Creating Firewall Rules using WFAS

Windows Firewall and WFAS work together on Windows 7 computers.  WFAS allows you to configure inbound and outbound firewall rules based on ports, programs, and services. In addition, it allows you to set a rule scope and authentication. In this article we will see the main configuration elements you need to know when creating firewall rules using the WFAS.

In the WFAS console you have four main elements which when selected provides you with a list of existing rules with the exception of the Monitoring node. The process for configuring inbound and outbound rules is quite similar and you can start the creation of a new rule by clicking the New Rule… item after selecting the Inbound Rules or Outbound Rules node. This opens the New Inbound or Outbound Rule Wizard as shown below:

On this page you can define a rule based on a program, a port, a predefined service or feature, or on various parameters (custom rule). While the program and predefined options are the same as we find in the basic Windows Firewall, the custom rule allows you to configure a rule based on more than one element for example, a rule that involves a specific program and a set of ports! Another instance might be where you want to allow communications to a specific program on one port only.

When choosing a port rule, you need to specify the protocol such as, TCP or UDP, the port number and the action to take when the firewall encounters traffic that meets the rule conditions. The available actions are as follows:

  • Allow the connection – WFAS allows the connection if the traffic meets the rule conditions
  • Block the connection – WFAS blocks the connection if the traffic meets the rule conditions
  • Allow the connection if it is secure – WFAS allows the connection if the traffic meets the rule conditions and is authenticated using one of the methods specified in the connection security rules.

The security options are shown below:

You can force the connection to be encrypted apart from the authentication and integrity protection which is the default setting. Encrypting data is recommended for sensitive data which is exposed to external threats. The Override block rules option allows you to specify a computer account or user accounts that can bypass existing block rules.

A rule scope allows you to specify a source and destination IP addresses to a firewall rule. You can create a scope while creating a custom rule or by editing the rule’s properties after it has been created. Apart, from a single IP Address you can define a range of addresses or use one of the predefined sets of computers such as, the local subnet. Both IPv4 and IPv6 addresses can be specified in a scope.

The Local IP address section allows you to add local IP addresses in case your computer has more than one address configured with your network adapter or you have multiple network adapters. The Remote IP address section allows you to limit access from individual IP addresses or a range of IP addresses. On the Advanced tab you can specify which network interfaces the rule applies to, which is a better approach than the Local IP address option mentioned earlier on, although the resultant behavior is the same! Additionally, from the Advanced tab you can configure how a rule responds to traffic that has passed through an edge device where you can block unwanted traffic from the Internet that traverses a NAT device!

Connection Security Rules

You can use these special rules if you need to manage the communication between different hosts on a network. Connection Security rules secures the connection with both authentication and encryption as we find with IPSec Policies. However, they do not allow connections and therefore, you need to create an inbound or outbound rule. Authentication can be based on Kerberos (where an AD environment is present), certificates or pre-shared keys. The following are the different security rules available:

  • Isolation – allows you to limit communication to hosts that are able to authenticate using specific credentials. For example, allowing communications only to domain computers which as are part of an Active Directory environment.
  • Authentication exemption – allows you to configure exemptions to isolation rules. For example, adding an exemption to the above example, where you can allow connections to a DNS server without having to authenticate.
  • Server-to server – allows to protect connections between specific computers. For example, secure a connection between a database and an application server.
  • Tunnel – similar to server-to-server rules with the exception that they are implemented through tunnels such as, site-to-site links.
  • Custom – allows you to create a rule that requires special settings. This option enables all of the wizard pages except those that are used only to create tunnel rules.


The Monitoring node in the WFAS allows you to monitor the active firewall rules and connection security rules on the computer. Policies created using the IP Security Policy snap-in cannot be viewed using WFAS. The overview page shows which profiles are active (domain, private, public) and the current settings for each of the active profiles.  Only rules that apply to the currently active profiles are displayed. A rule for another profile might be enabled, but if the profile to which it is assigned is not active, then neither is the rule.