Windows Server 2008 R2 Firewall Security – WindowsITPro.com

Windows Server 2008 R2 Firewall Security

Best practices for enabling a firewall in a production environment

 

Today’s security model is all about layers. If your network suffers a breach, security layers can at least limit the scope of the attack or slow down the hacker. In my experience, Windows Server 2008 R2 and Windows Server 2008 are the first versions of Windows Server in which you can successfully keep your firewall enabled and still have the server work in a production environment. The Microsoft Management Console (MMC) Firewall with Advanced Security snap-in is key to this capability.

 

 

Firewall Profiles

There are three different Windows Firewall profiles that can be configured with a Server 2008 R2 firewall. Only one of these profiles can be active at a time.

1.     Domain profile—This profile is active when the server is connected to an Active Directory (AD) domain via an internal network. This is the profile that’s typically active, because most servers are members of an AD domain.

2.     Private profile—This profile is active when the server is a member of a workgroup. Microsoft recommends more restrictive firewall settings for this profile than for the domain profile.

3.     Public profile—This profile is active when the server is connected to an AD domain via a public network. Microsoft recommends the most restrictive settings for this profile.

When you start the Firewall with Advanced Security snap-in, you can view which firewall profile is active. Although Microsoft recommends that you can have different security settings based on the firewall profile, I typically configure the firewall as if a perimeter firewall doesn’t exist. With this approach, if any ports are accidentally opened on perimeter firewalls, Server 2008’s Windows Firewall will block the traffic. Just as with previous versions of Windows Firewall, all inbound connections are blocked and all outbound connections from the server are allowed by default in Server 2008 R2 (as long as there’s no existing Deny rule).

With these settings, my organization’s firewall configuration leans toward a public profile environment. When we create a rule, we make it active for all three profiles. By using a firewall configuration that’s consistent across all three domain profiles, we don’t have to worry about exposing any unwanted ports in case the Windows Firewall profile changes.

 

 

IPsec and Domain Isolation

You can implement domain isolation by using Windows Firewall’s IPsec feature. Domain isolation prevents the communication of a non-domain computer from connecting to a computer that’s a domain member. When communication is established between two domain members, you can configure the firewall to encrypt all traffic between the two computers with IPsec. This configuration can be useful in an environment in which you have guests on the same network but you want to prevent them from accessing computers that are part of a domain. It can be used as an alternative or in addition to Virtual LANs (VLANs). For more information about domain isolation with IPsec tunnels, see the Microsoft TechNet article “Domain Isolation with Microsoft Windows Explained.”

 

 

Leave the Firewall Enabled

I suggest leaving the firewall enabled when Server 2008 R2 is first installed. Most applications are now smart enough to automatically open the necessary port on the firewall when they’re installed, which eliminates the need to manually open inbound ports on the server. One of the main reasons to have the firewall up during installation is that it protects the OS before you have the chance to apply the latest updates.

The firewall is well-integrated with Server Manager’s roles and features. When a role or feature is added on the server, the firewall automatically opens the necessary inbound ports. SQL Server uses the default port of TCP 1433. Therefore, you must manually create an inbound rule that allows TCP port 1433 on the firewall for SQL Server. (Alternatively, you can change the default.)

 

 

Creating Inbound Rules

If you leave the firewall enabled, you’ll probably need to manually create an inbound firewall rule at some point. Fortunately, there are quite a few rules that are created but disabled by default for many popular Windows applications.

Before creating a rule, check to see whether a rule was already created that will allow the desired inbound traffic to pass. If you find an existing rule, you can simply enable the rule and possibly change the default scope. If you don’t find an existing rule, you can always create one from scratch.

Select Administrative Tools from the Start menu, then select Windows Firewall with Advanced Security to start the Firewall with Advanced Securitysnap-in. For illustration purposes, I’ll explain how to create a rule to allow inbound SQL Server traffic on TCP port 1433 from a Microsoft Office SharePoint Server front-end server.

 

 

 

Right-click Inbound Rules and select New Rule. As Figure 1 shows, you can select Program, Port, Predefined, or Custom for the rule type. I typically select Custom, because this option prompts you to enter a scope for the rule. Click Next to continue.

 

Figure 1: Creating a new inbound rule type
Figure 1: Creating a new inbound rule type


 

In the next dialog box, which Figure 2 shows, you can specify a program or services that the rule will match. In my example, I selected All programs so that traffic will be controlled by the port number.

 

Figure 2: Specifying a program for a new inbound rule
Figure 2: Specifying a program for a new inbound rule


 

As Figure 3 shows, I then selected TCP for the protocol type, and I selected Specific Ports from the Local port drop-down menu and specified port 1433, which is the default port for SQL Server. Because remote ports are dynamic, I selected All Ports.

 

Sugano-WIN2374-Fig3-lg_0
Figure 3: Specifying a protocol and ports for a new inbound rule

 

 

 

In the Scope dialog box, which Figure 4 shows, I specified the local IP address of 192.168.1.11 and the remote IP address of 192.168.1.10, which is the IP address of my organization’s SharePoint front-end server. I strongly recommend specifying a scope with every rule, in case the server is accidentally exposed to unwanted subnets.

 

Sugano-WIN2374-Fig4-lg_0
Figure 4: Specifying local and remote IP addresses in a new inbound rule’s scope

 

 

 

 

In the Action dialog box, which Figure 5 shows, I selected Allow the connection because I want to allow inbound traffic to pass for SQL Server.

 

Sugano-WIN2374-Fig5-lg_0
Figure 5: Specifying the action to take when a connection matches the condition 
in a new inbound rule

 

 

Alternatively, you can allow traffic to pass only if it’s encrypted and secured with IPsec, or you can block the connection. Next, you need to specify the profile(s) for which the rule will apply. As Figure 6 shows, I selected all the profiles (which is a best practice).

 

Sugano-WIN2374-Fig6-lg_0
Figure 6: Specifying profiles for which a new inbound rule will apply

 

 

Finally, use a descriptive name for the rule, specifying the allowed service, scope, and ports, as Figure 7 shows. Using a descriptive name makes it easier to identify what a rule does. Click Finish to create the new inbound rule.

 

Sugano-WIN2374-Fig7-lg_0
Figure 7: Naming a new inbound rule

 

 

 

 

Creating Outbound Rules

By default, all inbound traffic is blocked and all outbound traffic is allowed on all three firewall profiles (i.e., domain, public, and private). If you use the default settings, you don’t need to open any outbound ports. Alternatively, you can block outbound traffic—but then you must open up the necessary outbound ports.

Creating outbound rules is similar to creating inbound rules, except the traffic flow is reversed. You can use the Firewall with Advanced Security snap-in to block outbound traffic on specific ports if the server becomes infected with a virus and attempts to attack other computers on specific ports.

 

Managing Firewall Configuration

In addition to the Firewall with Advanced Security snap-in, you can use Netsh commands to create firewall rules. For more information about using Netsh to configure Windows Firewall, see the article “How to use the ‘netsh advfirewall firewall’ context instead of the ‘netsh firewall’ context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista.” 

You can also use Group Policy to control the configuration of the firewall. One of the easiest ways to push out a firewall rule with Group Policy is to use theFirewall with Advanced Security snap-in to create the rule, export it, and import it into the Group Policy Management Editor. Then you can use Group Policy to push out the rule to the appropriate computers. For more information about how to use Group Policy to control the Windows Firewall, see the article “Best Practice: How to manage Windows Firewall settings using Group Policy.”

 

 

 

 

Troubleshooting

If you’re having difficulty connecting to a server that has Windows Firewall enabled, you can enable logging to determine if specific ports are being blocked. By default, firewall logging isn’t enabled. To enable firewall logging, right-click Windows Firewall with Advanced Security and select Properties. Click the Active Profile tab (Domain, Private, or Public) under the Logging section, and click Customize.

By default, the firewall log is located in C:\Windows\system32\LogFiles\Firewall\pfirewall.log. When troubleshooting connectivity problems, I typically log only the dropped packets, as Figure 8 shows; otherwise, the logs can fill up with a lot of successful connection information. Open the log with Notepad to determine if any packets are getting dropped by the firewall.

 

Sugano-WIN2374-Fig8-lg_0
Figure 8: Enabling firewall logging for the domain profile

 

 

 

 

Another troubleshooting tip is to temporarily disable the firewall to see if doing so solves the connectivity problem. If you can establish a connection with the firewall disabled, open a command prompt and issue the command Netstat -AN to view the connection details. As long as the application is connecting with TCP, you can look at the local and foreign IP addresses with anEstablished state to determine the application’s port(s). This can be especially helpful when you’re not sure which port(s) a particular application uses to establish a connection.

 

The Windows Sysinternals tool TCPView is like Netstat on steroids. This tool provides detailed TCP connection information and can be helpful when troubleshooting connectivity issues.

 

Happy Firewalling

Server 2008 R2 and Server 2008 are the first versions of Windows Server that make it possible to keep the firewall enabled in a production environment. The trick is to leave the firewall enabled during installation of any programs on the server. This practice lets you test the server’s connectivity before it goes into production. Use the Log dropped packets option to determine if any packets are getting dropped by the firewall. If you decide that you want to enable the firewall on the server after it’s been in production for a while, I suggest that you establish a lab environment first to determine which ports are necessary to open on the firewall. Happy firewalling!

 

 

 

 


 

The Windows Firewall Service Fails to start – Introduction

The Windows Firewall Service Fails to start – Introduction

 

There can be several causes that will prevent the Windows Firewall from starting and I will attempt to cover them in this series of five blog posts. In this first post, I will cover Windows XP and Windows Vista / Windows 7 separately as they are two different services. Last I will cover one issue with OneCare. Note: Specifics on Windows Vista and Windows 7will come in a later blog post.

Windows XP

In Windows XP, the firewall service is named “Windows Firewall/Internet Connection Sharing (ICS)”, or SharedAccess service.

Typical errors seen as either popups or within event logs when the service fails to start are:

  • Cannot start the Windows Firewall/Internet connection sharing (ICS) Service on local computer
  • Error 2: The system cannot find the file specified
  • Error 1705: While starting windows firewall and internet connection sharing services

Problems starting the Firewall Service in Windows XP are most commonly related to an issue with the Shared Access registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

The quickest resolution is generally to rebuild the key. Instructions for doing this are in the following article, along with a FIXIT link:

You cannot start the Windows Firewall service in Windows XP SP2

Other things you will want to check are:

  • Verify that the “Remote Procedure Call (RPC)” service is started
  • Verify that the service is configured to logon as Local System Account, as shown below:

clip_image001

The above 3 items cover the vast majority of the issues with starting the Firewall in Windows XP.

Windows Vista and later (Windows 7, Windows Server 2008, and Windows Server 2008 R2)

In Windows Vista and later, the firewall service is “Windows Firewall” (MPSSVC); it combines both Firewall and IPsec functionality.

The first thing to check is that the Base Filtering engine (BFE) is running. There are a number of services dependent on the BFE service (including the Windows Firewall) that may also fail to start:

  • IPsec Policy Agent (PolicyAgent)
  • Windows Firewall
  • IKE and AuthIP IPsec Keying Modules
  • Internet Connection Sharing (ICS)
  • Routing and Remote Access

In my experience most of the issues starting these services are related to permissions.

Typical errors seen in relation to starting this service are:

  • Event ID: 7024 – The Windows Firewall service terminated with service-specific error 5 (0x5)
  • Windows could not start the Base Filtering Engine service on Local Computer. Error 5: Access is denied.
  • Windows could not start the IPsec Policy Agent service on Local Computer. Error 1068: The dependency service or group failed to start.
  • Windows could not start the Network Location Awareness on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -1073741288.
  • The Windows Firewall service terminated with service-specific error 87 (0x57)
  • Error 0x80004015: The class is configured to run as a security id different from the caller.
  • The Windows Firewall service terminated with service-specific error 6801 (0x1A91).
  • “net start mpssvc” in cmd.exe returns the system error 1297.

What to look for (specific details will be shared in a future blog post):

  • Verify Log On permissions
  • Verify registry permissions
  • Verify privilege permissions
  • Verify Service Dependencies
  • Reset the default security permissions
  • Verify that the TxR folder exists : %systemroot%\system32\config\TxR
  • Verify the following registry keys by comparing them to a default Windows installation:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShareAccess

Windows OneCare

Lastly, I am including information about one issue that may be seen with the Windows OneCare Firewall Service. The following messages may be seen:

The Windows OneCare Firewall Service Could not Start

Urgent – Turn on Firewall

You will see this error in the Windows OneCare interface, with a red status action item asking you to enable the firewall. The action listed does not enable the firewall, however.

This issue is also very specific because the firewall settings in Windows OneCare are grayed out and cannot be modified.

To resolve this issue:

Use the steps below to ensure that the PATH environment variable contains the following path:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM

  1. Click Start / Control Panel and open the System Icon.
  2. In System, click the Advanced tab and then Environment Variables.
  3. Ensure that in the lower box “System variables” that PATH exists. If Path does not exist click NEW and type in PATH as the variable name and enter the above path in the variable value.
  4. If PATH already exists, highlight it and click Edit.
  5. Under variable name, click at the end of the line to append the above mentioned path to the end of the current path. NOTE: BE SURE TO SEPERATE THE OLD PATH AND THE NEW PATH WITH A SEMI-COLON ( ; ).
  6. Click OK to close the windows and restart the computer.

If this does not resolve the issue, try the following step:

  1. Click Start / Run and type Regsvr32 %SystemRoot%\System32\wbem\wmidcprv.dll and click OK.
  2. Restart the computer and test the firewall again.

If this does not resolve the issue, or if the problem does not match the description, please follow the steps in KB article 910659.

Conclusion

This wraps up my overview of how to troubleshoot issues starting the Windows Firewall Service. 

– David Pracht

Restore Windows Firewall Default Settings

Restore Windows Firewall Default Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use this procedure to reset Windows Firewall to its default configuration.

noteNote
Windows Firewall will be turned on when you perform this procedure. This ensures that your computer is protected by Windows Firewall when you restore default settings.

 

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Special Considerations

You can configure Windows Firewall settings in the standard profile or the domain profile. The domain profile is used when a computer is connected to a network in which the computer’s domain account resides. The standard profile is used when a computer is connected to a network in which the computer’s domain account does not reside, such as a public network or the Internet. Make sure Windows Firewall is using the correct profile when you perform this procedure.

For more information about Windows Firewall profiles, see Managing Windows Firewall Profiles.

To restore Windows Firewall default settings

This procedure can be performed using the graphical user interface or the command prompt. You cannot use Group Policy to restore Windows Firewall default settings.

Using the graphical user interface

To restore Windows Firewall default settings

  1. Open Windows Firewall.

  2. Click the Advanced tab, click Restore Defaults, and then click OK.

If a Windows Firewall setting appears dimmed in the graphical user interface, and on the General tab, you see For your security, some settings are controlled by Group Policy, the setting might be managed by Group Policy. If all Windows Firewall settings appear dimmed, and on the General tab, you see You must be a computer administrator to change these settings, you do not have administrative rights to configure Windows Firewall.

Using the command prompt

To restore Windows Firewall default settings

  • Type the following at the command prompt, and press ENTER:

    netsh firewall reset

If you get an “Access Denied” message when you run a command, you do not have administrative rights to configure Windows Firewall. If you get an “Ok” message but the command does not take effect, the setting might be managed by Group Policy.

Notes

  • To start Windows Firewall, click Start, point to Control Panel, and then click Windows Firewall.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.
  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.
  • Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.

See Also

Managing Windows Firewall Profiles

Managing Windows Firewall Profiles

Updated: March 28, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you are configuring Windows Firewall settings, you must know which profile (standard or domain) Windows Firewall is using and how to specify a Windows Firewall profile. Both profiles contain the same set of Windows Firewall settings. However, you typically configure standard profile settings to be more restrictive than domain profile settings because the standard profile settings do not need to include applications and services that are used in a managed domain environment.

When you configure Windows Firewall in Control Panel, you are configuring settings in the profile that is currently in use. You cannot use Windows Firewall in Control Panel to configure settings in the profile that is not currently in use. When you configure Windows Firewall Group Policy settings, you can configure individual policy settings in either the domain profile or the standard profile. The Group Policy Object Editor shows you which profile you are configuring. Likewise, when you use the netsh firewall commands to configure Windows Firewall settings, you can choose to configure settings in either the domain profile or the standard profile; however, if you do not specify a profile, the settings are applied to the profile that is currently in use.

noteNote
If you do not configure standard profile settings, the default values for standard profile settings are applied whenever Windows Firewall uses the standard profile. These settings might not be appropriate when a computer is connected to a public network like the Internet. It is highly recommended that you configure both domain and standard profile settings and enable Windows Firewall for both profiles.

 

 

For more information about the way Windows Firewall determines which profile to use, see the section titled “How Windows Firewall Works” in the Windows Firewall Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42729).

When to perform this task

You should determine which profile Windows Firewall is using whenever you configure Windows Firewall settings through the graphical user interface or command prompt.

You should specify which profile you are configuring whenever you use the command prompt or the Group Policy Object Editor.

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, perform the following procedure:

Determine Which Profile Windows Firewall Is Using

Specify Which Profile You Are Configuring

See Also

Tools and Procedures Used to Troubleshoot Windows Firewall – TechNet

 

Tools and Procedures Used to Troubleshoot Windows Firewall

 

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Using Monitoring in Windows Firewall with Advanced Security

Updated: December 6, 2011

Applies To: Windows 7, Windows Server 2008 R2

The first step you typically take in troubleshooting a Windows Firewall or IPsec problem is to view which rules are currently being applied to the computer. Using the Monitoring node in Windows Firewall with Advanced Security enables you to see the rules currently being applied both locally and by Group Policy.

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation tree, select and then expand Monitoring.

  2. In the navigation tree, select Firewall to view the currently active inbound and outbound rules. You can double-click a rule to view its details.

  3. In the navigation tree, select Connection Security Rules to view the currently active connection security rules that implement IPsec requirements on network traffic. You can double-click a rule to view its details.

  4. For either Firewall or Connection Security Rules, you can determine where a rule came from. In the Actions pane, clickView, and then click Add/Remove Columns. In the Available columns list, select Rule Source, click Add, position it in theDisplayed columns list by clicking Move Up or Move Down, and then click OK. It can take a few seconds for the list to appear with the new information.

  5. In the navigation tree, expand Security Associations, and then select either Main Mode or Quick Mode to view the currently active security associations that are established between the local computer and various remote computers.

  • Only one firewall rule is used to determine if a network packet is allowed or dropped. If the network packet matches multiple rules, then the rule that is used is selected using the following precedence:

    • Rules that specify the action Allow if Secure and also the option Block Override

    • Rules that specify the action Block
    • Rules that specify the action Allow
  • Only currently active rules are displayed in the Monitoring node. Rules might not appear in the list if:
    • The rule is disabled.

    • If the default inbound or outbound firewall behavior is configured to allow traffic that is not blocked by a rule, then allow rules of the specified direction are not displayed.
  • By default, the firewall rules in the groups identified in the following list are enabled. Additional rules might be enabled when you install certain Windows Features or programs.
    • Core Networking – all profiles

    • Remote Assistance – DCOM and RA Server TCP rules for domain profile only, other rules for both domain and private profiles
    • Network Discovery – private profile only

Viewing Firewall and IPsec Events in Event Viewer

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

noteNote
This topic applies to computers that are running Windows 7 and Windows Server 2008 R2 only. To view firewall and IPsec events on computers that are running previous versions of Windows, see Enabling Audit Events for Windows Firewall with Advanced Security

 

 

Windows 7 and Windows Server 2008 R2 automatically log significant firewall and IPsec events in the computer’s event log. You can view events in the log by using Event Viewer.

To view events for Windows Firewall with Advanced Security in Event Viewer

  1. Event Viewer is available as part of Computer Management. Click Start, right-click Computer, and then click Manage. UnderSystem Tools, click Event Viewer.

  2. In the navigation tree, expand Event Viewer, expand Applications and Services, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.

  3. There are four views of operational events provided:

    • ConnectionSecurity. This log maintains events that relate to the configuration of IPsec rules and settings. For example, when a connection security rule is added or removed or the settings of IPsec are modified, an event is added here.

    • ConnectionSecurityVerbose. This log maintains events that relate to the operational state of the IPsec engine. For example, when a connection security rule become active or when crypto sets are added or removed, an event is added here. This log is disabled by default. To enable this log, right-click ConnectionSecurityVerbose, and then click Enable Log.
    • Firewall. This log maintains events that relate to the configuration of Windows Firewall. For example, when a rule is added, removed, or modified, or when a network interface changes its profile, an event is added here.
    • FirewallVerbose. This log maintains events that relate to the operational state of the firewall. For example, when a firewall rule become active, or when the settings of a profile are changed, an event is added here. This log is disabled by default. To enable this log, right-click FirewallVerbose, and then click Enable Log.
  4. Each event includes a General tab that summarizes the information contained in the event. For more information about an event, click Event Log Online Help to open a web page in the Windows Server Technical Library that contains detailed information and prescriptive guidance.

    The event also includes a Details tab that displays the raw data associated with the event. You can copy and paste the information in the Details tab by selecting the text (CTRL+A selects it all) and then pressing CTRL-C.

     

     

 

 

Enabling Audit Events for Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

ImportantImportant
The information in this topic is useful mainly to computers that are running Microsoft® Windows Vista® and Windows Server® 2008. Although the audit events are available in Windows® 7 or Windows Server® 2008 R2, it is more effective to use the operational event logging supported by those versions of Windows. For more information, see Viewing Firewall and IPsec Events in Event Viewer.

 

 

By default, Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 does not log anything in the Event Viewer log. The events that can be logged by Windows Firewall with Advanced Security are called “audit” events, and must be enabled. Once enabled, the events generated by Windows Firewall with Advanced Security can be viewed in Event Viewer.

For more information about events that are generated by Windows Firewall with Advanced Security, see Event IDs Used by Windows Firewall with Advanced Security


Enable audit events for Windows Firewall with Advanced Security

To enable audit events, use auditpol.exe, a command-line tool that modifies audit polices of the local computer. You can use the auditpol command-line tool to enable or disable the various categories and subcategories of events and then view the events in the Event Viewer snap-in.

  • To get the list of event categories recognized by the auditpol tool, type the following at the command prompt: 

    auditpol.exe /list /category

  • To get the list of subcategories under a category (this example uses the category Policy Change), type the following at the command prompt:

    auditpol.exe /list /category:”Policy Change”

  • To set a category and a subcategory to enable, type the following at the command prompt:

    auditpol.exe /set /category:”CategoryName” /SubCategory:”SubcategoryName

An example of setting a category and subcategory to enable is:

auditpol.exe /set /category:”Policy Change” /subcategory:”MPSSVC rule-level Policy Change” /success:enable /failure:enable

The events generated by Windows Firewall with Advanced Security span several categories and subcategories. Consider creating a batch file with the auditpol commands that you want that you can use to enable and disable audit events as needed. The following table lists event categories and subcategories that are relevant to troubleshooting Windows Firewall with Advanced Security.

 

Category Subcategories

Policy Change

  • MPSSVC rule-level policy change

  • Filtering Platform policy change

Logon/Logoff

  • IPsec Main Mode

  • IPsec Quick Mode 
  • IPsec Extended Mode 

System

  • IPsec Driver

  • Other system events 

Object Access

  • Filtering Platform packet drop 

  • Filtering Platform connection 

When you change audit policy settings, for changes to take effect, you must either restart the computer or force a manual policy refresh. You can force a manual refresh by typing the following command at the command prompt:

gpupdate /force

After you are done troubleshooting, you can disable the events by changing the enable settings above to disable and rerunning the commands.


Viewing firewall and IPsec audit events in Event Viewer

Once the audit events are enabled, use Event Viewer to view the events in the Security event log.

To view firewall and IPsec audit events in Event Viewer

  1. Click Start, click Control Panel, click System and Maintenance (on Windows Vista and Windows Server 2008) or System and Security (on Windows 7 and Windows Server 2008 R2), and then under Administrative Tools click View event logs.

  2. In Event Viewer, expand Windows Logs and then click Security. In the details pane, you can view the security-related audit events. The list of logged events is displayed at the top of the details pane. Clicking an event in the list displays more detailed information in the bottom of the Details pane. The General tab gives a description of the event in friendly text. The Details tab gives you the option to view the details of the event in either Friendly View or XML View. If you need more information about an event, on the General tab, click Event Log Online Help.

 

 

 

 

 

Configuring Firewall Log Files

1 out of 6 rated this helpful – Rate this topic

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

You can enable logging in Windows Firewall with Advanced Security to create a text file that contains information about which network connections the firewall allows and drops. You can create the following types of log files:


Configure the firewall log file for a profile

Before you can view firewall logs, you must configure Windows Firewall with Advanced Security to create log files.

To configure logging for a Windows Firewall with Advanced Security profile

  1. In the console tree of the Windows Firewall with Advanced Security snap-in, click Windows Firewall with Advanced Security, and then click Properties in the Actions pane.

  2. Click the tab of the profile for which you want to configure logging (Domain, Private, or Public), and then click Customize.

  3. Specify a name and location.

  4. Specify a log file size limit (Between 1 and 32767 Kbytes).

  5. Click Yes for Log dropped packets.

  6. Click Yes for Log successful connections and then click OK.

 

To view the firewall log file

Open Explorer to the path and filename you chose in the previous procedure, “To configure logging for a profile”. To access the firewall log, you must be an administrator of the local computer.Windows Firewall with Advanced Security

You can view the log file in Notepad or any program that can open a text file.

 

Interpreting the firewall log file

The following log information is collected. Some data in the log file applies to only certain protocols (TCP flags, ICMP type and code, etc.), and some data applies only to dropped packets (size).

 

Fields Description Example

Date

Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.

2006-3-27

Time

Displays the hour, minute, and second when the recorded transaction occurred. Times are recorded in the format: HH:MM:SS, where HH is the hour in 24-hour format, MM is the minute, and SS is the second.

21:36:59

Action

Indicates the operation that was observed by the firewall. The actions available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but that were not recorded in the log.

OPEN

Protocol

Displays the protocol that was used for the communication. A protocol entry can also be a number for packets that are not using TCP, UDP, or ICMP.

TCP

src-ip

Displays the IP address of the sending computer.

XXX.XXX.X.XX

dst-ip

Displays the IP address of the destination computer.

XXX.XXX.X.XX

src-port

Displays the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.

4039

dst-port

Displays the port number of the destination computer. A dst-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.

53

size

Displays the packet size in bytes.

tcpflags

Displays the TCP control flags that are found in the TCP header of an IP packet:

  • Ack. Acknowledgment field significant

  • Fin. No more data from sender
  • Psh. Push function
  • Rst. Reset the connection
  • Syn. Synchronize sequence numbers
  • Urg. Urgent Pointer field significant 

A flag appears as a single uppercase initial of the flagname. For example, the Fin flag appears as F, the single uppercase initial of the flagname.

AFP

tcpsyn

Displays the TCP sequence number in the packet.

1315819770

tcpack

Displays the TCP acknowledgment number in the packet.

0

tcpwin

Displays the TCP window size of the packet in bytes.

64240

icmptype

Displays a number that represents the Type field of the ICMP message.

8

icmpcode

Displays a number that represents the Code field of the ICMP message.

0

info

Displays an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action creates an entry for the number of events that occurred but were not recorded in the log since the time of the last occurrence of this event type.

23

noteNote
A hyphen (-) is used for fields where no information is available for an entry.

 

 


Create netstat and tasklist text files

You can create two custom log files, one to view network statistics (lists all listening ports) and the other to view the task list of either programs or services. The task list will provide the process identifier (PID) of the event which you can look up in the network statistics file for details. The procedure to create these two files is as follows:

To create network statistics and task list text files

  1. At the command prompt, type netstat -ano > netstat.txt, and then press ENTER.

  2. At the command prompt, type tasklist > tasklist.txt, and then press ENTER. If you want to create a text file for services rather than programs, at the command prompt, type tasklist /svc > tasklist.txt.

  3. Open the tasklist.txt and the netstat.txt files.

  4. In the tasklist.txt file, write down the Process Identifier (PID) for the process you are troubleshooting. Compare the PID with that in the Netstat.txt file. Write down the protocol that is used. The information about the protocol used can be useful when reviewing the information in the firewall log file.

Sample output of Tasklist.txt and Netstat.txt

Netstat.txt

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:XXX 0.0.0.0:0 LISTENING 122

TCP 0.0.0.0:XXXXX 0.0.0.0:0 LISTENING 322

Tasklist.txt

Image Name PID Session Name Session# Mem Usage

==================== ======== ================ =========== ============

svchost.exe 122 Services 0 7,172 K

XzzRpc.exe 322 Services 0 5,104 K

noteNote
The actual IP addresses have been changed to (X), and RPC service to (z).

 

 

 

Verifying that Key Firewall and IPsec Services are Working

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

For Windows Firewall with Advanced Security to operate correctly, the following services must be started:

  • Base Filtering Engine

  • Group Policy Client
  • IKE and AuthIP IPsec Keying Modules
  • IP Helper
  • IPsec Policy Agent
  • Network Location Awareness
  • Network List Service
  • Windows Firewall

To open the Services snap-in and verify that services are started

  1. Click Start and click Control Panel.

  2. Click System and Maintenance.

  3. Scroll to and click Administrative Tools.

  4. Double-click Services.

  5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  6. Verify that the services listed above are started. If one or more of the services are not started, right-click the service name in the list, and then click Start.

 

 

 

 

Resetting the Defaults in Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

As a last resort, you may want to restore Windows Firewall with Advanced Security defaults. When you restore default settings, you lose all settings, all firewall rules, and all IPsec connection security rules configured locally on the computer after Windows was installed. Group Policy applied rules and settings are not disturbed. The loss of locally defined rules might cause some programs to stop working that depend on certain rules or settings. Also, if you are remotely managing this computer, the connection is lost when you restore defaults.

Before resetting the Windows Firewall with Advanced Security defaults, make sure that you save the current firewall state. This allows you to restore your settings if necessary.

The steps to save the firewall state and reset Windows Firewall with Advanced Security to its default configuration are as follows:

To save the current firewall state

  1. In the Windows Firewall with Advanced Security MMC snap-in, click Export Policy in the Actions pane.

  2. In the Save As property sheet, provide a name and path for the export file.

  3. Click Save.

noteNote
You can use the Import Policy option in the Actions pane to reapply your saved configuration.

 

To restore Windows Firewall with Advanced Security to its default configuration

  1. In the Windows Firewall with Advanced Security snap-in, click Restore Defaults in the Actions pane.

  2. At the Windows Firewall with Advanced Security prompt, click Yes to restore firewall defaults.

 

 

 

 

Capturing Firewall and IPsec Events with Netsh WFP

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 introduce the new netsh wfp context that enables you to capture diagnostic trace sessions of the behavior of the Windows Filtering Platform which is the base engine that implements your firewall and connection security rules. Starting a capture session, reproducing the problem, and then stopping the capture results in a log that can help you or Microsoft Customer Support Services (CSS) troubleshoot connectivity problems on your computers.

To capture a Netsh WFP diagnostics session

  1. Open a command prompt with Administrator permissions.

  2. At the command prompt, change the current folder to your desktop by running the command: cd %userprofile%\desktop

  3. To start the capture, run the command netsh wfp capture start.

  4. Reproduce the networking problem whose cause you are trying to diagnose.

  5. To complete the capture, run the command netsh wfp capture stop. The output file is stored in the current folder.

To view the WFP diagnostic data

  1. In Explorer, double-click the .cab file that you created in the previous procedure.

  2. The .cab file contains an .xml file and an .etl file. The .etl file is a binary file that is intended for use by CSS. The .xml file can be loaded and read locally. Because of the size of the .xml files produced by this process we recommend that you acquire an XML Reader program, instead of using a Web browser or Notepad to open the file. Several good ones are available for free download on the Web.

  3. Drag the wfpdiag.xml file from the .cab file to the desktop.

  4. Open the file with your XML reader of choice and examine the contents. Note the main sections:

    • sysInfo – This section contains information about the computer on which the trace was captured.

    • initialState – This section contains information about the state of the WFP and the currently configured rules before the problem was reproduced.
    • Events – This section contains information about things that occurred while the capture session was running.
    • finalState – This section contains the same information as initialState, but was captured when you ran the wfp capture stop command. You can directly compare the two sections to look for differences that might relate to the connection problem you are trying to diagnose.

Similarly, you can use the netsh trace and netsh trace stop commands to capture a variety of diagnostic information customized to a selected scenario, such as wfp-ipsec.

To capture a Netsh Trace diagnostics section

  1. At an Administrator: Command Prompt, run the command netsh trace start scenario=wfp-ipsec tracefile=%userprofile%\desktop\SampleTrace.cab

    Substitute a path a filename appropriate to your environment.

  2. The output of the command shows you that the trace is running, the file to which the data is written, and details of other possible parameters.

  3. Reproduce the problem whose cause you are trying to diagnose.

  4. run the command netsh trace stop.

    The computer takes a few moments to compile the collected trace data into a .cab file at your specified location.

  5. Open Windows Explorer, browse to the folder you specified, and double-click the .cab file, and examine its contents. A variety of text files, .xml files, event log files, and other types are included.

 

 

Also read:

Common Troubleshooting Situations using Windows Firewall with Advanced Security

Windows Firewall with Advanced Security Event Messages 

Enable IPsec and Windows Firewall Audit Events

 

Tools and Procedures Used to Troubleshoot Windows Firewall

 

Tools and Procedures Used to Troubleshoot Windows Firewall

 

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Using Monitoring in Windows Firewall with Advanced Security

Updated: December 6, 2011

Applies To: Windows 7, Windows Server 2008 R2

The first step you typically take in troubleshooting a Windows Firewall or IPsec problem is to view which rules are currently being applied to the computer. Using the Monitoring node in Windows Firewall with Advanced Security enables you to see the rules currently being applied both locally and by Group Policy.

  1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation tree, select and then expand Monitoring.

  2. In the navigation tree, select Firewall to view the currently active inbound and outbound rules. You can double-click a rule to view its details.

  3. In the navigation tree, select Connection Security Rules to view the currently active connection security rules that implement IPsec requirements on network traffic. You can double-click a rule to view its details.

  4. For either Firewall or Connection Security Rules, you can determine where a rule came from. In the Actions pane, clickView, and then click Add/Remove Columns. In the Available columns list, select Rule Source, click Add, position it in theDisplayed columns list by clicking Move Up or Move Down, and then click OK. It can take a few seconds for the list to appear with the new information.

  5. In the navigation tree, expand Security Associations, and then select either Main Mode or Quick Mode to view the currently active security associations that are established between the local computer and various remote computers.

  • Only one firewall rule is used to determine if a network packet is allowed or dropped. If the network packet matches multiple rules, then the rule that is used is selected using the following precedence:

    • Rules that specify the action Allow if Secure and also the option Block Override

    • Rules that specify the action Block
    • Rules that specify the action Allow
  • Only currently active rules are displayed in the Monitoring node. Rules might not appear in the list if:
    • The rule is disabled.

    • If the default inbound or outbound firewall behavior is configured to allow traffic that is not blocked by a rule, then allow rules of the specified direction are not displayed.
  • By default, the firewall rules in the groups identified in the following list are enabled. Additional rules might be enabled when you install certain Windows Features or programs.
    • Core Networking – all profiles

    • Remote Assistance – DCOM and RA Server TCP rules for domain profile only, other rules for both domain and private profiles
    • Network Discovery – private profile only

Viewing Firewall and IPsec Events in Event Viewer

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

noteNote
This topic applies to computers that are running Windows 7 and Windows Server 2008 R2 only. To view firewall and IPsec events on computers that are running previous versions of Windows, see Enabling Audit Events for Windows Firewall with Advanced Security

 

 

Windows 7 and Windows Server 2008 R2 automatically log significant firewall and IPsec events in the computer’s event log. You can view events in the log by using Event Viewer.

To view events for Windows Firewall with Advanced Security in Event Viewer

  1. Event Viewer is available as part of Computer Management. Click Start, right-click Computer, and then click Manage. UnderSystem Tools, click Event Viewer.

  2. In the navigation tree, expand Event Viewer, expand Applications and Services, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.

  3. There are four views of operational events provided:

    • ConnectionSecurity. This log maintains events that relate to the configuration of IPsec rules and settings. For example, when a connection security rule is added or removed or the settings of IPsec are modified, an event is added here.

    • ConnectionSecurityVerbose. This log maintains events that relate to the operational state of the IPsec engine. For example, when a connection security rule become active or when crypto sets are added or removed, an event is added here. This log is disabled by default. To enable this log, right-click ConnectionSecurityVerbose, and then click Enable Log.
    • Firewall. This log maintains events that relate to the configuration of Windows Firewall. For example, when a rule is added, removed, or modified, or when a network interface changes its profile, an event is added here.
    • FirewallVerbose. This log maintains events that relate to the operational state of the firewall. For example, when a firewall rule become active, or when the settings of a profile are changed, an event is added here. This log is disabled by default. To enable this log, right-click FirewallVerbose, and then click Enable Log.
  4. Each event includes a General tab that summarizes the information contained in the event. For more information about an event, click Event Log Online Help to open a web page in the Windows Server Technical Library that contains detailed information and prescriptive guidance.

    The event also includes a Details tab that displays the raw data associated with the event. You can copy and paste the information in the Details tab by selecting the text (CTRL+A selects it all) and then pressing CTRL-C.

     

     

 

 

Enabling Audit Events for Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

ImportantImportant
The information in this topic is useful mainly to computers that are running Microsoft® Windows Vista® and Windows Server® 2008. Although the audit events are available in Windows® 7 or Windows Server® 2008 R2, it is more effective to use the operational event logging supported by those versions of Windows. For more information, see Viewing Firewall and IPsec Events in Event Viewer.

 

 

By default, Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 does not log anything in the Event Viewer log. The events that can be logged by Windows Firewall with Advanced Security are called “audit” events, and must be enabled. Once enabled, the events generated by Windows Firewall with Advanced Security can be viewed in Event Viewer.

For more information about events that are generated by Windows Firewall with Advanced Security, see Event IDs Used by Windows Firewall with Advanced Security


Enable audit events for Windows Firewall with Advanced Security

To enable audit events, use auditpol.exe, a command-line tool that modifies audit polices of the local computer. You can use the auditpol command-line tool to enable or disable the various categories and subcategories of events and then view the events in the Event Viewer snap-in.

  • To get the list of event categories recognized by the auditpol tool, type the following at the command prompt: 

    auditpol.exe /list /category

  • To get the list of subcategories under a category (this example uses the category Policy Change), type the following at the command prompt:

    auditpol.exe /list /category:”Policy Change”

  • To set a category and a subcategory to enable, type the following at the command prompt:

    auditpol.exe /set /category:”CategoryName” /SubCategory:”SubcategoryName

An example of setting a category and subcategory to enable is:

auditpol.exe /set /category:”Policy Change” /subcategory:”MPSSVC rule-level Policy Change” /success:enable /failure:enable

The events generated by Windows Firewall with Advanced Security span several categories and subcategories. Consider creating a batch file with the auditpol commands that you want that you can use to enable and disable audit events as needed. The following table lists event categories and subcategories that are relevant to troubleshooting Windows Firewall with Advanced Security.

 

Category Subcategories

Policy Change

  • MPSSVC rule-level policy change

  • Filtering Platform policy change

Logon/Logoff

  • IPsec Main Mode

  • IPsec Quick Mode 
  • IPsec Extended Mode 

System

  • IPsec Driver

  • Other system events 

Object Access

  • Filtering Platform packet drop 

  • Filtering Platform connection 

When you change audit policy settings, for changes to take effect, you must either restart the computer or force a manual policy refresh. You can force a manual refresh by typing the following command at the command prompt:

gpupdate /force

After you are done troubleshooting, you can disable the events by changing the enable settings above to disable and rerunning the commands.


Viewing firewall and IPsec audit events in Event Viewer

Once the audit events are enabled, use Event Viewer to view the events in the Security event log.

To view firewall and IPsec audit events in Event Viewer

  1. Click Start, click Control Panel, click System and Maintenance (on Windows Vista and Windows Server 2008) or System and Security (on Windows 7 and Windows Server 2008 R2), and then under Administrative Tools click View event logs.

  2. In Event Viewer, expand Windows Logs and then click Security. In the details pane, you can view the security-related audit events. The list of logged events is displayed at the top of the details pane. Clicking an event in the list displays more detailed information in the bottom of the Details pane. The General tab gives a description of the event in friendly text. The Details tab gives you the option to view the details of the event in either Friendly View or XML View. If you need more information about an event, on the General tab, click Event Log Online Help.

 

 

 

 

 

Configuring Firewall Log Files

1 out of 6 rated this helpful – Rate this topic

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

You can enable logging in Windows Firewall with Advanced Security to create a text file that contains information about which network connections the firewall allows and drops. You can create the following types of log files:


Configure the firewall log file for a profile

Before you can view firewall logs, you must configure Windows Firewall with Advanced Security to create log files.

To configure logging for a Windows Firewall with Advanced Security profile

  1. In the console tree of the Windows Firewall with Advanced Security snap-in, click Windows Firewall with Advanced Security, and then click Properties in the Actions pane.

  2. Click the tab of the profile for which you want to configure logging (Domain, Private, or Public), and then click Customize.

  3. Specify a name and location.

  4. Specify a log file size limit (Between 1 and 32767 Kbytes).

  5. Click Yes for Log dropped packets.

  6. Click Yes for Log successful connections and then click OK.

 

To view the firewall log file

Open Explorer to the path and filename you chose in the previous procedure, “To configure logging for a profile”. To access the firewall log, you must be an administrator of the local computer.Windows Firewall with Advanced Security

You can view the log file in Notepad or any program that can open a text file.

 

Interpreting the firewall log file

The following log information is collected. Some data in the log file applies to only certain protocols (TCP flags, ICMP type and code, etc.), and some data applies only to dropped packets (size).

 

Fields Description Example

Date

Displays the year, month, and day that the recorded transaction occurred. Dates are recorded in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.

2006-3-27

Time

Displays the hour, minute, and second when the recorded transaction occurred. Times are recorded in the format: HH:MM:SS, where HH is the hour in 24-hour format, MM is the minute, and SS is the second.

21:36:59

Action

Indicates the operation that was observed by the firewall. The actions available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that occurred but that were not recorded in the log.

OPEN

Protocol

Displays the protocol that was used for the communication. A protocol entry can also be a number for packets that are not using TCP, UDP, or ICMP.

TCP

src-ip

Displays the IP address of the sending computer.

XXX.XXX.X.XX

dst-ip

Displays the IP address of the destination computer.

XXX.XXX.X.XX

src-port

Displays the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.

4039

dst-port

Displays the port number of the destination computer. A dst-port entry is recorded in the form of a whole number, between 1 and 65,535. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.

53

size

Displays the packet size in bytes.

tcpflags

Displays the TCP control flags that are found in the TCP header of an IP packet:

  • Ack. Acknowledgment field significant

  • Fin. No more data from sender
  • Psh. Push function
  • Rst. Reset the connection
  • Syn. Synchronize sequence numbers
  • Urg. Urgent Pointer field significant 

A flag appears as a single uppercase initial of the flagname. For example, the Fin flag appears as F, the single uppercase initial of the flagname.

AFP

tcpsyn

Displays the TCP sequence number in the packet.

1315819770

tcpack

Displays the TCP acknowledgment number in the packet.

0

tcpwin

Displays the TCP window size of the packet in bytes.

64240

icmptype

Displays a number that represents the Type field of the ICMP message.

8

icmpcode

Displays a number that represents the Code field of the ICMP message.

0

info

Displays an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action creates an entry for the number of events that occurred but were not recorded in the log since the time of the last occurrence of this event type.

23

noteNote
A hyphen (-) is used for fields where no information is available for an entry.

 

 


Create netstat and tasklist text files

You can create two custom log files, one to view network statistics (lists all listening ports) and the other to view the task list of either programs or services. The task list will provide the process identifier (PID) of the event which you can look up in the network statistics file for details. The procedure to create these two files is as follows:

To create network statistics and task list text files

  1. At the command prompt, type netstat -ano > netstat.txt, and then press ENTER.

  2. At the command prompt, type tasklist > tasklist.txt, and then press ENTER. If you want to create a text file for services rather than programs, at the command prompt, type tasklist /svc > tasklist.txt.

  3. Open the tasklist.txt and the netstat.txt files.

  4. In the tasklist.txt file, write down the Process Identifier (PID) for the process you are troubleshooting. Compare the PID with that in the Netstat.txt file. Write down the protocol that is used. The information about the protocol used can be useful when reviewing the information in the firewall log file.

Sample output of Tasklist.txt and Netstat.txt

Netstat.txt

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:XXX 0.0.0.0:0 LISTENING 122

TCP 0.0.0.0:XXXXX 0.0.0.0:0 LISTENING 322

Tasklist.txt

Image Name PID Session Name Session# Mem Usage

==================== ======== ================ =========== ============

svchost.exe 122 Services 0 7,172 K

XzzRpc.exe 322 Services 0 5,104 K

noteNote
The actual IP addresses have been changed to (X), and RPC service to (z).

 

 

 

Verifying that Key Firewall and IPsec Services are Working

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

For Windows Firewall with Advanced Security to operate correctly, the following services must be started:

  • Base Filtering Engine

  • Group Policy Client
  • IKE and AuthIP IPsec Keying Modules
  • IP Helper
  • IPsec Policy Agent
  • Network Location Awareness
  • Network List Service
  • Windows Firewall

To open the Services snap-in and verify that services are started

  1. Click Start and click Control Panel.

  2. Click System and Maintenance.

  3. Scroll to and click Administrative Tools.

  4. Double-click Services.

  5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  6. Verify that the services listed above are started. If one or more of the services are not started, right-click the service name in the list, and then click Start.

 

 

 

 

Resetting the Defaults in Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

As a last resort, you may want to restore Windows Firewall with Advanced Security defaults. When you restore default settings, you lose all settings, all firewall rules, and all IPsec connection security rules configured locally on the computer after Windows was installed. Group Policy applied rules and settings are not disturbed. The loss of locally defined rules might cause some programs to stop working that depend on certain rules or settings. Also, if you are remotely managing this computer, the connection is lost when you restore defaults.

Before resetting the Windows Firewall with Advanced Security defaults, make sure that you save the current firewall state. This allows you to restore your settings if necessary.

The steps to save the firewall state and reset Windows Firewall with Advanced Security to its default configuration are as follows:

To save the current firewall state

  1. In the Windows Firewall with Advanced Security MMC snap-in, click Export Policy in the Actions pane.

  2. In the Save As property sheet, provide a name and path for the export file.

  3. Click Save.

noteNote
You can use the Import Policy option in the Actions pane to reapply your saved configuration.

 

To restore Windows Firewall with Advanced Security to its default configuration

  1. In the Windows Firewall with Advanced Security snap-in, click Restore Defaults in the Actions pane.

  2. At the Windows Firewall with Advanced Security prompt, click Yes to restore firewall defaults.

 

 

 

 

Capturing Firewall and IPsec Events with Netsh WFP

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 introduce the new netsh wfp context that enables you to capture diagnostic trace sessions of the behavior of the Windows Filtering Platform which is the base engine that implements your firewall and connection security rules. Starting a capture session, reproducing the problem, and then stopping the capture results in a log that can help you or Microsoft Customer Support Services (CSS) troubleshoot connectivity problems on your computers.

To capture a Netsh WFP diagnostics session

  1. Open a command prompt with Administrator permissions.

  2. At the command prompt, change the current folder to your desktop by running the command: cd %userprofile%\desktop

  3. To start the capture, run the command netsh wfp capture start.

  4. Reproduce the networking problem whose cause you are trying to diagnose.

  5. To complete the capture, run the command netsh wfp capture stop. The output file is stored in the current folder.

To view the WFP diagnostic data

  1. In Explorer, double-click the .cab file that you created in the previous procedure.

  2. The .cab file contains an .xml file and an .etl file. The .etl file is a binary file that is intended for use by CSS. The .xml file can be loaded and read locally. Because of the size of the .xml files produced by this process we recommend that you acquire an XML Reader program, instead of using a Web browser or Notepad to open the file. Several good ones are available for free download on the Web.

  3. Drag the wfpdiag.xml file from the .cab file to the desktop.

  4. Open the file with your XML reader of choice and examine the contents. Note the main sections:

    • sysInfo – This section contains information about the computer on which the trace was captured.

    • initialState – This section contains information about the state of the WFP and the currently configured rules before the problem was reproduced.
    • Events – This section contains information about things that occurred while the capture session was running.
    • finalState – This section contains the same information as initialState, but was captured when you ran the wfp capture stop command. You can directly compare the two sections to look for differences that might relate to the connection problem you are trying to diagnose.

Similarly, you can use the netsh trace and netsh trace stop commands to capture a variety of diagnostic information customized to a selected scenario, such as wfp-ipsec.

To capture a Netsh Trace diagnostics section

  1. At an Administrator: Command Prompt, run the command netsh trace start scenario=wfp-ipsec tracefile=%userprofile%\desktop\SampleTrace.cab

    Substitute a path a filename appropriate to your environment.

  2. The output of the command shows you that the trace is running, the file to which the data is written, and details of other possible parameters.

  3. Reproduce the problem whose cause you are trying to diagnose.

  4. run the command netsh trace stop.

    The computer takes a few moments to compile the collected trace data into a .cab file at your specified location.

  5. Open Windows Explorer, browse to the folder you specified, and double-click the .cab file, and examine its contents. A variety of text files, .xml files, event log files, and other types are included.

 

 

Also read:

Common Troubleshooting Situations using Windows Firewall with Advanced Security

 

 

Resetting the Defaults in Windows Firewall with Advanced Security – Technet

Resetting the Defaults in Windows Firewall with Advanced Security

Resetting the Defaults in Windows Firewall with Advanced Security

Updated: February 18, 2010

Applies To: Windows 7, Windows Server 2008 R2

As a last resort, you may want to restore Windows Firewall with Advanced Security defaults. When you restore default settings, you lose all settings, all firewall rules, and all IPsec connection security rules configured locally on the computer after Windows was installed. Group Policy applied rules and settings are not disturbed. The loss of locally defined rules might cause some programs to stop working that depend on certain rules or settings. Also, if you are remotely managing this computer, the connection is lost when you restore defaults.

Before resetting the Windows Firewall with Advanced Security defaults, make sure that you save the current firewall state. This allows you to restore your settings if necessary.

The steps to save the firewall state and reset Windows Firewall with Advanced Security to its default configuration are as follows:

To save the current firewall state

  1. In the Windows Firewall with Advanced Security MMC snap-in, click Export Policy in the Actions pane.
  2. In the Save As property sheet, provide a name and path for the export file.
  3. Click Save.
noteNote
You can use the Import Policy option in the Actions pane to reapply your saved configuration.

To restore Windows Firewall with Advanced Security to its default configuration

  1. In the Windows Firewall with Advanced Security snap-in, click Restore Defaults in the Actions pane.
  2. At the Windows Firewall with Advanced Security prompt, click Yes to restore firewall defaults.