Windows Firewall Exceptions Guide

How to Add Exceptions to Windows Firewall in Windows 10 and Windows 11

A practical guide to allowing trusted apps, programs, ports, services, and IP addresses through Windows Defender Firewall without opening more access than necessary.

🖥 Windows 10 🪟 Windows 11 🛡 Windows Defender Firewall ⚙ PowerShell 🔐 Safe Rule Scope
Overview

What Is a Windows Firewall Exception?

A Windows Firewall exception is an allow rule that lets specific network traffic pass through Windows Defender Firewall. The exception can allow a particular app, a desktop program file, a Windows service, a port number, a protocol, or traffic from a trusted IP address.

In Windows 10 and Windows 11, firewall exceptions are usually created in one of two places: the simple Allow an app through firewall screen, or the advanced console called Windows Defender Firewall with Advanced Security. The advanced console gives you more control over direction, program path, protocol, port, profile, and remote address scope.

🧩

App Exception

Allows a specific app or executable file through the firewall. Best for most desktop programs and Microsoft Store apps.

🔌

Port Exception

Allows traffic to a TCP or UDP port, such as 8080, 25565, or 3389. Useful for servers and network tools.

🌐

IP Scope Exception

Allows traffic only from selected local network addresses, subnets, or trusted devices instead of the entire network.

ℹ️
Important A firewall exception is not the same as a Microsoft Defender Antivirus exclusion. A firewall exception controls network traffic. An antivirus exclusion tells Defender not to scan a file, folder, process, or file type.
Use Cases

When Should You Add an Exception to Windows Firewall?

You may need to add an exception when a trusted application must receive inbound connections or when another device cannot connect to a service running on your Windows PC.

⚠️
Security Warning Do not add broad firewall exceptions for unknown programs. Allow only what you need, avoid the Public profile whenever possible, and remove test rules when you no longer need them.
Preparation

Before You Add a Firewall Exception in Windows 10 or Windows 11

Before changing firewall rules, identify exactly what must be allowed. This avoids creating an exception that is too broad or difficult to troubleshoot later.

Question Why It Matters Example
Which program needs access? A program-based rule is usually safer than a port-only rule. C:\Program Files\MyApp\MyApp.exe
Inbound or outbound? Most app-hosting problems require inbound rules. Outbound rules are used when outgoing traffic is restricted. Inbound rule for a local server
Which network profile? Private is usually safer for home or office LANs. Public should be limited. Private only
Which protocol and port? TCP and UDP are separate. Some apps require both. TCP 8080 or UDP 27015
Which devices may connect? Remote address scope can limit the rule to trusted IP addresses. 192.168.1.0/24
🏢 Domain 🏠 Private ☕ Public

Private is normally the correct profile for a trusted home or office network. Public is used for untrusted networks such as hotels, airports, cafés, and shared Wi-Fi. If you are not sure which profile your network uses, open SettingsNetwork & Internet and check the active connection properties.

Method 1

How to Allow an App Through Windows Firewall

This is the easiest method when you want to add a firewall exception for a regular desktop program or a listed Microsoft Store app.

  1. Press Win + R, type control firewall.cpl, and press Enter.
  2. Click Allow an app or feature through Windows Defender Firewall.
  3. Click Change settings. Administrator permission may be required.
  4. Find the app in the list and select the check box next to it.
  5. Choose the allowed profiles: Private, Public, or both.
  6. If the app is not listed, click Allow another app....
  7. Click Browse..., select the program's .exe file, and click Add.
  8. Click OK to save the firewall exception.
Recommended For home and office networks, allow the app on the Private profile first. Add the Public profile only when you clearly understand why the app must accept connections on untrusted networks.
Method 2

How to Add a Program Exception in Windows Defender Firewall with Advanced Security

The advanced firewall console is better when you need a named rule, a precise program path, selected network profiles, or remote IP restrictions.

  1. Press Win + R, type wf.msc, and press Enter.
  2. Click Inbound Rules in the left pane.
  3. Click New Rule... in the right pane.
  4. Select Program and click Next.
  5. Select This program path, click Browse..., and choose the executable file.
  6. Select Allow the connection.
  7. Choose the profiles where the rule should apply: Domain, Private, and/or Public.
  8. Enter a descriptive name, such as Allow MyApp Inbound - Private.
  9. Click Finish.

Good firewall rule names:

Allow Plex Media Server - Private LAN

Allow TCP 8080 - Local Web Test Server

Allow MyApp.exe Inbound - Accounting Network

After creating the rule, double-click it to review the Programs and Services, Protocols and Ports, Scope, and Advanced tabs. These tabs control what the exception allows and where it applies.

Method 3

How to Add a Port Exception to Windows Firewall

A port exception is useful when you know the exact TCP or UDP port required by a server, game, device tool, or development environment. Use a program exception when possible; use a port exception when the app documentation specifically requires a port.

  1. Press Win + R, type wf.msc, and press Enter.
  2. Select Inbound Rules.
  3. Click New Rule....
  4. Select Port and click Next.
  5. Choose TCP or UDP.
  6. Select Specific local ports and enter the port number, for example 8080. You can also enter a range such as 5000-5010.
  7. Select Allow the connection.
  8. Select the correct profiles, preferably Private only for local network use.
  9. Name the rule clearly and click Finish.
Example Rule Protocol Port Recommended Scope
Local web test server TCP 8080 Private profile, local subnet only
Minecraft Java server TCP 25565 Private profile or trusted remote addresses
Remote Desktop TCP/UDP 3389 VPN or trusted IP addresses only
File sharing / SMB TCP 445 Private LAN only; do not expose to internet
Method 4

How to Add Windows Firewall Exceptions with PowerShell

PowerShell is useful for administrators, repeatable setup, scripts, and remote support. Open Terminal (Admin) or Windows PowerShell (Admin) before running the commands below.

Add a Program Exception with PowerShell

PowerShellNew-NetFirewallRule `
  -DisplayName "Allow MyApp Inbound - Private" `
  -Direction Inbound `
  -Program "C:\Program Files\MyApp\MyApp.exe" `
  -Action Allow `
  -Profile Private

Add a TCP Port Exception with PowerShell

PowerShellNew-NetFirewallRule `
  -DisplayName "Allow TCP 8080 - Local Web Server" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 8080 `
  -Action Allow `
  -Profile Private

Add a UDP Port Exception with PowerShell

PowerShellNew-NetFirewallRule `
  -DisplayName "Allow UDP 27015 - Game Server" `
  -Direction Inbound `
  -Protocol UDP `
  -LocalPort 27015 `
  -Action Allow `
  -Profile Private

Allow Only a Trusted Local Subnet

PowerShellNew-NetFirewallRule `
  -DisplayName "Allow TCP 8080 from LAN only" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 8080 `
  -RemoteAddress 192.168.1.0/24 `
  -Action Allow `
  -Profile Private

Replace the program path, display name, port, protocol, profile, and remote address with the values required by your app or network.

Method 5

How to Add Windows Firewall Exceptions with Command Prompt

Command Prompt can create firewall exceptions with netsh advfirewall. This is useful on older scripts or systems where PowerShell is not preferred.

Add a Program Exception with netsh

Command Promptnetsh advfirewall firewall add rule name="Allow MyApp Inbound - Private" dir=in action=allow program="C:\Program Files\MyApp\MyApp.exe" profile=private enable=yes

Add a TCP Port Exception with netsh

Command Promptnetsh advfirewall firewall add rule name="Allow TCP 8080 - Local Web Server" dir=in action=allow protocol=TCP localport=8080 profile=private enable=yes

Add a UDP Port Exception with netsh

Command Promptnetsh advfirewall firewall add rule name="Allow UDP 27015 - Game Server" dir=in action=allow protocol=UDP localport=27015 profile=private enable=yes
💡
Tip Use PowerShell for new automation when possible. It is easier to read, easier to filter, and more consistent with modern Windows administration.
Scope

How to Limit a Firewall Exception to Private Networks or Trusted IP Addresses

The safest firewall exception is the narrowest exception that still allows the app to work. After creating a rule in wf.msc, you can restrict it further.

Limit the Rule to Private Networks

  1. Open wf.msc.
  2. Click Inbound Rules.
  3. Double-click your custom rule.
  4. Open the Advanced tab.
  5. Under Profiles, leave only Private selected unless another profile is required.
  6. Click OK.

Limit the Rule to Trusted IP Addresses

  1. Open the rule properties in wf.msc.
  2. Open the Scope tab.
  3. Under Remote IP address, select These IP addresses.
  4. Click Add....
  5. Enter a trusted IP address or subnet, such as 192.168.1.50 or 192.168.1.0/24.
  6. Click OK to save the change.
🔐
Best Practice If only one device needs access, allow only that device's IP address. If all devices on your home LAN need access, allow the local subnet rather than all remote addresses.
Management

How to Edit, Disable, or Remove Windows Firewall Exceptions

Review custom firewall exceptions periodically. Old test rules, duplicate rules, or rules for removed applications can create unnecessary exposure and make troubleshooting harder.

Task GUI Method PowerShell Command
Disable a rule Open wf.msc, right-click the rule, select Disable Rule. Disable-NetFirewallRule -DisplayName "Rule Name"
Enable a rule Right-click the rule and select Enable Rule. Enable-NetFirewallRule -DisplayName "Rule Name"
Remove a rule Right-click the rule and select Delete. Remove-NetFirewallRule -DisplayName "Rule Name"
View matching rules Use the search/filter options in Inbound Rules. Get-NetFirewallRule -DisplayName "*MyApp*"

Remove a Rule with Command Prompt

Command Promptnetsh advfirewall firewall delete rule name="Allow TCP 8080 - Local Web Server"
Troubleshooting

Why a Windows Firewall Exception Is Not Working

If the app is still blocked after you add an exception, check the rule direction, profile, program path, protocol, port, and whether the application is actually listening for connections.

Problem What to Check Fix
Wrong network profile The rule is allowed for Private, but Windows marks the network as Public. Change the active network to Private if it is trusted, or add the correct profile to the rule.
Wrong rule direction Inbound vs outbound rule. Create an inbound rule when other devices need to connect to this PC.
Program path changed The app was updated or moved to another folder. Edit the rule or create a new rule with the current .exe path.
No service is listening netstat -ano | findstr :PORT Start the app or service that should accept connections.
Wrong protocol The app requires UDP, but only TCP was allowed, or the opposite. Create the correct TCP or UDP rule. Some apps require both.
Router blocks access from internet Port forwarding, WAN IP, CGNAT, and router firewall rules. Configure router port forwarding only when external access is required and safe.
Third-party firewall is active Security suites may replace or add another firewall layer. Add the exception in the third-party firewall or test with it temporarily disabled.

Useful Commands for Checking Connections

Command Promptnetstat -ano | findstr LISTENING
netstat -ano | findstr :8080
PowerShellGet-NetTCPConnection -State Listen
Test-NetConnection 192.168.1.50 -Port 8080
FAQ

Frequently Asked Questions About Windows Firewall Exceptions

Q Is it safe to add an exception to Windows Firewall?
It can be safe when the app is trusted, the rule is limited to the correct network profile, and the remote address scope is not broader than necessary. Avoid adding exceptions for unknown apps or public networks.
Q Should I allow a program or open a port?
Prefer a program exception when possible. A program exception follows the specific executable. A port exception allows traffic to a port regardless of which program is listening on that port.
Q What is the difference between Private and Public firewall profiles?
Private is for trusted home or office networks. Public is for untrusted networks such as hotels, cafés, airports, and shared Wi-Fi. Firewall exceptions should usually be limited to Private unless there is a specific reason to allow Public.
Q Do I need administrator rights to add a firewall exception?
Yes, changing Windows Firewall rules normally requires administrator permission. Standard users may see the settings but cannot save most firewall changes.
Q Does adding a firewall exception make the app accessible from the internet?
Not by itself. A Windows Firewall exception allows traffic on the local PC. Internet access also depends on router port forwarding, public IP availability, NAT, ISP restrictions, and the service configuration.
Q How do I undo a firewall exception?
Open wf.msc, find the rule under Inbound Rules or Outbound Rules, then disable or delete it. In PowerShell, use Disable-NetFirewallRule or Remove-NetFirewallRule.
Summary

Best Way to Add Exceptions to Windows Firewall

For most users, the safest method is to allow a specific app through Windows Firewall and enable it only on the Private profile. For more control, use wf.msc to create a named inbound rule, select the exact program or port, and limit the scope to trusted IP addresses.

🔐 Bottom Line

Add only the firewall exceptions you truly need, use descriptive rule names, avoid the Public profile unless required, and remove old rules after testing. A narrow rule for a trusted app or trusted IP range is much safer than a broad rule that allows every device to connect.