属性。
logging - 显示日志记录设置。

注释:
- 显示私有配置文件的属性。如果没有指定参数,则显示所有属性。

示例:

显示私有配置文件的防火墙状态:
netsh advfirewall show privateprofile state

Usage: show domainprofile [parameter]

Parameters:

state - Displays whether Windows Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.

Remarks:

- Displays the properties for the domain profile. If a parameter
is not specified, all properties are displayed.

Examples:

Display the domain profile firewall state:
netsh advfirewall show domainprofile state
12018
显示专用配置文件的属性。
Displays properties for the private profile.
12020
显示活动配置文件的属性。
Displays properties for the active profile.
12021
用法: show currentprofile [parameter]

参数:
state - 显示具有高级安全性的 Windows 防火墙是否已启用。
firewallpolicy - 显示默认的入站和出站防火墙行为。
settings - 显示防火墙属性。
logging - 显示日志记录设置。

注释:
- 显示活动配置文件的属性。如果没有指定参数,则显示所有属性。

示例:

显示活动配置文件的防火墙状态:
netsh advfirewall show currentprofile state

Usage: show currentprofile [parameter]

Parameters:

state - Displays whether Windows Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.

Remarks:

- Displays the properties for the active profile. If a parameter
is not specified, all properties are displayed.

Examples:

Display the active profile firewall state:
netsh advfirewall show currentprofile state
12022
显示所有配置文件的属性。
Displays properties for all profiles.
12023
用法: show allprofiles [parameter]

参数:
state - 显示具有高级安全性的 Windows 防火墙是否已启用。
firewallpolicy - 显示默认的入站和出站防火墙行为。
settings - 显示防火墙属性。
logging - 显示日志记录设置。

注释:
- 显示所有配置文件的属性。如果没有指定参数,
则显示所有属性。

示例:
显示所有配置文件的防火墙状态:
netsh advfirewall show allprofiles state

Usage: show allprofiles [parameter]

Parameters:

state - Displays whether Windows Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.

Remarks:

- Displays the properties for all profiles. If a parameter
is not specified, all properties are displayed.

Examples:

Display the firewall state for all propfiles:
netsh advfirewall show allprofiles state
12024
显示全局属性。
Displays the global properties.
12025
用法: show global [property]

参数:

ipsec - 显示 IPSec 特定设置。
statefulftp - 显示 状态 ftp 支持。
statefulpptp - 显示 状态 pptp 支持。
此值在 Windows 7 中被忽略,并且只能用于管理下层高级
安全 Windows 防火墙。
mainmode - 显示主模式设置。
categories - 显示防火墙类别。

注释:

- 显示全局属性设置。如果没有指定参数,则显示所有属性。

示例:

显示 IPsec 设置:
netsh advfirewall show global ipsec

显示主模式设置:
netsh advfirewall show global mainmode

Usage: show global [property]

Parameters:

ipsec - Shows IPsec specific settings.
statefulftp - Shows stateful ftp support.
statefulpptp - Shows stateful pptp support.
This value is Ignored in Windows 7 and is available only to
manage downlevel Windows Firewall with Advanced Security systems.
mainmode - Shows Main Mode settings.
categories - Shows Firewall Categories.

Remarks:

- Displays the global property settings. If a parameter is
not specified,
all properties are displayed.

Examples:

Display IPsec settings:
netsh advfirewall show global ipsec

Display main mode settings:
netsh advfirewall show global mainmode
12026
显示当前交互式会话的策略存储。
Displays the policy store for the current interactive session.
12027
用法: show store

注释:

- 此命令显示当前策略存储。

示例:

netsh advfirewall show store

Usage: show store

Remarks:

- This command displays the current policy store.

Example:

netsh advfirewall show store
12028
将策略文件导入当前策略存储。
Imports a policy file into the current policy store.
12029
用法: import

注释:

- 从指定文件导入策略。

示例:
netsh advfirewall import "c:\newpolicy.pol"

Usage: import

Remarks:

- Imports policy from the specified file.

Example:

netsh advfirewall import "c:\newpolicy.wfw"
12030
将当前策略导出到文件。
Exports the current policy to a file.
12031
用法: export

注释:

- 将当前策略导出到指定文件。

示例:
netsh advfirewall export "c:\advfirewallpolicy.pol"

Usage: export

Remarks:

- Exports the current policy to the specified file.

Example:

netsh advfirewall export "c:\advfirewallpolicy.wfw"
12032
添加新连接安全规则。
Adds a new connection security rule.
12034
为现有规则的属性设置新值。
Sets new values for properties of an existing rule.
12036
删除所有匹配的连接安全规则。
Deletes all matching connection security rules.
12037
用法: delete rule name=
[type=dynamic|static]
[profile=public|private|domain|any[,...] (default=any)]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[port1=0-65535|[,...]|any (default=any)]
[port2=0-65535|[,...]|any (default=any)]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]

注释:

- 删除按名称识别的规则,也可按配置文件、
终结点、端口、协议和类型识别。
- 如果找到多个匹配项,则删除所有匹配规则。

示例:

从所有配置文件中删除名称为 "rule1" 的规则:
netsh advfirewall consec delete rule name="rule1"

从所有配置文件中删除所有动态规则:
netsh advfirewall consec delete rule name=all type=dynamic

Usage: delete rule name=
[type=dynamic|static]
[profile=public|private|domain|any[,...] (default=any)]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[port1=0-65535|[,...]|any (default=any)]
[port2=0-65535|[,...]|any (default=any)]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]

Remarks:

- Deletes a rule identified by name and optionally by profiles,
endpoints, ports, protocol, and type.
- If multiple matches are found, all matching rules are deleted.

Examples:

Delete a rule called "rule1" from all profiles:
netsh advfirewall consec delete rule name="rule1"

Delete all dynamic rules from all profiles:
netsh advfirewall consec delete rule name=all type=dynamic
12038
显示指定的连接安全规则。
Displays a specified connection security rule.
12039
用法: show rule name=
[profile=public|private|domain|any[,...]]
[type=dynamic|static (default=static)]
[verbose]

注释:

- 显示按名称识别的所有规则实例,
也可按配置文件和类型识别。

示例:

显示所有规则:
netsh advfirewall consec show rule name=all

显示所有动态规则:
netsh advfirewall consec show rule name=all type=dynamic

Usage: show rule name=
[profile=public|private|domain|any[,...]]
[type=dynamic|static (default=static)]
[verbose]

Remarks:

- Displays all instances of the rule identified by name, and
optionally profiles and type.

Examples:

Display all rules:
netsh advfirewall consec show rule name=all

Display all dynamic rules:
netsh advfirewall consec show rule name=all type=dynamic
12040
添加新入站或出站防火墙规则。
Adds a new inbound or outbound firewall rule.
12041
用法: add rule name=
dir=in|out
action=allow|block|bypass
[program=]
[service=|any]
[description=]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
[remoteport=0-65535|[,...]|any (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=]
[rmtusrgrp=]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|authnoencap|notrequired
(default=notrequired)]

备注:

- 将新的入站或出站规则添加到防火墙策略。
- 规则名称应该是唯一的,且不能为 "all"。
- 如果已指定远程计算机或用户组,则 security 必须为
authenticate、authenc、authdynenc 或 authnoencap。
- 为 authdynenc 设置安全性可允许系统动态协商为匹配
给定 Windows 防火墙规则的通信使用加密。
根据现有连接安全规则属性协商加密。
选择此选项后,只要入站 IPSec 连接已设置安全保护,
但未使用 IPSec 进行加密,计算机就能够接收该入站连接的第一个 TCP 或
UDP 包。
一旦处理了第一个数据包,服务器将重新协商连接并对其进行升级,以便所
有后续通信都完全加密。
- 如果 action=bypass,则 dir=in 时必须指定远程计算机组。
- 如果 service=any,则规则仅应用到服务。
- ICMP 类型或代码可以为 "any"。
- Edge 只能为入站规则指定。
- AuthEnc 和 authnoencap 不能同时使用。
- Authdynenc 仅当 dir=in 时有效。
- 设置 authnoencap 后,security=authenticate 选项就变成可选参数。

示例:

为不具有封装的 messenger.exe 添加入站规则:
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\programfiles\messenger\msmsgs.exe"
security=authnoencap action=allow

为端口 80 添加出站规则:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block

为 TCP 端口 80 通信添加需要安全和加密的入站规则:
netsh advfirewall firewall add rule
name="Require Encryption for Inbound TCP/80"
protocol=TCP dir=in localport=80 security=authdynenc
action=allow

为 messenger.exe 添加需要安全的入站规则:
netsh advfirewall firewall add rule name="allow messenger"
dir=in program="c:\program files\messenger\msmsgs.exe"
security=authenticate action=allow

为 SDDL 字符串标识的组 acmedomain\scanners 添加
经过身份验证的防火墙跳过规则:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp= action=bypass
security=authenticate

为 udp- 的本地端口 5000-5010 添加出站允许规则
Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow

Usage: add rule name=
dir=in|out
action=allow|block|bypass
[program=]
[service=|any]
[description=]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
[remoteport=0-65535|[,...]|any (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=]
[rmtusrgrp=]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|authnoencap|notrequired
(default=notrequired)]

Remarks:

- Add a new inbound or outbound rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc, authdynenc, or authnoencap.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
- AuthEnc and authnoencap cannot be used together.
- Authdynenc is valid only when dir=in.
- When authnoencap is set, the security=authenticate option becomes an
optional parameter.

Examples:

Add an inbound rule with no encapsulation security for browser.exe:
netsh advfirewall firewall add rule name="allow browser"
dir=in program="c:\programfiles\browser\browser.exe"
security=authnoencap action=allow

Add an outbound rule for port 80:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block

Add an inbound rule requiring security and encryption
for TCP port 80 traffic:
netsh advfirewall firewall add rule
name="Require Encryption for Inbound TCP/80"
protocol=TCP dir=in localport=80 security=authdynenc
action=allow

Add an inbound rule for browser.exe and require security
netsh advfirewall firewall add rule name="allow browser"
dir=in program="c:\program files\browser\browser.exe"
security=authenticate action=allow

Add an authenticated firewall bypass rule for group
acmedomain\scanners identified by a SDDL string:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp= action=bypass
security=authenticate

Add an outbound allow rule for local ports 5000-5010 for udp-
Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
12043
用法: set rule
group= | name=
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=]
[service=service short name|any]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|[,...]|RPC|RPC-EPMap|IPHTTPS|any]
[remoteport=0-65535|[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
new
[name=]
[dir=in|out]
[program=
[service=|any]
[action=allow|block|bypass]
[description=]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|RPC|RPC-EPMap|any[,...]]
[remoteport=0-65535|any[,...]]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=]
[rmtusrgrp=]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|notrequired]


备注:

- 为已识别的规则设置新的参数值。如果规则不存在,
则该命令失败。若要创建规则,请使用添加命令。
- 会更新规则中 new 关键字后的值。如果
没有值,或缺少关键字 new,则没有任何更改。
- 一组规则只能被启用或禁用。
- 如果多个规则与条件匹配,则会
更新所有匹配规则。
- 规则名称应该是唯一的,并且不能是 "all"。
- 如果指定远程计算机或用户组,security 必须
为 authenticate、authenc 或 authdynenc。
- 为 authdynenc 设置安全性可允许系统动态协商为匹配
给定 Windows 防火墙规则的通信使用加密。
根据现有连接安全规则属性协商加密。
选择此选项后,只要入站 IPSec 连接已设置安全保护,
但未使用 IPSec 进行加密,计算机就能够接收该入站连接的第一个 TCP
或 UDP 包。
一旦处理了第一个数据包,服务器将重新协商连接并对其进行升级,以便
所有后续通信都完全加密。
- Authdynenc 仅当 dir=in 时有效。
- 如果 action=bypass,则当 dir=in 时必须指定远程计算机组。
- 如果 service=any,则规则只适用于服务。
- ICMP 类型或代码可以是 "any"。
- 只能为入站规则指定边缘。

示例:

根据名称为 "allow80" 的规则更改远程 IP 地址:
netsh advfirewall firewall set rule name="allow80" new
remoteip=192.168.0.2

启用带有分组字符串 "Remote Desktop" 的组:
netsh advfirewall firewall set rule group="remote desktop" new
enable=yes
为 udp- 更改规则 "Allow port range" 上的本地端口
Set rule name="Allow port range" dir=out protocol=udp localport=5000-5020 action=allow

Usage: set rule
group= | name=
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=]
[service=service short name|any]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|[,...]|RPC|RPC-EPMap|IPHTTPS|any]
[remoteport=0-65535|[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
new
[name=]
[dir=in|out]
[program=
[service=|any]
[action=allow|block|bypass]
[description=]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|RPC|RPC-EPMap|any[,...]]
[remoteport=0-65535|any[,...]]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=]
[rmtusrgrp=]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|notrequired]

Remarks:

- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- A group of rules can only be enabled or disabled.
- If multiple rules match the criteria, all matching rules will
be updated.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc or authdynenc.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- Authdynenc is valid only when dir=in.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.

Examples:

Change the remote IP address on a rule called "allow80":
netsh advfirewall firewall set rule name="allow80" new
remoteip=192.168.0.2

Enable a group with grouping string "Remote Desktop":
netsh advfirewall firewall set rule group="remote desktop" new
enable=yes

Change the localports on the rule "Allow port range" for udp-
Set rule name="Allow port range" dir=out protocol=udp localport=5000-5020 action=allow
12044
删除所有匹配的防火墙规则。
Deletes all matching firewall rules.
12045
用法: delete rule name=
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=]
[service=|any]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|[,...]|RPC|RPC-EPMap|any]
[remoteport=0-65535|[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]

注释:

- 删除按名称识别的规则,也可按终结点、端口、
协议和类型识别规则
- 如果找到多个匹配项,则删除所有匹配规则。
- 如果指定 name=all,则从指定的
类型和配置文件中删除所有规则。

示例:

删除本地端口 80 的所有入则:
netsh advfirewall firewall delete rule name=all protocol=tcp localport=80

删除名为 "allow80" 的规则:
netsh advfirewall firewall delete rule name="allow80"

Usage: delete rule name=
[dir=in|out]
[profile=public|private|domain|any[,...]]
[program=]
[service=|any]
[localip=any|||||]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[localport=0-65535|[,...]|RPC|RPC-EPMap|any]
[remoteport=0-65535|[,...]|any]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any]

Remarks:

- Deletes a rule identified by name and optionally by endpoints, ports,
protocol, and type.
- If multiple matches are found, all matching rules are deleted.
- If name=all is specified all rules are deleted from the specified
type and profile.

Examples:

Delete all rules for local port 80:
netsh advfirewall firewall delete rule name=all protocol=tcp localport=80

Delete a rule called "allow80":
netsh advfirewall firewall delete rule name="allow80"
12046
显示指定的防火墙规则。
Displays a specified firewall rule.
12047
用法: show rule name=
[profile=public|private|domain|any[,...]]
[type=static|dynamic]
[verbose]

备注:

- 显示所有按名称指定的匹配规则,
也可按配置文件和类型指定规则。如果指定 verbose,则显示所有
匹配规则。

示例:

显示所有动态入站规则:
netsh advfirewall firewall show rule name=all dir=in type=dynamic

显示名为 "allow browser" 的所有入站规则的
所有设置:
netsh advfirewall firewall show rule name="allow browser" verbose

Usage: show rule name=
[profile=public|private|domain|any[,...]]
[type=static|dynamic]
[verbose]

Remarks:

- Displays all matching rules as specified by name and optionally,
profiles and type. If verbose is specified all matching rules are
displayed.

Examples:

Display all dynamic inbound rules:
netsh advfirewall firewall show rule name=all dir=in type=dynamic

Display all the settings for all inbound rules called
"allow browser":
netsh advfirewall firewall show rule name="allow browser" verbose
12064
删除所有匹配的安全关联。
Deletes all matching security associations.
12065
用法: delete mmsa|qmsa [(source destination)|all]

注释:
- 该命令会删除(source destination)对指定的匹配的安全关联。
- Source 和 destination 是单独的 single IPv4 或 IPv6 地址。


示例:

删除所有快速模式安全关联:
netsh advfirewall monitor delete qmsa all

删除在两个指定地址间的所有主模式安全关联:
netsh advfirewall monitor delete mmsa 192.168.03 192.168.0.6

Usage: delete mmsa|qmsa [(source destination)|all]

Remarks:
- This command deletes the matching security association as
specified by (source destination) pair.
- Source and destination are each a single IPv4 or IPv6
address.

Examples:

Delete all quick mode security associations:
netsh advfirewall monitor delete qmsa all

Delete all main mode security associations between the two
specified addresses:
netsh advfirewall monitor delete mmsa 192.168.03 192.168.0.6
12066
显示运行时防火墙策略设置。
Shows the runtime Firewall policy settings.
12068
在公用配置文件中设置属性。
Sets properties in the public profile.
12069
用法: set publicprofile (参数) (值)

参数:

state - 配置防火墙状态。
用法: state on|off|notconfigured

firewallpolicy - 配置默认入站行为和出站行为。
用法: firewallpolicy (入站行为),(出站行为)
入站行为:
blockinbound - 阻止与入站规则不匹配的入站连接。
blockinboundalways - 阻止所有入站连接,即使连接与规则匹配。
allowinbound - 允许与规则不匹配的入站连接。
notconfigured - 将值返回到未配置状态。
出站行为:
allowoutbound - 允许与规则不匹配的出站连接。
blockoutbound - 阻止与规则不匹配的出站连接。
notconfigured - 将值返回到未配置状态。

settings - 配置防火墙设置。
用法: settings (参数) enable|disable|notconfigured
参数:
localfirewallrules - 将本地防火墙规则与组策略规则合并。
配置组策略存储时有效。
localconsecrules - 将本地连接安全规则与组策略规则合并。
配置组策略存储时有效。
inboundusernotification - 在程序侦听入站连接时通知用户。
remotemanagement - 允许远程管理 Windows 防火墙。
unicastresponsetomulticast - 控制对多播的状态单播响应。

logging - 配置日志文件设置。
用法: logging (参数) (值)
参数:
allowedconnections - 记录允许连接的日志。
值: enable|disable|notconfigured
droppedconnections - 记录放弃连接的日志。
值: enable|disable|notconfigured
filename - 防火墙日志的名称和位置。
值: |notconfigured
maxfilesize - 最大日志文件大小(KB)。
用法: 1 - 32767|notconfigured

注释:

- 配置公用配置文件设置。
- "notconfigured" 值仅对于组策略存储有效。

示例:

在公用配置文件活动时关闭防火墙:
netsh advfirewall set publicprofile state off

设置默认行为,以在公用配置文件活动时
阻止入站连接和允许出站连接:
netsh advfirewall set publicprofile firewallpolicy
blockinbound,allowoutbound

在公用配置文件活动时打开远程管理:
netsh advfirewall set publicprofile settings remotemanagement enable

在公用配置文件活动时,记录放弃连接的日志:
netsh advfirewall set publicprofile logging droppedconnections enable

Usage: set publicprofile (parameter) (value)

Parameters:

state - Configure the firewall state.
Usage: state on|off|notconfigured

firewallpolicy - Configures default inbound and outbound behavior.
Usage: firewallpolicy (inbound behavior),(outbound behavior)
Inbound behavior:
blockinbound - Block inbound connections that do not
match an inbound rule.
blockinboundalways - Block all inbound connections even if
the connection matches a rule.
allowinbound - Allow inbound connections that do
not match a rule.
notconfigured - Return the value to its unconfigured state.
Outbound behavior:
allowoutbound - Allow outbound connections that do not
match a rule.
blockoutbound - Block outbound connections that do not
match a rule.
notconfigured - Return the value to its unconfigured state.

settings - Configures firewall settings.
Usage: settings (parameter) enable|disable|notconfigured
Parameters:
localfirewallrules - Merge local firewall rules with Group
Policy rules. Valid when configuring
a Group Policy store.
localconsecrules - Merge local connection security rules
with Group Policy rules. Valid when
configuring a Group Policy store.
inboundusernotification - Notify user when a program listens
for inbound connections.
remotemanagement - Allow remote management of Windows
Firewall.
unicastresponsetomulticast - Control stateful unicast response to
multicast.

logging - Configures logging settings.
Usage: logging (parameter) (value)
Parameters:
allowedconnections - Log allowed connections.
Values: enable|disable|notconfigured
droppedconnections - Log dropped connections.
Values: enable|disable|notconfigured
filename - Name and location of the firewall log.
Values: |notconfigured
maxfilesize - Maximum log file size in kilobytes.
Values: 1 - 32767|notconfigured

Remarks:

- Configures public profile settings.
- The "notconfigured" value is valid only for a Group Policy store.

Examples:

Turn the firewall off when the public profile is active:
netsh advfirewall set publicprofile state off

Set the default behavior to block inbound and allow outbound
connections when the public profile is active:
netsh advfirewall set publicprofile firewallpolicy
blockinbound,allowoutbound

Turn on remote management when the public profile is active:
netsh advfirewall set publicprofile settings remotemanagement enable

Log dropped connections when the public profile is active:
netsh advfirewall set publicprofile logging droppedconnections enable
12070
显示公用配置文件的属性。
Displays properties for the public profile.
12071
用法: show publicprofile [parameter]

参数:

state - 显示具有高级安全性的 Windows 防火墙是否已启用。
firewallpolicy - 显示默认的入站和出站防火墙行为。
settings - 显示防火墙设置。
logging - 显示日志记录设置。

注释:

- 显示公用配置文件的属性。如果没有指定参数,则显示搜有属性。

示例:

显示公用配置文件防火墙状态:
netsh advfirewall show publicprofile state

Usage: show publicprofile [parameter]

Parameters:

state - Displays whether Windows Firewall with Advanced
Security is on or off.
firewallpolicy - Displays default inbound and outbound
firewall behavior.
settings - Displays firewall properties.
logging - Displays logging settings.

Remarks:

- Displays the properties for the public profile. If a parameter
is not specified, all properties are displayed.

Examples:

Display the public profile firewall state:
netsh advfirewall show publicprofile state
12072
用法: add rule name=
endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||
endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||
action=requireinrequestout|requestinrequestout|
requireinrequireout|requireinclearout|noauthentication
[description=]
[mode=transport|tunnel (default=transport)]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...] (default=any)]
[type=dynamic|static (default=static)]
[localtunnelendpoint=any||]
[remotetunnelendpoint=any||]
[port1=0-65535|[,...]|any (default=any)]
[port2=0-65535|[,...]|any (default=any)]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)]
[interfacetype=wiresless|lan|ras|any (default=any)]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
|..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[auth2=computercert|computercertecdsap256|computercertecdsap384|
userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
anonymous[,...]]
[auth2kerbproxyfqdn=]
[auth2ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]

Usage: add rule name=
endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||
endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||
action=requireinrequestout|requestinrequestout|
requireinrequireout|requireinclearout|noauthentication
[description=]
[mode=transport|tunnel (default=transport)]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...] (default=any)]
[type=dynamic|static (default=static)]
[localtunnelendpoint=any||]
[remotetunnelendpoint=any||]
[port1=0-65535|[,...]|any (default=any)]
[port2=0-65535|[,...]|any (default=any)]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)]
[interfacetype=wiresless|lan|ras|any (default=any)]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
|..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[auth2=computercert|computercertecdsap256|computercertecdsap384|
userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
anonymous[,...]]
[auth2kerbproxyfqdn=]
[auth2ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
12073

备注:

- 规则名称应该唯一且不能为 "all"。
- 当 mode=tunnel 时,必须指定隧道终结点,操作为 noauthentication
时除外。
当输入特定 IP 地址时,这些地址必须是相同的 IP 版本。
此外,当配置动态隧道时:
可以将隧道终结点设置为 any。不需要为
客户端策略指定本地隧道终结点(即 any)。
不需要为网关策略指定远程隧道终结点(即 any)。
此外,操作必须为 requireinrequireout、requireinclearout
或 noauthentication。
- 当 mode=Transport 时 requireinclearout 无效。
- 必须至少指定一个身份验证。
- Auth1 和 auth2 可以是用逗号分隔的选项列表。
- 不可以为 auth1 同时指定 Computerpsk 和 computerntlm 方法。
- 不可以将 Computercert 与 auth2 的用户凭据一起指定。
- 仅在 Windows Vista SP1 及更高版本上
支持 Certsigning 选项 ecdsap256 和 ecdsap384。
- Qmsecmethods 可以是由 "," 分隔的建议列表。
- 对于 qmsecmethods,integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
aesgmac256|aesgcm128|aesgcm192|aesgcm256 和
encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256
- 如果指定 aesgcm128、aesgcm192 或 aesgcm256,则它必须
用于 ESP 完整性和加密。
- 仅在 Windows Vista SP1 及更高版本上支持 Aesgmac128、aesgmac192、
aesgmac256、aesgcm128、aesgcm192、aesgcm256、sha256。
- Qmpfs=mainmode 使用 PFS 的主模式密钥交换设置。
- 不建议使用 DES、MD5 和 DHGroup1。提供这些加密算法仅用于向下兼容。
- certmapping 和 excludecaname 的默认值为 "no"。
- 必须将 CA 名称中的 " 字符替换为 \'
- 对于 auth1ca 和 auth2ca,CA 名称必须以 "CN=" 为前缀。
- 可以使用 catype 来指定证书颁发机构类型 - catype=root/intermediate
- 在 Windows 7 及更高版本上支持 authnoencap。
- authnoencap 表示计算机将仅使用身份验证,
将不使用任何每个数据包封装或加密算法
来保护随后作为此连接的一部分交换的网络数据包。
- 不能在同一规则上同时使用 QMPFS 和 authnoencap。
- AuthNoEncap 必须至少和一个 AH 或 ESP 完整性套件一起使用。
- 只能为隧道模式规则指定 applyauthz。
- 只能为隧道模式规则指定 exemptipsecprotectedconnections。
通过将此标志设置为“是”,将从隧道中免除 ESP 流量。
仅 AH 流量将不会从隧道中免除。
- qmsecmethod 的 Valuemin(指定时)应介于 5-2880 分钟之间。
qmsecmethod 的 Valuekb(指定时)应介于 20480-2147483647 KB 之间。
- Certhash 指定证书的指纹或证书的哈希。
- Followrenewal 指定是否自动跟随证书中的可续订链接。仅适用于
证书部分(需要 certhash)。
- Certeku 指定要在证书中匹配的用逗号分隔的 EKU OID 列表。
- Certname 指定要匹配证书名称的字符串(需要 certnametype)。
- Certnametype 指定要匹配的 certname 的证书字段(需要 certname)。


Remarks:

- Rule name should be unique and cannot be "all".
- When mode=tunnel,tunnel endpoints must be specified,
except when the action is noauthentication.
When specific IP addresses are entered, they must be
the same IP version.
In addition, When configuring dynamic tunnels:
Tunnel endpoints can be set to any. Local tunnel
endpoint need not be specified for Client policy
(i.e any).
Remote tunnel endpoints need not be specified for
Gateway Policy (i.e any).
Also, action must be requireinrequireout, requireinclearout,
or noauthentication.
- requireinclearout is not valid when mode=Transport.
- At least one authentication must be specified.
- Auth1 and auth2 can be comma-separated lists of options.
- Computerpsk and computerntlm methods cannot be specified together
for auth1.
- Computercert cannot be specified with user credentials for auth2.
- Certsigning options ecdsap256 and ecdsap384 are only supported on
Windows Vista SP1 and later.
- Qmsecmethods can be a list of proposals separated by a ",".
- For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
aesgmac256|aesgcm128|aesgcm192|aesgcm256 and
encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
- If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for
both ESP integrity and encryption.
- Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256,
sha256 are only supported on Windows Vista SP1 and later.
- Qmpfs=mainmode uses the main mode key exchange setting for PFS.
- The use of DES, MD5 and DHGroup1 is not recommended. These
cryptographic algorithms are provided for backward compatibility
only.
- The default value for certmapping and excludecaname is 'no'.
- The " characters within CA name must be replaced with \'
- For auth1ca and auth2ca, the CA name must be prefixed by 'CN='.
- catype can be used to specify the Certification authority type -
catype=root/intermediate
- authnoencap is supported on Windows 7 and later.
- authnoencap means that the computers will only use authentication,
and will not use any per packet encapsulation or encryption
algorithms to protect subsequent network packets exchanged as part
of this connection.
- QMPFS and authnoencap cannot be used together on the same rule.
- AuthNoEncap must be accompanied by at least one AH or ESP integrity
suite.
- applyauthz can only be specified for tunnel mode rules.
- exemptipsecprotectedconnections can only be specified
for tunnel mode rules. By setting this flag to "Yes",
ESP traffic will be exempted from the tunnel.
AH only traffic will NOT be exempted from the tunnel.
- Valuemin(when specified) for a qmsecmethod should be between 5-2880
minutes. Valuekb(when specified) for a qmsecmethod should be
between 20480-2147483647 kilobytes.
- Certhash specifies the thumbprint, or hash of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
- Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
12074

示例:

使用默认值为域隔离添加规则:
netsh advfirewall consec add rule name="isolation"
endpoint1=any endpoint2=any action=requireinrequestout

使用自定义快速模式建议添加规则:
netsh advfirewall consec add rule name="custom"
endpoint1=any endpoint2=any
qmsecmethods=ah:sha1+esp:sha1-aes256+60min+20480kb,ah:sha1
action=requireinrequestout

使用自定义快速模式建议添加规则:
netsh advfirewall consec add rule name="custom"
endpoint1=any endpoint2=any
qmsecmethods=authnoencap:sha1,ah:aesgmac256+esp:aesgmac256-none
action=requireinrequestout

创建从
子网 A (192.168.0.0, external ip=1.1.1.1)到
子网 B (192.157.0.0, external ip=2.2.2.2)的隧道模式规则:
netsh advfirewall consec add rule name="my tunnel" mode=tunnel
endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16
remotetunnelendpoint=2.2.2.2
localtunnelendpoint=1.1.1.1 action=requireinrequireout

创建从子网
A (192.168.0.0/16)到
子网 B (192.157.0.0, remoteGW=2.2.2.2)的动态隧道模式规则
客户端策略:
netsh advfirewall consec add rule name="dynamic tunnel"
mode=tunnel
endpoint1=any endpoint2=192.157.0.0/16
remotetunnelendpoint=2.2.2.2
action=requireinrequireout
网关策略(仅适用于网关设备):
netsh advfirewall consec add rule name="dynamic tunnel"
mode=tunnel endpoint1=192.157.0.0/16
endpoint2=any localtunnelendpoint=2.2.2.2
action=requireinrequireout

使用 CA 名称添加规则:
netsh advfirewall consec add rule name="cert rule"
endpoint1=any endpoint2=any action=requireinrequestout
auth1=computercert auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"

使用各种证书条件以及多种身份验证方法
添加规则:
netsh advfirewall consec add rule name="cert rule" endpoint1=any
endpoint2=any action=requireinrequireout auth1=computercert
auth1ca="CN=\'CN1\' certcriteriatype:Selection certname:MyGroup
certnametype:SubjectOU certeku:1.2.3.4.5|CN=\'CN2\'
certcriteriatype:Validation certeku:2.3.4.5.6,9.10.11.12|CN=\'CN3\'
certhash:0123456789abcdef01234567890ABCDEF0123456"


Examples:

Add a rule for domain isolation using defaults:
netsh advfirewall consec add rule name="isolation"
endpoint1=any endpoint2=any action=requireinrequestout

Add a rule with custom quick mode proposals:
netsh advfirewall consec add rule name="custom"
endpoint1=any endpoint2=any
qmsecmethods=ah:sha1+esp:sha1-aes256+60min+20480kb,ah:sha1
action=requireinrequestout

Add a rule with custom quick mode proposals:
netsh advfirewall consec add rule name="custom"
endpoint1=any endpoint2=any
qmsecmethods=authnoencap:sha1,ah:aesgmac256+esp:aesgmac256-none
action=requireinrequestout

Create a tunnel mode rule from
subnet A (192.168.0.0, external ip=1.1.1.1) to
subnet B (192.157.0.0, external ip=2.2.2.2):
netsh advfirewall consec add rule name="my tunnel" mode=tunnel
endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16
remotetunnelendpoint=2.2.2.2
localtunnelendpoint=1.1.1.1 action=requireinrequireout

Create a dynamic tunnel mode rule from subnet
A (192.168.0.0/16)
to subnet B (192.157.0.0, remoteGW=2.2.2.2)
Client Policy:
netsh advfirewall consec add rule name="dynamic tunnel"
mode=tunnel
endpoint1=any endpoint2=192.157.0.0/16
remotetunnelendpoint=2.2.2.2
action=requireinrequireout
Gateway Policy (Applied only to the Gateway device):
netsh advfirewall consec add rule name="dynamic tunnel"
mode=tunnel endpoint1=192.157.0.0/16
endpoint2=any localtunnelendpoint=2.2.2.2
action=requireinrequireout

Add a rule with CA name:
netsh advfirewall consec add rule name="cert rule"
endpoint1=any endpoint2=any action=requireinrequestout
auth1=computercert auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"

Add a rule, with multiple authentication methods, using a variety of cert
criteria:
netsh advfirewall consec add rule name="cert rule" endpoint1=any
endpoint2=any action=requireinrequireout auth1=computercert
auth1ca="CN=\'CN1\' certcriteriatype:Selection certname:MyGroup
certnametype:SubjectOU certeku:1.2.3.4.5|CN=\'CN2\'
certcriteriatype:Validation certeku:2.3.4.5.6,9.10.11.12|CN=\'CN3\'
certhash:0123456789abcdef01234567890ABCDEF0123456"
12075
用法: set rule
group= | name=
[type=dynamic|static]
[profile=public|private|domain|any[,...] (default=any)]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[port1=0-65535|[,...]|any]
[port2=0-65535|[,...]|any]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
new
[name=]
[profile=public|private|domain|any[,...]]
[description=]
[mode=transport|tunnel]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[action=requireinrequestout|requestinrequestout|
requireinrequireout|requireinclearout|noauthentication]
[enable=yes|no]
[type=dynamic|static]
[localtunnelendpoint=any||]
[remotetunnelendpoint=any||]
[port1=0-65535|[,...]|any]
[port2=0-65535|[,...]|any]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
[interfacetype=wiresless|lan|ras|any]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1healthcert=yes|no]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]

Usage: set rule
group= | name=
[type=dynamic|static]
[profile=public|private|domain|any[,...] (default=any)]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[port1=0-65535|[,...]|any]
[port2=0-65535|[,...]|any]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
new
[name=]
[profile=public|private|domain|any[,...]]
[description=]
[mode=transport|tunnel]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[action=requireinrequestout|requestinrequestout|
requireinrequireout|requireinclearout|noauthentication]
[enable=yes|no]
[type=dynamic|static]
[localtunnelendpoint=any||]
[remotetunnelendpoint=any||]
[port1=0-65535|[,...]|any]
[port2=0-65535|[,...]|any]
[protocol=0-255|tcp|udp|icmpv4|icmpv6|any]
[interfacetype=wiresless|lan|ras|any]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1healthcert=yes|no]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
12076

备注:

- 为已标识的规则设置新的参数值。如果规则不存在,
则该命令失败。若要创建规则,请使用添加命令。
- 会更新规则中 new 关键字后的值。如果没有值,
或缺少关键字 new,则不进行任何更改。
- 只能启用或禁用一组规则。
- 如果多个规则与条件匹配,将更新所有
匹配的规则。
- 规则名称应该唯一且不能为 "all"。
- Auth1 和 auth2 可以是用逗号分隔的选项列表。
- 无法为 auth1 同时指定 Computerpsk 和 computerntlm 方法。
- 无法将 Computercert 与 auth2 的用户凭据一起指定。
- 仅在 Windows Vista SP1 及更高版本上
支持 Certsigning 选项 ecdsap256 和 ecdsap384。
- Qmsecmethods 可以是由 "," 分隔的建议列表。
- 对于 qmsecmethods,integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
aesgmac256|aesgcm128|aesgcm192|aesgcm256 和
encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|
aesgcm256。
- 如果指定 aesgcm128、aesgcm192 或 aesgcm256,则它必须
用于 ESP 完整性和加密。
- 仅 Windows Vista SP1 及更高版本上支持 Aesgmac128、aesgmac192、
aesgmac256、aesgcm128、aesgcm192、aesgcm256、sha256。
- 如果 qmsemethods 设置为默认值,则 qmpfs 也将设置为默认值。
- Qmpfs=mainmode 使用 PFS 的主模式密钥交换设置。
- 不建议使用 DES、MD5 和 DHGroup1。提供
这些加密算法仅用于向下兼容。
- 必须将 CA 名称中的 " 字符替换为 \'
- 对于 auth1ca 和 auth2ca,CA 名称必须以 "CN=" 为前缀。
- 可以使用 catype 来指定证书颁发机构类型 -
catype=root/intermediate
- 在 Windows 7 及更高版本上支持 authnoencap。
- authnoencap 表示计算机将仅使用身份验证,
将不会使用任何每个数据包封装或加密算法
来保护随后作为此连接的一部分交换的网络数据包。
- 无法在同一规则上同时使用 QMPFS 和 authnoencap。
- AuthNoEncap 必须至少和一个 AH 或 ESP 完整性套件一起使用。
- 当 mode=tunnel 时,操作必须是 requireinrequireout、
requireinclearout 或 noauthentication。
- 当 mode=Transport 时,requireinclearout 无效。
- 只能为隧道模式规则指定 applyauthz。
- 只能为隧道模式规则指定 exemptipsecprotectedconnections。
通过将此标志设置为“是”,将从隧道中免除 ESP 流量。
仅 AH 流量将不会从隧道中免除。
- 当 mode=transport 时,只能指定 Port1、Port2 和 Protocol。
- qmsecmethod 的 Valuemin(指定时)应介于 5-2880 分钟之间。
qmsecmethod 的 Valuekb(指定时)应介于 20480-2147483647 KB 之间。
- Certhash 指定证书的指纹或哈希。
- Followrenewal 指定是否自动跟随证书中的可续订链接。仅适用于
证书部分(需要 certhash)。
- Certeku 指定要在证书中匹配的用逗号分隔的 EKU OID 列表。
- Certname 指定要匹配证书名称的字符串(需要 certnametype)。
- Certnametype 指定要匹配的 certname 的证书字段(需要 certname)。


Remarks:

- Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
- Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
- A group of rules can only be enabled or disabled.
- If multiple rules match the criteria, all matching rules will be
updated.
- Rule name should be unique and cannot be "all".
- Auth1 and auth2 can be comma-separated lists of options.
- Computerpsk and computerntlm methods cannot be specified together
for auth1.
- Computercert cannot be specified with user credentials for auth2.
- Certsigning options ecdsap256 and ecdsap384 are only supported on
Windows Vista SP1 and later.
- Qmsecmethods can be a list of proposals separated by a ",".
- For qmsecmethods, integrity=md5|sha1|sha256|aesgmac128|aesgmac192|
aesgmac256|aesgcm128|aesgcm192|aesgcm256 and
encryption=3des|des|aes128|aes192|aes256|aesgcm128|aesgcm192|aesgcm256.
- If aesgcm128, aesgcm192, or aesgcm256 is specified, it must be used for
both ESP integrity and encryption.
- Aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256,
sha256 are only supported on Windows Vista SP1 and later.
- If qmsemethods are set to default, qmpfs will be set to default
as well.
- Qmpfs=mainmode uses the main mode key exchange setting for PFS.
- The use of DES, MD5 and DHGroup1 is not recommended. These
cryptographic algorithms are provided for backward compatibility
only.
- The " characters within CA name must be replaced with \'
- For auth1ca and auth2ca, the CA name must be prefixed by 'CN='.
- catype can be used to specify the Certification authority type -
catype=root/intermediate
- authnoencap is supported on Windows 7 and later.
- authnoencap means that the computers will only use authentication,
and will not use any per packet encapsulation or encryption
algorithms to protect subsequent network packets exchanged as part
of this connection.
- QMPFS and authnoencap cannot be used together on the same rule.
- AuthNoEncap must be accompanied by at least one AH or ESP integrity
suite.
- When mode=tunnel action must be requireinrequireout, requireinclearout
or noauthentication.
- requireinclearout is not valid when mode=Transport.
- applyauthz can only be specified for tunnel mode rules.
- exemptipsecprotectedconnections can only be specified
for tunnel mode rules. By setting this flag to "Yes",
ESP traffic will be exempted from the tunnel.
AH only traffic will NOT be exempted from the tunnel.
- Port1, Port2 and Protocol can only be specified when mode=transport.
- Valuemin(when specified) for a qmsecmethod should be between 5-2880
minutes. Valuekb(when specified) for a qmsecmethod should be
between 20480-2147483647 kilobytes.
- Certhash specifies the thumbprint, or hash of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
- Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
12077

示例:

将 rule1 重命名为 rule2:
netsh advfirewall consec set rule name="rule1" new
name="rule2"

更改规则的操作:
netsh advfirewall consec set rule name="rule1"
endpoint1=1.2.3.4 endpoint2=4.3.2.1 new action=requestinrequestout

使用自定义快速模式建议添加规则:
netsh advfirewall consec set rule name="Custom QM" new
endpoint1=any endpoint2=any
qmsecmethods=authnoencap:aesgmac256,ah:aesgmac256+esp:aesgmac256-none


Examples:

Rename rule1 to rule 2:
netsh advfirewall consec set rule name="rule1" new
name="rule2"

Change the action on a rule:
netsh advfirewall consec set rule name="rule1"
endpoint1=1.2.3.4 endpoint2=4.3.2.1 new action=requestinrequestout

Add a rule with custom quick mode proposals:
netsh advfirewall consec set rule name="Custom QM" new
endpoint1=any endpoint2=any
qmsecmethods=authnoencap:aesgmac256,ah:aesgmac256+esp:aesgmac256-none
12078
显示主模式 SA
Displays the main mode SAs
12079
用法: show mmsa [(source destination)|all]

备注:

- 该命令显示安全关联或
(source destination)对筛选的安全关联。
- 源和目标都是一个 IPv4 或 IPv6
地址。

示例:

显示所有主模式 SA:
netsh advfirewall monitor show mmsa

显示两个地址之间的主模式 SA:
netsh advfirewall monitor show mmsa 192.168.0.3 192.168.0.4

Usage: show mmsa [(source destination)|all]

Remarks:

- This command shows the security association, or as
filtered by (source destination) pair.
- Source and destination are each a single IPv4 or IPv6
address.

Examples:

Show all main mode SAs:
netsh advfirewall monitor show mmsa

Show the main mode SAs between the two addresses:
netsh advfirewall monitor show mmsa 192.168.0.3 192.168.0.4
12080
显示快速模式 SA。
Displays the quick mode SAs.
12081
用法: show qmsa [(source destination)|all]

备注:

- 该命令显示安全关联或
(source destination)对筛选的安全关联。
- 源和目标都是一个 IPv4 或 IPv6
地址。

示例:

显示所有快速模式 SA:
netsh advfirewall monitor show qmsa

显示两个地址之间的快速模式 SA:
netsh advfirewall monitor show qmsa 192.168.0.3 192.168.0.4

Usage: show qmsa [(source destination)|all]

Remarks:

- This command shows the security association, or as
filtered by (source destination) pair.
- Source and destination are each a single IPv4 or IPv6
address.

Examples:

Show all quick mode SAs:
netsh advfirewall monitor show qmsa

Show the quick mode SAs between the two addresses:
netsh advfirewall monitor show qmsa 192.168.0.3 192.168.0.4
12082
添加新的主模式规则。
Adds a new mainmode rule.
12086
删除所有匹配的主模式规则。
Deletes all matching mainmode rules.
12087
用法: delete rule name=|all
[profile=any|current|public|private|domain[,...]]
[type=dynamic|static (default=static)]

备注:

- 删除与指定的名称匹配的
现有主模式设置。可以选择指定配置文件。
如果具有指定名称的设置不存在,则该命令失败。
- 如果指定 name=all,则从指定类型和配置文件中
删除所有规则。
如果未指定配置文件,则对所有配置文件应用删除。

示例:

删除名称为 test 的主模式规则:
Netsh advfirewall mainmode delete rule name="test"

Usage: delete rule name=|all
[profile=any|current|public|private|domain[,...]]
[type=dynamic|static (default=static)]

Remarks:

- Deletes an existing main mode setting that matches the
name specified. Optionally, profile can be specified.
Command fails if setting with the specified name does not exist.
- If name=all is specified all rules are deleted from the specified
type and profile.
If profile is not specified, the delete applies to all profiles.

Examples:

Delete a main mode rule with name test:
Netsh advfirewall mainmode delete rule name="test"
12088
显示指定的主模式规则。
Displays a specified mainmode rule.
12089
用法: show rule name=|all
[profile=all|current|public|private|domain[,...]]
[type=dynamic|static (default=static)]
[verbose]

备注:

- 显示与指定名称匹配的现有主模式设置。
显示由名称指定的所有匹配的规则,可以选择指定
配置文件。
如果名称中指定了“all”,则将显示指定配置文件
的所有主模式设置。

示例:

显示名为 test 的主模式规则:
Netsh advfirewall mainmode show rule name="test"

Usage: show rule name=|all
[profile=all|current|public|private|domain[,...]]
[type=dynamic|static (default=static)]
[verbose]

Remarks:

- Display existing main mode settings that match the name specified.
Displays all matching rules as specified by name and optionally,
profile can be specified.
If "all" is specified in the name, all mainmode settings will be shown
for the profiles specified.

Examples:

Display a main mode rule by name test:
Netsh advfirewall mainmode show rule name="test"
12090
显示当前防火墙状态信息。
Displays current firewall state information.
12091
用法: show firewall
[rule
name=
[dir=in|out]
[profile=public|private|domain|active|any[,...]]
]
[verbose]


备注:

- 显示所有可用的网络配置文件的 Windows 防火墙属性。
- profile= 参数使管理员能够将输出筛选到系统上的
特定配置文件。
- Verbose 参数添加对显示详细安全和高级
规则“源名称”信息的支持。

示例:

显示当前防火墙状态:
netsh advfirewall monitor show firewall

显示公用配置文件的当前出站防火墙规则:
netsh advfirewall monitor show firewall rule name=all dir=out profile=public

Usage: show firewall
[rule
name=
[dir=in|out]
[profile=public|private|domain|active|any[,...]]
]
[verbose]


Remarks:

- Displays the Windows Firewall properties for all available
network profiles.
- The profile= argument enables the administrator to filter
the output to specific profiles on the system.
- The Verbose argument adds support for displaying detailed
security and advanced rule 'source name' information.

Examples:

Display the current Firewall state:
netsh advfirewall monitor show firewall

Display the current outbound firewall rule for public profie:
netsh advfirewall monitor show firewall rule name=all dir=out profile=public
12092
显示当前 consec 状态信息。
Displays current consec state information.
12093
用法: show consec
[rule
name=
[profile=public|private|domain|active|any[,...]]
]
[verbose]


备注:

- 显示所有可用网络配置文件的连接安全配置
- [profile=] 命令使管理员能够将输出筛选到
系统上的特定配置文件或仅返回活动或
非活动配置文件的结果
- [rule] 命令允许管理员将规则输出范围限制于某些规则
名称和状态以限制输出的范围
- Verbose 命令添加对显示详细安全和
高级规则“源名称”信息

示例:

显示当前连接安全状态:
netsh advfirewall monitor show consec

显示公用配置文件的当前连接安全信息:
netsh advfirewall monitor show consec rule name=all profile=public

Usage: show consec
[rule
name=
[profile=public|private|domain|active|any[,...]]
]
[verbose]


Remarks:

- Displays the Connection Security configuration for all
available network profiles
- The [profile=] command enables the administrator to filter
the output to specific profiles on the system or to only
return results from Active or Inactive profiles
- The [rule] command allows the administrator to scope the rule
output to certain rule names and status to scope the output
- The Verbose command adds support for displaying detailed
security and advanced rule 'source name' information

Examples:

Display the current connection security state:
netsh advfirewall monitor show consec

Display the current connection security information for public profie:
netsh advfirewall monitor show consec rule name=all profile=public
12094
显示当前活动的配置文件。
Displays the currently active profiles.
12095
用法: show currentprofile

备注:

- 该命令显示与当前活动的配置文件关联的网络连接。

示例:

显示与当前活动的配置文件关联的所有网络:
netsh advfirewall monitor show currentprofile

Usage: show currentprofile

Remarks:

- This command shows the network connections associated
with currently active profiles.

Examples:

Shows all networks associated with the currently active profiles:
netsh advfirewall monitor show currentprofile
12096
显示当前主模式状态信息。
Displays current mainmode state information.
12097
用法: 显示主模式
[rule
name=
[profile=public|private|domain|active|any[,...]]
]
[verbose]


备注:

- 显示所有可用网络配置文件的主模式安全配置
- [profile=] 命令使管理员能够将输出筛选到系统上的特定配置文件
或仅返回活动或非活动配置文件的结果
- [rule] 命令允许管理员将规则输出范围限制于某些规则名称和状态
以限制输出的范围
- Verbose 命令添加对显示详细安全和高级规则“源名称”信息的支持

示例:

显示公用配置文件的当前主模式信息:
netsh advfirewall monitor show mainmode rule name=all profile=public

Usage: show mainmode
[rule
name=
[profile=public|private|domain|active|any[,...]]
]
[verbose]


Remarks:

- Displays the Main mode Security configuration for all
available network profiles
- The [profile=] command enables the administrator to filter
the output to specific profiles on the system or to only
return results from Active or Inactive profiles
- The [rule] command allows the administrator to scope the rule
output to certain rule names and status to scope the output
- The Verbose command adds support for displaying detailed
security and advanced rule 'source name' information

Examples:

Display the current main mode information for public profie:
netsh advfirewall monitor show mainmode rule name=all profile=public
12098
[auth2ecdsap256ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth2ecdsap384ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384|
mainmode|none (default=none)]
[qmsecmethods=authnoencap:+[valuemin]+[valuekb]|
ah:+esp:-+[valuemin]+[valuekb]
|default]
[exemptipsecprotectedconnections=yes|no (default=no)]
[applyauthz=yes|no (default=no)]

[auth2ecdsap256ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth2ecdsap384ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384|
mainmode|none (default=none)]
[qmsecmethods=authnoencap:+[valuemin]+[valuekb]|
ah:+esp:-+[valuemin]+[valuekb]
|default]
[exemptipsecprotectedconnections=yes|no (default=no)]
[applyauthz=yes|no (default=no)]
12099
- Certcriteriatype 指定当选择本地证书、验证对等证书或两者都执行
时是否对证书采取操作。
- 在 computercert 身份验证映射内,可以通过用 "|" 字符分隔每个
条目来引用多个证书。

- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.
- Within a computercert authentication mapping, multiple certificates can
be referenced by separating each entry by using the '|' character.
12100
[auth1ecdsap384healthcert=yes|no (default=no)]
[auth2=computercert|computercertecdsap256|computercertecdsap384|
userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
anonymous[,...]]
[auth2kerbproxyfqdn=]
[auth2ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth2ecdsap256ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth2ecdsap384ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384|
mainmode|none]
[qmsecmethods=authnoencap:+[valuemin]+[valuekb]|
ah:+esp:-+[valuemin]+[valuekb]
|default]
[exemptipsecprotectedconnections=yes|no (default=no)]
[applyauthz=yes|no (default=no)]

[auth1ecdsap384healthcert=yes|no (default=no)]
[auth2=computercert|computercertecdsap256|computercertecdsap384|
userkerb|usercert|usercertecdsap256|usercertecdsap384|userntlm|
anonymous[,...]]
[auth2kerbproxyfqdn=]
[auth2ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth2ecdsap256ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth2ecdsap384ca=" [certmapping:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[qmpfs=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|ecdhp384|
mainmode|none]
[qmsecmethods=authnoencap:+[valuemin]+[valuekb]|
ah:+esp:-+[valuemin]+[valuekb]
|default]
[exemptipsecprotectedconnections=yes|no (default=no)]
[applyauthz=yes|no (default=no)]
12101
- Certcriteriatype 指定当选择本地证书、验证对等证书或两者都执行
时是否对证书采取操作。

- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.
12102

备注:

- 向防火墙策略中添加新的主模式规则。
- 规则名称应该唯一且不能为 "all"。
- 无法为 auth1 同时指定 Computerpsk 和 computerntlm 方法。
- 不建议使用 DES、MD5 和 DHGroup1。
提供这些加密算法只是为了向后兼容。
- 最小主模式 keylifetime 为 mmkeylifetime=1min。
最大主模式 mmkeylifetime= 2880min。
会话的最小数量 = 0 个会话。
最大数量 = 2,147,483,647 个会话。
- mmsecmethods 关键字默认值将策略设置为:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
- Certhash 指定证书的指纹或哈希。
- Followrenewal 指定是否自动跟随证书中的可续订链接。仅适用于
证书部分(需要 certhash)。
- Certeku 指定要在证书中匹配的用逗号分隔的 EKU OID 列表。
- Certname 指定要匹配证书名称的字符串(需要 certnametype)。
- Certnametype 指定要匹配的 certname 的证书字段(需要 certname)。
- Certcriteriatype 指定当选择本地证书、验证对等证书或两者都执行
时是否对证书采取操作。

示例:

-添加主模式规则
Netsh advfirewall mainmode add rule name="test"
description="Mainmode for RATH"
Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
auth1=computercert,computercertecdsap256
auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
auth1healthcert=no
auth1ecdsap256ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
auth1ecdsap256healthcert=yes
mmkeylifetime=2min profile=domain


Remarks:

- Add a new mainmode rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- Computerpsk and computerntlm methods cannot be
specified together for auth1.
- The use of DES, MD5 and DHGroup1 is not recommended.
These cryptographic algorithms are provided for backward
compatibility only.
- The minimum main mode keylifetime is mmkeylifetime=1min.
The maximum main mode mmkeylifetime= 2880min.
The minimum number of sessions= 0 sessions.
The maximum = 2,147,483,647 sessions.
- The mmsecmethods keyword default sets the policy to:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
- Certhash specifies the thumbprint, or hash of the certificate.
- Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
- Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
- Certname specifies the string to match for certificate name
(requires certnametype).
- Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
- Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.

Examples:

-Add a main mode rule
Netsh advfirewall mainmode add rule name="test"
description="Mainmode for RATH"
Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
auth1=computercert,computercertecdsap256
auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
auth1healthcert=no
auth1ecdsap256ca="C=US, O=MSFT, CN=\'Microsoft North,
South, East, and West Root Authority\'"
auth1ecdsap256healthcert=yes
mmkeylifetime=2min profile=domain
12103

备注:

-为已标识的规则设置新的参数值。如果规则不存在,
则该命令失败。若要创建规则,请使用添加命令。
-会更新规则中 new 关键字后的值。如果没有值,
或缺少关键字 new,则不进行任何更改。
-如果多个规则与条件匹配,将更新所有
匹配的规则。
-规则名称应该唯一且不能为 "all"。
-Auth1 可以是用逗号分隔的选项列表。
无法为 auth1 同时指定
Computerpsk 和 computerntlm 方法。
-不建议使用 DES、MD5 和 DHGroup1。
提供这些加密算法只是为了向后兼容。
--最小主模式 keylifetime 为 mmkeylifetime=1min。
最大主模式 mmkeylifetime= 2880min.
会话的最小数量 = 0 个会话。
最大数量 = 2,147,483,647 个会话。
-mmsecmethods 关键字默认值将策略设置为:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
-Certhash 指定证书的指纹或哈希。
-Followrenewal 指定是否自动跟随证书中的可续订链接。仅适用于
证书部分(需要 certhash)。
-Certeku 指定要在证书中匹配的用逗号分隔的 EKU OID 列表。
-Certname 指定要匹配证书名称的字符串(需要 certnametype)。
-Certnametype 指定要匹配的 certname 的证书字段(需要 certname)。
-Certcriteriatype 指定当选择本地证书、验证对等证书或两者都执行
时是否对证书采取操作。

示例:

更改名为 test 的规则的 mmescmethods、description
和 keylifetime

Netsh advfirewall mainmode set rule name="test"
new description="Mainmode for RATH2"
Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
auth1=computerntlm mmkeylifetime=2min profile=domain


Remarks:

-Sets a new parameter value on an identified rule. The command fails
if the rule does not exist. To create a rule, use the add command.
-Values after the new keyword are updated in the rule. If there are
no values, or keyword new is missing, no changes are made.
-If multiple rules match the criteria, all matching rules will
be updated.
-Rule name should be unique and cannot be "all".
-Auth1 can be comma-separated lists of options.
Computerpsk and computerntlm methods cannot
be specified together for auth1.
-The use of DES, MD5 and DHGroup1 is not recommended.
These cryptographic algorithms are provided for backward
compatibility only.
-The minimum main mode keylifetime is mmkeylifetime=1min.
The maximum main mode mmkeylifetime= 2880min.
The minimum number of sessions= 0 sessions.
The maximum = 2,147,483,647 sessions.
-The mmsecmethods keyword default sets the policy to:
dhgroup2-aes128-sha1,dhgroup2-3des-sha1
-Certhash specifies the thumbprint, or hash of the certificate.
-Followrenewal specifies whether to automatically follow renewal
links in certificates. Only applicable for certificate section
(requires certhash).
-Certeku specifies the comma separated list of EKU OIDs to match
in the certificate.
-Certname specifies the string to match for certificate name
(requires certnametype).
-Certnametype specifies the certificate field for the certname
to be matched against (requires certname).
-Certcriteriatype specifies whether to take the action with the
certificate when selecting the local certificate, validating
the peer certificate, or both.

Examples:

Change the mmescmethods, description
and keylifetime of a rule named test

Netsh advfirewall mainmode set rule name="test"
new description="Mainmode for RATH2"
Mmsecmethods=dhgroup2:3des-sha256,ecdhp384:3des-sha384
auth1=computerntlm mmkeylifetime=2min profile=domain
12104
用法: add rule name=
mmsecmethods=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|
ecdhp384:3des|des|aes128|aes192|aes256-md5|sha1|sha256
|sha384[,...]|default
[mmforcedh=yes|no (default=no)]
[mmkeylifetime=min,sess]
[description=]
[enable=yes|no (default=yes)]
[profile=any|current|public|private|domain[,...]]
[endpoint1=any|||
||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[type=dynamic|static (default=static)]

Usage: add rule name=
mmsecmethods=dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|
ecdhp384:3des|des|aes128|aes192|aes256-md5|sha1|sha256
|sha384[,...]|default
[mmforcedh=yes|no (default=no)]
[mmkeylifetime=min,sess]
[description=]
[enable=yes|no (default=yes)]
[profile=any|current|public|private|domain[,...]]
[endpoint1=any|||
||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[type=dynamic|static (default=static)]
12105
用法:
set rule name=
[profile=public|private|domain|any[,...]]
[type=dynamic|static (default=static)]
new
[name=]
[mmsecmethods= dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|
ecdhp384:3des|des|aes128|aes192|aes256-md5|sha1|sha256|
sha384[,...]|default]
[mmforcedh=yes|no (default=no)]
[mmkeylifetime=min,sess]
[description=]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[profile= any|current|domain|private|public[,...]]

Usage:
set rule name=
[profile=public|private|domain|any[,...]]
[type=dynamic|static (default=static)]
new
[name=]
[mmsecmethods= dhgroup1|dhgroup2|dhgroup14|dhgroup24|ecdhp256|
ecdhp384:3des|des|aes128|aes192|aes256-md5|sha1|sha256|
sha384[,...]|default]
[mmforcedh=yes|no (default=no)]
[mmkeylifetime=min,sess]
[description=]
[enable=yes|no]
[profile=public|private|domain|any[,...]]
[endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway
||||]
[endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
||||]
[auth1=computerkerb|computercert|computercertecdsap256|
computercertecdsap384|computerpsk|computerntlm|anonymous[,...]]
[auth1psk=]
[auth1kerbproxyfqdn=]
[auth1ca=" [certmapping:yes|no] [excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1healthcert=yes|no (default=no)]
[auth1ecdsap256ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap256healthcert=yes|no (default=no)]
[auth1ecdsap384ca=" [certmapping:yes|no]
[excludecaname:yes|no]
[catype:root|intermediate (default=root)]
[certhash:]
[followrenewal:yes|no (default=no)] [certeku:]
[certname:] [certnametype:]
[certcriteriatype:]
| ..."]
[auth1ecdsap384healthcert=yes|no (default=no)]
[profile= any|current|domain|private|public[,...]]
13000
指定远程计算机时,存储不能是组策略对象。请将存储设置为“本地”或将计算机设置为本地计算机。

The store cannot be a Group Policy object when a remote machine is specified. Set the store to 'Local' or set the machine to be the local computer.
13001
发生不可恢复的 Windows 防火墙错误(0x%1!x!)。

An unrecoverable Windows Firewall error (0x%1!x!) occurred.
13002
尝试检索 Windows 防火墙设置时发生错误。

An error occurred while attempting to retrieve a Windows Firewall setting.
13003
尝试联系 Windows 防火墙服务时发生错误。请确保该服务正在运行,然后重试你的请求。

An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is running and try your request again.
13004
字符串 "all" 不能用作规则的名称。

The string 'all' cannot be used as the name of a rule.
13005
发生不可恢复的 netsh advfirewall 错误(0x%1!x!)。

An unrecoverable netsh advfirewall error (0x%1!x!) occurred.
13006
没有与指定标准相匹配的规则。

No rules match the specified criteria.
13007
找不到指定的加密集。

The specified cryptographic set was not found.
13008
"CurrentProfile" 无法用于配置组策略对象(GPO)存储。请使用 "DomainProfile"、"PrivateProfile"、"PublicProfile" 或 "AllProfiles"。

'CurrentProfile' cannot be used to configure a Group Policy Object (GPO) store. Use 'DomainProfile', 'PrivateProfile', 'PublicProfile', or 'AllProfiles' instead.
13009
仅当配置组策略对象(GPO)存储时可以更改该设置。

This setting can only be changed when configuring a Group Policy object (GPO) store.
13010
仅当配置本地存储时可以更改该设置。

This setting can only be changed when configuring a local store.
13011
仅当协议是 TCP 或 UDP 时可以指定端口。

Ports can only be specified if the protocol is TCP or UDP.
13012
配置组策略对象(GPO)存储时,无法使用动态规则类型。

The dynamic rule type cannot be used when configuring a Group Policy object (GPO) store.
13013
指定 auth1 选项时,需要 auth1 参数。

The auth1 parameter is required when specifying auth1 options.
13014
指定 auth2 选项时,需要 auth2 参数。

The auth2 parameter is required when specifying auth2 options.
13015
找不到指定的身份验证集。

The specified authentication set was not found.
13016
指定的 auth1 集缺少必要的参数。

The specified auth1 set is missing a required parameter.
13017
指定的 auth2 集缺少必要的参数。

The specified auth2 set is missing a required parameter.
13018
无法导出策略,返回错误 0x%1!x!。请确保提供的文件名正确并且文件可以访问。尚未重置防火墙策略。

Unable to export policy with error 0x%1!x!. Make sure that the file name is correct and the file is accessible. The firewall policy has not been reset.
13019
配置组策略对象(GPO)存储时,无法使用监视器上下文。

The monitor context cannot be used when configuring a Group Policy object (GPO) store.
13020
指定的终结点没有相同的 IP 版本。请指定两个 IPv4 终结点或两个 IPv6 终结点。

The specified endpoints do not have the same IP version. Specify two IPv4 or two IPv6 endpoints.
13021
没有与指定标准相匹配的 SA。

No SAs match the specified criteria.
13022
无法导出策略(错误 0x%1!x!)。确保该文件名正确并且文件可以访问。

Unable to export policy (error 0x%1!x!). Make sure that the file name is correct and the file is accessible.
13023
无法导入策略(错误 0x%1!x!)。确保该文件名正确并且文件可以访问,同时是有效的 Windows 防火墙策略文件。

Unable to import policy (error 0x%1!x!). Make sure that the file name is correct, that the file is accessible, and that it is a valid Windows Firewall policy file.
13024
尝试连接到远程计算机时发生错误。请确保远程计算机上的 Windows 防火墙服务正在运行,并已配置为允许远程管理,然后重试你的请求。

An error occurred while attempting to connect to the remote computer. Make sure that the Windows Firewall service on the remote computer is running and configured to allow remote management, and then try your request again.
13025
尝试配置指定的组策略对象(GPO)存储时发生错误。请确保该 GPO 是有效的并且是可以访问的,然后重试你的请求。

An error occurred while attempting to configure the specified Group Policy object (GPO) store. Make sure that the GPO is valid and accessible, and then try your request again.
13026
执行验证时发生了错误(0x%1!x!)。

An unexpected error (0x%1!x!) occurred while performing validation.
13027
提供的许多参数无效。请查看帮助获取正确语法。

The number of arguments provided is not valid. Check help for the correct syntax.
13028
指定的 IP 地址或地址关键字无效。

A specified IP address or address keyword is not valid.
13029
指定的端口值无效。

A specified port value is not valid.
13030
指定的协议值无效。

A specified protocol value is not valid.
13031
指定的 auth1 值无效。

The specified auth1 value is not valid.
13032
指定的 auth2 值无效。

The specified auth2 value is not valid.
13033
对于 "set" 命令,"new" 关键字必须存在并且不能是提供的最后一个参数。

For 'set' commands, the 'new' keyword must be present and must not be the last argument provided.
13034
指定的值无效。

A specified value is not valid.
13035
指定的参数无效。重置的唯一有效参数是 "export"。

The specified argument is not valid. The only valid argument for reset is 'export'.
13036
指定的存储无效。

The specified store is not valid.
13037
指定的防火墙策略设置无效。

A specified firewall policy setting is not valid.
13038
应该是数值。输入的不是数字或者无效。

A numeric value was expected. The input is either non-numeric or not valid.
13039
指定的 mmkeylifetime 值无效。

The specified mmkeylifetime value is not valid.
13040
指定的 strongcrlcheck 值无效。

The specified strongcrlcheck value is not valid.
13041
指定的 saidletimemin 值无效。

The specified saidletimemin value is not valid.
13042
指定的 statefulftp 或 statefulpptp 值无效。

The specified statefulftp or statefulpptp value is not valid.
13043
指定的安全值无效。

The specified security value is not valid.
13044
指定源和目标对或关键字 "all" 以识别安全关联(SA)。

Specify either a source and destination pair or the keyword 'all' to identify security associations (SAs).
13045
指定的 mmsecmethods 值无效。

The specified mmsecmethods value is not valid.
13046
指定的 qmsecmethods 值无效。

The specified qmsecmethods value is not valid.
13047
qmsecmethods 中指定的协议无效。

A protocol specified in qmsecmethods is not valid.
13048
qmsecmethods 中指定的密钥生存时间值无效。

The key lifetime value specified in qmsecmethods is not valid.
13049
如果为 qmsecmethods 中的提议指定的第一个协议是 ESP,则在此提议中不允许使用任何其他协议。

If the first protocol specified for a proposal in qmsecmethods is ESP, then no other protocols are allowed in that proposal.
13050
在 qmsecmethods 提议中同时使用 AH 和 ESP 两个协议时,用于这两个协议的完整性值必须相同。

When using both AH and ESP protocols in a qmsecmethods proposal, the same integrity value must be used for both protocols.
13051
多次在 qmsecmethods 提议中指定同一个协议。

The same protocol was specified more than once in a qmsecmethods proposal.
13052
无法打开指定的组策略对象(GPO)存储,因为该存储不存在。请创建 GPO 存储,然后重试你的请求。

The specified Group Policy object (GPO) store could not be opened because it does not exist. Create the GPO store, and then try your request again.
13053
当 Auth1 包含 ComputerPSK 时,无法指定 Auth2。

Auth2 cannot be specified when auth1 contains computerpsk.
13054
指定的组策略对象(GPO) ID 无效。

The specified Group Policy object (GPO) ID is not valid.
13055
无法在指定的计算机上打开组策略对象(GPO)。确保指定的 GPO 有效并可访问,然后重试你的请求。

Unable to open the Group Policy object (GPO) on the specified computer. Make sure that the specified GPO is valid and accessible, and then try your request again.
13056
无法联系指定的域。确保域有效并可访问,然后重试你的请求。

Unable to contact the specified domain. Make sure that the domain is valid and accessible, and then try your request again.
13057
无法打开指定的组策略对象(GPO)。确保该 GPO 有效并可访问,然后重试你的请求。

Unable to open the specified Group Policy object (GPO). Make sure that the GPO is valid and accessible, and then try your request again.
13058
找到多个具有指定名称的组策略对象(GPO)。请指定要配置的 GPO 的 GUID。

Multiple Group Policy objects (GPOs) with the specified name were found. Specify the GUID of the GPO that you want to configure.
13059
如果规则模式是隧道,则必须同时指定 localtunnelendpoint 和 remotetunnelendpoint。

Localtunnelendpoint and remotetunnelendpoint must both be specified when the rule mode is tunnel.
13060
如果规则模式是传输,则无法指定 localtunnelendpoint 和 remotetunnelendpoint。

Localtunnelendpoint and remotetunnelendpoint cannot be specified when the rule mode is transport.
13061
指定 Auth2HealthCert 时,Auth2 必须为 ComputerCert。

Auth2 must be computercert when auth2healthcert is specified.
13062
指定的接口类型无效。

The specified interface type is not valid.
13063
无法设置日志文件路径(错误 0x%1!x!)。无法对文件路径设置安全属性。

Unable to set log file path (error 0x%1!x!). Failed to set the security attributes on the file path.
13064
日志文件大小必须介于 1 和 32767 之间。

Log file size must be between 1 and 32767.
13065
在一般准则模式下,设置 qmsecmethods=None 时,管理员无法再对规则进行任何其他设置。

In Common Criteria mode, the administrator cannot set anything else on the rule when setting qmsecmethods=None.
13066
将操作设置为 noauthentication 时,不能指定 auth1、auth2、qmpfs 和 qmsecmethods。

Auth1, auth2, qmpfs, and qmsecmethods cannot be specified when the action is set to noauthentication.
13067
不能在同一个规则中指定 Computerntlm 和 computerpsk。

Computerntlm and computerpsk cannot be specifed in the same rule.
13068
指定的一个或多个配置文件无效。如果已指定其他配置文件,则无法指定 "any"。

One or more of the specified profiles is not valid. 'Any' cannot be specified if other profiles are specified.
13069
组不能与其他标识条件一起指定。

Group cannot be specified with other identification conditions.
13070
仅 enable 参数可以用于更新由组指定的规则。

Only the enable parameter can be used to update rules specified by a group.
13071
如果将 qmsecmethods 设置为默认值,则不能指定 QMpfs。

Qmpfs cannot be specified when qmsecmethods is set to default.
13072
仅当配置组策略对象(GPO)存储时,才可使用未配置值。

Notconfigured value can only be used when configuring a Group Policy object (GPO) store.
13073
无法将匿名指定为 auth2 中唯一的提议。

Anonymous cannot be specified as the only proposal in auth2.
13074
当指定 auth2 时,Auth1 是必需的。

Auth1 is required when auth2 is specified.
13075
不能将“None”与 defaultexemptions 的其他值一起指定。

'None' cannot be specified with other values for defaultexemptions.
13076
当已经指定 Auth2 时,无法更新 Auth1 以包含 computerpsk。

Auth1 cannot be updated to contain computerpsk when Auth2 is already specified.
13077
Auth1 不能多次包含同一身份验证方法。

Auth1 cannot contain the same authentication method more than once.
13078
Auth2 不能多次包含同一身份验证方法。

Auth2 cannot contain the same authentication method more than once.
13079
指定的选项无效: %1!ls!。

The specified option is not valid: %1!ls!.
13080
除了 AuthNoEncap 选项之外,必须至少指定一个完整性套件。

You must specify at least one integrity suite in addition to the AuthNoEncap option.
13081
如果为 qmsecmethods 中的某个建议指定的协议为 AuthNoEncap,则该建议中不允许有其他协议。

If AuthNoEncap is specified as a protocol for a proposal in qmsecmethods, then no other protocols are allowed in that proposal.
13082
组策略管理工具不可用。请从 https://go.microsoft.com/fwlink/?LinkID=126644 下载该工具并再次执行命令。

Group policy management tool is not available. Download the tool from - https://go.microsoft.com/fwlink/?LinkID=126644 and execute the command again.
13083
未启用组策略管理功能。通过服务器管理器启用组策略管理并再次执行命令。

Group policy management feature is not enabled. Enable group policy management through server manager and execute the command again.
13084
仅当协议为 TCP 或 UDP 时才能指定端口。仅当操作为 noauthentication 时才支持端口范围。

Ports can only be specified if the protocol is TCP or UDP. Port ranges are only supported when action="noauthentication".
13085
SDDL 字符串无效。

The SDDL string is not valid.
13086
不能为隧道规则指定每个规则的 machineSDDL 和 userSDDL。

Per rule machineSDDL and userSDDL cannot be specified on tunnel rule.

EXIF

File Name: authfwcfg.dll.mui
Directory: %WINDIR%\WinSxS\amd64_networking-mpssvc-netsh.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_572b4f253211eda2\
File Size: 136 kB
File Permissions: rw-rw-rw-
File Type: Win32 DLL
File Type Extension: dll
MIME Type: application/octet-stream
Machine Type: Intel 386 or later, and compatibles
Time Stamp: 0000:00:00 00:00:00
PE Type: PE32
Linker Version: 14.10
Code Size: 0
Initialized Data Size: 138752
Uninitialized Data Size: 0
Entry Point: 0x0000
OS Version: 10.0
Image Version: 10.0
Subsystem Version: 6.0
Subsystem: Windows GUI
File Version Number: 10.0.15063.0
Product Version Number: 10.0.15063.0
File Flags Mask: 0x003f
File Flags: (none)
File OS: Windows NT 32-bit
Object File Type: Dynamic link library
File Subtype: 0
Language Code: Chinese (Simplified)
Character Set: Unicode
Company Name: Microsoft Corporation
File Description: 高级安全 Windows 防火墙配置帮助程序
File Version: 10.0.15063.0 (WinBuild.160101.0800)
Internal Name: authfwcfg.dll
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original File Name: authfwcfg.dll.mui
Product Name: Microsoft® Windows® Operating System
Product Version: 10.0.15063.0
Directory: %WINDIR%\WinSxS\wow64_networking-mpssvc-netsh.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_617ff9776672af9d\

What is authfwcfg.dll.mui?

authfwcfg.dll.mui is a Multilingual User Interface (MUI) resource file that contains the Chinese (Simplified) language strings for the file authfwcfg.dll (高级安全 Windows 防火墙配置帮助程序).

File version info

File Description: 高级安全 Windows 防火墙配置帮助程序
File Version: 10.0.15063.0 (WinBuild.160101.0800)
Company Name: Microsoft Corporation
Internal Name: authfwcfg.dll
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: authfwcfg.dll.mui
Product Name: Microsoft® Windows® Operating System
Product Version: 10.0.15063.0
Translation: 0x804, 1200