Monday 4 January 2010

Enable ICMP echo (ping) in Windows Server 2008 R2

Windows Server 2008 won’t respond to ping requests out of the box—they’re blocked by default in the Windows Firewall ruleset. In the pre-R2 days, I used a simple command to enable ping in my development environments but apparently netsh firewall has been deprecated:

netsh firewall set icmpsetting 8

The replacement is—wait for it—netsh advfirewall firewall, like so:

netsh advfirewall firewall add rule name=”ICMP Allow incoming V4 echo request” protocol=icmpv4:8,any dir=in action=allow

Richard Siddaway has a PowerShell equivalent (presumably, I haven’t tried it myself but should have, I know… tsk, tsk).



  1. I tried this and got this message:

    An invalid value was specified.

    Usage: add rule name=
    [enable=yes|no (default=yes)]
    [localport=0-65535|RPC|RPC-EPMap|any[,...] (default=any)]
    [remoteport=0-65535|any[,...] (default=any)]
    tcp|udp|any (default=any)]
    [edge=yes|no (default=no)]
    [security=authenticate|authenc|notrequired (default=notrequired)]


    - Add a new inbound or outbound rule to the firewall policy.
    - Rule name should be unique and cannot be "all".
    - If a remote computer or user group is specified, security must be
    authenticate or authenc.
    - If action=bypass, the remote computer group must be specified.
    - Action=bypass is only valid for rules with dir=in.
    - If service=any, the rule applies only to services.
    - ICMP type or code can be "any".
    - Edge can only be specified for inbound rules.


    Add an inbound rule for messenger.exe:
    netsh advfirewall firewall add rule name="allow messenger"
    dir=in program="c:\programfiles\messenger\msmsgs.exe"

    Add an outbound rule for port 80:
    netsh advfirewall firewall add rule name="allow80"
    protocol=TCP dir=out localport=80 action=block

    Add an inbound rule for messenger.exe and require security
    netsh advfirewall firewall add rule name="allow messenger"
    dir=in program="c:\program files\messenger\msmsgs.exe"
    security=authenticate action=allow

    Add an authenticated firewall bypass rule for group
    acmedomain\scanners identified by a SDDL string:
    netsh advfirewall firewall add rule name="allow scanners"
    dir=in rmtcomputergrp= action=bypass

  2. Is it just me or has Windows become exceptionally verbose as of late?!?

    @Rich - are you definitely running R2? Recheck the syntax? Make sure the quotes are copied correctly and not stupid smart quotes?

  3. I got the same problem until I re-typed the quotes myself and then it worked. Thanks

  4. Thanks, just found this and it is helpful. I just copied to notepad and deleted/re-entered the quotes manually can pasted to cmd prompt. Works fine this way and rule shows up in Firewall with Advanced Secuity. After several other google links, I found this one and it is just what I needed.

    1. Yep... perfect and saved me a bunch of time. Those pesky quotes!

  5. Hi,
    I liked your post about allow a icmp echo is helpful to us like new commers..
    I want to achieve as much as i can in my life...need some guidance from you, how to memorize things and remember them when you need it....

  6. @Anonymous: study lots and practice often ;-)

    Good luck and have fun!

  7. This comment has been removed by the author.

  8. Tried the netsh command above and it didn't work on 2008 R2 64bit. Had to modify it to:

    netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4 dir=in action=allow

    Basically changed the "icmpv4:8,any" to be just "icmpv4".

  9. Thanks to Ethan for that last comment, that modification worked for me on 2008 R2 64-bit where the original command had not.

  10. Thanks Ethan, worked like a charm

  11. Superb blog , it’s a really informative blog for all user who can facing windows 7 problem, Our services provide complete solution of your windows 7 realted problem.please go through this link .
    windows firewall error 1068 windows 7
    Thank you
    Aalia lyon

  12. Doing the above commands allows ping from anyone on Internet. This may not be what you want because you are visible to anyone (to hackers).
    So you may want to do the following command instead, that allows ping only from your network. Note this command *updates* an existing rule:
    netsh advfirewall firewall set rule name="ICMP Allow incoming V4 echo request" new dir=in protocol=icmpv4 action=allow



Spam comments will be deleted

Note: only a member of this blog may post a comment.