Working with the Windows Firewall
Troubleshooting Advanced Firewall Problems
Troubleshooting advanced firewall configurations can become complicated quickly, especially if you have created customized authentication methods, required certificate-based communications, or edited the predefined rule listings in the management console. Be methodical and patient when pursuing these problems. Do not become discouraged: you can always fall back to the post-installation configuration by restoring the default settings.
When you are experiencing problems with advanced firewall configurations, the first thing to set is the logging feature for each profile associated with Windows Firewall. Although you must enable logging separately for each profile, the firewall records all logged activity (dropped packets, successful connections, or both) in a single central logfile. The default location of the firewall log is %SystemRoot%\System32\logfiles\firewall\pfirewall.log. This log helps you diagnose problems and offers insight into additional issues associated with the advanced firewall features.
If you are having problems with inbound or outbound connections, check the profile settings of the active profile. When you select the Monitoring node in Windows Firewall with Advanced Security, the active profile is labeled as such. Check the status of that profile. If the firewall is on and it is blocking all incoming connections, change the inbound setting from Block All Connections to Block (Block All Connections ignores inbound allow rules, so every inbound rule appears to fail). If the firewall is on and it is blocking outgoing connections, change the outbound setting from Block to Allow.
If you have created IPSec policies for specific connection types, or you require IPSec for communications, verify that the correct certificate is installed and that it has not expired or become untrusted. Also verify that the remote computer is configured with the same authentication methods, so that the two computers can authenticate each other. You may also want to enable the IPSec exemption for ICMP traffic so that echo requests flow without IPSec; this saves a lot of time when isolating network issues, because IPSec is no longer blocking your pings.
If a specific program does not work, make sure you have not created a customized rule that denies the desired behavior. Check the inbound and outbound rules to confirm that the port, protocol, and IP address settings are correct, along with any restrictions to particular computers or users. Make sure the rule is enabled or disabled as your situation requires. You should also determine the ports and protocols the program actually needs in order to operate. Once you have the correct information, either create the custom rules for inbound and outbound traffic or change the predefined listing so that it matches your information.
Sometimes it helps to restart the Windows Firewall service to make sure nothing has ended up in an unusable state after configuration changes. Also confirm that the desired functionality works with the firewall disabled, and re-enable the firewall as soon as that test is done. This helps you determine whether you have a separate issue beyond the firewall configuration.
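As an added example (not the book's own text or code), the following PowerShell script carries out the checks described in this section: it enables logging on all three profiles, reports each profile's state and the active network category, summarises dropped packets from pfirewall.log, and lists the rules attached to a program. It assumes the NetSecurity module (Windows 8 / Server 2012 and later; older systems use netsh advfirewall), an elevated shell, and 'example.exe' as a placeholder program name.

```powershell
# Added example, not from the book: turn on logging for every profile, show each
# profile's defaults, summarise dropped packets, and list the rules for one program.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later) in an elevated shell.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Logging is enabled per profile, but all three profiles write to the same file.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed True -LogFileName $LogPath -LogMaxSizeKilobytes 16384

# 2. Profile state and default actions. AllowInboundRules=False is the
#    "Block All Connections" setting, which makes every inbound allow rule look broken.
foreach ($p in Get-NetFirewallProfile) {
    '{0,-8} On={1,-5} Inbound={2,-6} AllowInboundRules={3,-5} Outbound={4}' -f `
        $p.Name, $p.Enabled, $p.DefaultInboundAction, $p.AllowInboundRules, $p.DefaultOutboundAction
}
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory   # which profile is active

# 3. Parse pfirewall.log using its own '#Fields:' header instead of fixed column positions,
#    so the parser keeps working if a Windows version adds a column.
function Get-FirewallDrop([string]$Path) {
    $fields = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line -split '\s+'
        if ($cols.Count -lt $fields.Count) { continue }   # truncated or partially written line
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['action'] -eq 'DROP') { [pscustomobject]$rec }
    }
}
# Most frequent dropped flows by direction (path), protocol and destination port.
Get-FirewallDrop -Path $LogPath |
    Group-Object -Property path, protocol, 'dst-port' |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# 4. Every rule tied to a program, to spot a customised deny rule or a disabled allow rule.
function Get-RuleForProgram([string]$Program) {
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like "*$Program*" } |
        Get-NetFirewallRule |
        Select-Object -Property DisplayName, Enabled, Direction, Action, Profile
}
Get-RuleForProgram -Program 'example.exe'   # 'example.exe' is a placeholder program name
```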