This took some figuring out, so I have my firewall set to log dropped packets to a folder, in my case:
E:\Firewall\Firewall.Log
This was configured as part of a PowerShell script that sets up various parameters:
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
Set-NetFirewallProfile `
-DefaultInboundAction Block `
-DefaultOutboundAction Allow `
-AllowUnicastResponseToMulticast True `
-LogAllowed False `
-LogBlocked True `
-LogIgnored False `
-LogMaxSizeKilobytes 5555 `
–LogFileName "E:\Firewall\Firewall.Log"
I test by sending the server a continuous ping and then disabling the ICMP v4 rule that I set up in PowerShell thus:
Get-NetFirewallRule "Local-ICMP v4" -ErrorAction SilentlyContinue
If(!$?)
{
New-NetFirewallRule `
-DisplayName "Local-ICMP v4" `
-Direction Inbound `
-EdgeTraversalPolicy Block `
-Enabled True `
-LocalAddress "Any" `
-Protocol "ICMPv4" `
-LocalPort "Any" `
-Name "Local-ICMP v4" `
-Profile "Any" `
-Program "Any" `
-RemoteAddress "Any" `
-RemotePort "Any" `
-Service "Any"
}
All this, of course, could be achieved by Group Policy as well.
When the Windows Firewall Service restarts, the 'Firewall.Log' file is created, but remains empty of content. This despite the fact that NetSh verifies my configuration, and so does PowerShell. See the following using the commands NetSh ADVFirewall Show AllProfiles and Get-NetFirewallProfile respectively.
NetSh Example Output
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\putleym> netsh advfirewall show allprofiles
Domain Profile Settings:
--------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Disable
RemoteManagement Not Configured
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Enable
FileName E:\Firewall\Firewall.Log
MaxFileSize 5555
Private Profile Settings:
--------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Disable
RemoteManagement Not Configured
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Enable
FileName E:\Firewall\Firewall.Log
MaxFileSize 5555
Public Profile Settings:
--------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Disable
RemoteManagement Not Configured
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Enable
FileName E:\Firewall\Firewall.Log
MaxFileSize 5555
PowerShell Example Output
PS C:\Users\putleym> get-netfirewallprofile
Name : Domain
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Allow
AllowInboundRules : NotConfigured
AllowLocalFirewallRules : NotConfigured
AllowLocalIPsecRules : NotConfigured
AllowUserApps : NotConfigured
AllowUserPorts : NotConfigured
AllowUnicastResponseToMulticast : True
NotifyOnListen : False
EnableStealthModeForIPsec : NotConfigured
LogFileName : E:\Firewall\Firewall.Log
LogMaxSizeKilobytes : 5555
LogAllowed : False
LogBlocked : True
LogIgnored : False
DisabledInterfaceAliases : {NotConfigured}
Name : Private
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Allow
AllowInboundRules : NotConfigured
AllowLocalFirewallRules : NotConfigured
AllowLocalIPsecRules : NotConfigured
AllowUserApps : NotConfigured
AllowUserPorts : NotConfigured
AllowUnicastResponseToMulticast : True
NotifyOnListen : False
EnableStealthModeForIPsec : NotConfigured
LogFileName : E:\Firewall\Firewall.Log
LogMaxSizeKilobytes : 5555
LogAllowed : False
LogBlocked : True
LogIgnored : False
DisabledInterfaceAliases : {NotConfigured}
Name : Public
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Allow
AllowInboundRules : NotConfigured
AllowLocalFirewallRules : NotConfigured
AllowLocalIPsecRules : NotConfigured
AllowUserApps : NotConfigured
AllowUserPorts : NotConfigured
AllowUnicastResponseToMulticast : True
NotifyOnListen : False
EnableStealthModeForIPsec : NotConfigured
LogFileName : E:\Firewall\Firewall.Log
LogMaxSizeKilobytes : 5555
LogAllowed : False
LogBlocked : True
LogIgnored : False
DisabledInterfaceAliases : {NotConfigured}
After many days of research, head-scratching and frustration, here is a list of reasons this can go wrong and the required mitigation.
Leftover Policy Bits
If the firewall has ever been implemented by Group Policy, a bug in the ADMX file means that the registry is left permanently tattooed. You may need to follow these steps, even if it is your intention to use a Group Policy to implement your configuration, it depends on your own individual event history.
Open RegEdit and delete this entire key.
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall
Also, clear out any sub-keys of this key:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System
Now, open the local policy editor (GPEDIT.MSC) and navigate to: Computer Configuration\Windows Settings\Security Settings and right-click on 'Windows Firewall with Advanced Security - Local Group Policy Object' and select 'Clear Policy'.
Clearing more vomitus
Firewall Events Piped to Wrong Place
You may find that packet drops are being sent to the Windows Security Event Log, instead of where you want them. You will see them as Event IDs 5157 and 5152. This is due to a default audit setting that (I think) is new to Windows Server 2012 R2. You might like the events going to the security log, in which case you are good to go. I hate it. This can be fixed by resetting the audit policy to defaults, this will not effect your ability to set audit policies by Group Policy. It is achieved using the following command and following the instructions:
Auditpol /Clear
Permissions
The Windows Firewall Service needs permission to the folder you want you log written to. Don't be fooled by the fact it created the file. The initial creation is done by SYSTEM but the contents will be written by NT SERVICE\MPSSVC. The give away is that the file does not have the header and columns inside
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port... etc
People have been known to tie themselves in knots trying to do this, so it probably warrants some screenshots:
Make sure when you go to add the principle, that 'Built-in security principles' is checked.
Make sure you select the local computer name in the locations (at the top)
Enter 'NT Service\MPSSVC' (note the space after 'NT')
The 'Check Name' function will summarize to just 'MpsSvc'
Grant Full Control and you are done!
Anti-Malware Systems
Set an scanning exclusion on your firewal log folder
...and now REBOOT
Example of what the firewall log should look like (with some deliberate dropped pings)
What is nice is that the gaps between the words are TABs so you can paste this directly into Excel.
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode
2016-04-05 16:23 DROP ICMP 10.160.14.51 10.20.4.113 - - 64 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.20.79.216 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.20.68.108 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.160.14.51 10.20.4.113 - - 64 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.120.64.11 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.120.68.56 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.10.79.216 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.10.65.211 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
2016-04-05 16:23 DROP ICMP 10.1.112.214 10.20.4.113 - - 60 - - - - 8 0 - RECEIVE
Cheers!
No comments:
Post a Comment