How to tell which windows firewall rule is blocking traffic

I'm trying to set up a computer to accept all incoming traffic but only allow outgoing traffic to a specific IP. I have set an allow all rule for Incoming and an Allow rule that specifies an IP address as the only acceptable Outgoing address. I have also set up a deny all Outgoing rule, assuming that the other rule will take precedence.

The problem I am having is that all traffic is being blocked, even the traffic going to the IP that I specified as being allowed.

I am looking for a way to trace traffic through the firewall and see exactly what rule is blocking the traffic. The log generated by the firewall monitoring tells me that traffic was dropped but not which rule blocked it.

Josh

Posted 2016-09-30T14:59:54.670

Reputation: 163

I've often wanted to do this too, but it seems that the built-in Windows firewall doesn't have much to offer in this regard. I'd be interested to know if you find a solution for getting more detailed logging. – David Woodward – 2016-10-01T04:22:52.117

The Windows firewall is really to protect your PC from the network, not the network from your PC. The network should have its own firewall to protect it. – Ron Maupin – 2016-11-02T18:47:03.127

Answers

(Note: this applies to Windows 7 and may or may not work with newer versions.)

The following steps will lead you to the rule blocking your connection:

  • Open a Windows console (with Administration rights) to enter commands
  • Enable the audit for Windows Filtering Platform (WFP):
    • run command:
      auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
    • run command:
      auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
  • (This may drown you in Event Log data - enabling only failure audits, and possibly only connection failures will reduce the number of log entries. Be selective about what you actually need)
  • Reproduce the issue
  • Run command: netsh wfp show state (this creates an XML file in the current folder)
  • Open the event viewer: Run (Windows+R) > eventvwr.msc
    • go to "Windows logs" > "Security"
    • in the list, identify the packet-drop log entry (hint: use the Search feature on the right menu, searching for items (source IP, destination port, etc.) specific to your issue)
    • in the log details, scroll down and note the filter ID used to block the packet
  • Open the generated XML file:
    • search for the noted filterID, and check out the rule name (element "displayData > name" on the corresponding XML node)

This will give you a good start to find the blocking rule.

When you're done, don't forget to turn off the audit:

  • run command:
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
  • run command:
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

Note: depending on your Windows language setting, the auditing service might use different non-English names. To find the subcategory names, run command: auditpol /get /category:* and find subcategories which correspond to "Filtering Platform Packet Drop" and "Filtering Platform Connection" in the system language.

Bob

Posted 2016-09-30T14:59:54.670

Reputation: 376
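The manual lookup in this answer (event in the Security log, its filter ID, then "displayData > name" in the XML) can be scripted. The following is an added example, not part of the answer above; it assumes auditing was enabled as described, the issue was reproduced, wfpstate.xml from "netsh wfp show state" is in the current directory, and that the WFP audit event IDs are 5152 (packet dropped) and 5157 (connection blocked).

```powershell
# Added example: correlate WFP drop/block audit events with the filter (rule)
# names in wfpstate.xml. Run from an elevated PowerShell after reproducing
# the issue. Assumes wfpstate.xml has no XML namespace (true for netsh output).
param(
    [string]$StatePath = '.\wfpstate.xml',
    [int]$MaxEvents = 50
)

# 5152 = "blocked a packet", 5157 = "blocked a connection".
# Both events carry the run-time ID of the filter that matched (FilterRTID).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

[xml]$state = Get-Content -Path $StatePath -Raw

foreach ($ev in $events) {
    # Read the event's named data fields from its XML rendering.
    [xml]$x = $ev.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The raw event XML stores the direction as a resource-string code.
    $direction = switch ($data['Direction']) {
        '%%14592' { 'Inbound' }
        '%%14593' { 'Outbound' }
        default   { $data['Direction'] }
    }

    # Find the filter anywhere in the state dump (the XML nests filters under
    # layers, so search by filterId rather than by a fixed path), then read
    # displayData/name, which is the rule name the answer tells you to note.
    $id     = $data['FilterRTID']
    $filter = $state.SelectSingleNode("//item[filterId='$id']")
    $name   = if ($filter) { $filter.displayData.name } else { '(filter not in XML)' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        EventId     = $ev.Id
        Direction   = $direction
        Application = $data['Application']
        Remote      = "$($data['DestAddress']):$($data['DestPort'])"
        FilterRTID  = $id
        FilterName  = $name
    }
}
```

Pipe the output to Format-Table -AutoSize to read it; a FilterName that is not one of your own rules indicates the drop came from a built-in or default filter rather than an explicit rule.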

This will get you nowhere if you have outbound filtering enabled in Windows Firewall, because then, all programs without an explicit allow rule will be by default blocked. So, your program might not be blocked by a firewall rule at all. – Alexandru Dicu – 2018-03-09T05:48:24.013

This worked with Windows Server 2012 R2. – AresAvatar – 2018-03-15T18:12:43.500

In my case DisplayData-name says Default Outbound, so at least I'm sure my allow rule is ignored, so it's a bug in Microsoft firewall. – metablaster – 2019-12-15T15:00:57.167