Tools and Procedures Used to Troubleshoot Windows Firewall – TechNet

 

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Using Monitoring in Windows Firewall with Advanced Security

Updated: December 6, 2011

Applies To: Windows 7, Windows Server 2008 R2

The first step you typically take in troubleshooting a Windows Firewall or IPsec problem is to view which rules are currently being applied to the computer. Using the Monitoring node in Windows Firewall with Advanced Security enables you to see the rules currently being applied both locally and by Group Policy.

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation tree, select and then expand Monitoring.

  2. In the navigation tree, select Firewall to view the currently active inbound and outbound rules. You can double-click a rule to view its details.

  3. In the navigation tree, select Connection Security Rules to view the currently active connection security rules that implement IPsec requirements on network traffic. You can double-click a rule to view its details.

  4. For either Firewall or Connection Security Rules, you can determine where a rule came from. In the Actions pane, click View, and then click Add/Remove Columns. In the Available columns list, select Rule Source, click Add, position it in the Displayed columns list by clicking Move Up or Move Down, and then click OK. It can take a few seconds for the list to appear with the new information.

  5. In the navigation tree, expand Security Associations, and then select either Main Mode or Quick Mode to view the currently active security associations that are established between the local computer and various remote computers.

  • Only one firewall rule is used to determine if a network packet is allowed or dropped. If the network packet matches multiple rules, then the rule that is used is selected using the following precedence:
    • Rules that specify the action Allow if Secure and also the option Block Override
    • Rules that specify the action Block
    • Rules that specify the action Allow
  • Only currently active rules are displayed in the Monitoring node. Rules might not appear in the list if:
    • The rule is disabled.
    • The default inbound or outbound firewall behavior is configured to allow traffic that is not blocked by a rule; in that case, allow rules for that direction are not displayed.
  • By default, the firewall rules in the groups identified in the following list are enabled. Additional rules might be enabled when you install certain Windows Features or programs.
    • Core Networking – all profiles
    • Remote Assistance – DCOM and RA Server TCP rules for domain profile only, other rules for both domain and private profiles
    • Network Discovery – private profile only
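The precedence list above decides which single rule applies when several rules match the same packet. The following model is an added illustration (not Microsoft code and not a Windows API): rules and packets are a constructed simplification, and an "Allow if Secure" rule without Block Override is treated as a plain allow, which is an assumption of this model rather than a statement from the page.

```python
"""Model of firewall rule precedence: among the rules matching a packet,
'Allow if Secure' + 'Block Override' beats Block, which beats Allow.
Added example; rule/packet shapes are a constructed simplification."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    action: str                        # "allow", "block" or "allow_if_secure"
    block_override: bool = False       # only meaningful for allow_if_secure
    direction: str = "in"
    protocol: Optional[str] = None     # None matches any protocol
    local_port: Optional[int] = None   # None matches any port
    enabled: bool = True


@dataclass
class Packet:
    direction: str
    protocol: str
    local_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule never matches; None fields act as wildcards."""
    return (rule.enabled
            and rule.direction == pkt.direction
            and rule.protocol in (None, pkt.protocol)
            and rule.local_port in (None, pkt.local_port))


def precedence(rule: Rule) -> int:
    """Lower value wins. Tiers follow the list above; 'Allow if Secure'
    without Block Override is treated as a plain allow (model assumption)."""
    if rule.action == "allow_if_secure" and rule.block_override:
        return 0
    if rule.action == "block":
        return 1
    return 2


def winning_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the one rule that decides the packet, or None when nothing
    matches (the profile's default inbound/outbound action then applies)."""
    candidates = [r for r in rules if rule_matches(r, pkt)]
    if not candidates:
        return None
    return min(candidates, key=precedence)


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Human-readable outcome: the winning rule's name or 'default action'."""
    rule = winning_rule(rules, pkt)
    return rule.name if rule else "default action"


# Constructed rule set: three rules that all match inbound TCP/3389.
SAMPLE_RULES = [
    Rule("Allow RDP from anyone", "allow", protocol="TCP", local_port=3389),
    Rule("Block RDP", "block", protocol="TCP", local_port=3389),
    Rule("Allow RDP only if authenticated", "allow_if_secure",
         block_override=True, protocol="TCP", local_port=3389),
]

if __name__ == "__main__":
    print(decide(SAMPLE_RULES, Packet("in", "TCP", 3389)))
```

Removing the third rule from `SAMPLE_RULES` makes "Block RDP" win, and disabling the block rule makes the plain allow win, which is why the Monitoring node's Rule Source column matters: a single Group Policy block rule silently overrides any number of local allow rules.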

Viewing Firewall and IPsec Events in Event Viewer

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Note: This topic applies to computers that are running Windows 7 and Windows Server 2008 R2 only. To view firewall and IPsec events on computers that are running previous versions of Windows, see Enabling Audit Events for Windows Firewall with Advanced Security.

Windows 7 and Windows Server 2008 R2 automatically log significant firewall and IPsec events in the computer’s event log. You can view events in the log by using Event Viewer.

To view events for Windows Firewall with Advanced Security in Event Viewer

  1. Event Viewer is available as part of Computer Management. Click Start, right-click Computer, and then click Manage. Under System Tools, click Event Viewer.

  2. In the navigation tree, expand Event Viewer, expand Applications and Services, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.

  3. There are four views of operational events provided:

    • ConnectionSecurity. This log maintains events that relate to the configuration of IPsec rules and settings. For example, when a connection security rule is added or removed or the settings of IPsec are modified, an event is added here.
    • ConnectionSecurityVerbose. This log maintains events that relate to the operational state of the IPsec engine. For example, when a connection security rule becomes active or when crypto sets are added or removed, an event is added here. This log is disabled by default. To enable this log, right-click ConnectionSecurityVerbose, and then click Enable Log.
    • Firewall. This log maintains events that relate to the configuration of Windows Firewall. For example, when a rule is added, removed, or modified, or when a network interface changes its profile, an event is added here.
    • FirewallVerbose. This log maintains events that relate to the operational state of the firewall. For example, when a firewall rule becomes active, or when the settings of a profile are changed, an event is added here. This log is disabled by default. To enable this log, right-click FirewallVerbose, and then click Enable Log.
  4. Each event includes a General tab that summarizes the information contained in the event. For more information about an event, click Event Log Online Help to open a web page in the Windows Server Technical Library that contains detailed information and prescriptive guidance.

    The event also includes a Details tab that displays the raw data associated with the event. You can copy and paste the information in the Details tab by selecting the text (CTRL+A selects it all) and then pressing CTRL+C.

Enabling Audit Events for Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Important: The information in this topic is useful mainly to computers that are running Microsoft® Windows Vista® and Windows Server® 2008. Although the audit events are available in Windows® 7 or Windows Server® 2008 R2, it is more effective to use the operational event logging supported by those versions of Windows. For more information, see Viewing Firewall and IPsec Events in Event Viewer.
By default, Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 does not log anything in the Event Viewer log. The events that can be logged by Windows Firewall with Advanced Security are called “audit” events, and must be enabled. Once enabled, the events generated by Windows Firewall with Advanced Security can be viewed in Event Viewer.

For more information about events that are generated by Windows Firewall with Advanced Security, see Event IDs Used by Windows Firewall with Advanced Security.

Enable audit events for Windows Firewall with Advanced Security

To enable audit events, use auditpol.exe, a command-line tool that modifies the audit policies of the local computer. You can use the auditpol command-line tool to enable or disable the various categories and subcategories of events and then view the events in the Event Viewer snap-in.

  • To get the list of event categories recognized by the auditpol tool, type the following at the command prompt: 

    auditpol.exe /list /category

  • To get the list of subcategories under a category (this example uses the category Policy Change), type the following at the command prompt:

    auditpol.exe /list /category:"Policy Change"

  • To set a category and a subcategory to enable, type the following at the command prompt:

    auditpol.exe /set /category:"CategoryName" /subcategory:"SubcategoryName" /success:enable /failure:enable

An example of setting a category and subcategory to enable is:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level Policy Change" /success:enable /failure:enable

The events generated by Windows Firewall with Advanced Security span several categories and subcategories. Consider creating a batch file containing the auditpol commands you need, so that you can enable and disable the audit events as required. The following table lists the event categories and subcategories that are relevant to troubleshooting Windows Firewall with Advanced Security.

Category / Subcategories

Policy Change

  • MPSSVC rule-level policy change
  • Filtering Platform policy change

Logon/Logoff

  • IPsec Main Mode
  • IPsec Quick Mode
  • IPsec Extended Mode

System

  • IPsec Driver
  • Other system events

Object Access

  • Filtering Platform packet drop
  • Filtering Platform connection

When you change audit policy settings, for changes to take effect, you must either restart the computer or force a manual policy refresh. You can force a manual refresh by typing the following command at the command prompt:

gpupdate /force

After you are done troubleshooting, you can disable the events by changing the enable settings above to disable and rerunning the commands.
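The batch files suggested above can be generated rather than typed, which avoids the quoting mistakes that make auditpol reject a command (the curly quotes a web page substitutes for straight ones are a common one). This Python generator is an added example, not Microsoft's code: the category and subcategory names are the ones in the table above, and the two output file names are an assumption.

```python
"""Generate enable/disable batch files for the auditpol subcategories
relevant to Windows Firewall with Advanced Security troubleshooting.
Added example; the .cmd file names are an assumption."""
from pathlib import Path
from typing import Dict, List

# Category -> subcategories, taken from the table above.
AUDIT_SUBCATEGORIES: Dict[str, List[str]] = {
    "Policy Change": ["MPSSVC rule-level policy change",
                      "Filtering Platform policy change"],
    "Logon/Logoff": ["IPsec Main Mode",
                     "IPsec Quick Mode",
                     "IPsec Extended Mode"],
    "System": ["IPsec Driver",
               "Other system events"],
    "Object Access": ["Filtering Platform packet drop",
                      "Filtering Platform connection"],
}


def auditpol_commands(enable: bool) -> List[str]:
    """One auditpol /set line per subcategory, with straight double quotes,
    followed by the gpupdate that makes the change take effect."""
    state = "enable" if enable else "disable"
    cmds = []
    for category, subcategories in AUDIT_SUBCATEGORIES.items():
        for sub in subcategories:
            cmds.append(f'auditpol.exe /set /category:"{category}" '
                        f'/subcategory:"{sub}" /success:{state} /failure:{state}')
    cmds.append("gpupdate /force")   # apply the audit policy without a reboot
    return cmds


def batch_text(enable: bool) -> str:
    """Full .cmd file body; CRLF line endings for cmd.exe."""
    return "@echo off\r\n" + "\r\n".join(auditpol_commands(enable)) + "\r\n"


def write_batch_files(directory: str) -> List[Path]:
    """Write enable-wfas-audit.cmd and disable-wfas-audit.cmd (assumed
    names) into the given directory and return their paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for enable, name in ((True, "enable-wfas-audit.cmd"),
                         (False, "disable-wfas-audit.cmd")):
        path = out / name
        path.write_text(batch_text(enable), newline="")
        written.append(path)
    return written


if __name__ == "__main__":
    for p in write_batch_files("."):
        print("wrote", p)
```

Run the enable script from an elevated command prompt before reproducing the problem and the disable script afterwards; the Object Access subcategories in particular generate a high volume of Security log events, so leaving them on longer than the troubleshooting session fills the log quickly.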

Viewing firewall and IPsec audit events in Event Viewer

Once the audit events are enabled, use Event Viewer to view the events in the Security event log.

To view firewall and IPsec audit events in Event Viewer

  1. Click Start, click Control Panel, click System and Maintenance (on Windows Vista and Windows Server 2008) or System and Security (on Windows 7 and Windows Server 2008 R2), and then under Administrative Tools click View event logs.

  2. In Event Viewer, expand Windows Logs and then click Security. In the details pane, you can view the security-related audit events. The list of logged events is displayed at the top of the details pane. Clicking an event in the list displays more detailed information in the bottom of the Details pane. The General tab gives a description of the event in friendly text. The Details tab gives you the option to view the details of the event in either Friendly View or XML View. If you need more information about an event, on the General tab, click Event Log Online Help.

Configuring Firewall Log Files


Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

You can enable logging in Windows Firewall with Advanced Security to create a text file that contains information about which network connections the firewall allows and drops. You can create the following types of log files:

Configure the firewall log file for a profile

Before you can view firewall logs, you must configure Windows Firewall with Advanced Security to create log files.

To configure logging for a Windows Firewall with Advanced Security profile

  1. In the console tree of the Windows Firewall with Advanced Security snap-in, click Windows Firewall with Advanced Security, and then click Properties in the Actions pane.

  2. Click the tab of the profile for which you want to configure logging (Domain, Private, or Public), and then click Customize.

  3. Specify a name and location.

  4. Specify a log file size limit (between 1 and 32,767 KB).

  5. Click Yes for Log dropped packets.

  6. Click Yes for Log successful connections and then click OK.

 

To view the firewall log file

Open Explorer to the path and filename you chose in the previous procedure, "To configure logging for a Windows Firewall with Advanced Security profile". To access the firewall log, you must be an administrator of the local computer.

You can view the log file in Notepad or any program that can open a text file.

 

Interpreting the firewall log file

The following log information is collected. Some data in the log file applies to only certain protocols (TCP flags, ICMP type and code, etc.), and some data applies only to dropped packets (size).

 

Field / Description / Example

Field: Date
Description: Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.
Example: 2006-3-27

Field: Time
Description: Displays the hour, minute, and second when the recorded transaction occurred. Times are recorded in the format HH:MM:SS, where HH is the hour in 24-hour format, MM is the minute, and SS is the second.
Example: 21:36:59

Field: Action
Description: Indicates the operation that was observed by the firewall. The actions available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but that were not recorded in the log.
Example: OPEN

Field: Protocol
Description: Displays the protocol that was used for the communication. A protocol entry can also be a number for packets that are not using TCP, UDP, or ICMP.
Example: TCP

Field: src-ip
Description: Displays the IP address of the sending computer.
Example: XXX.XXX.X.XX

Field: dst-ip
Description: Displays the IP address of the destination computer.
Example: XXX.XXX.X.XX

Field: src-port
Description: Displays the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.
Example: 4039

Field: dst-port
Description: Displays the port number of the destination computer. A dst-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.
Example: 53

Field: size
Description: Displays the packet size in bytes.

Field: tcpflags
Description: Displays the TCP control flags that are found in the TCP header of an IP packet:

  • Ack. Acknowledgment field significant
  • Fin. No more data from sender
  • Psh. Push function
  • Rst. Reset the connection
  • Syn. Synchronize sequence numbers
  • Urg. Urgent Pointer field significant

A flag appears as the single uppercase initial of its name; for example, the Fin flag appears as F.
Example: AFP

Field: tcpsyn
Description: Displays the TCP sequence number in the packet.
Example: 1315819770

Field: tcpack
Description: Displays the TCP acknowledgment number in the packet.
Example: 0

Field: tcpwin
Description: Displays the TCP window size of the packet in bytes.
Example: 64240

Field: icmptype
Description: Displays a number that represents the Type field of the ICMP message.
Example: 8

Field: icmpcode
Description: Displays a number that represents the Code field of the ICMP message.
Example: 0

Field: info
Description: Displays an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action creates an entry for the number of events that occurred but were not recorded in the log since the time of the last occurrence of this event type.
Example: 23

Note: A hyphen (-) is used for fields where no information is available for an entry.
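Reading a large firewall log in Notepad does not scale; a small parser that follows the field table above does. The following Python is an added example, not Microsoft's code. The four log lines and the header are constructed to match the fields documented above (real log files carry their own "#Fields:" header, and newer versions add columns, so the parser takes the column order from that header instead of assuming a fixed layout); the hyphen-means-no-data rule from the note is what turns "-" into None.

```python
"""Parse the text firewall log described above, honouring the '#Fields:'
header and the '-' placeholder, then summarise drops and lost events.
Added example; the sample log below is constructed."""
from collections import Counter
from typing import Dict, List, Optional, Tuple, Union

Value = Optional[Union[int, str]]

# Constructed sample in the documented layout (documentation IP ranges).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2006-03-27 21:36:59 OPEN TCP 192.0.2.10 192.0.2.53 4039 53 - - - - - - - -
2006-03-27 21:37:02 DROP TCP 198.51.100.7 192.0.2.10 51234 3389 52 S 1315819770 0 64240 - - -
2006-03-27 21:37:05 DROP ICMP 198.51.100.7 192.0.2.10 - - 84 - - - - 8 0 -
2006-03-27 21:37:09 INFO-EVENTS-LOST - - - - - - - - - - - - 23
"""


def _convert(token: str) -> Value:
    """'-' means no data for this field; pure digits become integers."""
    if token == "-":
        return None
    if token.isdigit():
        return int(token)
    return token


def parse_firewall_log(text: str) -> List[Dict[str, Value]]:
    """Return one dict per data line, keyed by the names in '#Fields:'.
    Lines before the header or with the wrong column count are skipped."""
    fields: List[str] = []
    records: List[Dict[str, Value]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other header lines
            continue
        tokens = line.split()
        if not fields or len(tokens) != len(fields):
            continue                      # malformed line: do not guess
        records.append({f: _convert(t) for f, t in zip(fields, tokens)})
    return records


def dropped_by_dst_port(records: List[Dict[str, Value]]) -> Counter:
    """Count DROP entries per destination port (ICMP drops have none)."""
    return Counter(r["dst-port"] for r in records
                   if r["action"] == "DROP" and r["dst-port"] is not None)


def events_lost(records: List[Dict[str, Value]]) -> int:
    """Total of the 'info' counters on INFO-EVENTS-LOST lines: a non-zero
    value means the log is incomplete for the period it covers."""
    return sum(r["info"] or 0 for r in records
               if r["action"] == "INFO-EVENTS-LOST")


def syn_drops(records: List[Dict[str, Value]]) -> List[Tuple[str, int]]:
    """Dropped connection attempts: DROP with the S (Syn) flag set."""
    return [(r["src-ip"], r["dst-port"]) for r in records
            if r["action"] == "DROP" and isinstance(r["tcpflags"], str)
            and "S" in r["tcpflags"]]


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("drops by port:", dict(dropped_by_dst_port(recs)))
    print("events lost:", events_lost(recs))
    print("syn drops:", syn_drops(recs))
```

The INFO-EVENTS-LOST total is worth checking first: if it is large, the log file size limit from the configuration procedure is too small for the traffic volume and the absence of a DROP line proves nothing.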

Create netstat and tasklist text files

You can create two custom log files, one to view network statistics (lists all listening ports) and the other to view the task list of either programs or services. The task list will provide the process identifier (PID) of the event which you can look up in the network statistics file for details. The procedure to create these two files is as follows:

To create network statistics and task list text files

  1. At the command prompt, type netstat -ano > netstat.txt, and then press ENTER.

  2. At the command prompt, type tasklist > tasklist.txt, and then press ENTER. If you want to create a text file for services rather than programs, at the command prompt, type tasklist /svc > tasklist.txt.

  3. Open the tasklist.txt and the netstat.txt files.

  4. In the tasklist.txt file, write down the Process Identifier (PID) for the process you are troubleshooting. Compare the PID with that in the Netstat.txt file. Write down the protocol that is used. The information about the protocol used can be useful when reviewing the information in the firewall log file.

Sample output of Tasklist.txt and Netstat.txt

Netstat.txt

Proto  Local Address    Foreign Address  State      PID
TCP    0.0.0.0:XXX      0.0.0.0:0        LISTENING  122
TCP    0.0.0.0:XXXXX    0.0.0.0:0        LISTENING  322

Tasklist.txt

Image Name            PID  Session Name  Session#  Mem Usage
====================  ===  ============  ========  =========
svchost.exe           122  Services      0         7,172 K
XzzRpc.exe            322  Services      0         5,104 K

Note: The actual IP addresses have been changed to (X), and RPC service to (z).
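Step 4 of the procedure above, comparing PIDs between the two files, is easier when done by program. The following Python is an added example, not Microsoft's code: it parses both files and joins them on the PID column. The two sample outputs are constructed (the image name XzzRpc.exe follows the page's placeholder convention, the ports are invented); the tasklist parser takes the Image Name column width from the "=====" rule line, so names containing spaces such as "System Idle Process" are handled, and UDP lines, which have no State column, are handled too.

```python
"""Join netstat.txt (sockets with PIDs) and tasklist.txt (PIDs with image
names) to answer 'which program owns this listening port?'.
Added example; both sample outputs are constructed."""
from typing import Dict, List, NamedTuple, Optional

NETSTAT_TXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       122
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       322
  TCP    192.0.2.10:49200       198.51.100.7:443       ESTABLISHED     322
  UDP    0.0.0.0:123            *:*                                    122
"""

TASKLIST_TXT = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    122 Services                   0      7,172 K
XzzRpc.exe                     322 Services                   0      5,104 K
"""


class Socket(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: Optional[str]   # UDP lines carry no State column
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse 'netstat -ano' output; the PID is always the last token."""
    sockets = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
            continue
        state = tokens[3] if len(tokens) == 5 else None
        sockets.append(Socket(tokens[0], tokens[1], tokens[2], state, int(tokens[-1])))
    return sockets


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name. The first run of '=' in the rule line gives
    the width of the Image Name column, which may contain spaces."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("="))
    name_width = len(lines[sep].split()[0])
    procs: Dict[int, str] = {}
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        image = line[:name_width].strip()
        pid = int(line[name_width:].split()[0])
        procs[pid] = image
    return procs


def listening_ports(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Listening TCP sockets and all UDP sockets, annotated with the owning
    image name (or '<unknown>' if the PID is absent from the task list)."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        if s.state == "LISTENING" or s.proto == "UDP":
            port = int(s.local.rsplit(":", 1)[1])
            rows.append({"image": procs.get(s.pid, "<unknown>"), "pid": s.pid,
                         "proto": s.proto, "port": port})
    return rows


def owner_of_port(netstat_text: str, tasklist_text: str,
                  proto: str, port: int) -> Optional[str]:
    """Image name of the process listening on proto/port, if any."""
    for row in listening_ports(netstat_text, tasklist_text):
        if row["proto"] == proto and row["port"] == port:
            return row["image"]
    return None


if __name__ == "__main__":
    for row in listening_ports(NETSTAT_TXT, TASKLIST_TXT):
        print(f'{row["proto"]:4} {row["port"]:6} PID {row["pid"]:6} {row["image"]}')
```

With the owning image and protocol known, the matching firewall log entries are the DROP lines whose protocol and dst-port equal that listener; a listener that is present in netstat but never reached is usually blocked by a rule rather than broken.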

Verifying that Key Firewall and IPsec Services are Working

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

For Windows Firewall with Advanced Security to operate correctly, the following services must be started:

  • Base Filtering Engine
  • Group Policy Client
  • IKE and AuthIP IPsec Keying Modules
  • IP Helper
  • IPsec Policy Agent
  • Network Location Awareness
  • Network List Service
  • Windows Firewall

To open the Services snap-in and verify that services are started

  1. Click Start and click Control Panel.

  2. Click System and Maintenance.

  3. Scroll to and click Administrative Tools.

  4. Double-click Services.

  5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  6. Verify that the services listed above are started. If one or more of the services are not started, right-click the service name in the list, and then click Start.

Resetting the Defaults in Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

As a last resort, you may want to restore Windows Firewall with Advanced Security defaults. When you restore default settings, you lose all settings, all firewall rules, and all IPsec connection security rules configured locally on the computer after Windows was installed. Group Policy applied rules and settings are not disturbed. The loss of locally defined rules might cause some programs to stop working that depend on certain rules or settings. Also, if you are remotely managing this computer, the connection is lost when you restore defaults.

Before resetting the Windows Firewall with Advanced Security defaults, make sure that you save the current firewall state. This allows you to restore your settings if necessary.

The steps to save the firewall state and reset Windows Firewall with Advanced Security to its default configuration are as follows:

To save the current firewall state

  1. In the Windows Firewall with Advanced Security MMC snap-in, click Export Policy in the Actions pane.

  2. In the Save As property sheet, provide a name and path for the export file.

  3. Click Save.

Note: You can use the Import Policy option in the Actions pane to reapply your saved configuration.

To restore Windows Firewall with Advanced Security to its default configuration

  1. In the Windows Firewall with Advanced Security snap-in, click Restore Defaults in the Actions pane.

  2. At the Windows Firewall with Advanced Security prompt, click Yes to restore firewall defaults.

Capturing Firewall and IPsec Events with Netsh WFP

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 introduce the new netsh wfp context that enables you to capture diagnostic trace sessions of the behavior of the Windows Filtering Platform which is the base engine that implements your firewall and connection security rules. Starting a capture session, reproducing the problem, and then stopping the capture results in a log that can help you or Microsoft Customer Support Services (CSS) troubleshoot connectivity problems on your computers.

To capture a Netsh WFP diagnostics session

  1. Open a command prompt with Administrator permissions.

  2. At the command prompt, change the current folder to your desktop by running the command: cd %userprofile%\desktop

  3. To start the capture, run the command netsh wfp capture start.

  4. Reproduce the networking problem whose cause you are trying to diagnose.

  5. To complete the capture, run the command netsh wfp capture stop. The output file is stored in the current folder.

To view the WFP diagnostic data

  1. In Explorer, double-click the .cab file that you created in the previous procedure.

  2. The .cab file contains an .xml file and an .etl file. The .etl file is a binary file that is intended for use by CSS. The .xml file can be loaded and read locally. Because of the size of the .xml files produced by this process, we recommend that you acquire an XML reader program instead of using a Web browser or Notepad to open the file. Several good ones are available for free download on the Web.

  3. Drag the wfpdiag.xml file from the .cab file to the desktop.

  4. Open the file with your XML reader of choice and examine the contents. Note the main sections:

    • sysInfo – This section contains information about the computer on which the trace was captured.
    • initialState – This section contains information about the state of the WFP and the currently configured rules before the problem was reproduced.
    • Events – This section contains information about things that occurred while the capture session was running.
    • finalState – This section contains the same information as initialState, but was captured when you ran the wfp capture stop command. You can directly compare the two sections to look for differences that might relate to the connection problem you are trying to diagnose.

Similarly, you can use the netsh trace start and netsh trace stop commands to capture a variety of diagnostic information customized to a selected scenario, such as wfp-ipsec.

To capture a Netsh Trace diagnostics session

  1. At an Administrator: Command Prompt, run the command netsh trace start scenario=wfp-ipsec tracefile=%userprofile%\desktop\SampleTrace.cab

    Substitute a path and filename appropriate to your environment.

  2. The output of the command shows you that the trace is running, the file to which the data is written, and details of other possible parameters.

  3. Reproduce the problem whose cause you are trying to diagnose.

  4. Run the command netsh trace stop.

    The computer takes a few moments to compile the collected trace data into a .cab file at your specified location.

  5. Open Windows Explorer, browse to the folder you specified, and double-click the .cab file, and examine its contents. A variety of text files, .xml files, event log files, and other types are included.

Also read:

Common Troubleshooting Situations using Windows Firewall with Advanced Security

Windows Firewall with Advanced Security Event Messages 

Enable IPsec and Windows Firewall Audit Events

 
