This is a guide to allow ping in windows firewall. But first, a few things to know.
By design, ICMP Echo Requests otherwise known as Pings are blocked by the Windows Firewall with Advanced Security. This article will be demonstrating how to use the Windows Firewall with Advanced Security UI or the Command Prompt to allow ICMP Echo requests via your Windows Firewall.
Network managers often regard the Internet Control Message Protocol to be a security issue, and as a result, believe that ICMP should always be disabled at the firewall as a precaution.
This may be the right way to go, but even while ICMP is widely acknowledged to have significant security vulnerabilities, there’s no need to restrict every single ICMP traffic!
Apart from Type 3 and Type 4 ICMP traffic, which are the only types you do not have to block on Windows 10/11 firewall, every other traffic is optional or must be restricted. Note that you must allow type 0 IN and type 8 OUT to make ping requests.
How to Allow Ping in Windows Firewall With Advanced Security
Before going into this, you must note that the easier way to allow ping in Windows is using the command prompt. I will discuss this later in the article, but you can skip this method if all you need is the fastest fix.
To allow ping in Windows firewall with advanced security, go to Start and type in “Firewall With Advanced”, then select the option for Windows Defender Firewall with Advanced Security.
Here, you will have to create two new rules. The first will be to allow ICMPv4 requests and the second will be to allow ICMPv6 requests. To do this, click on “Inbound Rules” in the left pane, then select “New Rule” from the right pane.
From the “New Inbound Rule Wizard” that appears, select the “Custom” option and click “Next.”
From the next page, ensure that the “All programs” option is selected, then click on “Next.”
On the protocol and ports page, select the “ICMPv4” option from the “Protocol type” dropdown list, then select the option to “customize”.
This pops up the “Customize ICMP Settings” window, where you should select from the list of “Specific ICMP types”. Here, check “Echo Request” and click the “OK” button. This will return you to the “New Inbound Rule Wizard” interface. Click “Next.”
I will recommend that on the next page you select the option for “Any IP address” for remote and local IP addresses. This is the easier way to go about it.
At this stage, it is possible to use the customize button to customize the specific IP addresses you want your computer to ping. If you select this option, you should note that other ping requests will be rejected.
There is also the option of configuring separate ping lists for remote and local IPs. Once you are done setting this up, click next.
On this page, make sure the option for “Allow the connection” is enabled, then click “Next.”
On this next page, you will have some flexibility with configurations for when the rule is active. My tip will be to leave all default options and click “Next” if you need rules to apply regardless of the network.
However in cases where your computer doesn’t connect to a domain or is not part of a business, or if you prefer not to respond to any ping request when on a public network, you can disable these options and click next.
At this point, your rule must be named and given an optional description. My tip is to include “ICMPv4” in the naming because you would have a different rule for “ICMPv6” requests, and it will be nice to differentiate the two. Once you are done naming, click the finish button.
Sadly it is not yet over. It is the best practice to create a second rule for ICMPv6 requests. This may not be the most used rule, but it is better to have it and not need it than to need it and not have it. Especially since some networking applications use IPV6 pings by default.
Here is the good news – The process is almost the same as with the ICMPv4 rule. The only difference will be when you are at the ports and protocols page, select the “ICMPv6” option rather than ICMPv4.
And also make sure on the naming page you use a name containing ICMPv6 just to differentiate it from the first rule created.
Now you have your two rules set up, close the Windows firewall app. At this point, your PC should immediately be able to respond to pings.
In case you need to disable this process, you may have to return to delete the two rules just created, or rather you right-click on the rules and select “disable.” The second option makes it easier to re-enable them when needed quicker without a need to recreate them.
How to Allow Ping Requests in Command Prompt
You can skip the first process if you are looking for the quickest way to create ping request exceptions. For this, all you need is to open your command prompt with administrative privileges.
To enable requests for pings, just like we did in the previous step, you will need to create two exceptions allowing traffic via the firewall. You will need one for ICMPv4 and another for ICMPv6.
We will start with the exception for ICMPv4 exception. You just need to type or copy the command below and paste in your command prompt then hit the enter key:
netsh advfirewall firewall add rule name="ICMPv4 echo request" protocol=icmpv4:8,any dir=in action=allow
Note that the name part of this code should be any name you want to associate with your request.
For ICMPv6 exceptions, here is the command you will need:
netsh advfirewall firewall add rule name="ICMPv6 echo request" protocol=icmpv6:8,any dir=in action=allow
Once this is done, there is no need for a computer reboot, the changes should take effect instantly. Pinging from your computer to any remote device should yield a result now.
Note that the name part of this code should be any name you want to associate with your request.
Disable Ping Requests with Command Prompt
After creating the ping request, the process to disable it is very simple. You will need different codes for ICMPv4 and ICMPv6 requests.
For ICMPV4 type or copy and paste the code below:
netsh advfirewall firewall add rule name="ICMPv4 echo request" protocol=icmpv4:8,any dir=in action=block
Remember that this will only work if the name part of this code matches the name of an existing rule on your computer.
For ICMPV6 type or copy and paste the code below:
netsh advfirewall firewall add rule name="ICMPv6 echo request" protocol=icmpv6:8,any dir=in action=block
Remember that this will only work if the name part of this code matches the name of an existing rule on your computer.
Once the rules are blocked, you can expect that every ping request will be met with a timeout message.
When attempting to disable a rule, there are chances you may not remember the rule name. In these cases here is a script to display the names of existing rules on your computer.
netsh advfirewall firewall show rule name=all
Using this script will show a lot of rules. the most recent ones should be located at the top of the list.
Of course, using the command prompt is the more straightforward method but then you can always go back to allow ping in Windows Firewall.
FAQ
Why is ping blocked by default in Windows Firewall?
By default, Windows Firewall blocks incoming ICMP Echo Requests (Type 8) to enhance security, as ICMP can be exploited for reconnaissance attacks like DDoS or network mapping.
This prevents unauthorized devices from discovering your PC on a network. However, outgoing pings (from your PC to others) are typically allowed, along with related replies, due to the firewall’s stateful inspection.
What’s the difference between enabling ping via custom rules vs. using built-in Windows rules?
Custom rules, as detailed in the guide, give you full control over settings like specific IP restrictions or profiles (Domain, Private, Public).
Alternatively, Windows has pre-defined rules like “File and Printer Sharing (Echo Request – ICMPv4-In)” and its IPv6 counterpart, which you can enable directly in the Inbound Rules list without creating new ones. Search for “Echo Request” in the rules pane, right-click, and select Enable Rule for a quicker setup.
How do I allow ping only from specific IP addresses in Windows Firewall?
In the GUI method, during the “Scope” step of the New Inbound Rule Wizard, select “These IP addresses” under Remote IP addresses and add the desired IPs or ranges (e.g., 192.168.1.0/24 for a local subnet).
For command-line, modify the netsh command with remoteip=192.168.1.0/24 like: netsh advfirewall firewall add rule name="ICMPv4 echo request" protocol=icmpv4:8,any dir=in action=allow remoteip=192.168.1.0/24.
This restricts responses to trusted sources, reducing exposure.
Is it safe to allow ICMP Echo Requests through Windows Firewall?
Allowing ping isn’t inherently dangerous if limited to trusted networks or IPs, as it aids troubleshooting like checking connectivity or latency. However, on public networks, it can reveal your device’s presence to attackers.
Best practices include enabling it only on Private profiles, blocking it on Public ones, and avoiding unnecessary ICMP types beyond Echo Request/Reply. If security is a concern, use tools like VPNs or monitor logs for unusual activity.
How can I test if ping is allowed after configuring Windows Firewall?
From another device on the network, run ping your-PC-IP-address (find your IP via ipconfig on the target PC). If successful, you’ll see replies with round-trip times; otherwise, expect “Request timed out.”
On the same PC, test locally with ping localhost or ping 127.0.0.1 (which bypasses the firewall). For external tests, ensure no router firewalls or ISP blocks are interfering—tools like online ping testers can help verify.
What should I do if ping still times out even after enabling it in Windows Firewall?
First, confirm the rules are enabled and apply to the correct network profile (check via Settings > Network & Internet > Properties). Disable third-party firewalls or antivirus temporarily to isolate issues.
Verify IPv4/IPv6 settings match your network, and run ipconfig /flushdns to clear DNS cache. If the firewall is off entirely and pings fail, check hardware like cables, router settings, or group policies enforcing blocks. Event Viewer (under Windows Logs > Security) may log denied packets for clues.
How do I enable ping on Windows Server editions compared to Windows 10/11?
The process is similar, but Server often runs in Core mode without GUI, so use PowerShell: New-NetFirewallRule -DisplayName "ICMPv4 Echo" -Protocol ICMPv4 -IcmpType 8 -Direction Inbound -Action Allow.
For GUI on Server with Desktop Experience, follow the same Advanced Security steps. Note that Servers may have stricter defaults due to roles like Domain Controller—enable only for specific interfaces and monitor with tools like Windows Admin Center.
Can I allow outgoing pings if they’re blocked in Windows Firewall?
Outgoing pings (ICMP Type 8 out and Type 0 in for replies) are allowed by default in Windows Firewall, as it permits most outbound traffic. If blocked (e.g., by custom policies), create an Outbound Rule in Advanced Security, selecting ICMPv4/ICMPv6 and Echo Request.
Use command-line: netsh advfirewall firewall add rule name="ICMPv4 Out" protocol=icmpv4:8,any dir=out action=allow. This is rare, as issues are usually with inbound responses.
How do I use PowerShell to allow ICMP ping in Windows Firewall?
PowerShell offers a modern alternative to netsh: New-NetFirewallRule -DisplayName "Allow ICMPv4 Ping" -Protocol ICMPv4 -IcmpType 8 -Direction Inbound -Action Allow -Profile Any.
For IPv6: Replace ICMPv4 with ICMPv6 and IcmpType 128 (Echo Request for v6). To disable: Disable-NetFirewallRule -DisplayName "Allow ICMPv4 Ping". This is ideal for scripting or automation in environments like Azure or enterprise deployments.
What are the risks of blocking all ICMP traffic in Windows Firewall?
While blocking ICMP enhances security, it can disrupt diagnostics—e.g., no “Destination Unreachable” messages (Type 3) lead to silent failures in connectivity.
Path MTU Discovery relies on ICMP Type 3 Code 4, so blocking it may cause fragmentation issues and slower transfers. Allow essential types like 0, 3, 4, 8, and 11 for balanced functionality, especially in troubleshooting-heavy setups like remote work or gaming.
How do I enable ICMP ping using Group Policy in enterprise environments?
For domain-joined machines, use Group Policy Management Console: Create a GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall > Inbound Rules.
Right-click to create a new rule for ICMPv4/ICMPv6 Echo Requests, then link the GPO to your OU. This ensures consistent enforcement across multiple devices; test with gpupdate /force and verify in Event Viewer for application.
What should I do if predefined ICMP rules are missing in a fresh Windows Server 2025 install?
In some Windows Server 2025 installations, core firewall rules like ICMP inbound may be absent due to minimal setups or bugs in fresh deploys.
Manually recreate them via PowerShell (New-NetFirewallRule as above) or import from a backup using netsh advfirewall export/import. Check for updates via Windows Update, and if persistent, review installation media or roles added—Server Core often requires explicit rule creation.
How has ICMP handling changed in Windows 11 updates as of 2025?
As of 2025, Windows 11 updates have refined IPv6 ICMP behaviors, with stricter defaults for “Block all connections” impacting Echo Requests more aggressively on public profiles.
Newer builds emphasize stateful rules for better MTU discovery, but issues like overridden rules by Microsoft Defender enhancements may require explicit enabling of “Core Networking Diagnostics – ICMP Echo Request” rules. Always check for KB updates affecting firewall parity between IPv4 and IPv6.
Why might my Windows Firewall still respond to pings even with ICMP rules disabled?
This could stem from third-party antivirus (e.g., Norton or McAfee) overriding Windows Firewall with their own permissive ICMP settings—disable them temporarily to test.
Group Policies or legacy rules from upgrades might persist; use netsh advfirewall firewall show rule name=all | findstr ICMP to list and delete hidden ones.
In 2025 Windows versions, check for automatic “File and Printer Sharing” enablement during network discovery.
How to allow ping for File and Printer Sharing without creating custom rules?
Enable the built-in “File and Printer Sharing (Echo Request – ICMPv4-In)” rule directly: In Advanced Security, filter Inbound Rules for “Echo Request,” right-click the relevant one, and select Enable.
This ties ping to sharing features, activating only when needed, and applies per profile—ideal for home networks where you want ping alongside printer access without broad exposure.
Can I enable ping temporarily for troubleshooting in Windows Firewall?
Yes, use the GUI to enable rules, perform tests, then disable via right-click > Disable Rule for quick toggling.
For scripting, create a batch file with netsh commands: netsh advfirewall firewall set rule name="ICMPv4 echo request" new action=allow to enable, and action=block to disable. Schedule via Task Scheduler for timed sessions, ensuring it reverts automatically after diagnostics.
How to handle ICMP rules in Windows Firewall when using third-party antivirus software?
Third-party tools like Avast or Bitdefender often integrate with or override Windows Firewall, potentially blocking ICMP despite your rules—access their settings to allow Echo Requests separately.
If conflicts arise, set Windows Firewall as primary via Control Panel > System and Security, or uninstall the third-party firewall component. Monitor with wf.msc to ensure rules aren’t duplicated or negated.
What are the differences in ICMP ping rules for Windows Home vs. Pro/Enterprise editions?
Windows Home lacks Group Policy Editor, so you can’t enforce ICMP rules via GPO—rely on GUI or command-line methods. Pro/Enterprise editions support advanced features like exporting rules (netsh advfirewall export) for backups and domain-wide deployment.
All editions handle basic ICMP similarly, but Enterprise adds Intune integration for cloud-managed rules in 2025 updates.
How to export and import ICMP firewall rules in Windows for backups or migration?
Use command-line: Export all rules with netsh advfirewall export "C:\firewall.wfw", then import on another machine via netsh advfirewall import "C:\firewall.wfw".
For ICMP-specific, first list them (netsh advfirewall firewall show rule name=all | findstr ICMP), delete if needed, and re-import. This is useful for migrating settings between Windows 10/11/Server without recreating rules manually.
What are common mistakes when setting up ICMP rules in Windows Firewall?
Common pitfalls include forgetting to enable rules for the correct network profile (e.g., Public vs. Private), not restarting the Firewall service after changes (Restart-Service MpsSvc), or mismatched IPv4/IPv6 settings causing partial failures.
Avoid broad “Any IP” scopes without restrictions, and always test both inbound/outbound directions—misconfiguring Type 8 vs. Type 0 can lead to one-way ping issues.
How do I enable ping on Azure VMs through Windows Firewall?
For Azure VMs, enable ICMP in the local Windows Firewall as usual, but also configure Network Security Group (NSG) rules in the Azure portal: Add an inbound rule for ICMP (Protocol: Any, Port: Any, Action: Allow) with priority higher than denies.
Test with Test-NetConnection from PowerShell; note that Azure load balancers may require additional probes for public IPs.
What causes “General Failure” errors when pinging despite enabled rules?
“General Failure” often indicates outbound ICMP blocks or DNS resolution issues—enable outbound Echo Requests if custom policies restrict them. Check for corrupted ARP caches (arp -d) or VPN interference; in domain environments, Group Policy may override local rules, so verify with rsop.msc for effective settings.
How to allow other ICMP types like for traceroute in Windows Firewall?
Traceroute uses ICMP Types 11 (Time Exceeded) and 3 (Destination Unreachable). Create custom inbound rules: Select ICMPv4, customize to include these types, and set action to Allow.
Use: netsh advfirewall firewall add rule name="Traceroute ICMP" protocol=icmpv4:3,any dir=in action=allow for Type 3; repeat for Type 11 to enable full path diagnostics.
Why does ping work locally but fail remotely after firewall changes?
Local pings (ping localhost) bypass the firewall, but remote failures suggest external blocks like router NAT, ISP filters, or modem firewalls. Verify port forwarding if behind NAT, and use tools like tracert to identify hops; for IPv6, ensure dual-stack compatibility as some networks prioritize it differently.
How to log ICMP traffic in Windows Firewall for auditing?
Enable logging via Windows Defender Firewall Properties > Domain/Private/Public tab > Logging Settings. Set “Log dropped packets” to Yes and specify a log path (e.g., %systemroot%\system32\logfiles\firewall\pfirewall.log).
Filter Event Viewer for ICMP events or use Get-NetFirewallLog in PowerShell to review denied/allowed pings.
Can I enable ping over VPN or mobile hotspot in Windows Firewall?
VPNs/hotspots may classify as Public profiles, blocking ICMP by default—switch to Private via Settings > Network > Properties if trusted. For hotspots, enable rules specifically for the adapter; test with Test-Connection and adjust scope to include VPN IP ranges to avoid leaks.
How to reset Windows Firewall to default and re-enable ping?
Reset via Control Panel > System and Security > Windows Defender Firewall > Restore defaults, or command: netsh advfirewall reset. This removes custom rules, so re-enable built-in Echo Request rules afterward. Backup first with netsh advfirewall export to preserve other configurations.
What alternatives to ping exist if ICMP remains blocked in Windows Firewall?
Use PowerShell’s Test-NetConnection for TCP/UDP probes (e.g., -Port 80), or tracert for path info without full ICMP. Tools like mtr (via WSL) combine ping/traceroute; for latency, browser-based speed tests or Wireshark captures provide insights without altering firewall rules.
How to enable ping in Windows Firewall via Intune for managed devices?
In Microsoft Intune, create a Device Configuration Profile > Windows 10/11 > Endpoint Protection > Firewall. Add a rule for ICMPv4 Echo Request (Inbound, Allow), assign to groups, and deploy. Monitor compliance in Intune reports; this overrides local settings for MDM-enrolled devices in 2025 environments.
Why might ping requests fail with “Destination Host Unreachable” after enabling?
This ICMP Type 3 message indicates routing issues, not firewall blocks—check ARP tables (arp -a), default gateways, or subnet masks. If on Wi-Fi, signal interference could cause it; flush routes with route -f and retest, ensuring no duplicate IPs via ipconfig /renew.
Final Thoughts on How to Allow Ping in Windows Firewall
The process to allow ping in windows firewall is a complicated long one and not everyone will have a need for it. But if you are interested in networking, then I advise you do not skip it, as pinging will become one of your most valuable tools.
As soon as you have it set up, it becomes really easy to turn it on or off. Most people would however prefer the second method using the command prompt. It really does not matter what your poison is as long as it gets the job done.
If you loved this article, you may enjoy learning all about Windows Firewall
