7 Appendix B: Full ABNF Grammar

The following section lists the complete grammar rules of the policy settings that are encoded using ABNF syntax, for implementers of Group Policy: Firewall and Advanced Security Group Policy Extension Encoding. Two points matter for anyone building a parser or validator from these rules. First, ABNF quoted strings are case-insensitive (RFC 5234 section 2.3), so the keywords below match regardless of case unless the normative text says otherwise. Second, the grammar constrains only the syntax of each field: numeric ranges (for example a port being 0-65535 or an IPv4 octet being 0-255), required or unique fields, endpoint ordering in ranges, and which fields are permitted for a given rule type are not expressed here and must be enforced by the implementation from the normative field descriptions.

; Values for the "Profile=" field.
PROFILE-VAL = "Domain" / "Private" / "Public"

           

; A port range written "begin-end", and a single port.
; NOTE(review): nothing here requires BEGINPORT <= ENDPORT, nor whether the
; endpoints are inclusive; both must be settled by the implementation from
; the normative text.
PORT-RANGE-VAL = BEGINPORT "-" ENDPORT

PORT-VAL = SINGLEPORT

           

; All three are plain PORT; the distinct names only document the role each
; one plays in PORT-RANGE-VAL / PORT-VAL.
BEGINPORT = PORT

ENDPORT = PORT

SINGLEPORT = PORT

           

; Decimal port number. DIGIT is the RFC 5234 core rule (%x30-39).
; The ABNF admits 1 to 5 digits, i.e. values up to 99999, but a TCP/UDP port
; is a 16-bit quantity: implementers MUST range-check the parsed value to
; 0-65535 (the same caveat the "Protocol=" comment below gives for 255).
PORT = 1*5DIGIT

           

; Symbolic port keywords that may stand in for a numeric port.
; LPORT-KEYWORD-VAL is used by the "LPort=" field; the -2-10 sets are used by
; "LPort2_10=" / "RPort2_10=". The -2-NN suffix presumably corresponds to a
; schema version.
LPORT-KEYWORD-VAL = "RPC" / "RPC-EPMap" / "Teredo"

LPORT-KEYWORD-VAL-2-10 = "IPTLSIn" / "IPHTTPSIn"

RPORT-KEYWORD-VAL-2-10 = "IPTLSOut" / "IPHTTPSOut"

; NOTE(review): the -2-20, -2-25, -2-28 and -2-29 sets are defined but no
; TYPE-VALUE alternative in this appendix references them; presumably
; later-version field tokens do - confirm against the normative field list
; before rejecting them as unknown.
LPORT-KEYWORD-VAL-2-20 = "Ply2Disc" / "DHCP"

LPORT-KEYWORD-VAL-2-25 = "mDNS"

RPORT-KEYWORD-VAL-2-28 = "CortanaOut"

LPORT-KEYWORD-VAL-2-29 = "TcpCDPSvc"

; Values for the "Dir=" field.
DIR-VAL = "In" / "Out"

           

; Values for the "Action=" field of a firewall RULE. The same "Action=" field
; token is extended later in this appendix with CS-ACTION-VAL for
; connection-security rules, so a parser must select the value set by rule
; type rather than by the ABNF alone.
ACTION-VAL = "Allow" / "Block" / "ByPass"

           

; Values for "Security=", "Security2_9=" and "Security2=" respectively.
IFSECURE-VAL = "Authenticate" / "AuthenticateEncrypt"

IFSECURE2-9-VAL = "An-NoEncap"

; NOTE(review): this rule carries the 2-10 tag but is referenced by the field
; spelled "Security2=" (no _10 suffix); confirm the exact field token against
; the normative description before hard-coding it.
IFSECURE2-10-VAL = "AnE-Nego"

           

; Interface identifier for the "IF=" field. GUID is not defined in this
; appendix; its exact textual form comes from elsewhere in the specification.
IF-VAL = GUID

           

; Values for the "IFType=" field.
IFTYPE-VAL = "Lan" / "Wireless" / "RemoteAccess"

           

; IPv4 range "begin-end" or a single address.
; NOTE(review): the grammar does not order the endpoints; check
; BEGINADDRV4 <= ENDADDRV4 after parsing.
ADDRESSV4-RANGE-VAL = ( BEGINADDRV4 "-" ENDADDRV4 / SINGLEADDRV4 )

           

; Role aliases for ADDRV4 used by ADDRESSV4-RANGE-VAL.
BEGINADDRV4 = ADDRV4

ENDADDRV4 = ADDRV4

SINGLEADDRV4 = ADDRV4

           

; Dotted-quad IPv4 address. Each octet is 1*3DIGIT, which syntactically admits
; 256-999; range-check every octet to 0-255 after parsing. Leading zeros are
; allowed by the grammar; how they are interpreted is not stated here.
ADDRV4 = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT

           

; IPv4 subnet, either "address/prefix-length" or "address/dotted-mask".
; NOTE(review): the grammar does not require MASK-ADDRV4 to be a contiguous
; mask, nor SUBNET-ADDRV4 to be the network address; if the consumer expects
; those properties, the validator has to check them.
ADDRESSV4-SUBNET-VAL = ( SUBNET-ADDRV4 "/" V4PREFIX-LENGTH ) / ( SUBNET-ADDRV4 "/" MASK-ADDRV4 )

           

; 1*2DIGIT admits 33-99; a valid IPv4 prefix length is 0-32 - range-check it.
V4PREFIX-LENGTH = 1*2DIGIT

           

; Role aliases for ADDRV4 used by ADDRESSV4-SUBNET-VAL.
SUBNET-ADDRV4 = ADDRV4

MASK-ADDRV4 = ADDRV4

           

; IPv6 range "begin-end" or a single address; same endpoint-ordering caveat as
; the IPv4 rule. ADDRV6 is not defined in this appendix.
ADDRESSV6-RANGE-VAL = ( BEGINADDRV6 "-" ENDADDRV6 / SINGLEADDRV6)

           

; Role aliases for ADDRV6 used by ADDRESSV6-RANGE-VAL.
BEGINADDRV6 = ADDRV6

ENDADDRV6 = ADDRV6

SINGLEADDRV6 = ADDRV6

           

; IPv6 subnet; only the prefix-length form exists (no mask form, unlike IPv4).
ADDRESSV6-SUBNET-VAL = SUBNET-ADDRV6 "/" V6PREFIX-LENGTH

           

; 1*3DIGIT admits 129-999; a valid IPv6 prefix length is 0-128 - range-check it.
V6PREFIX-LENGTH = 1*3DIGIT

           

; Role alias for ADDRV6 used by ADDRESSV6-SUBNET-VAL.
SUBNET-ADDRV6 = ADDRV6

           

; Symbolic address keywords. In this appendix they are accepted only by the
; remote/endpoint address fields (RA4=, RA6=, EP1_4=, EP2_4=, EP1_6=, EP2_6=),
; not by LA4= / LA6=. The "DHCP" token here is unrelated to the "DHCP" in
; LPORT-KEYWORD-VAL-2-20; the two occur in different fields.
ADDRESS-KEYWORD-VAL = "LocalSubnet" / "DNS" / "DHCP" / "WINS" / "DefaultGateway"

           

; Boolean field values.
; NOTE: RFC 5234 quoted strings are case-insensitive, so "true" / "True" also
; satisfy this rule as written. Whether the producer always emits upper case
; and whether consumers compare case-sensitively is not stated in this
; appendix; a strict validator should not assume either.
BOOL-VAL = "TRUE" / "FALSE"

           

; Values for the "Defer=" field.
DEFER-VAL = "App" / "User"

           

; ICMP selector "type:code" for the "ICMP4=" / "ICMP6=" fields.
ICMP-TYPE-CODE-VAL = TYPE ":" CODE

           

; ICMP type. 1*3DIGIT admits up to 999; ICMP type is an 8-bit field (0-255),
; so range-check after parsing. Not to be confused with the TYPE-VALUE rule.
TYPE = 1*3DIGIT

           

; ICMP code (8-bit, 0-255; same range caveat as TYPE) or the literal "*",
; presumably meaning any code - the grammar only fixes the token.
CODE = 1*3DIGIT / "*"

           

; Value of the "Platform=" field: platform-id ":" major ":" minor.
PLATFORM-VAL = PLATFORM ":" OS-MAJOR-VER ":" OS-MINOR-VER

           

; PLATFORM is an unbounded decimal (1*DIGIT); the version parts are at most
; three digits. The meaning of the numeric platform id is not given here.
PLATFORM = 1*DIGIT

OS-MAJOR-VER = 1*3DIGIT

OS-MINOR-VER = 1*3DIGIT

           

; Comparison operator for the "Platform2=" field; "GTEQ" is the only one
; defined in this appendix.
PLATFORM-OP-VAL = "GTEQ"

           

; A firewall rule: "v" MAJOR.MINOR "|" followed by one or more fields, each
; terminated by "|", e.g.  v2.10|Action=Allow|Dir=In|Protocol=6|LPort=443|
;
; NOTE(review): this grammar constrains only the syntax of individual fields.
; It does not require any field to be present, does not forbid repeating a
; field, and does not fix field order. TYPE-VALUE is a single rule that is
; further extended (=/) below for CSRULE and MMRULE, so syntactically every
; field listed anywhere in this appendix is accepted in every rule type.
; Required/unique/allowed-per-rule-type constraints therefore have to be
; enforced by the implementation from the normative field descriptions, not
; derived from the ABNF.
RULE = "v" VERSION "|" 1*FIELD

; Because "|" is the field terminator, no field value may contain "|".
FIELD = TYPE-VALUE "|"

TYPE-VALUE =  "Action=" ACTION-VAL

TYPE-VALUE =/ "Dir=" DIR-VAL

TYPE-VALUE =/ "Profile=" PROFILE-VAL

; 1*3DIGIT admits 256-999; the value must be range-checked to 0-255.
TYPE-VALUE =/ "Protocol=" 1*3DIGIT                         ; protocol is maximum 3 digits (255)

; "LPort=" accepts a keyword; "RPort=" does not (remote keywords exist only
; in "RPort2_10="). The 2_10 variants take a port range, the plain ones a
; single port.
TYPE-VALUE =/ "LPort=" ( PORT-VAL / LPORT-KEYWORD-VAL )

TYPE-VALUE =/ "RPort=" PORT-VAL

TYPE-VALUE =/ "LPort2_10=" ( PORT-RANGE-VAL / LPORT-KEYWORD-VAL-2-10 )

TYPE-VALUE =/ "RPort2_10=" ( PORT-RANGE-VAL / RPORT-KEYWORD-VAL-2-10 )

TYPE-VALUE =/ "Security=" IFSECURE-VAL

TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL

; NOTE(review): token is "Security2=" although the value rule is the 2-10 one.
TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL

TYPE-VALUE =/ "IF=" IF-VAL

TYPE-VALUE =/ "IFType=" IFTYPE-VAL

TYPE-VALUE =/ "App=" APP-VAL

TYPE-VALUE =/ "Svc=" SVC-VAL

; Local addresses take ranges/subnets only; remote addresses additionally
; accept the ADDRESS-KEYWORD-VAL symbols.
TYPE-VALUE =/ "LA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL )

TYPE-VALUE =/ "RA4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "LA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL )

TYPE-VALUE =/ "RA6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "Name=" STR-VAL

TYPE-VALUE =/ "Desc=" STR-VAL

TYPE-VALUE =/ "EmbedCtxt=" STR-VAL

TYPE-VALUE =/ "Edge=" BOOL-VAL

TYPE-VALUE =/ "Defer=" DEFER-VAL

TYPE-VALUE =/ "LSM=" BOOL-VAL

TYPE-VALUE =/ "Active=" BOOL-VAL

TYPE-VALUE =/ "ICMP4=" ICMP-TYPE-CODE-VAL

TYPE-VALUE =/ "ICMP6=" ICMP-TYPE-CODE-VAL

TYPE-VALUE =/ "Platform=" PLATFORM-VAL

; RMauth= / RUAuth= are typed as STR-VAL; if these carry authorization
; descriptors in practice, confirm that ALPHANUM (not defined here) actually
; covers the characters such data contains.
TYPE-VALUE =/ "RMauth=" STR-VAL

TYPE-VALUE =/ "RUAuth=" STR-VAL

TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL

TYPE-VALUE =/ "SkipVer=" VERSION   

; Rule/schema version "major.minor", as in the leading "v" prefix of a rule.
VERSION = MAJOR-VER "." MINOR-VER

           

; Version components; at most three digits each, no range given here.
MAJOR-VER = 1*3DIGIT

MINOR-VER = 1*3DIGIT

           

; Value of the "App=" field.
; NOTE(review): ALPHANUM is not defined in this appendix. If it is the usual
; letters-and-digits set, APP-VAL could not carry a path containing "\", ":"
; or "." - check its definition in the normative section before building a
; validator from this rule alone.
APP-VAL = 1*ALPHANUM

; Value of the "Svc=" field: "*" (presumably any service) or a service name.
SVC-VAL = "*" / 1*ALPHANUM

           

; Generic string value used by Name=, Desc=, EmbedCtxt=, RMauth=, RUAuth=,
; Auth1Set=, Auth2Set=, Crypto1Set= and Crypto2Set=. ALPHANUM is not defined
; in this appendix; as written the rule admits no spaces or punctuation.
; Whatever ALPHANUM turns out to be, a value can never contain "|", since
; that character terminates a FIELD.
STR-VAL = 1*ALPHANUM

           

; Optional comma-separated list of braced GUIDs: "", "{g}" or "{g},{g},...".
; The outer [ ] already makes the whole value optional, so the inner
; *1INTF-FIELD is equivalent to a bare INTF-FIELD. Not referenced by any
; TYPE-VALUE alternative in this appendix.
INTERFACES-VAL = [ *1INTF-FIELD / INTF-FIELD 1*INTF-FIELD-SEQ ]

INTF-FIELD = "{" GUID "}"

INTF-FIELD-SEQ = "," INTF-FIELD

           

; Phase 1 authentication method tokens (not referenced by a TYPE-VALUE
; alternative in this appendix).
; NOTE(review): "Anonymous" presumably means no peer authentication; a policy
; validator may want to flag authentication sets that allow it - confirm the
; semantics in the normative section.
PHASE1-AUTH-METHOD-VAL = "Anonymous" / "MachineKerb" / "MachineCert"

PHASE1-AUTH-METHOD-VAL =/ "MachineSHKey" / "MachineNtlm"

           

; Phase 2 authentication method tokens (not referenced by a TYPE-VALUE
; alternative in this appendix). Same "Anonymous" caveat as for phase 1.
PHASE2-AUTH-METHOD-VAL = "Anonymous" / "MachineCert" / "UserKerb"

PHASE2-AUTH-METHOD-VAL =/ "UserCert" / "UserNtlm"

           

; Timeout values: only the digit count is fixed here; units and meaning
; (presumably minutes and a session count) come from the normative section.
; Note that 1*10DIGIT exceeds the range of a 32-bit unsigned integer.
TIMEOUT-MIN-VAL = 1*8DIGIT

TIMEOUT-SESS-VAL = 1*10DIGIT

; Perfect-forward-secrecy options.
PFS-VAL = "Disable" / "EnableDHFromPhase1" / "ReKeyDH1" / "ReKeyDH2" / "ReKeyDH2048"

PFS-VAL =/ "ReKeyECDH256" / "ReKeyECDH384"

           

; Cryptographic algorithm tokens (none of these is referenced by a TYPE-VALUE
; alternative in this appendix).
; NOTE(review): the grammar deliberately still admits legacy algorithms -
; DES, 3DES, MD5, SHA1 and the DH1/DH2 groups. An encoder has to accept them
; for compatibility, but a policy validator should treat them as weak; which
; of them are deprecated is for the normative section to say.
KEY-EXCHANGE-VAL = "DH1" / "DH2" / "DH2048" / "ECDH-256" / "ECDH-384"

ENCRYPTION-VAL = "DES" / "3DES" / "AES-128" / "AES-192" / "AES-256"

HASH-VAL = "MD5" / "SHA1"

HASH2-1-VAL = "SHA256" / "SHA384"

PROTOCOL-VAL = "AH" / "ESP" / "AH&ESP"

ENCRYPTION2-1-VAL = "AES-GCM128" / "AES-GCM192" / "AES-GCM256"

; NOTE(review): AES-GCM tokens appear here in an integrity-algorithm position
; as well as in ENCRYPTION2-1-VAL; how a GCM choice here combines with a
; separate encryption choice is not stated in this appendix - confirm the
; pairing rules before validating crypto sets.
AH-ESP-HASH2-1-VAL = "SHA256" / "AES-GCM128" / "AES-GCM192" / "AES-GCM256"

; Pairs with IFSECURE2-9-VAL ("An-NoEncap") in the 2.9 schema.
PROTOCOL2-9-VAL = "AUTH_NO_ENCAP"

           

; Values for the "Action=" field of a connection-security rule (CSRULE).
CS-ACTION-VAL = "SecureServer" / "Boundary" / "Secure" / "DoNotSecure"

           

; Connection-security rule: same "v" VERSION "|" 1*FIELD shape as RULE. Since
; FIELD is built on the shared TYPE-VALUE rule, the ABNF alone does not tell
; a CSRULE apart from a RULE; the rule type has to come from context.
CSRULE = "v" VERSION "|" 1*FIELD

           

; Additional TYPE-VALUE alternatives for connection-security rules.
; NOTE(review): these extend the same TYPE-VALUE rule used by RULE, so after
; this section "Action=Allow" is syntactically valid in a CSRULE and
; "Action=Secure" in a RULE; several alternatives (Profile=, Protocol=, IF=,
; IFType=, Name=, Desc=, EmbedCtxt=, Active=, Platform=, SkipVer=) are also
; restated verbatim. A parser must restrict the accepted value set per rule
; type itself.
TYPE-VALUE =/ "Action=" CS-ACTION-VAL

TYPE-VALUE =/ "Profile=" PROFILE-VAL

; 1*3DIGIT admits 256-999; range-check to 0-255.
TYPE-VALUE =/ "Protocol=" 1*3DIGIT                          ; protocol is maximum 3 digits (255)

; Endpoint ports: single port in the base form, port range in the 2_10 form.
TYPE-VALUE =/ "EP1Port=" PORT-VAL

TYPE-VALUE =/ "EP2Port=" PORT-VAL

TYPE-VALUE =/ "EP1Port2_10=" PORT-RANGE-VAL

TYPE-VALUE =/ "EP2Port2_10=" PORT-RANGE-VAL

TYPE-VALUE =/ "IF=" IF-VAL

TYPE-VALUE =/ "IFType=" IFTYPE-VAL

; References to authentication / crypto sets by name (STR-VAL).
TYPE-VALUE =/ "Auth1Set=" STR-VAL

TYPE-VALUE =/ "Auth2Set=" STR-VAL

TYPE-VALUE =/ "Crypto2Set=" STR-VAL

; Both endpoints accept address keywords (unlike LA4=/LA6= in RULE).
TYPE-VALUE =/ "EP1_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "EP2_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "EP1_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "EP2_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "Name=" STR-VAL

TYPE-VALUE =/ "Desc=" STR-VAL

TYPE-VALUE =/ "EmbedCtxt=" STR-VAL

TYPE-VALUE =/ "Active=" BOOL-VAL

TYPE-VALUE =/ "Platform=" PLATFORM-VAL

TYPE-VALUE =/ "SkipVer=" VERSION

; Only "GTEQ" is defined for PLATFORM-OP-VAL.
TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL

TYPE-VALUE =/ "SecureInClearOut=" BOOL-VAL

TYPE-VALUE =/ "ByPassTunnel=" BOOL-VAL

TYPE-VALUE =/ "Authz=" BOOL-VAL

; Tunnel endpoints are single addresses (ADDRV4 / ADDRV6), not ranges or
; subnets. The "_2" forms are presumably later-version counterparts of the
; base tokens; the difference is not described in this appendix.
TYPE-VALUE =/ "RTunnel4=" ADDRV4

TYPE-VALUE =/ "RTunnel6=" ADDRV6

TYPE-VALUE =/ "LTunnel4=" ADDRV4

TYPE-VALUE =/ "LTunnel6=" ADDRV6

TYPE-VALUE =/ "RTunnel4_2=" ADDRV4

TYPE-VALUE =/ "RTunnel6_2=" ADDRV6

TYPE-VALUE =/ "LTunnel4_2=" ADDRV4

TYPE-VALUE =/ "LTunnel6_2=" ADDRV6

           

; Main-mode rule: same "v" VERSION "|" 1*FIELD shape as RULE and CSRULE.
; The TYPE-VALUE alternatives below again extend the shared rule, and every
; one of them except "Crypto1Set=" is already present from the RULE or CSRULE
; sections; the ABNF therefore accepts any field of any rule type in an
; MMRULE, and the implementation must enforce the per-rule-type field list.
MMRULE = "v" VERSION "|" 1*FIELD

TYPE-VALUE =/ "Profile=" PROFILE-VAL

TYPE-VALUE =/ "Auth1Set=" STR-VAL

; Only field in this appendix that references a phase-1 crypto set.
TYPE-VALUE =/ "Crypto1Set=" STR-VAL

TYPE-VALUE =/ "EP1_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "EP2_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "EP1_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "EP2_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )

TYPE-VALUE =/ "Name=" STR-VAL

TYPE-VALUE =/ "Desc=" STR-VAL

TYPE-VALUE =/ "EmbedCtxt=" STR-VAL

TYPE-VALUE =/ "Active=" BOOL-VAL

TYPE-VALUE =/ "Platform=" PLATFORM-VAL

TYPE-VALUE =/ "SkipVer=" VERSION